DebianDebian Based

How To Install Pritunl on Debian 13

r00t
9 minutes read

Install Pritunl on Debian 13

Setting up a secure VPN infrastructure doesn’t have to be complicated. Pritunl offers an elegant solution for businesses and individuals seeking enterprise-grade VPN capabilities without the enterprise-level complexity. This open-source VPN server combines the reliability of OpenVPN and WireGuard protocols with an intuitive web-based management interface that simplifies configuration and user management.

Whether you’re securing remote access for your team, connecting multiple office locations, or establishing private cloud interconnections, Pritunl delivers professional-grade functionality. This comprehensive guide walks you through installing and configuring Pritunl on Debian 13 (Trixie), from initial system preparation to your first successful VPN connection.

What is Pritunl?

Pritunl stands out as a powerful VPN server solution that bridges the gap between simplicity and functionality. Built on proven OpenVPN and WireGuard technologies, it provides a polished management interface that eliminates the typical command-line complexity associated with VPN deployments.

The platform supports multiple authentication layers, including two-factor authentication, SSO integration, and certificate-based verification. Its MongoDB-backed architecture enables horizontal scaling to accommodate thousands of concurrent users while maintaining performance. Organizations benefit from multi-cloud VPN peering, allowing seamless connections across AWS, Google Cloud, Azure, and private infrastructure.

Common use cases include secure remote workforce access, site-to-site networking for distributed offices, and encrypted cloud resource connectivity.

Prerequisites and Requirements

Before diving into the installation, ensure your system meets these specifications:

  • Fresh Debian 13 (Trixie) server installation
  • Minimum 1GB RAM (512MB if using external database)
  • At least 1 vCPU and 10GB storage
  • Root or sudo privileges
  • Stable internet connection
  • Basic familiarity with Linux command line

Port requirements include 80 (HTTP), 443 (HTTPS), and your chosen VPN port (typically 1194 UDP). Having a registered domain name is optional but recommended for implementing Let’s Encrypt SSL certificates.

Update Your Debian 13 System

Starting with a fully updated system prevents compatibility issues and security vulnerabilities. Execute these commands to refresh your package repositories and upgrade installed software:

sudo apt update
sudo apt -y full-upgrade

The update command synchronizes your local package index with remote repositories, while full-upgrade intelligently handles package dependencies during upgrades. This process may take several minutes depending on your system’s current state and internet speed.

Check if a system reboot is required:

[ -f /var/run/reboot-required ] && sudo reboot -f

This command automatically reboots your server if kernel updates or critical system components were modified.

Install Required Dependencies

Pritunl installation relies on several utility packages for repository management and secure package verification. Install these essential dependencies:

sudo apt install gpg curl gnupg2 software-properties-common apt-transport-https lsb-release ca-certificates -y

Each package serves a specific purpose: GPG tools verify package signatures, curl fetches remote resources, apt-transport-https enables secure repository connections, and ca-certificates maintains trusted certificate authorities. The -y flag automatically confirms installation prompts.

Verify successful installation by checking package status:

dpkg -l | grep gnupg2

Add MongoDB Repository

MongoDB serves as Pritunl’s database backend, storing user credentials, server configurations, and connection logs. Debian 13 repositories may not include the optimal MongoDB version for Pritunl, so we’ll add the official MongoDB repository.

Import the MongoDB GPG signing key to verify package authenticity:

curl -fsSL https://www.mongodb.org/static/pgp/server-5.0.asc | sudo gpg --dearmor -o /etc/apt/trusted.gpg.d/mongodb-5.gpg

Add the MongoDB repository to your sources list. Note that Debian 13 (Trixie) users may need to reference the Buster repository due to MongoDB package availability:

echo "deb http://repo.mongodb.org/apt/debian buster/mongodb-org/5.0 main" | sudo tee /etc/apt/sources.list.d/mongodb-org-5.0.list

Update your package cache to register the new repository:

sudo apt update

MongoDB version 5.0 provides the stability and features Pritunl requires while maintaining compatibility with Debian-based systems.

Add Pritunl Repository

Pritunl maintains official repositories for Debian distributions, ensuring you receive tested packages optimized for your system. Begin by importing the Pritunl GPG key:

sudo gpg --keyserver hkp://keyserver.ubuntu.com --recv-keys 7AE645C0CF8E292A
sudo gpg --export --armor 7AE645C0CF8E292A | sudo tee /usr/share/keyrings/pritunl.asc

Add the Pritunl stable repository for Debian 13:

echo "deb [signed-by=/usr/share/keyrings/pritunl.asc] https://repo.pritunl.com/stable/apt trixie main" | sudo tee /etc/apt/sources.list.d/pritunl.list

Refresh your package database:

sudo apt update

You should see the Pritunl repository successfully processed in the update output. Any errors at this stage typically indicate GPG key issues or network connectivity problems.

