Install and Configure Pritunl VPN on Ubuntu 24.04
Pritunl is an open-source VPN solution that supports various protocols such as OpenVPN and WireGuard. Through an intuitive web console, you can manage organizations, users, servers, and client configuration profiles. Pritunl automatically handles VPN traffic forwarding, performs NAT, and issues SSL certificates via Let’s Encrypt, enabling secure TLS-encrypted VPN connections for clients.
This guide explains how to install and configure Pritunl on Ubuntu 24.04. It also details how to create servers, organizations, users, generate OpenVPN-compatible client profiles, and enable VPN connections on the server.
Prerequisites
Before starting:
- You need access to an Ubuntu 24.04 server as a non-root user with sudo privileges.
- Create an A record pointing to your server’s public IP, for example pritunlvpn.example.com.
Install Pritunl
Pritunl is not included in the default Ubuntu 24.04 repositories and requires multiple dependencies such as MongoDB, OpenVPN, and WireGuard. MongoDB stores management data, while OpenVPN and WireGuard enable VPN tunnels. Follow the steps below to install all dependencies and Pritunl.
Update APT package lists.
$ sudo apt update
Upgrade installed system packages.
$ sudo apt upgrade -y
Install gnupg, which is used below to import the repository signing keys.
$ sudo apt install gnupg -y
Add the MongoDB 8.0 repository.
$ sudo tee /etc/apt/sources.list.d/mongodb-org.list << EOF
deb [ signed-by=/usr/share/keyrings/mongodb-server-8.0.gpg ] https://repo.mongodb.org/apt/ubuntu noble/mongodb-org/8.0 multiverse
EOF
Add the OpenVPN repository.
$ sudo tee /etc/apt/sources.list.d/openvpn.list << EOF
deb [ signed-by=/usr/share/keyrings/openvpn-repo.gpg ] https://build.openvpn.net/debian/openvpn/stable noble main
EOF
Add the Pritunl repository.
$ sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb [ signed-by=/usr/share/keyrings/pritunl.gpg ] https://repo.pritunl.com/stable/apt noble main
EOF
Import MongoDB, OpenVPN, and Pritunl GPG keys.
$ curl -fsSL https://www.mongodb.org/static/pgp/server-8.0.asc | sudo gpg -o /usr/share/keyrings/mongodb-server-8.0.gpg --dearmor --yes
$ curl -fsSL https://swupdate.openvpn.net/repos/repo-public.gpg | sudo gpg -o /usr/share/keyrings/openvpn-repo.gpg --dearmor --yes
$ curl -fsSL https://raw.githubusercontent.com/pritunl/pgp/master/pritunl_repo_pub.asc | sudo gpg -o /usr/share/keyrings/pritunl.gpg --dearmor --yes
Apply repository changes by updating package lists again.
$ sudo apt update
Install MongoDB, OpenVPN, and WireGuard.
$ sudo apt install mongodb-org openvpn wireguard wireguard-tools -y
Install Pritunl.
$ sudo apt install pritunl -y
Check the installed Pritunl version.
$ pritunl version
Example output:
pritunl v1.32.4278.46
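The key import step above writes whatever curl downloads into a keyring that APT then trusts for that repository. The following added example (not part of the original guide or of Pritunl) checks a keyring listing against a fingerprint you obtained separately before you run apt update; the listing and fingerprint are constructed placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Print primary-key fingerprints from `gpg --show-keys --with-colons` text.
# The "fpr" record after a "pub" record holds the primary fingerprint in
# field 10; "fpr" records after "sub" belong to subkeys and are skipped.
primary_fingerprints() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { primary = 1; next }
        $1 == "sub" { primary = 0; next }
        $1 == "fpr" && primary { print $10; primary = 0 }'
}

# Succeed only if the listing has at least one primary key and every primary
# key matches one of the pinned fingerprints given after the first argument.
keyring_is_pinned() {
    listing=$1
    shift
    fprs=$(primary_fingerprints "$listing")
    [ -n "$fprs" ] || return 1
    for fpr in $fprs; do
        matched=no
        for pin in "$@"; do
            if [ "$fpr" = "$pin" ]; then matched=yes; fi
        done
        if [ "$matched" = no ]; then
            echo "unexpected key in keyring: $fpr" >&2
            return 1
        fi
    done
    return 0
}

# Constructed sample listing (not a real key); on a host you would pass
# "$(gpg --show-keys --with-colons /usr/share/keyrings/pritunl.gpg)".
SAMPLE_LISTING='pub:-:4096:1:1111111111111111:1700000000:::-:::scESC::::::23::0:
fpr:::::::::AAAABBBBCCCCDDDDEEEEFFFF0000111122223333:
uid:-::::1700000000::0000000000000000000000000000000000000000::Example Repo Key <repo@example.com>::::::::::0:
sub:-:4096:1:2222222222222222:1700000000::::::e::::::23:
fpr:::::::::9999888877776666555544443333222211110000:'
PINNED_FPR=AAAABBBBCCCCDDDDEEEEFFFF0000111122223333   # placeholder pin

if keyring_is_pinned "$SAMPLE_LISTING" "$PINNED_FPR"; then
    echo "keyring matches pinned fingerprint"
else
    echo "do not run apt update with this keyring"
fi
```

A keyring that contains any extra primary key fails the check, which catches a downloaded file that bundles an unexpected signing key alongside the expected one.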
Manage the Pritunl System Service
The following steps show how to manage the Pritunl daemon using systemd.
Enable Pritunl on system startup.
$ sudo systemctl enable pritunl
Sample output:
Created symlink /etc/systemd/system/multi-user.target.wants/pritunl.service → /etc/systemd/system/pritunl.service.
Start the Pritunl service.
$ sudo systemctl start pritunl
Check the Pritunl service status.
$ sudo systemctl status pritunl
Output excerpt:
● pritunl.service - Pritunl Daemon
Active: active (running)
Pritunl relies on MongoDB for storing management data. Enable MongoDB at startup as well.
$ sudo systemctl enable mongod
Start MongoDB.
$ sudo systemctl start mongod
Configure Pritunl
Pritunl supports the OpenVPN and WireGuard protocols, which can be configured using the web UI. The following steps explain how to generate a setup key and access the web console.
Check Pritunl service status again.
$ sudo systemctl status pritunl
Generate a setup key for initialization.
$ sudo pritunl setup-key
This one-time setup key initializes the web console:
ef5e2ae11293466daba9c20d12cfc50e
Allow port 80 for Let’s Encrypt verification.
$ sudo ufw allow 80/tcp
Allow HTTPS port 443 for accessing the web UI.
$ sudo ufw allow 443/tcp
Reload firewall rules.
$ sudo ufw reload
Check the firewall status.
$ sudo ufw status
Open the login page in a browser:
http://YOUR-SERVER-IP
Accept the browser’s certificate warning to continue; the console uses a self-signed certificate until Let’s Encrypt is configured. Enter the setup key and verify the MongoDB URI. Then generate the default password:
$ sudo pritunl default-password
Example credentials:
username: pritunl
password: i8g1JLkZQmdl
Open the login page:
http://YOUR-SERVER-IP/login
After logging in, set a strong password and enter your domain—such as pritunlvpn.example.com—into the Let’s Encrypt field.
Access the Pritunl Web Console
Pritunl organizes VPN management into three core components:
- Server: The VPN endpoint used by clients to establish encrypted tunnels using OpenVPN or WireGuard. It handles routing, encryption, and client connections.
- Organization: A logical management workspace containing its own certificate authority (CA). Organizations issue and manage user certificates separately.
- User: An individual VPN client profile that connects to a server using certificates and authentication.
Open the web console using your domain:
https://pritunlvpn.example.com
Log in using the administrator credentials you configured earlier.
Create a New Server
Navigate to Servers in the top navigation bar and click Add Server.
Fill in the required details, including:
- Server name
- DNS server for client configurations
- Port used for incoming VPN connections
- Protocol such as OpenVPN or WireGuard
- Virtual network range for VPN clients
Click ADD to save the configuration. After saving, a confirmation message appears: Successfully added server.
You must create and attach an organization before the server can start.
Create an Organization
To create an organization, go to Users → Add Organization.
Enter the desired organization name and click Add.
Next, navigate back to Servers and use Attach Organization to link the organization to your server.
Once attached, you can start the server.
Create VPN Users
To create individual VPN user profiles, follow these steps:
Under Users, click Add User.
Enter the user’s name and choose the organization the user belongs to.
Provide the user’s email address and assign a secure PIN for authentication during VPN connection.
Click Add to create the user. The new entry now appears in the organization’s user list.
To download the user profile, click Download Profile. This saves a compressed archive on your local machine.
Alternatively, select Link to generate a download link for importing the profile into a Pritunl VPN client. The link is publicly accessible, so share it only with the intended user.
Secure the Pritunl VPN Server
To protect your VPN server, review the active firewall rules and ensure all ports required by your server profiles are open.
In the web console, navigate to Servers to view each profile’s port and protocol.
On your server’s terminal, check the firewall status:
$ sudo ufw status
Allow the required VPN port—for example, 12800/udp—based on your server profile:
$ sudo ufw allow 12800/udp
Reload UFW to apply the updated firewall rules:
$ sudo ufw reload
Verify that UFW now allows the necessary ports:
$ sudo ufw status
Note: Each server configured in the Pritunl dashboard may use a different port. Always check Servers → Server for the specific port to allow through the firewall.
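Because each server profile can use its own port, it is easy to miss one when comparing the Servers page with the firewall by eye. The following added example (not part of the original guide) lists the port/protocol pairs that have no IPv4 allow rule in `ufw status` output; the sample output, the 14200/udp profile, and the function name are constructed for illustration.

```shell
#!/bin/sh
# Print every required port/proto that has no IPv4 "ALLOW ... Anywhere" rule
# in the given `ufw status` text. Returns 2 when UFW is not active, because
# an inactive firewall filters nothing and its rule list proves nothing.
# Scope: plain `ufw status` output; rule ordering and DENY rules are ignored.
missing_ufw_ports() {
    status_text=$1
    shift
    case $status_text in
        "Status: active"*) ;;
        *) echo "ufw is not active" >&2; return 2 ;;
    esac
    for want in "$@"; do
        # A rule written without a protocol (e.g. "12800") covers tcp and udp.
        printf '%s\n' "$status_text" | awk -v want="$want" '
            BEGIN { split(want, parts, "/") }
            ($1 == want || $1 == parts[1]) && $2 == "ALLOW" && $3 == "Anywhere" { found = 1 }
            END { exit !found }' || printf '%s\n' "$want"
    done
    return 0
}

# Constructed sample of `sudo ufw status` output after the steps in this guide.
SAMPLE_UFW_STATUS='Status: active

To                         Action      From
--                         ------      ----
80/tcp                     ALLOW       Anywhere
443/tcp                    ALLOW       Anywhere
12800/udp                  ALLOW       Anywhere
80/tcp (v6)                ALLOW       Anywhere (v6)
443/tcp (v6)               ALLOW       Anywhere (v6)
12800/udp (v6)             ALLOW       Anywhere (v6)'

# Ports copied by hand from the Servers page; 14200/udp is a hypothetical
# second server profile that has no firewall rule yet.
missing_ufw_ports "$SAMPLE_UFW_STATUS" 12800/udp 14200/udp
# On a real host: missing_ufw_ports "$(sudo ufw status)" 12800/udp
```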
Test the Pritunl VPN Server
Pritunl supports a variety of VPN clients depending on the protocol you configured—such as the Pritunl Client, OpenVPN Connect, or WireGuard applications.
Use the download links in the Pritunl web console to retrieve a user profile archive.
Install the Pritunl Client for your device (Windows, macOS, or Linux).
Open the Pritunl Client and click Import in the top navigation menu.
Select the downloaded .tar archive and import it.
Review the user and server information, then click Connect.
When prompted, enter the user’s PIN to authenticate and establish the VPN connection.
Monitor connection status and traffic statistics in the client interface.
Visit an IP-checking website to confirm your public IP now reflects the VPN server’s IP.
In the Pritunl Web Console under Users, confirm the user’s status has changed from Offline to Online.
Revoke VPN Users
To remove a user’s access, open the Users menu in the Web Console.
Select the user you want to revoke.
Click Delete Selected in the top right corner.
This action removes the user profile and certificate, disabling access to the VPN server.
Conclusion
This guide demonstrated how to install and configure Pritunl on Ubuntu 24.04 to build a fully functional VPN server. Pritunl provides an intuitive web interface that simplifies managing servers, organizations, and users. Client profiles can be generated for both OpenVPN and WireGuard, depending on the server configuration. For additional features, best practices, and extended documentation, consult the official Pritunl documentation.


