diff --git a/pritunl/README.md b/pritunl/README.md new file mode 100644 index 0000000..59b51c8 --- /dev/null +++ b/pritunl/README.md 
@@ -0,0 +1,40 @@ +# Pritunl + +[Pritunl](https://pritunl.com/) is an [open source](https://github.com/pritunl/pritunl) VPN server with a web UI. It manages many [openvpn](https://openvpn.net/) instances underneath its python daemon and Go frontend. The basic version supports multiple servers/users with PKI + TOTP multi-factor auth. The professional/enterprise versions offer site-to-site VPNs as well as multiple SSO options for user auth. + + +## WIT on Pritunl + +WIT is using as our VPN server as it is both OSS and user friendly; something we can offer to customers. The VPN is being used to access the overlay network of customer clouds, while control plane access will remain via a bastion host for now. + +## Pritunl on WIT Cloud + +Pritunl only has one external dependency: it uses mongodb for storing organization/server/user data. Connect to the existing mongo daemon and create a new database and user for Pritunl. Store the password as a secret in the cloud-ui. + +Note that the WIT Cloud ingress layer currently only supports TCP based VPN servers. + +## Configuring the Daemon + +First setup the daemon according to `daemon-pritunl.conf`. + +Once the deployment is up and running edit it directly to add the container `securityContext`. + +`kubectl -n edit deploy ` + +Add the following block below `spec.template.spec.container.securityContext`: + +``` +securityContext: + capabilities: + add: + - NET_ADMIN +``` + +TODO: ping @tim once WIT Cloud supports configuring container `securityContext`. + +## Configuring Pritunl + +Follow the [Pritunl Setup](https://docs.pritunl.com/docs/connecting) instructions with the following notes: + +- Use a TCP based VPN server. Make sure to configure both the HAProxy on `roberto` as well as configuring `wit-proxy` via `etcd` +- Once the server is created make sure to remove the default route and add the appropriate routes for the k8s pod and services subnets. 
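Review bot: In "Configuring the Daemon" the field path `spec.template.spec.container.securityContext` is wrong; the Deployment schema has a `containers` list, so the block goes under `spec.template.spec.containers[].securityContext` on the pritunl container entry, and the `kubectl -n edit deploy` command has lost its namespace and deployment-name arguments (`kubectl -n <namespace> edit deploy <name>`). It is also worth saying explicitly that a change made with `kubectl edit` is overwritten the next time the deployment is re-applied from `daemon-pritunl.conf`, so NET_ADMIN has to be re-added after every redeploy until WIT Cloud honours the container `securityContext` (presumably the reason for the TODO). Minor grammar in "WIT on Pritunl": "WIT is using as our VPN server" is missing its object, i.e. "WIT is using Pritunl as our VPN server". The last bullet in "Configuring Pritunl" (remove the default route, add only the k8s pod and service subnets) is the main access-control decision on this page and reads as an afterthought; consider stating why, namely that leaving the default route pushes all client traffic through the customer cloud rather than just the overlay.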
diff --git a/pritunl/daemon-pritunl.conf b/pritunl/daemon-pritunl.conf new file mode 100644 index 0000000..60344a3 --- /dev/null +++ b/pritunl/daemon-pritunl.conf @@ -0,0 +1,17 @@ +name: pritunl +cpu: 500m +disk: +- path: /var/lib/pritunl + size: 5 +environment: + PRITUNL_MONGODB_URI: "mongodb://pritunl:{{secrets.pritunl}}@{{deps.mongo.ip}}:27017/pritunl" + PRITUNL_BEHIND_LOADBAL: true +image: registry.services.wit.com/drags/pritunl +internet-facing: true +memory: 1024 +ports: [9700, 1194] +replicas: 1 +containerSecurityContext: + capabilities: + add: + - "NET_ADMIN"
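Review bot: `containerSecurityContext` with NET_ADMIN duplicates the manual step the README says is still required because WIT Cloud does not yet support a container `securityContext`; either the key is honoured and the README's `kubectl edit` instructions are stale, or it is ignored and a comment in the conf should say so, otherwise a reader will assume the capability is applied and skip the manual step. Two smaller points: `memory: 1024` and `size: 5` under `disk` carry no unit while `cpu: 500m` does, so state the unit (MiB and GiB, presumably) or use one suffix convention throughout; and `internet-facing: true` applies to both entries in `ports: [9700, 1194]`, which exposes the Pritunl web UI (9700, its default) on the internet alongside the VPN port, while `PRITUNL_MONGODB_URI` is a plain `mongodb://` URI with no TLS option, so document whether the mongo hop stays on a trusted overlay and whether 9700 needs to be reachable from outside at all or should be limited to the bastion path mentioned in the README.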