#general (2021-01)

General conversations related to DevOps/Automation

General Discussions

2021-01-22

Matt Gowie

Anyone using pritunl? Any feedback on this tool / the paid options?

I’m getting pushback from a client’s auditing team that Tailscale is not PCI compliant (still working through that with them). But just in case that doesn’t work out, I’m looking for real experience on pritunl. I feel like I’ve heard folks discuss it here before and weigh in on pros / cons, but can’t seem to find it.

loren

i looked at pritunl some. or at least pritunl-zero, not the whole vpn. it just seems really confusing from the docs. and despite being open source and on github, issues are disabled, and there is basically a single contributor. didn’t give me a ton of confidence.

aaratn

I have used pritunl multiple times, no experience with the paid version though, but the community version is rock solid

Matt Gowie

Huh — can you use the community version with more than 1 server? Their pricing is a bit confusing, but it seems to limit community to 1 server from what I can see.

aaratn

We had one server only

Matt Gowie

Gotcha

aaratn

How many users are you planning to provision?

Matt Gowie

30-50

Matt Gowie

We would need to go with the full paid option.

aaratn

Okay got it, you can have one server and keep an AMI as standby

aaratn

If something happens to server, you can create a new one from that AMI

aaratn

poor man’s HA solution

Matt Gowie

@Erik Osterman (Cloud Posse) have you used pritunl with any Cloud Posse clients? I just saw you folks have a helmfile for it when searching through this Slack.

Drew Davies

We’re just in the process of deploying it now, to replace our existing OpenVPN instances.

Drew Davies

It’s a pretty great wrapper around OpenVPN & Wireguard from my experience, although it’s effectively a one-man operation (https://github.com/pritunl/pritunl/graphs/contributors) and the documentation leaves a lot to be desired.


Drew Davies

It’s still using Python v2, which leads to some deprecation warnings at present, but there is an effort via Zach to update the codebase to v3 (https://github.com/pritunl/pritunl/pull/468#issuecomment-689651018)

Matt Gowie

Ah good stuff Drew! That helps me in a couple aspects.

Matt Gowie

Thanks for weighing in folks — appreciate the thoughts / experience.

Drew Davies

I can’t speak to its level of PCI compliance; however, since it’s just a wrapper around OpenVPN/Wireguard, the security vector shouldn’t be impacted to a great degree.

Drew Davies

Sure thing, happy to provide some perspective. Feel free to DM me if you end up deciding on it and if you have any implementation questions.

Matt Gowie

Have you used the WireGuard aspect of it at all? I would like to avoid any VPN configuration, and WireGuard seems superior in regards to being a mesh rather than point-to-point.

Drew Davies

I’ve used it personally, but we’re not implementing it at present within my org. The thing about Pritunl though, is that you’ll have your users retrieve their configurations for either OpenVPN or Wireguard from the same web interface. After that, there really isn’t much maintenance for either OpenVPN or Wireguard.

Drew Davies

The Electron-based Pritunl client (https://client.pritunl.com) syncs any changes with your Pritunl cluster, so once users download their OpenVPN configuration, there really isn’t any ongoing end-user maintenance.

aaratn

By the way, if you are on AWS there is also an AWS-managed OpenVPN called AWS Client VPN that you can use; it also supports Okta integration

Matt Gowie

Thanks for that info Drew, that’s good to know about the maintenance of the two protocol configs + the client.

Matt Gowie

@aaratn I’ve implemented the AWS Client VPN for a client before… I wouldn’t go down that path again. VPN configurations are a nightmare to manage and AWS’s client VPN is super expensive for what it is.


Erik Osterman (Cloud Posse)

@ how’s pritunl holding up for your team?

Robert Horrox

Once configured it has held up well; the Okta integration has been very useful for our company. We are working on having the organization come from Okta so a user is placed into the correct Org on Pritunl to grant different levels of access. You can’t, however, push groups down from Okta to Pritunl.

Robert Horrox

We have pritunl running on k8s and it has been stable. We also have it elsewhere on ec2 instances and it runs just fine there as well

Matt Gowie

Huh gotcha — How was setting up the cluster configuration? That hasn’t given you any trouble?

