Use same host tunnel after server restart

Is it possible to use the same host tunnel every time the Pritunl VPN server is restarted, for whatever reason? If so, how can we achieve this? Basically I’m searching for functionality that can reserve the host tunnel somehow, because I’m adding additional iptables rules used to limit the peer-to-peer communication.

Thanks!

If you’re referring to the tunnel interface the best way to handle that is with the server_start and server_stop plugin handlers. This will include the interface and interface_wg variables that can then be used to create iptables rules. The plugin documentation has more information on configuring plugins.

I may not have explained my idea clearly earlier, so here’s an update: Every time a Pritunl VPN server starts, it assigns a random tunnel on the host where the Pritunl service is running. The issue I’m encountering is that each time the VPN server is stopped and restarted, a new host tunnel is assigned.

For example, the first time I start my Pritunl VPN server with the CIDR 172.16.0.0/24, the Linux host assigns it the tunnel tun10. After starting the server, I decide to add new routes. To do this, I need to stop the server, add the routes, and then restart it. However, when I restart the server, instead of reusing tun10, a new tunnel, tun11, is assigned for the same VPN server.

Is there a way to configure the VPN server to reuse the same tunnel (e.g., tun10) instead of creating a new one? Is this behavior configurable at all?

There isn’t a way to assign the same tunnel interface, but it is included in the plugin calls.

How can this be used? Could you provide an example?

Run sudo nano /var/lib/pritunl/plugins/custom_iptables.py then add the code below. Then run sudo systemctl restart pritunl.

from pritunl import logger
import subprocess

# Called by Pritunl every time this server starts; `interface` is the tunnel
# name (tun10, tun11, ...) assigned for this particular start.
def server_start(host_id, host_name, server_id, server_name, network,
    network_wg, interface, interface_wg, **kwargs):

    logger.info('Adding custom iptables', 'plugin',
        server_name=server_name,
        interface=interface,
    )

    try:
        # Drop forwarded TCP traffic to port 22 arriving from the tunnel.
        subprocess.check_call([
            'iptables',
            '-I', 'FORWARD',
            '-i', interface,
            '-p', 'tcp',
            '--dport', '22',
            '-j', 'DROP'
        ])
    except Exception:
        logger.exception('Failed to add custom iptables', 'plugin',
            server_name=server_name,
            interface=interface,
        )
        raise


# Called by Pritunl every time this server stops, with the same interface
# name that server_start received, so the matching rule can be deleted.
def server_stop(host_id, host_name, server_id, server_name, network,
    network_wg, interface, interface_wg, **kwargs):

    logger.info('Removing custom iptables', 'plugin',
        server_name=server_name,
        interface=interface,
    )

    try:
        # Delete the rule added in server_start (same match, -D instead of -I).
        subprocess.check_call([
            'iptables',
            '-D', 'FORWARD',
            '-i', interface,
            '-p', 'tcp',
            '--dport', '22',
            '-j', 'DROP'
        ])
    except Exception:
        logger.exception('Failed to remove custom iptables', 'plugin',
            server_name=server_name,
            interface=interface,
        )
        raise

So, if I understand correctly, plugins provide additional functionality that takes effect after restarting the Pritunl service. Please correct me if I’m mistaken. This approach might work if you don’t require dynamically changing host tunnels each time the service restarts. However, how would I handle scenarios where I need to use the tunnel created by the Pritunl VPN server as input/output interfaces in my iptables rules?

No, the plugin files stored in that directory are loaded when the service restarts. The plugin functions are called at different times for each handler. When each function is called is documented in the example in the plugins documentation. The server_start function is called every time a server starts and server_stop is called every time a server stops.
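The peer-to-peer limit from the opening question, written as a plugin that uses the per-start `interface` value as both the input and output interface of the rule. This is an added example, not Pritunl's own code and not the code posted above; it assumes the same `server_start`/`server_stop` handler signatures, that Pritunl passes an empty `interface_wg` when WireGuard is not enabled, and that `iptables -C` exits 0 when an identical rule exists. `FakeIptables` is a constructed stand-in for `subprocess.call` so the logic can be dry-run outside Pritunl; inside the service the real `iptables` binary is called.

```python
import logging
import subprocess

try:
    from pritunl import logger  # only importable inside the Pritunl service
except ImportError:
    logger = None  # outside Pritunl (dry runs, tests): fall back to stdlib logging

log = logging.getLogger('custom_iptables')


def _info(msg, **fields):
    if logger is not None:
        logger.info(msg, 'plugin', **fields)
    else:
        log.info('%s %s', msg, fields)


def peer_block_rule(interface):
    """FORWARD rule that drops packets entering and leaving the same tunnel.
    In routed (tun) mode a packet from one VPN client to another comes in on
    the tunnel and is forwarded back out the same tunnel, so matching -i and
    -o on one interface blocks peer-to-peer traffic while leaving
    tunnel-to-LAN forwarding untouched."""
    return ['FORWARD', '-i', interface, '-o', interface, '-j', 'DROP']


def rule_exists(rule, run=subprocess.call):
    # 'iptables -C' exits 0 when an identical rule is present, 1 when it is not.
    return run(['iptables', '-C'] + rule) == 0


def ensure_rule(rule, run=subprocess.call):
    """Insert the rule once; calling this twice does not create a duplicate."""
    if rule_exists(rule, run):
        return False
    if run(['iptables', '-I'] + rule) != 0:
        raise RuntimeError('iptables -I failed for %r' % (rule,))
    return True


def purge_rule(rule, run=subprocess.call):
    """Delete every copy of the rule and return how many were removed, so
    duplicates added by hand or by an earlier run are cleared as well."""
    removed = 0
    while rule_exists(rule, run):
        if run(['iptables', '-D'] + rule) != 0:
            raise RuntimeError('iptables -D failed for %r' % (rule,))
        removed += 1
    return removed


def server_start(host_id, host_name, server_id, server_name, network,
                 network_wg, interface, interface_wg, **kwargs):
    # Pritunl passes the tunnel chosen for *this* start (tun10, tun11, ...),
    # so the rule follows the interface without hard-coding its name.
    # Assumption: interface_wg is empty when WireGuard is not enabled.
    for iface in (interface, interface_wg):
        if iface:
            ensure_rule(peer_block_rule(iface))
            _info('Added peer block rule', server_name=server_name, interface=iface)


def server_stop(host_id, host_name, server_id, server_name, network,
                network_wg, interface, interface_wg, **kwargs):
    # Same interface name as the matching server_start call, so the rule
    # for the tunnel that is going away is the one removed.
    for iface in (interface, interface_wg):
        if iface:
            purge_rule(peer_block_rule(iface))
            _info('Removed peer block rule', server_name=server_name, interface=iface)


class FakeIptables:
    """Constructed stand-in for subprocess.call used for dry runs outside
    Pritunl: keeps an in-memory chain and answers -C/-I/-D like iptables."""
    def __init__(self):
        self.rules = []

    def __call__(self, argv):
        action, rule = argv[1], argv[2:]
        if action == '-C':
            return 0 if rule in self.rules else 1
        if action == '-I':
            self.rules.insert(0, rule)
            return 0
        if action == '-D':
            if rule in self.rules:
                self.rules.remove(rule)
                return 0
            return 1
        return 2
```

Because the rule is derived from the `interface` argument on every call, a server that comes back on tun11 instead of tun10 gets a rule for tun11 and the tun10 rule is removed by the preceding `server_stop`; the `-C` check keeps a repeated start from stacking identical rules.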