Configuration question

Hi guys,

I would like to ask if the scenario below is possible to do with pritunl VPN or not. If yes, would anyone be able to provide a configuration example?

I have 2 routers with a separate internet connection for each router. Both routers have their own subnets to serve.

Let me try to explain what I would like to achieve:
I would like to use 1 VPN organization with 2 pritunl servers and 2 MongoDB servers. The 2 MongoDB servers would replicate between each other and the 2 pritunl servers would be failovers of each other. Each pritunl server would have its own connection to the internet. Pritunl Server 1 uses Router 1 to access the internet through the ISP 1 connection and Pritunl Server 2 uses Router 2 to access the internet through the ISP 2 connection.
When a client connects it would try to connect through the registered domain name of the ISP 1 connection, but if that is not available then the client would try the registered domain name of the ISP 2 connection.
If both sides are available then the connection would always be through ISP 1. While a connection is live, if Pritunl Server 1 goes down the connection would automatically fail over to Pritunl Server 2 using the ISP 2 connection. I understand that each pritunl server would need a separate virtual subnet, which will require static routes accordingly.

MongoDB requires an odd number of servers for the quorum vote. After both the Pritunl hosts are configured one VPN server can be created. Attach both hosts to the server and it will automatically failover.

Hi Zach,

Thanks for the quick reply. Isn’t your answer exactly the same as the failover configuration example from the official website?

If you attach both hosts to 1 server, wouldn’t it cause issues with the virtual client networks? I would need separate virtual client networks for both sides of the network.
What will be the domain name in the client connection profile? Will both domains be included for the client connection?

Best regards,
Pal

If NAT is used the virtual network won’t have any effect on the local network. The Pritunl server will handle routing clients if a replicated configuration is used. The client profile will include both server public addresses.

Hi Zach,

Thanks for the reply again. Unfortunately we don’t want to use NAT as we would like to have access to the client computers. Is that still possible to do with a failover setup?
I have read in the setup article that the 2 pritunl hosts must be in the same subnet.

Regards,
Pal

To have failover without NAT the routing table needs to be updated automatically. This option is labeled route advertisement but it is only available with the AWS and Oracle Cloud APIs.

If you have another network you will need to create two servers for each host and the user will need to select one of the two.

Hi Zach,

Is OSPF on the development plan by any chance? That could deal with route advertisement.

In terms of NAT… We would like to disable it so we can access remote VPN clients from the local network. Am I correct in saying that is only available in the Premium version?

If I buy 1 Premium license can I use the same license for those 2 pritunl hosts/servers in question?

Best regards,
Pal

The route options require an enterprise subscription. There are no plans on adding OSPF support.

Hi Zach,

Just revisiting this question. I thought about something. Is it possible to disable the DHCP server on the pritunl server?
If I created a separate scope for each host, then one of them would have different client addresses from the other host in the replica setup. This way, with NAT disabled, by having control over the IP addresses I could create the local route on our routers and access the remote clients based on the server scope they are connected through.

Is that possible?

Best regards,
Pal

There is code in Pritunl to maintain static addresses for each client and a pool of temporary addresses for clients using multiple devices. The VPN connections require an address be given to the VPN client during the connection process. This cannot be disabled.

A non-NAT configuration should not require a subnet for each host. Pritunl will automatically configure a VXLan overlay network and route the clients between each host or route them without a VXLan if the VXLan Routing option is disabled in the server settings. This allows setting the destination for the VPN virtual network in the routing table to any active Pritunl host. The VXLan will allow this to function even if the Pritunl hosts are on a cloud network that only has layer 3 routing. Verify that traffic is allowed between Pritunl hosts for these configurations.

Hi Zach,

Thank you for the response. Is VXLan a new feature in pritunl?
It could work for us; however, I still don’t know how the static routes would work with the local routers in a non-NAT configuration.
Going back to my original example (I know I need 1 more MongoDB server), I cannot have the same client network route on Router 1 and Router 2; in case Pritunl Server 1 fails, routing from 192.168.0.100 to the VPN remote client will fail.

In a failover scenario can we have pritunl server host 1 and host 2 on separate subnets?

Best regards,
Pal

The route advertisement feature is intended to handle that. This will automatically update the routing tables on AWS and Oracle Cloud. On other platforms you would need to either create multiple servers instead or create a plugin to automate the routing table updates using the plugin system.

Hi Zach,

In a failover setup can we have the 2 hosts on separate subnets?

In the given configuration example (picture that was posted) we have 2 sites where both sites are connected to each other through a site-to-site VPN. The VPN connection is between Router 1 and Router 2. Each site has its dedicated WAN connection with registered A records for the pritunl setup. We would like to place a pritunl host on both site 1 and site 2 so in case ISP1 or ISP2 goes down we can access the local network by the pritunl VPN. Also, if any pritunl host goes down on either site, the other will still provide connectivity.
To complicate things, we would be looking for a non-NAT configuration so remote clients can be accessed from the local network. Currently there are OSPF route advertisements going on between the sites and that is why I was asking about the OSPF option in pritunl. I can look into whether it is possible to do OSPF advertisement with a python plugin, but I will need an OSPF plugin installed too.

Regards,
Pal

Without custom code to update the routes a non-NAT failover configuration is only supported on AWS and Oracle Cloud.
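The two replies above say the same thing: outside AWS and Oracle Cloud, a non-NAT failover setup needs your own code to repoint the route for the VPN virtual network at whichever Pritunl host is currently up. The script below is an added example of that custom code, not part of Pritunl and not from this thread. It assumes a constructed topology: one Pritunl host per site (`192.168.1.10`, `192.168.2.10`), one shared server virtual network (`10.88.0.0/24`), a TCP probe on port 443 as the health check, and a Linux box acting as the router so that `ip route replace` is the way to update the route. Site 1 is preferred, matching the original request that traffic use ISP 1 whenever it is available.

```python
"""Repoint the static route for a Pritunl virtual network at the first reachable host.

Added example for this thread, not Pritunl's own code. Meant to be run from cron
or a systemd timer on the Linux router of each site; the same decision logic
could be called from a Pritunl plugin hook instead, which is not shown here.
"""
import socket
import subprocess
from typing import Callable, List, Optional, Sequence, Tuple

# Constructed sample values (assumptions, not taken from the thread).
VPN_NETWORK = "10.88.0.0/24"                      # Pritunl server virtual network
PRITUNL_HOSTS = ["192.168.1.10", "192.168.2.10"]  # site 1 host first, then site 2
PROBE_PORT = 443                                  # assumed reachable between sites


def tcp_reachable(host: str, port: int = PROBE_PORT, timeout: float = 2.0) -> bool:
    """Health probe: a plain TCP connect to the Pritunl host."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def choose_active_host(hosts: Sequence[str], probe: Callable[[str], bool]) -> Optional[str]:
    """First reachable host in preference order (site 1 before site 2), or None."""
    for host in hosts:
        if probe(host):
            return host
    return None


def route_command(network: str, gateway: str) -> List[str]:
    """Idempotent Linux route update: 'replace' adds the route or rewrites it."""
    return ["ip", "route", "replace", network, "via", gateway]


def reconcile(
    network: str,
    hosts: Sequence[str],
    current_gateway: Optional[str],
    probe: Callable[[str], bool] = tcp_reachable,
    run: Callable[..., object] = subprocess.run,
) -> Tuple[Optional[str], bool]:
    """Probe the hosts and repoint the route only when the preferred host changed.

    Returns (gateway, changed). When no host answers, the existing route is left
    alone so a transient probe failure never removes connectivity on its own.
    """
    active = choose_active_host(hosts, probe)
    if active is None or active == current_gateway:
        return current_gateway, False
    run(route_command(network, active), check=True)
    return active, True


if __name__ == "__main__":
    # Stand-alone run: pass the gateway you last installed (None on first run).
    gateway, changed = reconcile(VPN_NETWORK, PRITUNL_HOSTS, current_gateway=None)
    print(f"gateway={gateway} changed={changed}")
```

Both routers would run this against the same host list, so while site 1 is healthy both point the virtual network at the site 1 host over the site-to-site link, and when it stops answering both fall over to site 2 on the next run; the `current_gateway` argument keeps the script from rewriting an unchanged route every interval.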