Pritunl v1.32.4400.99 has been released. This release improves VPN authentication speed and resolves connection timeouts on servers processing high volumes of concurrent connection requests. The pritunl-openvpn RHEL package provided in the Pritunl repository has also been updated to OpenVPN v2.6.15.
Client Connection Speed
When the Python Cryptography library used by Pritunl was updated and migrated to OpenSSL v3.0, a significant performance regression occurred. Web-based authenticated VPN connections could take up to a full second of high CPU load just to parse the user's public key in order to validate the signed request. Web-based authentication is used for all WireGuard connections and for OpenVPN connections using connection single sign-on, device authentication or the dynamic firewall. This becomes problematic when a large server is restarted and all of its users attempt to reconnect at the same time; during this period the web console could also become unusable. This has been fixed, along with other changes made to tune the web server queue sizes and some Python compiler options. Together these changes result in roughly a 50x-60x improvement in connection times. Below are the average response times before and after, measured with the server under load. Testing now also verifies that a server with 2 cores can handle 1000 concurrent connection requests, which in this release completes with an average response time of 7300ms.
# Without Device Authentication
Before: 3200ms
After: 55ms
# With Device Authentication
Before: 4800ms
After: 95ms
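The following is an added example, not Pritunl's code and not the fix shipped in this release. It models the step the notes describe: a web-authenticated connection carries a signature that the server checks against the user's stored public key, and under OpenSSL 3 the expensive part is parsing that key from PEM on every request. The example signs a constructed request body with an RSA key, verifies it once by re-parsing the PEM per request and once through a cache of parsed key objects keyed by a digest of the PEM bytes, and times both paths. The request format, the helper names and the cache design are assumptions made for illustration; it requires the `cryptography` package.

```python
"""Signed-request verification with and without caching the parsed public key.

Added example, not Pritunl's code. The user key, request body and helper names
are constructed for this illustration.
"""
import hashlib
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def make_user_keypair():
    """Return (private_key, public_pem) for a constructed sample user."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    public_pem = private_key.public_key().public_bytes(
        serialization.Encoding.PEM,
        serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_key, public_pem


def sign_request(private_key, body: bytes) -> bytes:
    """Client side: sign the request body (RSA PKCS#1 v1.5 over SHA-256)."""
    return private_key.sign(body, padding.PKCS1v15(), hashes.SHA256())


def _verify_with(public_key, body: bytes, signature: bytes) -> bool:
    try:
        public_key.verify(signature, body, padding.PKCS1v15(), hashes.SHA256())
        return True
    except InvalidSignature:
        return False


def verify_uncached(public_pem: bytes, body: bytes, signature: bytes) -> bool:
    """Parse the stored PEM on every request: the slow path under OpenSSL 3."""
    public_key = serialization.load_pem_public_key(public_pem)
    return _verify_with(public_key, body, signature)


# Cache of parsed key objects. Keying by a digest of the PEM bytes means a
# rotated user key simply misses the cache; no explicit invalidation is needed.
_KEY_CACHE: dict = {}


def load_public_key_cached(public_pem: bytes):
    """Parse each distinct PEM once and reuse the resulting key object."""
    digest = hashlib.sha256(public_pem).digest()
    key = _KEY_CACHE.get(digest)
    if key is None:
        key = serialization.load_pem_public_key(public_pem)
        _KEY_CACHE[digest] = key
    return key


def verify_cached(public_pem: bytes, body: bytes, signature: bytes) -> bool:
    """Same check as verify_uncached, but without the per-request PEM parse."""
    return _verify_with(load_public_key_cached(public_pem), body, signature)


def time_verifications(verify, public_pem, body, signature, rounds=100) -> float:
    """Average milliseconds per call of the given verify function."""
    start = time.perf_counter()
    for _ in range(rounds):
        verify(public_pem, body, signature)
    return (time.perf_counter() - start) * 1000 / rounds


if __name__ == "__main__":
    priv, pem = make_user_keypair()
    body = b"constructed request body: user=alice nonce=8f2c ts=1700000000"
    sig = sign_request(priv, body)
    print("valid signature, uncached:", verify_uncached(pem, body, sig))
    print("tampered body, cached:    ", verify_cached(pem, body + b"x", sig))
    print("avg ms per verify, uncached: %.3f"
          % time_verifications(verify_uncached, pem, body, sig))
    print("avg ms per verify, cached:   %.3f"
          % time_verifications(verify_cached, pem, body, sig))
```

The gap between the two timings depends on the OpenSSL version behind `cryptography`; it is largest on OpenSSL 3, which is the situation the release notes describe. In a real server the cache should be bounded (for example an LRU keyed the same way) so that a flood of connection requests cannot grow it without limit, and the 50x-60x figure above is the release's own measurement under load, not something this example reproduces.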
A server tuning section has also been added to the documentation with information on adjusting the web server queues for high-capacity deployments.
Organization Expiration Warning
Older versions of Pritunl created organizations with a 10 year expiration on the CA certificate; this was later increased to 30 years. An organization whose CA certificate is approaching expiration will need to be deleted and recreated before it expires. The web console will now display a warning when the expiration is less than 2 years away.