Our router has 2 WAN interfaces with 2 IPs, but clients always connect using one. As far as I understand, the Pritunl server settings (set by the public address either in the top right settings or in the host settings for enterprise subscriptions) specify only one.
By default the public address is blank to automatically detect the server's public address.
How can it be possible to use the 2nd WAN interface? Only by additionally installing a second Pritunl or by setting up software like Traefik or similar behind the router?
Because we want some clients to connect via WAN1 and the rest of the clients via WAN2. At this time it's not convenient to edit user profile configs manually…
The server isn't designed to support that. If it's an enterprise subscription, a blank host can be created by temporarily removing /var/lib/pritunl/pritunl.uuid and running sudo systemctl restart pritunl. This will create a second host, and the public address of that host can be set to the second IP address. Then both hosts can be attached to the server. Even though the second host is offline, the client will still attempt both IP addresses in a random order. This would not result in additional billing for the offline host.
Please clarify: in the end, should there be only one pritunl.uuid file (the newly created one)? The Pritunl client can't connect although the 2nd host was added successfully and we set the 2nd IP explicitly as the Public Address. Now in the Pritunl client log:
2024-11-06 17:37:49 TCP/UDP: Preserving recently used remote address: [AF_INET]IP_WAN1:port
2024-11-06 17:37:49 UDPv4 link local: (not bound)
2024-11-06 17:37:49 UDPv4 link remote: [AF_INET]IP_WAN1:port
2024-11-06 17:37:53 Server poll timeout, restarting
2024-11-06 17:37:53 SIGUSR1[soft,server_poll] received, process restarting
The uuid should be restored to the original value after the second host is created. If the host isn’t able to connect to the IP address then it is an issue with that network configuration. Check the remote values in the profile paths listed in the client debugging documentation.
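The host-creation steps from the two replies above, as an added shell example that is not Pritunl's own tooling. It assumes the data directory is /var/lib/pritunl and the service is restarted with "systemctl restart pritunl" (both overridable so the steps can be rehearsed on a scratch directory), and it assumes a second restart is needed after the original uuid is put back:

```shell
#!/bin/sh
# Added example, not from the Pritunl project: create a second Pritunl host record
# by hiding pritunl.uuid, restarting the service so it writes a fresh uuid (a new
# host), then restoring the original uuid so this machine keeps its identity.
# Assumed defaults: /var/lib/pritunl and "systemctl restart pritunl"; both are
# arguments so the procedure can be rehearsed against a scratch directory.
set -eu

create_second_host() {
    dir="${1:-/var/lib/pritunl}"
    restart="${2:-systemctl restart pritunl}"
    uuid_file="$dir/pritunl.uuid"
    orig="$dir/pritunl.uuid.orig"
    second="$dir/pritunl.uuid.second-host"

    [ -f "$uuid_file" ] || { echo "missing $uuid_file" >&2; return 1; }

    # Step 1: keep a copy of the original host identity, then remove it.
    cp -p "$uuid_file" "$orig"
    rm -f "$uuid_file"

    # Step 2: restart; the service writes a new uuid, which is the second host.
    sh -c "$restart"
    [ -f "$uuid_file" ] || { echo "service did not recreate $uuid_file" >&2; return 1; }
    if cmp -s "$uuid_file" "$orig"; then
        echo "uuid unchanged after restart, no second host was created" >&2
        return 1
    fi
    # Keep the second host's uuid so it can be matched to the new host in the console.
    cp -p "$uuid_file" "$second"

    # Step 3: restore the original uuid (assumed: a further restart makes the
    # running service pick the original identity up again).
    cp -p "$orig" "$uuid_file"
    sh -c "$restart"
    echo "second host uuid: $(cat "$second")"
}
```

Run `create_second_host` as root on the Pritunl host; the second host's public address is then set in the web console as the reply above describes.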
Thank you! Actually, in the ovpn profile file I can see:
remote WAN1-IP 21159 udp
remote WAN2-IP 21159 udp
but with the same port number value, although in the server settings (there are 2 VPN servers configured in one VM with Pritunl) we have 2 different port values: 21159 and 24924. I tried to add the other port value to the Public Address in the host settings but it's not working. Now we have 2 Hosts available with different Public IPs but one of them is still in the offline state. As I understand it, both Hosts must be in the online state…
So if we temporarily remove pritunl.uuid followed by systemctl restart pritunl, the newly created second host will be in the offline state anyway, but clients will be able to connect to both IPs (WAN1+WAN2) in a random order, correct? We have a newly created second host in the offline state now. Or must both hosts be in the online state?
Yes, it doesn't matter if the host remains in an offline state. The remotes will be added to the client configuration and the client will attempt both hosts' IP addresses.
We can connect successfully in ovpn mode to both IPs, WAN1 and WAN2 (when one of the hosts remains in an offline state), but in wg mode we can connect only via one of the WAN interfaces (the one assigned to the host in the online state). I.e. if we manually swap the Host IPs then we can connect to the other WAN (new host in the online state) in wg mode. And strangely, this error message occurred in the client's log when the WG connection was successful:
[2024-11-13 15:21:09][ERRO] ▶ connection: Failed to complete authorize ◆ body="413: Payload Too Large" ◆ method="POST" ◆ status_code=413 ◆ url="https://WAN2-IP:port/key/wg/61ff20cbc1e709c149fd0572/642c8e939b8aa8a4abb8991d/653644b488c49b9109058421/" request: Bad status 413 code from server
Actually this method won't work with WireGuard even if the web server access was fixed. WireGuard connections are going to return the public address of the current host in the authentication response and that will be used for the connection. This will cause only one IP to be used for WireGuard connections.
In the future it may be possible to put the second IP in the Public IPv6 Address field but currently this is ignored by the Pritunl Client due to limited support for supplying multiple endpoints to the WireGuard wg-quick configuration.