
Deploying a Pritunl App

Introduction

Pritunl is an open-source VPN server with a web-based admin console, multi-organization support, and OpenVPN/WireGuard gateways. Deploying Pritunl with a Dockerfile on Klutch.sh keeps builds reproducible, secrets managed, and storage persistent—all configured from klutch.sh/app. This guide uses two apps to respect single-port routing: one for the web console and one for TCP VPN ingress.


Prerequisites

  • A Klutch.sh account (sign up)
  • A GitHub repository containing your Pritunl Dockerfile (GitHub is the only supported git source)
  • External MongoDB cluster (required by Pritunl)
  • TLS certificate and a domain for the admin UI; VPN clients able to use TCP

For onboarding, see the Quick Start.


Architecture and ports

  • Klutch.sh allows one port per app. Use two apps (same repo/image):
    • Admin UI/API: HTTP on internal port 9700; choose HTTP traffic and set internal port to 9700.
    • VPN TCP gateway: TCP on internal port 1194 (OpenVPN TCP mode). Choose TCP traffic and set internal port to 1194. Clients connect externally to example-app.klutch.sh:8000 (Klutch.sh TCP), which maps to internal port 1194.
  • UDP is not available; configure TCP OpenVPN profiles for this deployment.

Repository layout

pritunl/
├── Dockerfile # Must be at repo root for auto-detection
└── README.md

Keep secrets out of Git; store them in Klutch.sh environment variables.


Installation (local) and starter commands

Build and run locally (requires MongoDB reachable from the container):

docker build -t pritunl-local .
# Inside the container, localhost is the container itself;
# use a MongoDB host that the container can actually reach.
docker run -p 9700:9700 -p 1194:1194 \
  -e MONGODB_URI=mongodb://user:pass@localhost:27017/pritunl \
  -e PRITUNL_MONGODB_URI=mongodb://user:pass@localhost:27017/pritunl \
  -e PRITUNL_PORT=9700 \
  -e PRITUNL_VPN_PORT=1194 \
  pritunl-local

Dockerfile for Pritunl (production-ready)

Place this at the repo root; Klutch.sh auto-detects Dockerfiles.

FROM ghcr.io/pritunl/pritunl:latest
ENV PRITUNL_PORT=9700
ENV PRITUNL_VPN_PORT=1194
EXPOSE 9700 1194
CMD ["/usr/bin/pritunl", "start"]

Notes:

  • Pin to a stable tag (e.g., ghcr.io/pritunl/pritunl:1.32.3537.69) instead of latest, so every rebuild pulls the same image and upgrades stay predictable.
  • The image listens on the admin port and VPN port defined above; align them with Klutch.sh app ports.
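The checks this guide asks for (no secrets in Git, a pinned image tag, ports aligned with the app settings) can be linted before pushing. The script below is an added example, not part of the original guide or of Pritunl or Klutch.sh; its function names are hypothetical, and it assumes POSIX sh with awk and a grep that supports -r and --exclude-dir.

```sh
#!/bin/sh
# Added example: pre-push lint for the Pritunl repo layout in this guide.
# Function names are hypothetical; ports 9700/1194 are the guide's values.

# True only if every FROM line pins a tag other than "latest", or a digest.
image_is_pinned() (
  refs=$(awk 'toupper($1)=="FROM"{for(i=2;i<=NF;i++) if($i !~ /^--/){print $i; break}}' "$1")
  [ -n "$refs" ] || exit 1
  for ref in $refs; do
    case "${ref##*/}" in   # drop registry/path so host:port is not read as a tag
      *@sha256:*) ;;       # digest pin
      *:latest) exit 1 ;;  # mutable tag
      *:*) ;;              # explicit tag
      *) exit 1 ;;         # no tag means an implicit "latest"
    esac
  done
  exit 0
)

# True if the Dockerfile EXPOSEs both ports the two Klutch.sh apps route to.
exposes_ports() (
  exposed=$(awk 'toupper($1)=="EXPOSE"{for(i=2;i<=NF;i++) print $i}' "$1")
  for want in 9700 1194; do
    printf '%s\n' "$exposed" | grep -Eqx "$want(/tcp)?" || exit 1
  done
  exit 0
)

# True if a MongoDB URI with real-looking credentials is in the tree.
# Prints file names only, so the secret itself never reaches the logs;
# <user>:<password> placeholders are skipped.
has_embedded_mongo_creds() (
  grep -rlE --exclude-dir=.git \
    'mongodb(\+srv)?://[^<@/[:space:]]+:[^<@/[:space:]]+@' "$1"
)

# Runs all three checks against a repo directory; non-zero on any finding.
predeploy_check() (
  rc=0
  image_is_pinned "$1/Dockerfile" || { echo "FAIL: base image is not pinned"; rc=1; }
  exposes_ports "$1/Dockerfile" || { echo "FAIL: EXPOSE lacks 9700 or 1194"; rc=1; }
  if has_embedded_mongo_creds "$1"; then
    echo "FAIL: MongoDB credentials found in the files listed above"; rc=1
  fi
  exit "$rc"
)

if [ $# -gt 0 ]; then predeploy_check "$1"; fi
```

Pass the repository path as the first argument; a non-zero exit status means at least one check failed.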

Environment variables (Klutch.sh)

Set these before deploying:

  • PRITUNL_PORT=9700 (admin UI)
  • PRITUNL_VPN_PORT=1194 (TCP OpenVPN)
  • PRITUNL_MONGODB_URI=mongodb://<user>:<password>@<host>:27017/pritunl
  • MONGODB_URI=mongodb://<user>:<password>@<host>:27017/pritunl (compat alias)
  • Optional: PRITUNL_DEBUG=true, license key variables if you use enterprise features

If deploying without the Dockerfile and relying on Nixpacks:

  • NIXPACKS_START_CMD=/usr/bin/pritunl start

Attach persistent volumes

Add storage in Klutch.sh (path and size only):

  • /var/lib/pritunl — server configuration, keys, and certificates.

Ensure the path is writable inside the container.


Deploy Pritunl on Klutch.sh (split-port workflow)

  1. Push your repository—with the Dockerfile at the root—to GitHub.
  2. Create the admin app: choose HTTP traffic, set the internal port to 9700, add MongoDB and Pritunl env vars, and attach a volume at /var/lib/pritunl.
  3. Deploy the admin app and note its URL (e.g., https://example-app.klutch.sh); complete initial setup and create organizations/users.
  4. Create the VPN app: choose TCP traffic, set the internal port to 1194, reuse the same repo and env vars, and attach the same storage path/size.
  5. Deploy the VPN app. Configure clients to use example-app.klutch.sh on external port 8000 with TCP OpenVPN profiles generated from the admin UI.

Sample checks

Admin UI reachability:

curl -I https://example-app.klutch.sh

VPN TCP port check (from a TCP-capable client):

nc -vz example-app.klutch.sh 8000

Health checks and production tips

  • Use an HTTP readiness probe on / for the admin app.
  • Keep MongoDB credentials and any license keys in Klutch.sh secrets; rotate regularly.
  • Remember this deployment serves TCP OpenVPN only; WireGuard and UDP OpenVPN are not available in this model.
  • Pin image versions and test upgrades in staging before production.
  • Monitor /var/lib/pritunl volume usage and back up configuration regularly; back up MongoDB as your source of truth.

Pritunl on Klutch.sh provides a reproducible Docker workflow, split admin and VPN endpoints to match single-port routing, managed secrets, and persistent storage—without extra YAML or CI steps. Configure ports, MongoDB, and storage, then onboard users with TCP OpenVPN profiles.