wit-letsencrypt/pritunl/README.md

# Pritunl

[Pritunl](https://pritunl.com/) is an [open source](https://github.com/pritunl/pritunl) VPN server with a web UI. It manages many [openvpn](https://openvpn.net/) instances underneath its python daemon and Go frontend. The basic version supports multiple servers/users with PKI + TOTP multi-factor auth. The professional/enterprise versions offer site-to-site VPNs as well as multiple SSO options for user auth.


## WIT on Pritunl

WIT is using as our VPN server as it is both OSS and user friendly; something we can offer to customers. The VPN is being used to access the overlay network of customer clouds, while control plane access will remain via a bastion host for now.

## Pritunl on WIT Cloud

Pritunl only has one external dependency: it uses mongodb for storing organization/server/user data. Connect to the existing mongo daemon and create a new database and user for Pritunl. Store the password as a secret in the cloud-ui.

Note that the WIT Cloud ingress layer currently only supports TCP based VPN servers.

## Configuring the Daemon

First setup the daemon according to `daemon-pritunl.conf`.

Once the deployment is up and running edit it directly to add the container `securityContext`.

`kubectl -n <namespace> edit deploy <deploy-name>`

Add the following block below `spec.template.spec.container.securityContext`:

```
securityContext:
  capabilities:
    add:
    - NET_ADMIN
```

TODO: ping @tim once WIT Cloud supports configuring container `securityContext`.

## Configuring Pritunl

Follow the [Pritunl Setup](https://docs.pritunl.com/docs/connecting) instructions with the following notes:

- Use a TCP based VPN server. Make sure to configure both the HAProxy on `roberto` as well as configuring `wit-proxy` via `etcd`
- Once the server is created make sure to remove the default route and add the appropriate routes for the k8s pod and services subnets.