We are currently using the Pritunl VPN freeware version with 200+ active VPN users connected daily.
Considering the current global situation, having a Disaster Recovery (DR) plan is mandatory for our environment.
Our biggest concern and tension point is that these 200+ users are business-critical, and any interruption during failover directly impacts live user sessions and productivity.
The most critical challenge is that all end clients are configured to connect using the current Pritunl server VPN public IP address. Because AWS public IPs are region-specific, during a cross-region DR failover the VPN endpoint IP changes, which means all client connectivity breaks until users manually reconnect using the new IP.
Due to this regional IP limitation in AWS, the current DR planning is not practical for us.
We are looking for an alternative architecture or automatic failover strategy that can preserve client connectivity with minimal or zero interruption, even when the primary AWS region becomes unavailable.
Our key requirements are:
Automatic cross-region failover
No manual end-user reconfiguration
Minimum disruption for 200+ live VPN users
Same stable public endpoint for clients
Support for clients currently using server VPN IP address
Please suggest the best DR/failover design for Pritunl in AWS, especially where clients are already hardcoded with the server VPN public IP.
pritunl is designed with independent nodes that get award of each other when they are connected to the same database. To achieve cross-region failover, you could use mongodb atlas cluster with read and write databases in different regions, then connect your pritunl node to its closer database and set up replication. Replication | Pritunl VPN | Pritunl Documentation you will need pritunl entreprise for this.
If multiple hosts are configured it will require an enterprise subscription also included in the subscription is the configuration sync. Before the client connects it will use the HTTPS port on the Pritunl server to sync configuration changes including host changes. This will sync any new IP addresses into the configuration.
The client will also handle automatic failover to connect to the other hosts when one is offline. There is also the additional geo sort host selection option which will have the client connect to the nearest host based on location.
Both servers need to be mapped to the same domain. Kindly confirm the final VPN DR architecture on AWS, along with key considerations, so we can take the necessary precautions before making a decision.
We would appreciate your support in helping us conclude this matter at the earliest.
It will be on the the same domain. Below are all the addresses and how to configure them.
Hosts Tab
Host Public Address: The public IPv4 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
Host Public IPv6 Address: The public IPv6 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
Host Sync Address: In the advanced host settings. The public address or domain that the web server of the Pritunl servers can be accessed from. If a load balancer is configured that address should be set here.
Top Right Settings
Single Sign-On Domain: The public address or domain that is used to validate single sign-on requests through the Pritunl web server for a new VPN connection. This should be the same domain used to access the web console. If a load balancer is configured that address should be set here. Requires valid SSL certificate.