🛡️ Setup Pritunl — Enterprise VPN Server
Deploy Pritunl, a distributed OpenVPN and WireGuard server with a web dashboard for managing organizations, servers, users, and client profiles at scale.
📦 Resources & Setup Scripts
Grab the automated bash script from GitHub to follow along.
Quick Install:
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/pritunl/pritunl-ubuntu.sh
chmod +x pritunl-ubuntu.sh
sudo bash pritunl-ubuntu.sh
Tutorial Steps
1 Download & Run the Script
The script installs Docker, pulls the Pritunl and MongoDB images, and starts the full stack. It runs as root and changes the host (packages, the Docker daemon, containers), so read it before you run it; downloading it to disk first, as shown, is what makes that possible. When it finishes it prints a setup key for the initial web configuration.
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/pritunl/pritunl-ubuntu.sh
chmod +x pritunl-ubuntu.sh
sudo bash pritunl-ubuntu.sh
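The tutorial fetches the script and runs it as root in two separate steps. The following is an added shell example, not code from the page or from the script's author, that keeps those two steps apart on purpose: it downloads to a private temporary file, refuses to run the file unless its SHA-256 matches a hash you recorded after reading the script yourself, and only then hands it to sudo. The URL is the one from the tutorial; the expected hash is a placeholder you fill in from your own review, not a value published anywhere.

```shell
#!/usr/bin/env bash
# Added example (not part of the tutorial or of the script's repository).
# Download an install script, verify it against a hash you recorded after
# reviewing it, and only then run it as root.
set -eu

SCRIPT_URL="https://raw.githubusercontent.com/mhmdali94/Docker/main/vpn/pritunl/pritunl-ubuntu.sh"

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum elsewhere)
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# verify_script FILE EXPECTED -> 0 if FILE's SHA-256 equals EXPECTED, else 1.
# The recorded hash is lowercased first so its case does not matter.
verify_script() {
  local file="$1" expected="$2" actual
  actual="$(sha256_of "$file")"
  expected="$(printf '%s' "$expected" | tr 'A-F' 'a-f')"
  if [ "$actual" = "$expected" ]; then
    return 0
  fi
  echo "checksum mismatch for $file: got $actual, expected $expected" >&2
  return 1
}

# fetch_and_run URL EXPECTED -> download to a mode-600 temp file, verify, run as root.
# Nothing is executed if the hash does not match; the download is discarded.
fetch_and_run() {
  local url="$1" expected="$2" tmp
  tmp="$(mktemp)"
  chmod 600 "$tmp"
  curl -fsSL --proto '=https' --tlsv1.2 -o "$tmp" "$url"
  verify_script "$tmp" "$expected" || { rm -f "$tmp"; return 1; }
  sudo bash "$tmp"
  rm -f "$tmp"
}

# Usage, once you have read the script and recorded its hash:
#   fetch_and_run "$SCRIPT_URL" "<sha256 you recorded during review>"
```

The hash is pinned to the copy you reviewed, so a later change to the file on the `main` branch (benign or not) stops the install instead of silently running as root. Re-review and re-record the hash whenever you intentionally pick up a new version.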
2 Initial Setup via Web UI
Open your browser and navigate to Pritunl. The default certificate is self-signed, so expect a browser warning on the first visit; once the server has a DNS name, enter it as the Let's Encrypt domain under Settings to get a trusted certificate (port 80 must be reachable for the challenge). Enter the setup key printed by the script, then set your admin username and password. Do this promptly after the script finishes and choose a strong password, because this account controls every server and user:
https://YOUR-SERVER-IP
3 Create Organization and Users
Go to Users → Add Organization, then add users to the organization. Each user can have multiple devices and download their .ovpn config profile. Create one user per person rather than sharing a profile, so that revocation and the connection logs map to an individual.
4 Attach a Server and Go Online
Go to Servers → Add Server, attach the organization, and click Start Server. Users can now connect using the OpenVPN client or the Pritunl client app.
Ports Used
| Port | Protocol | Purpose |
|---|---|---|
| 80 | TCP | HTTP (redirects to HTTPS) |
| 443 | TCP | Web UI (HTTPS) |
| 1194 | UDP | OpenVPN Tunnel |
Files Location
/root/docker/pritunl/docker-compose.yml
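The script writes its compose file to the path above; the file's contents are not reproduced on this page. What follows is an added example compose file, not the script's own, laid out the way a practitioner would want it: MongoDB sits on an internal compose network with no published port, and only the three ports from the table are published for Pritunl. The image names, the environment variable used to point Pritunl at MongoDB, the volume paths and the capability/device settings are assumptions to check against the real file on your host.

```yaml
# Added example compose file, not the one the install script writes.
# Image names, PRITUNL_MONGODB_URI, volume paths and the tun-device settings
# are assumptions; compare with /root/docker/pritunl/docker-compose.yml.
services:
  mongo:
    image: mongo:7                      # assumed image/tag
    restart: unless-stopped
    # No "ports:" entry on purpose: 27017 is reachable only from the
    # compose-internal network, never from the host's public interfaces.
    networks: [backend]
    volumes:
      - mongo-data:/data/db

  pritunl:
    image: pritunl/pritunl:latest       # assumed image name
    restart: unless-stopped
    depends_on: [mongo]
    cap_add: [NET_ADMIN]                # assumed: needed to create the tunnel
    devices:
      - /dev/net/tun:/dev/net/tun       # assumed: tun device for OpenVPN/WireGuard
    environment:
      # Assumed variable name; if your image ignores it, run
      # `pritunl set-mongodb mongodb://mongo:27017/pritunl` inside the container.
      PRITUNL_MONGODB_URI: mongodb://mongo:27017/pritunl
    ports:
      - "80:80/tcp"                     # HTTP redirect; only needed for Let's Encrypt
      - "443:443/tcp"                   # web UI
      - "1194:1194/udp"                 # OpenVPN tunnel
      # Never add "27017:27017" here. Docker programs its own iptables rules for
      # published ports, so a host firewall such as ufw would not block it.
    networks: [backend]
    volumes:
      - pritunl-data:/var/lib/pritunl

networks:
  backend:

volumes:
  mongo-data:
  pritunl-data:
```

The one line that matters for security is the absence of a `ports:` entry on the `mongo` service: a port that is never published cannot be exposed by a later firewall mistake.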
Overview
Pritunl is an enterprise-grade, distributed OpenVPN and WireGuard server with a web management interface. It supports multi-server clustering, SSO via Google and Okta, two-factor authentication, and granular access control — making it suitable for organizations that need a managed, scalable VPN solution.
Why Use It
Pritunl brings enterprise VPN management to self-hosted infrastructure without the per-seat licensing costs of commercial solutions. Its web UI lets you create VPN organizations, manage user certificates, set bandwidth limits, and enforce two-factor authentication, tasks that would otherwise require manual OpenVPN config editing. With SSO via Google and Okta (a paid-tier feature; see the FAQ below), users authenticate with their existing corporate credentials, eliminating separate VPN password management. WireGuard support as an optional backend provides modern, faster connections.
Ports and Firewall Notes
Pritunl needs several ports open. Port 443 (TCP) is used for the Pritunl web admin interface; port 80 (TCP) only needs to be reachable if you use the built-in Let's Encrypt certificate, otherwise it can stay closed. The VPN server port (default UDP 1194 for OpenVPN or UDP 51820 for WireGuard) must be open for client connections; you can change it in the server settings. MongoDB uses port 27017 internally and must never be exposed publicly. If you run multiple servers for HA, they communicate over TCP port 9700 internally, so allow that port only between the Pritunl hosts, not from the internet. Note that Docker publishes container ports through its own iptables rules, so a port published in docker-compose bypasses ufw; the only reliable way to keep MongoDB private is to not publish 27017 at all.
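To confirm that only the intended ports are reachable from outside, and in particular that MongoDB is bound to loopback or to the Docker-internal network only, here is an added shell example that is not from the page or from Pritunl. It checks `ss -tulnp` output against an allowlist of `proto/port` entries and, separately, applies ufw rules matching the port table. The allowlist contents and the decision to permit SSH on port 22 are assumptions for your environment.

```shell
#!/usr/bin/env bash
# Added example, not part of the tutorial or of Pritunl.
# audit_listeners reads `ss -tulnp` output on stdin and prints every socket
# bound to a non-loopback address whose proto/port is not in the allowlist.
# Returns 0 when nothing unexpected is exposed, 1 otherwise.
# Allowlist format: space-separated "proto/port" entries, e.g. "tcp/443 udp/1194".
audit_listeners() {
  awk -v allow="$1" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1; bad = 0 }
    NR == 1 { next }                        # column header line
    NF < 5  { next }
    {
      proto = $1; sock = $5
      pos = match(sock, /:[0-9]+$/)         # split on the last ":port"
      if (pos == 0) next
      addr = substr(sock, 1, pos - 1); port = substr(sock, pos + 1)
      # loopback binds (127.x.x.x, ::1) are not reachable from the network
      if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]") next
      key = proto "/" port
      if (!(key in ok)) { print "EXPOSED " key " bound to " addr; bad = 1 }
    }
    END { exit bad }
  '
}

# audit_host ALLOWLIST: run the check against the live socket table.
# Ports published by Docker appear here as docker-proxy listeners on 0.0.0.0.
audit_host() {
  ss -tulnp | audit_listeners "$1"
}

# apply_ufw: host firewall matching the tutorial's port table, plus SSH so you
# do not lock yourself out (assumption: you manage the box over SSH on port 22).
# Docker inserts its own iptables rules for published ports, so a port you
# publish in docker-compose is reachable even if ufw denies it; for MongoDB the
# reliable control is to not publish 27017 at all.
apply_ufw() {
  sudo ufw default deny incoming
  sudo ufw default allow outgoing
  sudo ufw allow 22/tcp
  sudo ufw allow 80/tcp
  sudo ufw allow 443/tcp
  sudo ufw allow 1194/udp
  sudo ufw --force enable
}

# Usage:
#   audit_host "tcp/22 tcp/80 tcp/443 udp/1194" || echo "unexpected listener found"
```

Run `audit_host` after the stack is up and again after any compose change; a `tcp/27017` line bound to `0.0.0.0` or `[::]` means the database port was published and must be removed from the compose file, not merely firewalled.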
Alternatives
OpenVPN Access Server is the commercial version of OpenVPN with a similar web UI but charges per connected user beyond 2 simultaneous connections. WireGuard Easy offers a simple Docker-based WireGuard server with a minimal web UI — great for small teams but lacks SSO and audit features. Headscale is a self-hosted Tailscale control plane with a mesh VPN model. Netbird provides zero-trust mesh networking. Outline is focused on proxy-based censorship circumvention rather than full VPN management.
When Not to Use It
Pritunl is overkill for personal use or tiny teams — a simple WireGuard Easy setup is easier to manage and requires no MongoDB. If you need a zero-trust model where devices authenticate to each other without a central gateway, Tailscale or Headscale is a better fit. For provider-grade VPN with billing and client management, a dedicated VPN panel like 3x-ui serves that use case. If your team is already standardized on Cisco or Fortinet hardware, integrating a self-hosted Linux VPN may add unnecessary complexity.
Need Help Setting Up Pritunl?
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Frequently Asked Questions
Does Pritunl support WireGuard in addition to OpenVPN?
Yes. You can choose the protocol per server: OpenVPN, WireGuard, or both simultaneously. WireGuard is recommended for modern clients because it offers better performance and a smaller cryptographic attack surface. OpenVPN remains useful for older clients and for networks that block UDP, since WireGuard is UDP-only while an OpenVPN server can be switched to TCP. Change the protocol in the server settings and have users refresh their profiles (the Pritunl client syncs them; plain OpenVPN clients need a re-downloaded .ovpn) so they receive the correct config.
Can I use Pritunl with Google SSO?
Yes, on the paid tiers (see the licensing question below). Pritunl supports Google OAuth and Okta SAML. Configure SSO under Settings > Single Sign-On. Once enabled, users click Login with Google in the VPN client app or web panel instead of entering a VPN-specific password. When you disable someone in Google Workspace, they lose VPN access at their next authentication; to drop a session that is already connected, also disable the user in the Pritunl admin panel.
What database does Pritunl use and can I use an external one?
Pritunl stores everything in MongoDB. The install script sets up a local MongoDB instance on the same server. For production high-availability deployments, configure a MongoDB replica set (at minimum 3 nodes) and point Pritunl at the replica set URI; the pritunl set-mongodb command writes it as mongodb_uri in /etc/pritunl.conf. Using an external MongoDB cluster is fully supported and recommended for any setup where downtime is unacceptable. Keep the replica set on a private network with authentication and TLS enabled: whoever can write to that database can mint VPN credentials.
How many users can Pritunl handle?
The free self-hosted Pritunl has no hard user limit. Performance scales with your server's CPU and RAM. As a rough guide, an 8-core server handles hundreds of simultaneous OpenVPN connections before CPU becomes a bottleneck; measure with your own traffic mix before relying on that figure. The WireGuard backend scales better because packets are processed in the kernel. For very large deployments, cluster multiple Pritunl nodes and use a load balancer.
Is Pritunl free or is there a paid version?
Pritunl is open source under the AGPLv3 license. The self-hosted version is free with no user limits. Pritunl Enterprise adds SSO, route synchronization with AWS/Azure/GCP, and priority support — Enterprise requires a paid license. Most self-hosted scenarios work perfectly with the free tier including basic multi-user VPN, 2FA, and web management.
Can I run multiple VPN servers with one Pritunl installation?
Yes. A single Pritunl instance manages multiple servers (each with its own port and protocol). You can also attach the same organization to multiple servers, giving users the ability to connect to the closest VPN node. For true multi-host clustering, install Pritunl on each server and connect them to the same MongoDB replica set — they appear as a cluster in the admin panel.
How do I revoke a user's VPN access immediately?
Go to Users in the admin panel, find the user, and click Delete or Disable. Their certificate is revoked in real time — any active connection will be dropped within seconds and they cannot reconnect. For SSO users, disabling their account in Google or Okta achieves the same result at the next re-authentication. Always revoke server-side; deleting the profile from the client device alone does not prevent reconnection.
Does Pritunl log VPN connections?
Yes. Pritunl logs connection events, user identities, IP addresses, and timestamps in MongoDB. View them under Logs in the admin panel. These logs are useful for compliance auditing and security incident investigations, so treat them as a target in their own right: whoever can write to MongoDB can alter or delete them. To forward them to a syslog server or SIEM, ship the Pritunl log file (/var/log/pritunl.log by default on a package install, or the container's log output under Docker) with your usual log agent, so that a copy exists off the VPN host.
