Pritunl Single sign-on timeout - Authenticating status stuck

Pritunl Pritunl VPN
,
1

Hello team,
We continuously facing the Single sign-on timeout issue. Here are more information about the system installed here.

  1. Pritunl version: was pritunl v1.32.4057.36, today upgraded to pritunl v1.32.4278.46. Single host, 7 servers.
  2. MongoDB version: was 8.0.3, today upgraded to 8.0.10. Self-hosted community edition version, deployed on a separate VM in the same network as pritunl.
  3. SSO provider - Azure
  4. On most servers - Single-sign on should be configured.

What is the problem?

User is connecting to profile from Client app and the following is happening:

  1. Clicking Connect button
  2. Redirecting to browser for authenticating with Azure
  3. Green message: Successfully authenticated connection
  4. On client app Status is still β€œAuthenticating”.
  5. After some time I receive error Connection timed out on <server_name>.
    There are logs:
Post "https://<PUBLIC_IP>/key/ovpn_wait/<org_id>/<user_id>/<server_id>/": context canceled
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).EncRequest
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:987 +0x1027fb614
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:545 +0x1027f8ae7
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:653 +0x1027f923b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).connectPreAuth
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:287 +0x1027f72ef
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:189 +0x1027f64ff
github.com/pritunl/pritunl-client-electron/service/connection.(*Ovpn).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/ovpn.go:107 +0x1027fd96f
github.com/pritunl/pritunl-client-electron/service/connection.(*Connection).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/connection.go:127 +0x1027fd958
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/handlers/profile.go:148 +0x102824abb
runtime.goexit
	/opt/homebrew/Cellar/go@1.22/1.22.8/libexec/src/runtime/asm_arm64.s:1222 +0x1022b2343
[2025-06-10 13:09:11][ERRO] β–Ά profile: Failed to start profile β—† profile_id="7f2ac329a667557a"
profile: Request put error
Post "https://<PUBLIC_IP>/key/ovpn_wait/<org_id>/<user_id>/<server_id>/": context canceled
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).EncRequest
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:987 +0x1027fb614
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:545 +0x1027f8ae7
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:653 +0x1027f923b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).connectPreAuth
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:287 +0x1027f72ef
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:189 +0x1027f64ff
github.com/pritunl/pritunl-client-electron/service/connection.(*Ovpn).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/ovpn.go:107 +0x1027fd96f
github.com/pritunl/pritunl-client-electron/service/connection.(*Connection).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/connection.go:127 +0x1027fd958
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/handlers/profile.go:148 +0x102824abb
runtime.goexit
	/opt/homebrew/Cellar/go@1.22/1.22.8/libexec/src/runtime/asm_arm64.s:1222 +0x1022b2343
[2025-06-10 13:43:51][INFO] β–Ά profile: Connecting β—† device_auth=true β—† disable_dns=false β—† disable_gateway=false β—† dynamic_firewall=false β—† force_connect=false β—† force_dns=false β—† geo_sort="" β—† mode="ovpn" β—† profile_id="7f2ac329a667557a" β—† reconnect=true β—† sso_auth=true
[2025-06-10 13:43:51][INFO] β–Ά connection: Resolved remotes β—† public_address="" β—† public_address6="" β—† remotes=[]string{"<PUBLIC_IP>"} β—† sort_method="random"
[2025-06-10 13:43:51][INFO] β–Ά connection: Attempting remote β—† client_disconnect=false β—† client_disconnect_waiters=0 β—† client_disconnected=false β—† client_provider=true β—† client_startime=0 β—† data_iface="" β—† data_mode="" β—† data_remotes=[]string{"<PUBLIC_IP>"} β—† data_status="connecting" β—† data_timestamp=0 β—† data_tun_iface="" β—† ovpn_auth_failed=false β—† ovpn_cmd=false β—† ovpn_connected=false β—† ovpn_dir="" β—† ovpn_last_auth_failed=-1 β—† ovpn_management_pass=false β—† ovpn_management_port=0 β—† ovpn_path="/Applications/Pritunl.app/Contents/Resources/pritunl-openvpn" β—† ovpn_remotes=[]string{} β—† ovpn_running=0 β—† ovpn_tap_iface="" β—† profile_device_auth=true β—† profile_disable_dns=false β—† profile_disable_gateway=false β—† profile_dynamic_firewall=false β—† profile_force_connect=false β—† profile_force_dns=false β—† profile_geo_sort=false β—† profile_id="7f2ac329a667557a" β—† profile_mode="ovpn" β—† profile_reconnect=true β—† profile_sso_auth=true β—† profile_system_profile=false β—† profile_timeout=false β—† remote="<PUBLIC_IP>" β—† state_closed=false β—† state_closed_waiters=0 β—† state_deadline=false β—† state_delay=false β—† state_id="445e74e4e050d208" β—† state_interactive=true β—† state_no_reconnect=false β—† state_stop=false β—† state_system_interactive=false β—† state_temp_paths=[]string{} β—† state_time=time.Date(2025, time.June, 10, 13, 43, 51, 862947000, time.Local) β—† wg_bash_path="/Applications/Pritunl.app/Contents/Resources/bash" β—† wg_conf_path="" β—† wg_conf_path2="" β—† wg_connected=false β—† wg_last_handshake=0 β—† wg_path="/Applications/Pritunl.app/Contents/Resources/wg" β—† wg_priv_key=false β—† wg_pub_key=false β—† wg_quick_path="/Applications/Pritunl.app/Contents/Resources/wg-quick" β—† wg_server_pub_key=false β—† wg_sso_start=time.Date(1, time.January, 1, 0, 0, 0, 0, time.UTC) β—† wg_sso_token=false β—† wg_util_path=""
[2025-06-10 13:45:23][ERRO] β–Ά profile: All connection requests failed
connection: Single sign-on timeout
ORIGINAL STACK TRACE:
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:559 +0x1027f8be3
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:564 +0x1027f8c7b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).authorize
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:653 +0x1027f923b
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).connectPreAuth
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:287 +0x1027f72ef
github.com/pritunl/pritunl-client-electron/service/connection.(*Client).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/client.go:189 +0x1027f64ff
github.com/pritunl/pritunl-client-electron/service/connection.(*Ovpn).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/ovpn.go:107 +0x1027fd96f
github.com/pritunl/pritunl-client-electron/service/connection.(*Connection).Start
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/connection/connection.go:127 +0x1027fd958
github.com/pritunl/pritunl-client-electron/service/handlers.profilePost.func1
	/Users/apple/go/src/github.com/pritunl/pritunl-client-electron/service/handlers/profile.go:148 +0x102824abb
runtime.goexit

