Pritunl Prod Design

Tuesday, Jul 15, 2025 | 2 minute read | Updated at Tuesday, Jul 15, 2025

Doug Munsinger

Multi-EC2 instances, Mongodb Atlas backend, oh my…

Cacti

Solid, production-grade WireGuard-only Pritunl architecture.

✅ Architecture Summary

  • VPN: WireGuard only — no TLS certs needed per EC2
  • WebUI: Exposed via ALB (with HTTPS termination + sticky sessions via client IP)
  • Cert: ACM cert attached to ALB (beta.vpn.example.com)
  • VPN Traffic: Direct to EC2 instances via Elastic IPs
  • MongoDB Atlas: Single backend, all Pritunl instances sync state via Atlas

🧩 WebSockets in Pritunl

Does Pritunl use WebSockets?

Pritunl’s WebUI and admin console do not require WebSockets for core functionality, but:

  • Pritunl can use WebSockets for:

    • Real-time updates on connected users
    • Live status/dashboard stats
    • Possibly real-time logging updates or session state

ALB Compatibility:

  • ALB supports WebSockets natively on HTTPS (TCP upgrade to WS/WSS)
  • NLB does not support Layer 7 protocols like WebSockets

🔎 Conclusion: ALB. WebSocket support is included implicitly — no extra setup is needed if Pritunl uses them.

✅ Finalized Refined Design

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20

                                     [ ACM Cert ]
                                       HTTPS
                                +-----------------+
                                |      AWS ALB     |
                                | (HTTPS Terminate |
                                |   Sticky by IP)  |
                                +--------+--------+
                                         |
                  +----------------------+-------------------+
                  |                      |                   |
            [EC2 - Pritunl A]     [EC2 - Pritunl B]    [EC2 - Pritunl C]
               - WebUI              - WebUI              - WebUI
               - WireGuard (UDP)    - WireGuard (UDP)    - WireGuard (UDP)
               - Elastic IP         - Elastic IP         - Elastic IP

                                 ↘        ↓        ↙
                             VPN Clients connect via public EIPs (51820 UDP)

                          All instances sync with single MongoDB Atlas

🛡 Security Considerations

AreaRecommendation
MongoDB AtlasUse VPC peering or strict IP allowlist (only Pritunl EC2s)
Security GroupsAllow only: - 51820/UDP from Internet (VPN) - 443/TCP from ALB (WebUI) - 443/TCP from EC2s to MongoDB Atlas IPs
IAMLock down SSM / EC2 metadata access; no IAM required unless pulling secrets or certs
Health ChecksALB health check should hit https://<instance-ip>:443 or /ping if available on Pritunl

✅ TL;DR

ComponentValue
VPN ProtocolWireGuard only (no TLS required)
WebUI Load BalancerALB (HTTPS termination, sticky IP)
ACM Cert LocationOn ALB
Public IPsUse Elastic IPs per EC2
MongoDBAtlas (single instance, multi-node if HA)
WebSocketsSupported on ALB, optional in Pritunl

—doug

© 2025 by Doug Munsinger

About Me

About Cover

I build tools. I write scripts, plugins, compiled Go code binaries, terraform .tf files, APIs, hacks (a lot of these…). Glue that makes automation happen by connecting together open source projects like terraform, ansible packer, Jenkins, Docker, Kubernetes, Github and so on.

I do a lot of note taking and documentation. Mostly this is to let me pick back up where I left off on code or infrastructure when it has issues or needs to be upgraded or replaced a year or two down the road. Some of those notes & docs might be useful to someone other than myself. If that might be the case, they go here.

intuitive engineering describes taking physical structure and system design out of the lego or erector set viewpoint — where you piece things together one-by-one — and into an understanding of the art of engineering.

Watch really complex systems, say a network, for awhile and you find unexpected interactions become normal as complexity increases. The same is true for CICD systems and Devops/Infrastructure Engineering tools. There are gremlins in the dark corners.

Totems:

  • Avoid wherever possible, complexity, and where you find complexity, work toward a simpler design as a goal.
  • The elegant, aesthetically pleasing solution is also in most cases the least effort and personnel to support in the long run.
  • Expect and deal with missteps as they show up – complex designs can present opportunities as you work through them that are NOT visible at the start of the project. This is true in building construction. It is also true in network and system design, in software design.
  • Make that discovery part of the process, take advantage of those simplified and elegant changes as they present themselves.
  • Look for the consequences several steps ahead for each decision.
    • How locked into a design does it make you?
    • Can you live with that?
    • Is there a less restrictive/simpler/better/more elegant decision in design that can be made that doesn’t block off avenues?
    • Can you solve a problem once and reuse that solution?
    • Is there a modular or plugin design that would keep a flexibility?
  • Use open source tooling where that is practical.
  • Use best of breed. Build the interconnections and tooling passing from one system to another.
  • Customize as little as possible. Write bespoke code as little as possible.

I live in the Northeast and I am currently employed by Toast, Inc., as a Staff Devops/Infrastructure/Cloud Engineer (the titles keep changing).

—doug

Toolbelt

Toolbelt Image

I was a cabinetmaker and finish carpenter in Los Angeles for 17 years before working as a UNIX Systems Administrator.

I used an IBM 386 clone desktop with a green monochrome terminal monitor and a dot matrix printer to manage contracts, correspondence, and write promotional letters to prospective clients. I kept diving under the hood to tweak and optimize the system, adding a whopping 1 MB RAM and editing himem.sys in DOS to get it used.

The clone had a 20 MB hard drive. It backed up onto 5-1/2" floppy disks. It needed to be physically reformatted and rebuilt from backups about every six months. More often as it aged.

I fell in love with the command line, and only reluctantly installed Windows 3.1 when an application, I think it was a dog-slow CAD program, required it.

From there I went to an x86 Linux machine, back when Linux was a university play toy and no one expected it to become a serious operating system, except a few of us. From there, Solaris and Sun machines, IBM mainframes and IRIS, and eventually back to Linux, Ubuntu, Gentoo, Debian, Redhat, Amazonlinux.

I completed a UNIX & Systems Admin course, a one year certificate program at WPI that could be done in 8 weeks full time if you were committed to learning. I was.

From that point I’ve been employed as a systems administrator, firewall engineer (Fidelity Investments), network engineer (Egenera), hardware support engineer (Crossbeam Systems), devops engineer (the title most used since), and recently cloud and infrastructure engineer (Toast).

It used to be I actually saw physical hardware. At this point, it’s been maybe 7 years since I’ve been in a datacenter.

I still love the command line…

Command Line

License

MIT License

This covers any and all code snippets I’ve authored and included here.

MIT License Logo

© 2025 by Doug Munsinger

Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the “Software”), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
copies of the Software, and to permit persons to whom the Software is
furnished to do so, subject to the following conditions:

The above copyright notice and this permission notice shall be included in
all copies or substantial portions of the Software.

THE SOFTWARE IS PROVIDED “AS IS”, WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER
DEALINGS IN THE SOFTWARE.

Good luck  ;^)

Images

All images are excluded and are “All rights reserved.”

They are not licensed for reuse or redistribution unless explicitly stated.