Pritunl VPN subscription gets revoked upon reconfiguring network

Previously we had our Pritunl VPN server instance in GCP enabled with a public IP, and the enterprise subscription that we had was working fine. But to be compliant with SOC2, we planned to make the instance private and exposed it through a pass-through network load balancer.
The host domain was reconfigured to point to the new load balancer IP. Everything was working fine, and when I tried connecting to the VPN, the IP in the Pritunl client was shown as the new load balancer IP. So far so good.

But when I removed the public IP from the server instance, everything started failing. The Google login and the VPN connection were not working. But I can access the VPN server web UI through the host (also I have ports 80, 443 and the VPN port added to the forwarding rule). Then I tried restarting the server from the VPN instance. That's where I found that the enterprise subscription got revoked. The Google login was no longer available. When I added back my public IP to the instance, everything started working again.

Why did this happen? Can anyone find me a proper solution to this issue considering my scenario?
I want the VPN server to work with the load balancer IP and not with the public IP of the instance. Any help is appreciated. Thank you!!

+1
Hi abhishekpradeep,

I’m also looking to implement that solution, currently at the stage of planning.

While we’re waiting for the support team to respond to the subscription issue, can I ask if you had to make any changes to the VPN Host config when you placed the LB in front of it?

In my brief plan:

  • Create a pass-through network load balancer
  • Add the VPN host to the UIG (that should not cause any current connection issues, I believe)
  • Update the DNS record to point to the load balancer's IP (when ready to switch, or could just modify the hosts file on my machine for a quick test)
  • Detach the public IP from the VPN host

Have I missed anything? Any help/advice would be much appreciated.

Thank you!

It will need an internet connection for the subscription to work. When removing a public IP, a NAT gateway will need to be configured on that cloud provider.

If there is a web load balancer, that load balancer domain needs to be set in the top right settings under Single Sign-on Connection Domain (this option is only shown if that feature is in use) and in the advanced host settings under Sync Address.

Also, after this is done, unless all the existing clients can sync the changes from the previous IP, the profiles will need to be reimported. The load balancer can be added to the addresses before removing the public IP to allow time for all the clients to sync on the next connection.

Thanks for your response Zach.

I have set up a GCP pass-through network load balancer (with ports 80, 443 and the UDP VPN port added to the forwarding rule, and created a Cloud NAT), reimported the profile, and when I try to connect via the client app, it's stuck on connecting and I don't get the DHCP IP assigned from the IP pool. Do I need an HTTPS load balancer as well just to establish the connection?

As the post author mentioned, we need to get this to work via the load balancer IP and not via the public IP of the instance for security compliance reasons.
I've already looked through all the documentation and tutorials, but I'm hoping that you could put up some steps (tutorial) to achieve this scenario please, as I'm sure many other people would also benefit from this.

Many thanks

Network load balancers will break several configurations.

Some configurations such as single sign-on, device authentication and dynamic firewall will require HTTPS requests to the Pritunl server.

Thanks Zach, do you know if this solution will work with HTTPS Load Balancer instead?

There’s no issues with web requests going through a load balancer. Putting the VPN traffic through a network load balancer will cause problems.

Hey Zach,

So I created the Application LB (HTTPS) and I am able to access the dashboard now; however, the client is stuck on connecting now. From the logs I can see it's trying to connect to the LB IP on the UDP port assigned during installation. So now the issue is that the Application LB does not support UDP traffic, which is why my original attempt was to use a Network Passthrough LB.
Is there any workaround for this?

Please note I'm using the free version at the moment while working on a POC, in case there are any settings only available under subscription.

Appreciate your help with this.

Below are all the addresses and how to configure them. The host public address is likely configured incorrectly.

Hosts Tab

  • Host Public Address: The public IPv4 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Public IPv6 Address: The public IPv6 address or domain of the Pritunl host. This should always be the public IP of the host for all configurations even when using a load balancer.
  • Host Sync Address: In the advanced host settings. The public address or domain that the web server of the Pritunl servers can be accessed from. If a load balancer is configured that address should be set here.

Top Right Settings

  • Connection Single Sign-On Domain: Only shown when using single sign-on connection authentication. The public address or domain that is used to validate single sign-on requests through the Pritunl web server for a new VPN connection. If a load balancer is configured that address should be set here.
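The address rules Zach lists above, encoded as a small checker (added example, not Pritunl's own code). The host IP, load balancer IP, DNS names and the settings dicts are all constructed values; the settings keys are assumptions, not Pritunl's real configuration keys.

```python
"""Check Pritunl address settings against the load-balancer layout described
in this thread. Constructed example: IPs, DNS names and keys are assumptions."""
import ipaddress

# Constructed layout: the host keeps its own public IP, the LB has another.
HOST_PUBLIC_IP = "203.0.113.10"
LB_IP = "198.51.100.20"
# Constructed DNS view (name -> IP) so the check runs offline.
DNS = {"vpn.example.com": LB_IP, "host1.example.com": HOST_PUBLIC_IP}


def resolve(addr):
    """Return the IPv4 an IP literal or domain points at, or None."""
    try:
        return str(ipaddress.ip_address(addr))
    except ValueError:
        return DNS.get(addr)


def check_addresses(settings, sso_enabled=False):
    """Return a list of findings (empty means the layout matches the rules).

    Rules from the thread: Host Public Address is always the host's own public
    IP, even behind a load balancer; Host Sync Address and, when single sign-on
    connection auth is used, the Connection Single Sign-On Domain point at the LB.
    """
    findings = []
    if resolve(settings.get("host_public_address", "")) != HOST_PUBLIC_IP:
        findings.append("Host Public Address must be the host's own public IP, "
                        "not the load balancer")
    if resolve(settings.get("host_sync_address", "")) != LB_IP:
        findings.append("Host Sync Address should point at the load balancer")
    if sso_enabled and resolve(settings.get("sso_connection_domain", "")) != LB_IP:
        findings.append("Connection Single Sign-On Domain should point at the "
                        "load balancer")
    return findings


# The mistake discussed in the thread: the LB name used as the host public address.
BAD_SETTINGS = {"host_public_address": "vpn.example.com",
                "host_sync_address": "vpn.example.com"}
# Corrected: host keeps its own IP, only the web/sync address goes through the LB.
GOOD_SETTINGS = {"host_public_address": HOST_PUBLIC_IP,
                 "host_sync_address": "vpn.example.com",
                 "sso_connection_domain": "vpn.example.com"}

if __name__ == "__main__":
    for name, cfg in (("bad", BAD_SETTINGS), ("good", GOOD_SETTINGS)):
        print(name, check_addresses(cfg, sso_enabled=True) or "OK")
```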

Thanks Zach,

In the free version the Hosts tab is not present, but I can see it under Enterprise, so that's fine.

So I assume I cannot fully test it with the free subscription, correct?

Thanks for your help!

The free version will only support one host. Attempting to use a load balancer to route to multiple hosts running on different databases won't work; the keys would be different on each installation.

Once an enterprise cluster is created the domain options will be available in addition to load balancer options in the top right settings. The load balancing documentation has more information on configuring a load balancer.