The client cannot connect to Pritunl (WireGuard) the first time

I am using a cluster of 2 Pritunl servers and Atlas MongoDB and Enterprise license.
For authorization, I use PIN + Google MFA.
In the VPN settings, “Replication Count” is 2.
When there was only one Pritunl server, clients connected on the first attempt. Now that there are 2 Pritunl servers, it is not always possible to connect on the first attempt using the WireGuard protocol.
It can take 2-4 attempts before you connect.

Can you please tell me what the problem could be?
Logs from the server:
(attached screenshot: Selection_537)
(attached screenshot: Selection_536)

Pritunl server version v1.32.3602.80

Many thanks!

If it’s 2 hosts with Google Authenticator and only one doesn’t work, it’s most likely the time. Google Authenticator is a time-based algorithm. From the logs it may be that the time is off slightly, causing the OTP code window to be much shorter. The server will accept the previous, current and next code for a total 90-second window.

Sometimes the timezone is set incorrectly, causing issues, but this would cause the code to never be accepted. The time is converted to UTC when calculating the code; if the timezone is set incorrectly, the conversion will be wrong.

@zach Thanks for your reply.
I try to connect from different devices using my Google MFA and the same thing happens. Sometimes it connects the first time, but sometimes it takes 2-3 attempts, which is very inconvenient for users.
I synchronized the time in Google MFA, but it didn’t help.

Could this be because the client is trying to connect with a WG key from the second Pritunl server? I understand each server has its own WG public key. And when a client tries to connect to server 1 with a key from server 2, can this reject the client?

Many thanks!

Run the commands below to add a log message with the provided code and valid codes to see what the server is receiving.

sudo nano /usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/user/user.py
ctrl+w valid_codes
        if code not in valid_codes:
            logger.info('Google OTP invalid', 'user',
                user_name=self.user.name,
                code=code,
                valid_codes=valid_codes,
            )
            return False
ctrl+x s
sudo systemctl restart pritunl

The client will send a connection request and the server will send back a token and public IP address for connecting. If a load balancer were to send the connection request to a different server it wouldn’t have any effect. Once connected the requests are sent to the internal VPN network IP which would skip any load balancers. If a network load balancer did impact the connection it wouldn’t cause this error.

Also add the code below; it’s possible the request is being sent twice, causing the code to be invalidated.

sudo nano /usr/lib/pritunl/usr/lib/python3.9/site-packages/pritunl/user/user.py
ctrl+w valid_codes
        try:
            self.otp_collection.insert({
                '_id': {
                    'user_id': self.id,
                    'code': code,
                },
                'timestamp': utils.now(),
            })
        except pymongo.errors.DuplicateKeyError:
            logger.info('Duplicate Google OTP code', 'user',
                user_name=self.user.name,
                code=code,
                valid_codes=valid_codes,
            )
            return False
ctrl+x s
sudo systemctl restart pritunl

If it’s a duplicate key error, you likely have a server that isn’t functioning, causing the request to fail halfway through, and the client will reuse the key assuming it was not checked.
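The two checks described in this thread (the 90-second window of previous/current/next codes, and the duplicate-code insert that turns a replayed or re-sent code into a `DuplicateKeyError`) can be reproduced outside Pritunl. The following is an added, self-contained example and not Pritunl’s own code: it implements RFC 6238 TOTP with a ±1 step window, keeps an in-memory `set` in place of Pritunl’s `otp_collection` unique `_id`, and includes a helper (`client_code_accepted`, a hypothetical name) that shows why a client clock that is only 45 seconds off is accepted on some attempts and rejected on others. The secret is the RFC 4226/6238 test-vector key, not a real user secret.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # TOTP time step in seconds (RFC 6238 default)
WINDOW = 1   # accept previous, current and next step: 3 codes, a 90-second window


def hotp(secret_b32: str, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP over a base32 secret (what Google Authenticator computes)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    truncated = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % (10 ** digits)).zfill(digits)


def valid_codes(secret_b32: str, now: float, window: int = WINDOW) -> list:
    """Codes the server accepts at time `now`: one per step in [-window, +window]."""
    step = int(now // STEP)
    return [hotp(secret_b32, step + i) for i in range(-window, window + 1)]


class OtpVerifier:
    """Window check followed by a replay check, mirroring the two server-side tests."""

    def __init__(self):
        # Stands in for the unique (user_id, code) _id in Pritunl's otp_collection.
        self.used = set()

    def verify(self, user_id: str, secret_b32: str, code: str, now: float) -> str:
        codes = valid_codes(secret_b32, now)
        if code not in codes:
            return "invalid"        # the 'Google OTP invalid' branch
        key = (user_id, code)
        if key in self.used:
            return "duplicate"      # the DuplicateKeyError branch: code already consumed
        self.used.add(key)
        return "ok"


def client_code_accepted(secret_b32: str, server_now: float, client_skew: float) -> bool:
    """Hypothetical helper: would a client whose clock is `client_skew` seconds ahead
    of the server produce a code the server accepts right now?"""
    client_step = int((server_now + client_skew) // STEP)
    return hotp(secret_b32, client_step) in valid_codes(secret_b32, server_now)


if __name__ == "__main__":
    # Constructed input: the RFC 6238 test secret ("12345678901234567890" in base32).
    secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    now = time.time()
    verifier = OtpVerifier()
    code = hotp(secret, int(now // STEP))
    print("first use:", verifier.verify("alice", secret, code, now))   # ok
    print("second use:", verifier.verify("alice", secret, code, now))  # duplicate
    # A 45 s skew is inside the 90 s window only for part of each 30 s step,
    # which is exactly the "works on the 2nd or 3rd try" symptom.
    for offset in range(0, 30, 5):
        t = (now // STEP) * STEP + offset
        print(f"skew 45s at +{offset:2d}s into the step:",
              client_code_accepted(secret, t, 45))
```

Running the script shows the intermittent pattern: the same 45-second skew is accepted early in a 30-second step and rejected late in it, so a user who retries a few seconds later succeeds without changing anything, which is why the thread suggests logging `code` next to `valid_codes` before looking elsewhere.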

Thanks @zach. I’ll try.

Hi @zach
I haven’t added your code or tested it yet. But I have enabled the use of custom cache "pritunl set app.sso_cache true" and I am testing (connect and disconnect several times) the VPN client. And I see that sometimes the client tries several times to connect to the server. And only on the 2nd or 3rd try it succeeds. But I enter MFA only once when I start the client for the first time. I think this shows that it’s not the client’s Google MFA.
In the Pritunl VPN server logs:
(attached screenshot: Selection_561)
I tested this on an Ovpn and WireGuard connection.
Maybe you’ll have time to bring up 2 Pritunl servers and try connecting to them?
I use AWS: LB → 2 EC2 instances (Pritunl server in a Docker container on these instances). And these EC2 instances are in 2 availability zones (us-east-1a, us-east-1b).
My infrastructure looks like this

Thanks a lot!

The WireGuard connection design in Pritunl isn’t going to work with a network load balancer. The server will expect the client to connect to the same server that received the authentication request. A load balancer can be used in front of the Pritunl web server but not for both with WireGuard connections.

@zach thanks for your reply.
Tell me please how we can use a Pritunl cluster?

Hi @zach. Tell me please how we can use a Pritunl cluster (redundant) if we use a WireGuard type connection?
I can’t find information in the documentation about WireGuard on several Pritunl servers.
Or if we use WireGuard type connection, we need to use only one “big instance” of Pritunl server?
Or how we need to reconfigure Pritunl VPN in redundant mode?

It somehow works, but because of this I suspect the client sometimes reconnects several times before connecting to the VPN, until it reaches the VPN server from which the client received the key?

Thanks a lot!

It would already be done automatically. The Pritunl Client will randomly select a host to connect to; it will work with both OpenVPN and WireGuard. Newer hosts will automatically be synced to the client configuration. A web load balancer can be configured for the Pritunl web server. The host address should be set to the public IP of the host and the sync address set to the address of the load balancer. The load balancing documentation has more information.

Hi @zach. Thanks for the answer, but you said:
“The WireGuard connection design in Pritunl isn’t going to work with a network load balancer. The server will expect the client to connect to the same server that received the authentication request.”

The server will return with the host public address in the authentication request, the client will use the public address to connect. The host public address must be correctly configured to either the automatically detected IP address or a domain for the IP address of the host. The sync address would be configured with the load balancer domain. This will result in the client connecting to the same host that received the authentication request.

Hi @zach thanks for your response.
I use a load balancer in front of 2 Pritunl servers with enabled WireGuard servers, like in the diagram above. I use 1 IP for the LB. And does WireGuard need to use one Pritunl server per VPN server?

Am I correct in understanding that in Pritunl cluster mode, WireGuard will not work as it should?

Thanks!