Install Pritunl and MongoDB

With repositories configured, install both Pritunl and MongoDB simultaneously:

sudo apt install mongodb-org pritunl -y

This command downloads approximately 150-200MB of packages depending on existing system libraries. The installation process automatically handles dependencies and configures basic system integration.

Confirm successful installation by checking versions:

pritunl version
mongod --version

Both commands should return version numbers without errors. Pritunl typically installs the latest stable release, while MongoDB installs version 5.0.x as specified in the repository configuration.

Start and Enable Services

Pritunl requires both its own service and MongoDB to function. Start both services immediately:

sudo systemctl start pritunl mongod

Enable automatic startup on system boot:

sudo systemctl enable pritunl mongod

Verify services are running correctly:

sudo systemctl status pritunl
sudo systemctl status mongod

Active services display a green “active (running)” status. If either service fails to start, check logs for detailed error messages:

sudo journalctl -u pritunl -n 50
sudo journalctl -u mongod -n 50

Common startup issues include port conflicts, insufficient permissions, or MongoDB database initialization failures. The logs provide specific error codes that guide troubleshooting.

Configure Firewall Rules

Proper firewall configuration ensures VPN functionality while maintaining security. If you’re using UFW (Uncomplicated Firewall), configure these rules:

sudo ufw allow 80/tcp
sudo ufw allow 443/tcp
sudo ufw allow 1194/udp

Enable the firewall if not already active:

sudo ufw enable

Verify your rules:

sudo ufw status numbered

Port 80 handles Let’s Encrypt certificate challenges, 443 serves the HTTPS web interface, and 1194 is the default OpenVPN port. Adjust the VPN port number if you plan to use a custom configuration.

For iptables users, equivalent rules look like:

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT
sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT
sudo iptables -A INPUT -p udp --dport 1194 -j ACCEPT

Remember to save iptables rules to persist across reboots.

Access Pritunl Web Interface

Navigate to your server’s IP address using a web browser:

https://your-server-ip

Or use your domain name if DNS is configured:

https://vpn.yourdomain.com

Your browser will display a security warning about the self-signed SSL certificate. This is expected on initial setup. Click “Advanced” and proceed to the site. Pritunl generates a temporary certificate that you’ll replace with Let’s Encrypt later.

The setup screen requests two pieces of information. Retrieve your setup key from the command line:

sudo pritunl setup-key

The default MongoDB URI is:

mongodb://localhost:27017/pritunl

Enter both values in the web interface and click Save. The system initializes the database connection and prepares the administrative interface.

Get Default Administrator Credentials

Pritunl generates random administrator credentials for security. Retrieve them with:

sudo pritunl default-password

Output displays:

Administrator default password:
  username: "pritunl"
  password: "random-generated-password"

Use these credentials to log in through the web interface. The dashboard loads, displaying server statistics, user counts, and system status.

Change the default password immediately after first login. Navigate to the user dropdown in the top-right corner, select “Change Password,” and set a strong password following best practices.

Configure Initial Settings

Access Settings from the left sidebar to configure essential parameters. Update the “Public Address” field with your server’s public IP or domain name. This address appears in VPN profile configurations.

Enable Let’s Encrypt for automatic SSL certificates if you’re using a valid domain:

  1. Enter your domain in the “Lets Encrypt Domain” field
  2. Click “Enable Lets Encrypt”
  3. Wait for automatic certificate generation

Let’s Encrypt requires port 80 accessible from the internet for domain verification. The certificate auto-renews before expiration.

Configure additional settings like email notifications, auditing, and regional preferences according to your requirements.

Create an Organization

Organizations logically group users by department, location, or access requirements. Navigate to the “Users” tab and click “Add Organization.”

Enter a descriptive name like “Engineering,” “Remote Employees,” or “Branch Office.” Organizations enable granular access control and simplify user management as your VPN deployment scales.

Create multiple organizations if users require different network access levels or geographic routing policies.

Add VPN Users

Within the Users section, click “Add User.” Provide:

  • Name: Username for authentication
  • Email: For notifications and password resets
  • PIN: Optional secondary authentication code
  • Organization: Select from dropdown

Enable “Two-factor Authentication” to require authenticator app codes during connection. This significantly enhances security by adding a second authentication layer beyond passwords.

For bulk user creation, Pritunl supports CSV imports. This feature streamlines deployment in organizations with dozens or hundreds of users.

Configure per-user settings like bandwidth restrictions, device limits, and network route exceptions based on individual requirements.

Create VPN Server

Click “Servers” in the left menu, then “Add Server.” Essential configuration includes:

Basic Settings

  • Name: Descriptive identifier (e.g., “Main VPN Server”)
  • Port: 1194 (UDP recommended for performance)
  • Protocol: UDP for speed, TCP for restrictive networks
  • Virtual Network: 10.200.0.0/16 or similar private range

DNS Settings

  • Primary: 8.8.8.8 (Google) or 1.1.1.1 (Cloudflare)
  • Secondary: 8.8.4.4 or 1.0.0.1

Advanced Options

  • Enable IPv6 if your network supports it
  • Allow “Inter-client Communication” for peer-to-peer connectivity
  • Enable “Multi-device” to permit simultaneous connections from one user

Choose your virtual network carefully to avoid conflicts with existing local networks. If users commonly connect from 192.168.1.0/24 networks, select a different range like 10.200.0.0/16.