How it started?

Before upgrading to new versions we sometimes faced with this issue.
I read topics from the Pritunl forum, I understand that there is the issue with host to host messaging communication.
When I executed command sudo pritunl clear-message-cache it helped and I continued working with VPN. I was thinking it’ll be a good idea to clear messages cache by cron each day, but sometimes I was receiving this error even after few hours after running this command.

How is it going now?

I decided to upgrade Pritunl version and MongoDB version. I upgraded Pritunl from pritunl v1.32.4057.36 to pritunl v1.32.4278.46 and MongoDB version from 8.0.3 to 8.0.10.

And issue not even gone, it’s became permanent. sudo pritunl clear-message-cache doesn’t help now, I’m checking the messages collection inside the DB and it’s not cleared. There are still the same records that I had before upgrade.
I tried both: MacOS and Windows 11, not working.

I have few questions:

  1. How to fix it and make it work again?
  2. How to prevent such issues for the future? Maybe some MongoDB or Pritunl options that I can adjust, so it’ll not happen again?
  3. What are the reasons for this to happen? We don’t have a lot of active users for now.
2

The context cancelled in the client logs is from an issue fixed in Pritunl Client v1.3.4275.94. With the right timing the client was cancelling the context before the response is read causing the context cancelled in the logs. It may be more common with the newer server because of the effects the changes had on the timing of the single sign-on requests.

The other single sign-on issues are caused by problems with capped collections in MongoDB. It seems to start in v7, before being fixed then started again in recent v8 releases. The issues in v8 seem to be far more common on standalone databases than in replica sets. The capped collections and tailable cursors allow creating a publish-subscribe event system that is used to send events between hosts.

One of the ways the event system is used is to notify the client that the single sign-on authentication request has been completed. If the event system doesn’t work, the connection will time out.

The latest release v1.32.4278.46 should avoid these issues with an added token sync that runs at a 3 second interval. This will allow single sign-on connections to work without the event system, although it would add up to 3 seconds to connection time.

3

Hey @zach
Thank you for the quick response.

I updated my Pritunl Client version to v1.3.4275.94 and it’s not working as well. I still see context canceled errors in logs.

Regarding the server version, as you can see from my initial request - I perform an upgrade today and installed the newest (I was assuming that) version of Pritunl on Ubuntu.
I used to install pritunl using apt package manager on Ubuntu and now the current version is:

pritunl-ndppd/unknown,now 0.2.5-0ubuntu1~noble amd64 [installed,automatic]
pritunl-strongswan/unknown,now 5.9.14-0ubuntu1~noble amd64 [installed,auto-removable]
pritunl/unknown,now 1.32.4258.38-0ubuntu1~noble amd64 [installed]

However, I see that in this installation the pritunl version is 1.32.4258.38 while the latest one is pritunl v1.32.4278.46 (Release pritunl v1.32.4278.46 Β· pritunl/pritunl Β· GitHub). I assume I should install it by downloading the deb package then.

I want to clarify regarding the Pritunl Client version. You mentioned the following:

The latest release v1.32.4278.46 should avoid these issues with an added token sync that runs at a 3 second interval. This will allow single sign-on connections to work without the event system, although it would add up to 3 seconds to connection time.

Does it mean that it will work only if the SERVER version also updated to the latest version?
Is it possible that it’ll not work if the client version is v1.3.4275.94, but the server version is still 1.32.4258.38? I think it may be important, because there is the following mentioning in the latest server release version: Improve connection single sign-on.

Regarding MongoDB:

The issues in v8 seem to be far more common on standalone databases than in replica sets.

Does it mean that we should ideally use MongoDB Atlas for working with Pritunl?
If not Atlas - then self-hosted one, but deployed as replica set?

4

Those are two separate issues. The cancelled context can occur with any web request made from the client. The server update does not effect compatibility with client versions.

If you updated the client verify the latest release is shown in the menu to confirm it is running the new version. It can still show context cancelled if the connection is cancelled by clicking disconnect or by some other events. If issues are still occurring with single sign-on timeouts that is likely the server side issue not the client.

The v1.32.4278.46 release is for the server not the client. If the update isn’t available run sudo dnf clean all or sudo apt clean to clear the cache before updating.

The majority of the issues are reported with MongoDB Atlas databases, using it won’t improve reliability. The shared tier Atlas databases specifically are not intended for production and will have issues.

1 Like
5

Upgrading both - Pritunl client and Pritunl server to the mentioned versions solved the problem.
Tried also to use the older version of the client with the new version of the server - works as well.

Going to perform few more tests, but for now it seems to be working.
Thank you very much @zach !