How to set up a custom SSL certificate for the free version of Pritunl

I haven’t been able to find much information on this, but from what I’ve found it looks like you have to pay in order to install a custom SSL certificate for the Pritunl web interface. You get a self-signed certificate when you install Pritunl, but I’m sure most people who do that want a valid certificate, even if it’s just for a small server running in a closet.

I’m using Pritunl just to access my internal network when I’m outside of my apartment, so I have one user and one server set up. Not a huge operation that could justify paying what they are asking. But I would still like to use the web interface without SSL warnings. So I set up a reverse proxy in front of Pritunl, and here is how I did it.

I’m going to assume some basic knowledge so I won’t go very deep on each step. If there is a step that you think needs clarification please leave a comment below.

I used CentOS 7 when I wrote this guide.

  1. First you need to change which address and port the Pritunl web interface listens on. You can do that by editing the following file: /etc/pritunl.conf
  2. Change bind_addr to localhost.
  3. Change port to a port number of your choosing and save the file. I’m going to use the port number 1234 as an example in this guide but you should replace it with whatever port you chose.
  4. Next restart Pritunl: systemctl restart pritunl
  5. You should no longer be able to reach the web interface from your web browser, not even at https://domain.name:1234, because it now listens only on localhost.
  6. But you should still be able to reach it with curl directly on the server, using the following command (-k is needed because the certificate is still self-signed): curl -k https://localhost:1234/login
  7. Install Nginx but don’t start it yet.
  8. When the installation is done add the following file (replace domain.name with your domain name): /etc/nginx/conf.d/domain.name.conf
  9. Add the following to the file and replace domain.name with your domain name.
    server {
        listen 80;
        server_name domain.name;
        # Send plain HTTP straight to HTTPS.
        return 301 https://$host$request_uri;
    }
    
    server {
        # "listen 443 ssl;" replaces the deprecated "ssl on;" directive.
        listen 443 ssl;
        server_name domain.name;
    
        ssl_certificate           /etc/nginx/ssl/cert.crt;
        ssl_certificate_key       /etc/nginx/ssl/cert.key;
    
        ssl_session_cache  builtin:1000  shared:SSL:10m;
        ssl_protocols  TLSv1.2;
        ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
        ssl_prefer_server_ciphers on;
    
        access_log            /var/log/nginx/domain.name.access.log;
    
        location / {
            proxy_set_header        Host $host;
            proxy_set_header        X-Real-IP $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header        X-Forwarded-Proto $scheme;
    
            # Pritunl now listens only on localhost, on the port chosen above.
            proxy_pass          https://localhost:1234;
            proxy_read_timeout  90;
        }
    }
    
  10. In the proxy_pass line, replace 1234 with the port you chose for the Pritunl web interface.
  11. Create the directory: /etc/nginx/ssl
  12. Create the cert.crt and cert.key files in /etc/nginx/ssl and add the certificate and key for your domain name.
  13. Now start Nginx: systemctl start nginx
  14. And enable it so it will start when the server starts: systemctl enable nginx
  15. You should now be able to navigate to the Pritunl web interface again and this time with a valid SSL certificate!
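The whole procedure above, written as a small set of shell functions so you can dry-run it on copies of the files before touching /etc on the real server. This is an added example, not code from the original post or from the Pritunl or Nginx projects. It assumes /etc/pritunl.conf is a flat JSON object with "bind_addr" and "port" keys (the sample below is constructed), and it uses the guide's placeholders 1234 and domain.name. One point worth knowing about the proxy_pass to https://localhost: nginx does not verify the upstream certificate unless proxy_ssl_verify is enabled, which is why proxying to Pritunl's self-signed listener works without any extra configuration; since that hop never leaves the loopback interface, that is acceptable here.

```shell
#!/bin/sh
# Added example (not from the original post): the guide's steps as shell
# functions that take file paths as arguments, so they can be dry-run on
# temporary copies. Assumed: pritunl.conf is a flat JSON object with
# "bind_addr" and "port" keys; 1234 and domain.name are the guide's placeholders.
set -eu

# Steps 1-3: bind the Pritunl web UI to loopback on the chosen port.
#   $1 = path to pritunl.conf   $2 = new port
rebind_pritunl() {
  sed -i \
    -e 's/"bind_addr":[[:space:]]*"[^"]*"/"bind_addr": "localhost"/' \
    -e "s/\"port\":[[:space:]]*[0-9]*/\"port\": $2/" \
    "$1"
}

# Check before restarting: print the address the UI will bind to.
#   $1 = path to pritunl.conf
pritunl_bound_addr() {
  sed -n 's/.*"bind_addr":[[:space:]]*"\([^"]*\)".*/\1/p' "$1"
}

# Steps 9-10: render the Nginx vhost for the reverse proxy.
#   $1 = output path   $2 = domain   $3 = backend (Pritunl) port
write_vhost() {
  cat > "$1" <<EOF
server {
    listen 80;
    server_name $2;
    return 301 https://\$host\$request_uri;
}

server {
    listen 443 ssl;
    server_name $2;

    ssl_certificate     /etc/nginx/ssl/cert.crt;
    ssl_certificate_key /etc/nginx/ssl/cert.key;
    ssl_session_cache   builtin:1000 shared:SSL:10m;
    ssl_protocols       TLSv1.2;
    ssl_ciphers         HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
    ssl_prefer_server_ciphers on;

    access_log /var/log/nginx/$2.access.log;

    location / {
        proxy_set_header Host              \$host;
        proxy_set_header X-Real-IP         \$remote_addr;
        proxy_set_header X-Forwarded-For   \$proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto \$scheme;
        # Upstream presents Pritunl's self-signed cert; nginx does not verify
        # upstream certs unless proxy_ssl_verify is on. Fine on loopback only.
        proxy_pass         https://localhost:$3;
        proxy_read_timeout 90;
    }
}
EOF
}

# Steps 6 and 15: probe a URL and return only the HTTP status code.
#   $1 = URL ; -k is only needed for the self-signed backend on loopback
http_status() {
  curl -k -s -o /dev/null -w '%{http_code}' "$1"
}

# Dry run on a constructed copy of pritunl.conf (sample values, not a real host).
WORK=$(mktemp -d)
printf '%s\n' '{"bind_addr": "0.0.0.0", "port": 443, "debug": false}' > "$WORK/pritunl.conf"
rebind_pritunl "$WORK/pritunl.conf" 1234
write_vhost "$WORK/domain.name.conf" domain.name 1234
echo "pritunl will bind to: $(pritunl_bound_addr "$WORK/pritunl.conf")"
cat "$WORK/pritunl.conf"
```

On the real server you would run rebind_pritunl against /etc/pritunl.conf, write_vhost to /etc/nginx/conf.d/domain.name.conf, restart Pritunl, and then use http_status on https://localhost:1234/login (expect 200) and, once nginx is up, on https://domain.name/login.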