Attach Server to Organization

Servers must attach to organizations before users can connect. On your newly created server, click “Attach Organization.”

Select the organization from the dropdown and confirm. The attachment appears below the server configuration. A single server supports multiple organizations, each with independent user groups and routing policies.

This separation enables complex network architectures where different user groups access different network segments through the same VPN infrastructure.

Start the VPN Server

Click the green start button on your server. The indicator turns green and displays “online” when successful. The server log panel shows initialization messages and confirms successful port binding.

Verify the server is listening:

sudo netstat -tulpn | grep pritunl

You should see entries for your configured port. If the server fails to start, check for port conflicts or review server logs for specific error messages.

Download User Profiles

Return to the Users section and locate your user. Click the download icon to obtain the profile package (.tar file). This archive contains OpenVPN configuration files, certificates, and keys required for connection.

Alternative distribution methods include:

  • Profile Links: Generate temporary URLs users can access directly
  • URI Import: Display QR codes for mobile client import

Send profiles to users through secure channels. Avoid unencrypted email for sensitive environments. Consider using encrypted messaging platforms or secure file sharing services.

Profile links expire after a configured duration for security. Users must import profiles before expiration or request new downloads.

Install and Configure Pritunl Client

Pritunl provides native clients for all major platforms. Download from https://client.pritunl.com.

For Debian 13 client installation:

sudo tee /etc/apt/sources.list.d/pritunl.list << EOF
deb https://repo.pritunl.com/stable/apt trixie main
EOF

sudo apt-key adv --keyserver hkp://keyserver.ubuntu.com --recv 7AE645C0CF8E292A
sudo apt update
sudo apt install pritunl-client-electron

Launch the client application and import your profile:

  1. Click “Import Profile”
  2. Navigate to downloaded .tar file
  3. Enter PIN if configured
  4. Click “Connect”

The client displays connection status and assigns your virtual IP address. Verify connectivity by pinging internal resources or checking your public IP address.

Alternative clients include the official OpenVPN Connect client and command-line OpenVPN for automated deployments.

Troubleshooting Common Issues

Cannot Access Web Interface

Verify firewall rules allow port 443. Check if Pritunl service is running with systemctl status pritunl. Review logs for binding errors indicating port conflicts.

MongoDB Connection Failures

Confirm MongoDB service status: systemctl status mongod. Check MongoDB logs at /var/log/mongodb/mongod.log. Verify the MongoDB URI in Settings matches your configuration.

VPN Connection Timeouts

Ensure proper port forwarding if behind NAT. Check server logs for authentication errors. Verify client and server versions are compatible.

Authentication Problems

Reset user passwords through the web interface. Regenerate user profiles if certificates expired. Confirm user is attached to an organization linked to the server.

Performance Issues

Monitor server resources with htop. Check bandwidth statistics in the dashboard. Consider upgrading server resources or implementing load balancing for high user counts.

For persistent issues, enable debug logging in Settings and analyze detailed log output.

Monitoring and Maintenance

The Pritunl dashboard provides real-time insights into VPN operations. Monitor active connections, bandwidth consumption per user, and server uptime statistics.

Configure email alerts for critical events:

  • Server startup failures
  • High CPU or memory usage
  • Failed authentication attempts exceeding threshold

Backup MongoDB Database Regularly:

mongodump --out /backup/pritunl-$(date +%F)

Automate backups using cron jobs to prevent data loss. Store backups off-server for disaster recovery.

Update Pritunl:

sudo apt update
sudo apt upgrade pritunl mongodb-org

Review release notes before major version upgrades. Test updates in development environments for mission-critical deployments.

Optimize MongoDB performance by maintaining indexes and purging old log entries periodically.

Congratulations! You have successfully installed Pritunl. Thanks for using this tutorial for installing the latest version of Pritunl VPN on Debian 13 “Trixie” system. For additional help or useful information, we recommend you check the official Pritunl website.

VPS Manage Service Offer
If you don’t have time to do all of this stuff, or if this is not your area of expertise, we offer a service to do “VPS Manage Service Offer”, starting from $10 (Paypal payment). Please contact us to get the best deal!
Tags
r00t
9 minutes read
Photo of r00t

r00t

r00t is an experienced Linux enthusiast and technical writer with a passion for open-source software. With years of hands-on experience in various Linux distributions, r00t has developed a deep understanding of the Linux ecosystem and its powerful tools. He holds certifications in SCE and has contributed to several open-source projects. r00t is dedicated to sharing her knowledge and expertise through well-researched and informative articles, helping others navigate the world of Linux with confidence.
Copyright © 2026 idroot.us | All Rights Reserved | Follow us for more Linux tutorials!
Back to top button