Erik Osterman (Cloud Posse)

One of the biggest downsides is it depends on mongo

Robert Horrox

we don’t use a cluster per se on the k8s side

Matt Gowie

Yeah, that’s one of my problems with it right now… I don’t want to have to standup a cluster for a tool that I pay for.

Erik Osterman (Cloud Posse)

I don’t know if it works with DocumentDB. By default, on kubernetes, we deploy mongodb as a container (it’s only for storing configuration data)

Robert Horrox

With EC2 instances I have MongoDB Atlas set up, and once you do the initial setup all instances that connect to the cluster get their config from it

Robert Horrox

@Erik Osterman (Cloud Posse) would need to comment on trying to run multiple Pritunl pods inside k8s

Erik Osterman (Cloud Posse)

Yea, so that works fine too. It’s basically deployed as a statefulset.

Erik Osterman (Cloud Posse)

It requires the enterprise version, though.

Erik Osterman (Cloud Posse)

which is a “whopping” $600/year for unlimited seats and SSO.

Erik Osterman (Cloud Posse)

(in other words, dirt cheap)

Robert Horrox

they will charge you per-cluster

Matt Gowie

Yeah it’s super cheap… why are you evaluating alternatives @Erik Osterman (Cloud Posse) ?

Robert Horrox

I did do math on AWS VPN at one point, it gets expensive very fast

Matt Gowie

AWS VPN is crazy.

Robert Horrox

Lastly I would suggest looking at something like https://www.pomerium.io/ instead of a VPN. If you can get away without running a VPN, all the better. I don’t personally use pomerium, so buyer beware.


Matt Gowie

Hahah I think this is one of the most crowded spaces right now. Every flavor of BeyondCorp under the sun. That’s the first I’ve heard of this one.

Matt Gowie

That’s another cluster driven solution. I’m trying to avoid those if I can. But thanks for adding it to the pile.

loren

what do you mean by “cluster driven”?

Matt Gowie

As in it has a centralized management layer that requires deploying a cluster for the solution to work. E.g. pritunl, Hashi Boundary, Pomerium, etc.

Matt Gowie

Really I think I’m just enamored with the simplicity of tailscale and now I don’t want anything else

loren

heh, yeah, tailscale architecture is bomb. mesh private internet with acls. though i still want to self-host my own relays and coordination server

Robert Horrox

that cost per user though, 3 users is more than a pritunl license

Robert Horrox

sorry 5 users

loren

i mean, comparing to pritunl pricing is a bit nuts. why it is so underpriced, i do not understand

Matt Gowie

Yeah maybe I would host the tailscale coordination server if I could. That would solve the PCI compliance issues I’m running into. And I’m sure that’s lightweight anyway considering [their database was a JSON file up until recently](https://tailscale.com/blog/an-unlikely-database-migration/).


Matt Gowie

Yeah, pritunl is definitely winning the pricing game 100%.

Robert Horrox

pritunl is just a simple wrapper around OpenVPN; in fact their whole codebase is open source, even the code that checks if you are an enterprise user

Matt Gowie

But compare pritunl vs tailscale vs strongDM… tailscale ain’t that bad.

Robert Horrox

we use StrongDM, their support is great. Product is a bit immature

loren

i don’t think tailscale is even checking against licenses right now anyway ;)

Matt Gowie

Oh interesting… why do you use both?

Robert Horrox

in StrongDM you can give time grant access to users to databases

Robert Horrox

a VPN is needed for some items that SDM doesn’t support

Matt Gowie

Huh

Robert Horrox

similar to PCI, we have compliance requirements that keep us from publicly exposing endpoints

SweetOps
08:00:09 PM

Hey everyone, give a warm welcome to our newest members!

  • @
  • @
  • @
  • @
  • @

Good to have you here =)

2021-01-19

Zach Holt

Thanks!

2021-01-18

Zach M

Thank you for the welcome!

2021-01-11

mfridh

Miss the old scaffolding from Rails etc. when building gRPC Go apps? – https://github.com/lileio/lile

2021-01-08

Vincent Sheffer

Thanks for the welcome.


2021-01-07

Bill Clark

</wave>

2021-01-05

Julian

Hello All! Julian here, trying to learn the latest and greatest of DevOps practices and incorporate them into my architecture for the ultimate in AWS Wizardry.


2021-01-04

PePe

Who works for slack here????? ohhh wait….
