Pritunl v1.32.3504.68

Pritunl v1.32.3504.68 has been released. This update adds device authentication, Python 3.9, improved single sign-on verification and improved web server security.

Device Authentication

Device authentication is a new authentication factor that utilizes the client TPM or Apple Secure Enclave. When a user connects for the first time to a server that has device authentication enabled, the user is prompted to contact an administrator with a pin so that the administrator can approve the user's physical device. This pin prevents the administrator from inadvertently approving an unknown device. All Windows or Linux devices that are able to run Windows 11 have a TPM, as it is part of the requirements for Windows 11. Most macOS devices made after the introduction of the Touch Bar have support for the Secure Enclave.

This system provides a high level of protection against authentication and phishing attacks. Even if an attacker is able to obtain a user's VPN profile and fully compromises the user's account and two-factor authentication, the device making the connection would still be prompted for administrator approval when attempting to connect.

The Device Authentication documentation has more information. The High Security Environment documentation has also been added to document all recommendations for environments requiring the highest level of security.
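The approval flow described above, as an added illustration that is not Pritunl's code: a device registers on first contact, the user receives a pin to relay out of band, the administrator can only approve with that pin, and a stolen profile plus credentials on a different machine still lands in the pending state. A random secret held by the `Device` object stands in for a key sealed in the TPM or Secure Enclave, and possession is proved with an HMAC over a fresh server challenge; a real deployment would use an asymmetric key whose private half never leaves the hardware. The pin attempt limit and the six-digit pin format are this example's assumptions.

```python
"""Constructed model of device authentication with pin-confirmed approval.

Added example, not Pritunl code. A random secret held by the Device object
stands in for a key sealed in the TPM or Secure Enclave, and possession is
proved with an HMAC over a fresh server challenge; a real deployment would use
an asymmetric key whose private half never leaves the hardware.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Tuple


class Device:
    """Client side: the secret is generated on the device and never exported."""

    def __init__(self) -> None:
        self._secret = secrets.token_bytes(32)
        # Identifier the server records for this device (a hash, not the secret)
        self.device_id = hashlib.sha256(b"id:" + self._secret).hexdigest()

    def verify_key(self) -> bytes:
        # Handed to the server at enrollment; stands in for the device public key
        return hashlib.sha256(b"verify:" + self._secret).digest()

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self.verify_key(), challenge, hashlib.sha256).digest()


class VPNServer:
    PIN_ATTEMPTS = 3  # assumption: a few wrong pins lock the pending record

    def __init__(self) -> None:
        self._devices: Dict[str, dict] = {}

    def connect(self, user: str, creds_ok: bool, device: Device) -> Tuple[str, str]:
        """Return (status, detail); password and two-factor checks are assumed done."""
        if not creds_ok:
            return ("denied", "bad credentials")
        rec = self._devices.get(device.device_id)
        if rec is None:
            # First connection from this device: record it as pending and give
            # the user a pin to relay to an administrator out of band.
            pin = f"{secrets.randbelow(10**6):06d}"
            self._devices[device.device_id] = {
                "user": user, "key": device.verify_key(), "pin": pin,
                "approved": False, "attempts": 0,
            }
            return ("pending", pin)
        if rec["user"] != user:
            return ("denied", "device enrolled to another user")
        # Proof of possession: only the enrolled device can answer the challenge
        challenge = secrets.token_bytes(32)
        expected = hmac.new(rec["key"], challenge, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, device.respond(challenge)):
            return ("denied", "device proof failed")
        if not rec["approved"]:
            return ("pending", rec["pin"])
        return ("connected", device.device_id)

    def admin_approve(self, device_id: str, pin: str) -> bool:
        """Approve a pending device only when the admin supplies the user's pin."""
        rec = self._devices.get(device_id)
        if rec is None or rec["approved"] or rec["attempts"] >= self.PIN_ATTEMPTS:
            return False
        rec["attempts"] += 1
        if not hmac.compare_digest(rec["pin"], pin):
            return False
        rec["approved"] = True
        return True


def demo() -> dict:
    """Enrollment, a mistyped pin, approval, then a stolen-credential attempt."""
    server = VPNServer()
    laptop = Device()
    first, pin = server.connect("alice", True, laptop)
    wrong_pin = "000001" if pin != "000001" else "000002"
    typo = server.admin_approve(laptop.device_id, wrong_pin)   # refused
    ok = server.admin_approve(laptop.device_id, pin)           # approved
    after, _ = server.connect("alice", True, laptop)
    # Attacker holds alice's profile, password and second factor, but another machine
    other = Device()
    stolen, _ = server.connect("alice", True, other)
    return {"first": first, "typo": typo, "approved": ok, "after": after, "stolen": stolen}


if __name__ == "__main__":
    print(demo())
```

The point the model makes is that the approval decision is keyed to the device's hardware-held secret, not to anything in the profile or the user's credentials, so the attacker's machine cannot get past "pending" without an administrator deliberately approving it with a pin only the legitimate user saw.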

Python 3.9

The Pritunl package for all distributions except Arch Linux will now include a full Python 3.9 interpreter separate from the system's Python environment. This allows modernizing the code base and ensures continued support for all Linux distributions as the older Python releases on these distributions reach EOL.

Single Sign-On Verification

Previously, when a user authenticated through single sign-on connected to a server, the server used the single sign-on API to verify that the user had not been disabled or deleted. This prevented disabled or deleted single sign-on users from connecting to Pritunl servers even if the Pritunl user was still active. This check has been expanded to refresh every 30 minutes while a user is connected. With this change, if a user is disabled or deleted at the single sign-on provider, that user will be disconnected from the VPN server within 30 minutes. This feature only applies to single sign-on providers with API support where the API key is configured in the top right single sign-on settings.
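A constructed model of the re-verification loop, added here as an illustration rather than Pritunl's implementation: sessions are re-checked against the provider once they are 30 minutes past their last verification, users reported as disabled or deleted are dropped, and nothing is re-checked at all when no provider API key is configured. `FakeProvider` stands in for a provider's user API, and the choices to fail closed on a brand-new connection and to keep existing sessions through a provider outage are this example's assumptions.

```python
"""Constructed model of periodic single sign-on re-verification for connected users.

Added example, not Pritunl code. FakeProvider stands in for a provider user API
(status lookups keyed by username), and REFRESH_INTERVAL mirrors the 30-minute
re-check. Fail-closed at connect time and keep-session-during-outage are this
example's design assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

REFRESH_INTERVAL = 30 * 60  # seconds


class ProviderError(Exception):
    """The provider API could not be reached."""


class FakeProvider:
    """Stand-in for an SSO provider API answering 'active', 'disabled' or 'deleted'."""

    def __init__(self, api_key: Optional[str], users: Dict[str, str]) -> None:
        self.api_key = api_key
        self._users = dict(users)
        self.down = False

    def set_status(self, username: str, status: str) -> None:
        self._users[username] = status

    def user_status(self, username: str) -> str:
        if self.down:
            raise ProviderError("provider unreachable")
        return self._users.get(username, "deleted")


@dataclass
class Session:
    username: str
    last_verified: int  # epoch seconds of the last successful provider check
    sso: bool = True


class SessionMonitor:
    def __init__(self, provider: FakeProvider) -> None:
        self.provider = provider
        self.sessions: Dict[str, Session] = {}

    def _api_enabled(self) -> bool:
        # Re-verification only applies when a provider API key is configured
        return self.provider.api_key is not None

    def connect(self, username: str, now: int, sso: bool = True) -> bool:
        if sso and self._api_enabled():
            try:
                if self.provider.user_status(username) != "active":
                    return False
            except ProviderError:
                return False  # fail closed on a brand-new connection (assumption)
        self.sessions[username] = Session(username, now, sso)
        return True

    def refresh(self, now: int) -> List[str]:
        """Re-check sessions due for verification; return the usernames dropped."""
        dropped: List[str] = []
        if not self._api_enabled():
            return dropped
        for name, sess in list(self.sessions.items()):
            if not sess.sso or now - sess.last_verified < REFRESH_INTERVAL:
                continue
            try:
                status = self.provider.user_status(name)
            except ProviderError:
                continue  # transient outage: keep the session, retry next cycle
            sess.last_verified = now
            if status != "active":
                del self.sessions[name]
                dropped.append(name)
        return dropped


def demo() -> dict:
    provider = FakeProvider("api-key-placeholder", {"alice": "active", "bob": "active"})
    mon = SessionMonitor(provider)
    t0 = 1_700_000_000
    mon.connect("alice", t0)
    mon.connect("bob", t0)
    provider.set_status("bob", "disabled")       # bob disabled at the identity provider
    early = mon.refresh(t0 + 10 * 60)            # 10 min: not due yet
    due = mon.refresh(t0 + 30 * 60)              # 30 min: bob is dropped
    provider.set_status("alice", "deleted")
    provider.down = True
    outage = mon.refresh(t0 + 60 * 60)           # provider down: alice kept for now
    provider.down = False
    recovered = mon.refresh(t0 + 61 * 60)        # next cycle: alice dropped
    return {"early": early, "due": due, "outage": outage,
            "recovered": recovered, "remaining": sorted(mon.sessions)}


if __name__ == "__main__":
    print(demo())
```

The outage branch is the part worth thinking about in a real deployment: keeping sessions alive while the provider is unreachable avoids mass disconnects during an identity-provider incident, but it also means the 30-minute bound only holds while the API is answering.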

Web Server Security

Currently Pritunl utilizes an external web server that runs in the separate pritunl-web process. This Go-based web server handles SSL and sanitization of user input before the request is sent to the internal pritunl process. On RHEL distributions, SELinux policies are included to further restrict this process. This design provides a high level of protection from RCE attacks on the web server. Further protection is now available that utilizes systemd to run this process as a non-root user and to add systemd protection options such as ProtectSystem. Currently this is disabled by default; it can be enabled by running sudo pritunl set app.web_systemd true and then sudo systemctl restart pritunl. This feature is documented in the High Security Environment documentation.
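To show what the non-root and ProtectSystem hardening described above looks like in a unit file, and how to check that a unit actually carries it, here is an added example that is not Pritunl's code or its real unit file. The two unit texts are constructed samples (the binary path and service user are placeholders), and the directives checked are standard systemd.exec(5) options: a service with no User= runs as root, so that case is flagged explicitly.

```python
"""Constructed check for systemd sandboxing directives on a web-server unit.

Added example, not Pritunl code. WEAK_UNIT and HARDENED_UNIT are constructed
samples (placeholder paths and user names); the checked keys are standard
systemd.exec(5) directives.
"""
from typing import Dict, List

# Directive -> accepted values (lower-cased). User= is handled separately.
HARDENING = {
    "NoNewPrivileges": {"true", "yes", "1"},
    "ProtectSystem": {"strict", "full"},
    "ProtectHome": {"true", "yes", "read-only", "tmpfs"},
    "PrivateTmp": {"true", "yes", "1"},
    "PrivateDevices": {"true", "yes", "1"},
}

WEAK_UNIT = """\
[Unit]
Description=Example web front end (constructed sample)

[Service]
ExecStart=/usr/bin/example-web
Restart=always
"""

HARDENED_UNIT = """\
[Unit]
Description=Example web front end, sandboxed (constructed sample)

[Service]
ExecStart=/usr/bin/example-web
Restart=always
User=example-web
Group=example-web
# Lets a non-root process bind ports 80/443; no other capabilities retained
AmbientCapabilities=CAP_NET_BIND_SERVICE
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
# strict makes the whole filesystem read-only; add ReadWritePaths= for state dirs
ProtectSystem=strict
ProtectHome=true
PrivateTmp=true
PrivateDevices=true
"""


def parse_service_section(unit_text: str) -> Dict[str, List[str]]:
    """Collect Key=Value lines from [Service]; later duplicates are appended."""
    section = None
    values: Dict[str, List[str]] = {}
    for raw in unit_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section != "Service" or "=" not in line:
            continue
        key, _, value = line.partition("=")
        values.setdefault(key.strip(), []).append(value.strip())
    return values


def audit_unit(unit_text: str) -> List[str]:
    """Return findings; an empty list means every checked directive is set acceptably."""
    svc = parse_service_section(unit_text)
    findings: List[str] = []
    # systemd runs a service as root unless User= says otherwise
    if svc.get("User", ["root"])[-1] == "root":
        findings.append("User: service runs as root")
    for key, accepted in HARDENING.items():
        vals = svc.get(key)
        if not vals:
            findings.append(f"{key}: not set")
        elif vals[-1].lower() not in accepted:
            findings.append(f"{key}={vals[-1]}: expected one of {sorted(accepted)}")
    return findings


if __name__ == "__main__":
    for name, text in (("weak", WEAK_UNIT), ("hardened", HARDENED_UNIT)):
        print(name, audit_unit(text) or "ok")
```

The same parser can be pointed at the output of `systemctl cat <unit>` on a host to confirm the sandboxing is in effect after enabling it, which is the check a reviewer would want before relying on the option in a high security environment.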