Pritunl v1.30.3098.52 and Pritunl Link v1.0.2296.34 have been released in the stable repository. These releases improve link reliability and cipher configuration. The drop permissions option has also been added to the Pritunl server.
Preferred Cipher Option
The IPsec preferred ciphers can now be set from the Pritunl server link configuration. The preferred ciphers can also be forced, which configures IPsec to accept only the provided ciphers.
This allows using newer ciphers such as the AES 128 GCM cipher, which is capable of multi-gigabit link speeds. Below is a speed test of the aes128gcm128-x25519 cipher on an Oracle Cloud BM.Optimized3.36 bare metal server using an Intel Xeon Gold 6354 processor with 50 gigabit/sec Mellanox ConnectX-6 DX adapters. Additionally, with CPU AES-NI offloading, these ciphers will use minimal CPU resources on the system.
The test below is a single connection iperf3 -t 10 test measuring a 12.8 gigabit/sec speed.
The test below is a 10 connection iperf3 -t 10 -P 10 test measuring a 13.2 gigabit/sec speed.
The base network speed between these servers without an IPsec connection is 32.6 gigabit/sec.
Multiple Hosts in Pritunl Link URI
The Pritunl Link client will now accept multiple Pritunl server hostnames in the URI. When multiple hostnames are provided, the link client will simultaneously send update requests to all the hosts and use the first response from an online host. Although links will currently remain online even if the Pritunl server cannot be reached, due to the caching functionality, this update provides additional reliability to keep links online even during significant outages. Below is an example URI with two hostnames.
pritunl://ID:SECRET@pritunl0.domain.com,pritunl1.domain.com
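The behaviour described above, sketched in Go as an added example (not Pritunl Link's own code). The names ParseLinkURI and FirstResponse and the fetch callback are hypothetical; fetch stands in for the client's update request, whose real format is not shown on this page.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
)

// ParseLinkURI splits pritunl://ID:SECRET@host0,host1 by hand so the host list
// stays intact. Errors never echo the input, because it contains the secret.
func ParseLinkURI(raw string) (id, secret string, hosts []string, err error) {
	rest := strings.TrimPrefix(raw, "pritunl://")
	at := strings.LastIndex(rest, "@")
	sep := strings.Index(rest, ":")
	if rest == raw || sep < 1 || at < sep+2 || at == len(rest)-1 {
		return "", "", nil, errors.New("link uri: want pritunl://ID:SECRET@host[,host]")
	}
	return rest[:sep], rest[sep+1 : at], strings.Split(rest[at+1:], ","), nil
}

// FirstResponse asks every host at once and returns the first success.
// fetch is a hypothetical stand-in for the link client's update request.
func FirstResponse(hosts []string, fetch func(context.Context, string) (string, error)) (string, string, error) {
	ctx, cancel := context.WithCancel(context.Background())
	defer cancel() // abandon slower requests once one host has answered
	type result struct {
		host, body string
		err        error
	}
	ch := make(chan result, len(hosts)) // buffered: late senders never block
	for _, h := range hosts {
		go func(h string) {
			body, err := fetch(ctx, h)
			ch <- result{h, body, err}
		}(h)
	}
	for range hosts {
		if r := <-ch; r.err == nil {
			return r.host, r.body, nil
		}
	}
	return "", "", errors.New("link update: no host responded")
}

func main() {
	_, _, hosts, _ := ParseLinkURI("pritunl://ID:SECRET@pritunl0.domain.com,pritunl1.domain.com")
	host, _, err := FirstResponse(hosts, func(context.Context, string) (string, error) { return "ok", nil }) // constructed fetch
	fmt.Println(host, err)
}
```

Every hostname in the list is sent the link's update request, so the list should contain only Pritunl servers you operate.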
Drop OpenVPN Permissions
An option to drop OpenVPN permissions is now available in the Pritunl settings interface. This will configure the OpenVPN server process to drop to the Linux nobody user after initializing. This will provide additional security to the OpenVPN process and restrict the possibility of RCE exploits on the process.