Wireguard and Reverse Proxy (AWS ELB)

Hi,

I am in the testing phase of the Pritunl enterprise, we basically want to achieve the following:

  • Pritunl running without SSL, on port 80 (or 8080), with one Organization, one Host and one server. Pretty basic. The public address, let’s say, is 33.33.33.33
  • Since it is in AWS, we want to use AWS ELB to access the Pritunl webUI and to do the TLS termination in the ELB, using DNS, for example https://pritunl.hakka.com
  • Authentication will be using SSO with Google.

We are using the official Pritunl Client for linux/mac

When doing this, the openVPN will work no problem, but the Wireguard won’t work at all. Of course all the Security groups were tested, and in fact with exactly the same configuration but without using the ELB, doing the TLS termination through Pritunl, everything works.

So, using the ELB setup the webUI and the openVPN work with the client, no problem at all, but I want to use Wireguard, and I cannot make it work… It won’t connect. I would say that there is some problem with the authentication, since the wireguard port is open as it should be…

Also I have set in the Pritunl webUI → Host → Settings the “Sync Address” as pritunl.hakka.com, but no luck…

Am I doing something wrong?

Thanks in advance :)

The load balancing documentation explains how to configure a load balancer.

Below are all the addresses and how to configure them. This must be done correctly when using load balancers.

Hosts Tab

  • Host Public Address: The public IPv4 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Public IPv6 Address: The public IPv6 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Sync Address: In the advanced host settings. The public address or domain that the web server of the Pritunl servers can be accessed from. If a load balancer is configured that address should be set here.

Top Right Settings

  • Connection Single Sign-On Domain: Only shown when using single sign-on connection authentication. The public address or domain that is used to validate single sign-on requests through the Pritunl web server for a new VPN connection. If a load balancer is configured that address should be set here. Requires valid SSL certificate.

Hi Zach,

Actually the Host settings I do have as you specified in your post; the only difference is I am not using the IPv6. I even tried with and without using the DNS directly for the server (NOT the load balancer DNS), and in both cases Wireguard didn’t work (openVPN does work).

I had also checked that Load Balancing documentation before, but as I specified in my post, the Load Balancer is NOT nginx NOR HAProxy, but directly the AWS ELB, and the termination is done there. I want to use the AWS ELB because it also gives me the opportunity to use the AWS WAF for the webUI.

The options I have set on the server are:

app.reverse_proxy true
app.redirect_server false
app.server_ssl false
app.server_port 80

but it doesn’t help.

Edit: Just to clarify, there is NO firewall rule now for the AWS ELB; I am trying to make it work before protecting it… So, it’s just the AWS ELB + the pritunl webUI running on port 80.

Thanks

The difference between the OpenVPN and WireGuard connection is the WireGuard connection needs to send an HTTP request to authenticate with the Pritunl server. If that request is unable to reach the Pritunl server it will fail with an authentication error.
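As an added illustration (not Pritunl's own code) of the point above, the script below checks the address and server settings discussed in this thread against the requirement that the WireGuard client's HTTP authentication request must reach Pritunl through the load balancer. The `PritunlAddresses` dataclass, the load balancer DNS name, the target port and the `http_status` probe are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Callable, List
import urllib.error
import urllib.request


@dataclass
class PritunlAddresses:
    """Hypothetical snapshot of the settings the thread talks about (constructed)."""
    host_public_address: str  # Hosts tab: the host's own public IP, never the LB
    host_sync_address: str    # Hosts tab > advanced: where the web server is reached
    sso_domain: str           # Top-right settings: Connection Single Sign-On Domain
    reverse_proxy: bool       # app.reverse_proxy
    server_ssl: bool          # app.server_ssl
    server_port: int          # app.server_port
    lb_dns: str               # DNS name of the load balancer (assumed)
    lb_target_port: int       # port the load balancer forwards to on the host (assumed)


def http_status(url: str) -> int:
    """Return the HTTP status for url, or 0 if the request fails (DNS, TLS, refused)."""
    try:
        with urllib.request.urlopen(url, timeout=5) as resp:
            return resp.getcode()
    except urllib.error.HTTPError as e:
        return e.code
    except (urllib.error.URLError, OSError):
        return 0


def check_wireguard_auth_path(a: PritunlAddresses,
                              probe: Callable[[str], int] = http_status) -> List[str]:
    """List configuration problems that would stop the WireGuard client's
    authentication request from reaching Pritunl via the load balancer."""
    problems = []
    if a.host_public_address == a.lb_dns:
        problems.append("Host Public Address must be the host's own public IP, not the LB")
    if a.host_sync_address != a.lb_dns:
        problems.append(f"Host Sync Address should be the load balancer address {a.lb_dns}")
    if a.sso_domain != a.lb_dns:
        problems.append(f"Connection Single Sign-On Domain should be {a.lb_dns}")
    if not a.reverse_proxy:
        problems.append("app.reverse_proxy should be true behind a load balancer")
    if a.server_ssl:
        problems.append("app.server_ssl should be false when the LB terminates TLS")
    if a.server_port != a.lb_target_port:
        problems.append(f"app.server_port {a.server_port} != LB target port {a.lb_target_port}")
    # The client talks HTTPS to the sync address, so probe exactly that URL.
    status = probe(f"https://{a.host_sync_address}/")
    if status == 0 or status >= 400:
        problems.append(f"https://{a.host_sync_address}/ not reachable (status {status})")
    return problems
```

Run it with the real `http_status` probe from a client machine to confirm the sync address answers over HTTPS with a valid certificate; an empty list means the settings match what Zach describes.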

Hi Zach,

I am not sure what happened there; out of desperation I reinstalled the whole machine and it started to work, so I cannot tell what the problem was, but most likely some bad config I did, or who knows… The important thing is that it’s working now.

Thanks very much