Pritunl setup with 2 outgoing ips

I’m looking for a way to serve 2 different IP addresses, based on user group/organization.

context: In collaboration with an external party, we have ~200 users making use of a web app, and ~5 data team users that have access to their database. For security reasons, they want to whitelist based on IP. They’d prefer not to whitelist the general users for the database. So what we’re looking for is 2 outgoing IPs, 1 whitelisted for web app, 1 whitelisted for database and web app.

our setup so far:
We’re running a high-availability Pritunl deployment on Azure consisting of:

  • 2 Pritunl hosts (shared MongoDB backend)
  • 1 MongoDB VM
  • Azure Standard Load Balancer
  • Both Pritunl hosts attached to both VPN servers

The Azure Load Balancer has two frontend public IP addresses:

  • Public IP 1
    • UDP 1194 (OpenVPN)
    • UDP 51820 (WireGuard)
  • Public IP 2
    • UDP 1195 (OpenVPN)
    • UDP 51821 (WireGuard)

Both frontend IPs load balance across the same two Pritunl hosts. The VMs themselves do not have public IP addresses.

Our goal is:

  • Regular users connect to VPN Server A and should always use Public IP 1.
  • Data Team users connect to VPN Server B and should always use Public IP 2.
  • Both VPN servers should remain highly available across both Pritunl hosts.

Currently, users are correctly assigned to the appropriate Pritunl organization through Microsoft Entra ID, but the generated client profiles always contain the same remote address. It appears Pritunl is using the host’s detected public address (host.auto_public_address) instead of the Azure Load Balancer frontend IP associated with the VPN server.

Is it possible to set up pritunl this way, or what would be the correct approach to do this?

This should be done without a load balancer. The software already handles automatic failover, random host selection and geo-sorted host selection to connect to the nearest host. There are also some authentication modes that are scoped to the specific host. The client will send a pre-connection authorization request then it needs to connect to that same host. When controlling access with public IP addresses each host should have a different server and different organizations attached to that host to control which users can connect to that host. Below are all the domains in Pritunl and how to configure them for multi host configurations.

Below are all the addresses and how to configure them.

Hosts Tab

  • Host Public Address: The public IPv4 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Public IPv6 Address: The public IPv6 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Sync Address: In the advanced host settings. The public address or domain that the web server of the Pritunl servers can be accessed from. If a load balancer is configured that address should be set here.

Top Right Settings

  • Single Sign-On Domain: The public address or domain that is used to validate single sign-on requests through the Pritunl web server for a new VPN connection. This should be the same domain used to access the web console. If a load balancer is configured that address should be set here. Requires valid SSL certificate.