We use S2S VPN with pritunl-link from AWS to Azure/GCP. Works like a charm and love the ease. Nevertheless, a consideration that I was thinking into is has anyone implemented a hub spoke replacement to Transit Gateway using pritunl-link?
We got 4 AWS VPCs within AWS and we are looking into using pritunl-link to be the replacement. Has this been done before?
There is support for this in Pritunl Link, but it is complicated to configure. By default all locations connect to all other locations. Clicking Transit Peer instructs that location to provide that peer to all other peers. Clicking Remove Peer will remove the direct connection between those peers and if available will pull the peer from an available peer that has it with transit. Clicking Remove Peer a second time will fully remove the peer and transit peer link. Clicking Add Peer will return it back to a direct connection.
The Remove Peer will remove it from both locations, it can be done from either side. It should not be removed from each location separately as that will result in the second option of fully removing the link.
To use us-south as a central hub for links with the configuration us-east → us-south → us-west follow the actions below. Once this is done us-east → us-west should have a label indicating Transit with the name of the location handling the transit.
Click Transit Peer in us-south for both us-east and us-west
Click Remove Peer in us-east for us-west
There isn't any significant benefit to this configuration. It's primarily intended for configurations where a direct connection isn't possible such as a network behind a NAT or a fully private network. This likely isn't what you are looking for and AWS Transit Gateway isn't internally using a hub and spoke connection, the actual links between VPCs are going to be direct. The Transit Gateway just centrally controls the state of the links. This is similar to the default design already in Pritunl, the Pritunl server only handles the state of the links. All connections between links are done directly.
It's also far better to use the WireGuard mode in Pritunl Link instead of IPsec. It's almost always faster and I've continued to see connection problems with IPsec where it will get stuck failing to connect even after multiple resets which Pritunl Link does automatically. I've personally been using several WireGuard Pritunl Link configurations and never had any disruptions. With recent updates new links are created with WireGuard as the default.
Ya that's complicated. I enjoy using TGW in AWS but costs can become crazy high sporadically for us. As for the time to invest in setting up AWS TGW, it took me 1 day.
I will take a stab at this but thanks for the explanation. If you ever have spare time would appreciate documentation or features to make this easier. However, knowing how busy you are it's fine to put this in the backlog. Thanks again!
There are tutorials in the Pritunl Link section in the documentation. There is some outdated information in those and it is still missing some of the functionality. I did go through and update the install scripts to use the latest Linux distributions available. When installing Pritunl packages the pritunl/pritunl-pacur repository will show the currently available distributions in the targets of each build file. This can then be matched to one of the configurations in the repository's documentation.