Pritunl Client v1.3.4075.60

Pritunl Client v1.3.4075.60 has been released. This release fixes issues with automatic reconnections after the device wakes from sleep. It also improves single sign-on authenticated reconnections and fixes the disabled gateway for IPv6 connections.

Reconnect with Authentication Notification


When reconnecting to a server requires interactive authentication, the client will now open and display a notification to prompt for reconnecting.

Hi, we are using Azure SSO and in version 1.3.3782.35, Autostart worked as Pritunl opened a tab in Edge and signed us in. There was however an issue with users who had multiple profiles and the login required user input; this caused a lot of users to wake up in the morning after server restart, to have 100+ tabs open. This was addressed I believe in version 1.3.4066.51 or earlier, then Autostart stopped working completely. Now in version 1.3.4075.60, at least we get reasonable feedback saying “Authentication required to reconnect”. Would it be possible for us with Azure SSO to have Pritunl attempt at least one login, to open a tab to try and start the VPN tunnel automatically after client restart, but if the user is not present at the computer, then give the message above in the app? Most of us have one profile set up in Edge so this would work for more than 90%+ users.

Kind regards
Torbjørn

It may be configured to try once but most OSs will wake to check notifications so it will always result in tabs being opened unprompted.

The Pritunl Client authentication cache option in the top right settings will allow reconnection without prompting the user. This is done with an in-memory-only token that is not stored on the disk. If security is a concern, device authentication will provide a very high level of security without needing to prompt the user.

Not sure if you misunderstand or I do, but since version 1.3.4066.51 it doesn’t even automatically try to authenticate once, even if Autostart is enabled. Prior to this version, some of us ended up with multiple tabs open during the night, but most of us just had one tab and VPN was connected. If Pritunl Client could attempt once at startup, that would be nice, since most of our users only have one profile and that would work for most of us. Just one attempt and if that fails, then pause the reconnect and wait for user input.

We do have “Pritunl Authentication Cache” enabled, but from the description, this doesn’t support Azure SSO, only Duo, Okta etc. If the intention is that it supports Azure, then it doesn’t work as I have to authenticate through browser every day.

I’m reluctant to use device authentication. I’m not about to approve 1500 clients individually to connect. We can probably run the command sudo pritunl override-device-key on all our servers for a few days and hope that most if not all clients authenticate during that time, but it doesn’t come without a risk and this solution does come with some hands-on work moving forward. Not fully ideal for a large company unless we can deploy using an approved key of sorts.

The intention is for the client to no longer attempt a reconnection if an interactive authentication is anticipated. This had been an issue primarily on macOS, which resumes from sleep at regular intervals.

The description on the authentication cache is referring to the supported two-factor authentication types. All of the connection single sign-on providers should work, including Azure. It may be an issue with the configuration sync not updating the client. Check the last sync time in the profile settings, then click debugging and look for Token set to true and Token TTL, the duration of the cache in seconds.

The command sudo pritunl override-device-key will not automatically approve devices; each one would still require clicking approve. It just can be done with one click for each device instead of needing to enter the registration code.

Thanks, I have a feature request for the next version. An option to disable the notification inside the client regarding “Update available”

Last Configuration Sync says Never on my computer. How do we force a sync or how often does it sync? Token is set to true and Token TTL is set to 2592000.

We had to downgrade from this version due to Windows and Linux users losing connection multiple times a day.

Check the client logs for configuration sync errors. Verify the configuration sync hosts are correct and that the Pritunl web server is available at those addresses. If the profile is unable to sync it will need to be reimported.

We’re not seeing anything about configuration sync. The error starts off with:

[2024-11-15 09:40:41][ERRO] ▶ connection: Keepalive failed

That reply was referencing the other comment.

The keepalive failed error typically indicates the WireGuard connection is offline. Run sudo wg and check the link. There may also be more information in the top right logs in the server web console.
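The link check suggested above can be scripted; this is an added example, not part of the thread or of Pritunl's own tooling. It reads the output of `wg show all latest-handshakes` (interface, peer key, Unix time of the last handshake) and lists peers whose handshake is older than a threshold; the 180-second threshold, the function names and the sample data are assumptions made for the example.

```shell
#!/bin/sh
# Added example: flag WireGuard peers whose last handshake is stale.
# Input format is that of `wg show all latest-handshakes`:
#   <interface> TAB <peer public key> TAB <unix time of last handshake>
# A handshake time of 0 means the peer has never completed a handshake.

# stale_peers NOW MAX_AGE
# Reads dump lines on stdin and prints one line per stale peer:
#   "<interface> <peer> never"   or   "<interface> <peer> <age>s"
stale_peers() {
    awk -v now="$1" -v max="$2" '
        NF == 3 && $3 == 0           { print $1, $2, "never"; next }
        NF == 3 && (now - $3) > max  { print $1, $2, (now - $3) "s" }
    '
}

# Constructed sample input (placeholder keys, not real peers).
sample_dump() {
    printf 'wg0\tPEER_KEY_A=\t1731663600\n'   # 41 s old at NOW below
    printf 'wg0\tPEER_KEY_B=\t1731663000\n'   # 641 s old at NOW below
    printf 'wg0\tPEER_KEY_C=\t0\n'            # never completed a handshake
}

# Offline run against the sample, with NOW fixed at 1731663641:
#   sample_dump | stale_peers 1731663641 180
# Live use (requires root); 180 s is an assumed threshold:
#   wg show all latest-handshakes | stale_peers "$(date +%s)" 180
```

A peer that has sent no traffic recently can show an old handshake without the link being broken, so compare the flagged peers against the timestamps of the Keepalive failed entries in the client log.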

If that’s happening, shouldn’t it kick everyone else off who is connected on the same server?

No errors in the top right hand corner logs button, which I think is just the /var/log/pritunl.log.

The only directly related errors I’ve found are in the client log, and they start off with the keepalive error. I do see nonstop streaming TLS Handshake errors but I assumed that was just internet scanning.

Nothing in the other system error logs around the time these things happen.

I’m not seeing any instance of multiple people being simultaneously dropped.