The profile sync occurs before connecting. The sync address can be set in the host settings and can be set to an internal address that will only work when the user is on a secure network. The path for profile sync is /key/sync/<org_id>/<user_id>/<server_id>/<key_hash>; all of the parameters can be filtered to [a-zA-Z0-9]. The security of the web server can be improved by using Oracle Linux, which will include SELinux policies that isolate the pritunl-web process. Additionally, in the next release that is currently in the unstable repository, the command sudo pritunl set app.web_systemd true will run the pritunl-web process in a systemd unit. This allows the process to run as a non-root user and include the systemd isolation options such as ProtectSystem=full.
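An added example, not from the post above or from Pritunl's own code: an allow-list check that a proxy or filtering layer in front of the sync address could apply, built only from the path format and character class stated above. The function names, the sample paths, the absence of length limits and ignoring the query string are assumptions.

```python
import re

# Allow-list for the sync path given in the post: four parameters, each
# restricted to [a-zA-Z0-9]. The post states no lengths, so none are enforced
# here (assumption).
SYNC_PATH = re.compile(
    r"/key/sync/(?P<org_id>[a-zA-Z0-9]+)/(?P<user_id>[a-zA-Z0-9]+)"
    r"/(?P<server_id>[a-zA-Z0-9]+)/(?P<key_hash>[a-zA-Z0-9]+)"
)


def check_sync_path(raw_target):
    """Return the four parameters if raw_target is a well-formed sync path, else None.

    raw_target is the request target as received, before percent-decoding or
    path normalisation, so encoded bytes such as '%2f' fail the allow-list
    instead of being decoded into a separator further down the chain.
    """
    path, _, _query = raw_target.partition("?")  # query is not inspected (assumption)
    match = SYNC_PATH.fullmatch(path)            # fullmatch: no prefix or suffix allowed
    return match.groupdict() if match else None


def rejected(targets):
    """Return the targets that fail the allow-list, in input order."""
    return [t for t in targets if check_sync_path(t) is None]


# Constructed sample request targets (not real identifiers).
SAMPLES = [
    "/key/sync/5f1a/5f1b/5f1c/abc123",      # well formed
    "/key/sync/5f1a/5f1b/5f1c/abc123/",     # trailing slash
    "/key/sync/5f1a/..%2f5f1b/5f1c/abc1",   # encoded separator and dots
    "/key/sync/5f1a/5f1b/5f1c",             # missing key_hash
    "/key/sync/5f1a//5f1c/abc123",          # empty user_id
    "//other.example/key/sync/a/b/c/d",     # extra leading segment
]

if __name__ == "__main__":
    for target in SAMPLES:
        print("ALLOW" if check_sync_path(target) else "DENY ", target)
```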
When you said the sync host can be set to an internal address, and the profile sync occurs before connecting, can you share a use case?
If I understand correctly, when I’m on a secured network, I usually don’t need to establish a VPN connection, so I will never sync the profile because it only happens when I’m initiating a connection.
Is there another solution to initiate profile sync rather than waiting for a connection attempt? (CLI, …)