Sync without Pritunl interface/API publicly exposed


We are not comfortable exposing publicly Pritunl web interface/API.
In such situation, profile sync is obviously not working.

Our idea would be to apply profile sync only when users are:

  • Physically in the office, so Pritunl API is reachable
  • When already connected to a “working Pritunl profile”

However what we observed is profile sync is never applied when already connected to VPN for example.

So few questions:

  • When exactly the profile sync occur ? How we can force a profile sync ?
  • If we really need to expose Pritunl API, can I limit access to /key/%s/%s/%s/%s paths (using a reverse Proxy, …)

The profile sync occurs before connecting. The sync address can be set in the host settings and can be set to an internal address that will only work when the user is on a secure network. The path for profile sync is /key/sync/<org_id>/<user_id>/<server_id>/<key_hash> all of the parameters can be filtered to [a-zA-Z0-9]. The security of the web server can be improved by using Oracle Linux which will include SELinux polices that isolate the pritunl-web process. Additionally in the next release that is currently in the unstable repository the command sudo pritunl set app.web_systemd true will run the pritunl-web process in a systemd unit. This allows the process to run as a non-root user and include the systemd isolation options such as ProtectSystem=full.

Hi @zach , thanks for your answer.

When you said sync host can be set to internal address, and the profile sync occurs before connecting, can you share a use case ?
If I understand correctly, when I’m on a secured network, I usually don’t need to established a VPN connection, so I will never sync the profile because it only happened when I’m initiating a connection.

Is there another solution to initiate profile sync rather than waiting for a connection attempt ? (CLI, …)


That is the only way of running the configuration sync.