#general (2021-01)

Thanks!

i looked at pritunl some. or at least pritunl-zero, not the whole vpn. it just seems really confusing from the docs. and despite being open source and on github, issues are disabled, and there is basically a single contributor. didn’t give me a ton of confidence.

I have used pritunl multiple times, no experience with paid version though but community version is rock solid

Huh — can you use the community version with more than 1 server? Their pricing is a bit confusing, but it seems to limit community to 1 server from what I can see.

We had one server only

Gotcha

How many users are you planning to provision ?

30-50

We would need to go with the full paid option.

Okay got it, you can have one server and keep ami as standby

If something happens to server, you can create a new one from that AMI

poor man’s HA solution

@Erik Osterman (Cloud Posse) have you used pritunl with any Cloud Posse clients? I just saw you folks have a helmfile for it when searching through this Slack.

We’re just in the process of deploying it now, to replace our existing OpenVPN instances.

It’s a pretty great wrapper around OpenVPN & Wireguard from my experience, although, it’s effectively a one man operation (https://github.com/pritunl/pritunl/graphs/contributors) and the documentation leaves a lot to be desired.

It’s still using Python v2, which leads to some deprecation warnings at present, but there is an effort via Zach to update the codebase to v3 (https://github.com/pritunl/pritunl/pull/468#issuecomment-689651018)

Ah good stuff Drew! That helps me in a couple aspects.

Thanks for weighing in folks — appreciate the thoughts / experience.

I can’t speak to it’s level of PCI compliance, however, since it’s just a wrapper around OpenVPN/Wireguard, the security vector shouldn’t be impacted to a great degree.

Sure thing, happy to provide some perspective. Feel free to DM me if you end up deciding on it, and if have any implementation questions.

Have you used the wireguard aspect of it at all? I would like to avoid any VPN configuration and wireguard seems superior in regards to be a mesh over point to point.

I’ve used it personally, but we’re not implementing it at present within my org. The thing about Pritunl though, is that you’ll have your users retrieve their configurations for either OpenVPN or Wireguard from the same web interface. After that, there really isn’t much maintenance for either OpenVPN or Wireguard.

The Electron-based Pritunl client (https://client.pritunl.com) sync’s any changes with your Pritunl cluster, so once users download their OpenVPN configuration, there really isn’t any ongoing end user maintenance.

By the way if you are on aws, there is. also aws managed openvpn called as aws-client-vpn that you can use, also supports OKTA integration

Thanks for that info Drew, that’s good to know about the maintenance of the two protocol configs + the client.

@aaratn I’ve implemented the AWS Client VPN for a client before… I wouldn’t go down that path again. VPN configurations are a nightmare to manage and AWS’s client VPN is super expensive for what it is.

@Robert Horrox how’s pritunl holding up for your team?

once configured it has held up well, the okta integration has been very useful for our company. We are working on having the organization come from Okta so a user is placed into the correct Org on Pritunl to grant different levels of access. You can’t however push groups down from okta to pritunl

We have pritunl running on k8s and it has been stable. We also have it elsewhere on ec2 instances and it runs just fine there as well

Huh gotcha — How was setting up the cluster configuration? That hasn’t given you any trouble?

One of the biggest downsides is it depends on mongo

we don’t use a cluster per say on the k8s side

Yeah, that’s one of my problems with it right now… I don’t want to have to standup a cluster for a tool that I pay for.

I don’t know if it works with DocumentDB. By default, on kubernetes, we deploy mongodb as a container (it’s only for storing configuration data)

with ec2 instances I have mongodb atlas setup and once you do the initial setup all instances that connect to the cluster get their config from it

@Erik Osterman (Cloud Posse) would need to comment on trying to run multiple Pritunl pods inside k8s

Yea, so that works fine too. It’s basically deployed as a statefulset.

Requires though the enterprise version.

which is a “whopping” $600/year for unlimited seats and SSO.

(in otherwords dirt cheap)

they will charge you per-cluster

Yeah it’s super cheap… why are you evaluating alternatives @Erik Osterman (Cloud Posse) ?

I did do math on AWS VPN at one point, it gets expensive very fast

AWS VPN is crazy.

Lastly I would suggest looking at something like https://www.pomerium.io/ instead of a VPN. If you can get away without running a VPN, all the better. I don’t personally use pomerium, so buyer beware.

Hahah I think this is one of the most crowded spaces right now. Every flavor of BeyondCorp under the sun. That’s the first I’ve heard of this one.

That’s another cluster driven solution. I’m trying to avoid those if I can. But thanks for adding it to the pile.

what do you mean by “cluster driven”?

As in it has a centralized management layer that requires deploying a cluster for the solution to work. E.g. pritunl, Hashi Boundary, Pomerium, ect.

Really I think I’m just enamored with the simplicity of tailscale and now I don’t want anything else

heh, yeah, tailscale architecture is bomb. mesh private internet with acls. though i still want to self-host my own relays and coordination server

that cost per user though, 3 users is more than a pritunl license

sorry 5 users

i mean, comparing to pritunl pricing is a bit nuts. why it is so underpriced, i do not understand

Yeah maybe I would host the tailscale coordination server if I could.. That would solve the PCI compliance issues I’m running into. And I’m sure that’s lightweight anyway considering their Database was a JSON file up until recently.

Yeah, pritunl is definitely winning the pricing game 100%.

pritunl is just a simple wrapper around OpenVPN, in fact their whole codebase is opensource. Even the code that checks if you are an enterprise user

But compare pritunl vs tailscale vs strongDM… tailscale aint that bad.

we use StrongDM, their support is great. Product is a bit immature

i don’t think tailscale is even checking against licenses right now anyway ;)

Oh interesting… why do you use both?

in StrongDM you can give time grant access to users to databases

a VPN is needed for some items that SDM doesn’t support

Huh

similar to PCI, we have compliance requirements that keep us from public exposing endpoints

hey hey! glad you stopped by!

https://github.com/cloudposse/terraform-aws-components

Atmos is just a cli. Our components are kept in separate monorepo and versioned separately.

Thanks for the welcome.

Hi Everyone! glad to be part of this community!

The files that live in the prod and staging folder are typically very small. They reference different versions of a “module” so that you can do exactly what you are talking about up above.

But it’s also not the only way to do it. My team doesn’t do it that way, they do it in a more typical app-dev kind of way. There’s lots of different ways to skin this particular cat

Take a look at #atlantis for a tool that is popular around here that helps a lot when deploying IaC

CP does it with GitHub actions as well, though I think that process is more homegrown and “proprietary”? Not sure how extensible it is.

Then others use Terraform Cloud with nice success

so, one way to do it might to be to call a shared “module” that actually handles most of the composition?

yes, and utilizing different versions of that module let you gradually promote something up through your environments

while sharing the same codebase

that module would be called from each of the environments but with different inputs

yes

that makes a lot of sense

thanks a bunch for the tips

also see https://www.youtube.com/watch?v=4MLBpBqZmpM. It’s a whole office hours about different Terraform cloud services

@Evan Pitstick happy to talk about this again on #office-hours

in the next 1-2 months, we’ll have more documentation on getting started with our reference architecture. in the next week, we’ll have documentation for our various components coming out. after that we’re focused on archiving a lot of our legacy documentation before starting down the path of documenting our current approach.

@Evan Pitstick I’m also interested in this, how to map code releases to production/environment releases. I’ll be curious to be on the Office Hours this week!

Hey @Jordan Mendler! welcome

Yo guys! Glad to be a member