Change IP behind R53 DNS in automated fashion

I have a multi-host setup, and the PritunlVPN public interface is reached through R53 DNS, which points to one of the available EC2 hosts.
In case of failure of the host that is used as “route traffic to” for the public PritunlVPN interface, how can we automatically update this value with the other available host?
I thought this might be achieved using the Auto Route 53 Region and Auto Route 53 Zone settings, but it looks like they serve a different purpose. Could you explain the purpose of this option further, too?

A single domain shouldn’t be used for multiple hosts for the VPN connections. Use the information below to configure all the available domain options. In cases where there is a shared domain, a load balancer should be used, or just put all the host IPs in a single A record and most web browsers will try all the IPs until a working one is found.

The only domain that is relevant for availability is the connection single sign-on domain; this will need to work to complete a single sign-on for a VPN connection.

All other requests done by the client will try all the addresses it has knowledge of. Additionally these requests don’t require a valid SSL certificate as a combination of SHA512+HMAC, RSA and NaCl is used to authorize and encrypt the requests.

Hosts Tab

  • Host Public Address: The public IPv4 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Public IPv6 Address: The public IPv6 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Sync Address: In the advanced host settings. The public address or domain that the web server of the Pritunl servers can be accessed from. If a load balancer is configured that address should be set here.

Top Right Settings

  • Connection Single Sign-On Domain: Only shown when using single sign-on connection authentication. The public address or domain that is used to validate single sign-on requests through the Pritunl web server for a new VPN connection. If a load balancer is configured that address should be set here. Requires valid SSL certificate.

In my case I’m referring only to the web interface of PritunlVPN.

If the domain is only for the web traffic then both the IP addresses can be added in an A record. Typically a load balancer would be used instead but it will work.

The public address option in the host settings must always point to that specific host.
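
The single A record suggested above can be written as a Route 53 change batch. The following is an added example, not part of the original thread or of Pritunl: the function name, the domain `vpn.example.com` and the documentation-range IPs are constructed assumptions.

```python
import ipaddress
import json


def build_a_record_change(domain, host_ips, ttl=60):
    """Build a Route 53 ChangeBatch that UPSERTs one A record listing every host IP.

    The returned dict can be saved as JSON and passed to
    `aws route53 change-resource-record-sets --change-batch file://...`.
    """
    if not host_ips:
        raise ValueError("at least one host IP is required")

    values = []
    for raw in host_ips:
        ip = ipaddress.ip_address(raw.strip())  # raises ValueError on malformed input
        if ip.version != 4:
            raise ValueError(f"{raw!r} is not IPv4; IPv6 hosts belong in an AAAA record")
        if str(ip) not in values:  # drop duplicates, keep the given order
            values.append(str(ip))

    # Route 53 stores fully qualified names, so normalise to a trailing dot.
    name = domain.rstrip(".") + "."

    return {
        "Comment": "Web console A record with all Pritunl hosts",
        "Changes": [
            {
                "Action": "UPSERT",  # creates the record or replaces the existing one
                "ResourceRecordSet": {
                    "Name": name,
                    "Type": "A",
                    "TTL": ttl,  # short TTL so a removed host ages out of caches quickly
                    "ResourceRecords": [{"Value": v} for v in values],
                },
            }
        ],
    }


if __name__ == "__main__":
    # Constructed sample input: two hosts from the documentation address ranges.
    batch = build_a_record_change("vpn.example.com", ["203.0.113.10", "198.51.100.20"])
    print(json.dumps(batch, indent=2))
```

This only covers the shared web-console domain; each host's public address setting still points at that host alone, as the answer states.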