{"id":63037,"date":"2022-05-20T11:00:00","date_gmt":"2022-05-20T15:00:00","guid":{"rendered":"https:\/\/jumpcloud.com\/?p=63037"},"modified":"2023-01-11T12:59:47","modified_gmt":"2023-01-11T17:59:47","slug":"create-a-jumpcloud-managed-vpn-using-pritunl","status":"publish","type":"post","link":"https:\/\/jumpcloud.com\/blog\/create-a-jumpcloud-managed-vpn-using-pritunl","title":{"rendered":"How to Create a JumpCloud-Managed VPN Using Pritunl"},"content":{"rendered":"\n

It’s the worst-kept secret in IT: small and medium-sized enterprises (SMEs) must use their budgets judiciously. The cost of network hardware, in particular, can be a major obstacle that places constraints on what IT admins can accomplish. The domainless enterprise presents a solution, minus the expensive hardware to manage your directory and access control (and especially your VPN). This makes strong perimeter security achievable at sustainable costs.

JumpCloud provides identity and access management (IAM) infrastructure through the cloud that you can configure to manage Pritunl, an open source VPN that’s based on OpenVPN. JumpCloud provides your directory of users and devices or will extend your existing directory. OpenVPN is a mature, widely used solution that’s been available for over two decades. It’s functionally the same as VPN appliances that you’d pay a reseller to obtain at high cost.

The benefits extend beyond connectivity: JumpCloud layers on additional Zero Trust security controls that are transparent to the end user beyond being prompted to authenticate themselves when they’re accessing IT resources. This solution protects your confidential information and systems while reducing the costs that are traditionally associated with remote IT access.

JumpCloud Manages and Secures

JumpCloud’s LDAP directory underpins access control and has integrated Zero Trust security features that continuously authenticate and authorize users. The cloud directory extends to single sign-on (SAML SSO) to direct users to the JumpCloud portal for authentication. JumpCloud then layers on security features, including environment-wide multi-factor authentication (MFA) and conditional access, to determine which devices may access your VPN and from where.

Other features manage and secure your devices, cross-OS, with patching and pre-built policies that act to harden systems against common security exploits. Conditional access leverages these capabilities so that only compliant devices are granted access to your VPN. This added security is accomplished without installing and maintaining additional software or hardware.

Streamlined User Lifecycle Management

The JumpCloud directory handles permissions differently than traditional on-premises solutions such as Microsoft’s Active Directory. They’re similar in that access to your VPN is determined by group membership(s), but JumpCloud’s user management is designed for the modern era. JumpCloud utilizes attribute-based access control (ABAC), which suggests membership changes when a user should (or shouldn’t) have access to IT resources. Attributes such as “manager” are actively polled to verify memberships, which saves time managing users and helps IT admins avoid potential security issues from internal and external threat actors.

This capability isn’t limited to the JumpCloud directory. Our platform integrates and extends existing directories such as Active Directory, Azure AD, or Google Workspace. JumpCloud’s platform provides vital cross-OS Zero Trust management and security that those systems lack.

Now, let’s discuss how to get started with integrating JumpCloud and Pritunl. Detailed guidance about how to install Pritunl or subscribe to its managed services can be found on its website.

JumpCloud Setup

The initial step is to create a custom SSO connector for Pritunl. JumpCloud provides hundreds of free connectors as part of your subscription, and is routinely adding more, so search for a pre-built Pritunl connector before you move ahead with this project. Continue to the next section if one isn’t available.

Create a SAML Connector

Click the SSO button in the left frame of the administrative console and hit the “plus” sign to start a new SSO connection. Select “Custom SAML App” and begin by filling in the requisite information to label your connector and choose a color scheme and logo. More context is available in JumpCloud’s SAML how-to article should you have any additional requirements.

\"\"<\/figure>\n\n\n\n

Then, navigate to the SSO tab and enter an Entity ID that’s unique to your organization’s environment. The settings on this screen are case-sensitive on both systems; any typo will result in errors and the integration will fail. Your Pritunl FQDNs and JumpCloud IDs may differ, but the fields should be formatted as outlined below:

\"\"<\/figure>\n\n\n\n

Follow the URL\/URI formats precisely<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

The redirect endpoint ensures that JumpCloud\u2019s console will be used to log users into the VPN<\/em><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

Pritunl requires the \u201corg\u201d attribute for group memberships<\/em><\/p>\n\n\n\n

Activate the JumpCloud SSO connector once you’re finished and download the certificate. You’ll be required to paste that certificate into Pritunl’s GUI in a later step.

Set Up Groups and Permissions

Click on the User Groups tab and add the group(s) that should have access to the VPN service. The link below is a detailed guide for admins who are unfamiliar with using JumpCloud.

Getting Started: User Groups

\"\"<\/figure>\n\n\n\n

Group membership grants access rights to the VPN<\/em><\/p>\n\n\n\n

<\/em>Pritunl VPN will be available within the JumpCloud User Console<\/em><\/p>\n\n\n\n

Pritunl SSO Setup

Pritunl has JumpCloud listed as an authentication provider. Pull down the list, select JumpCloud, and select “add provider” to start the process of filling in Identity Provider settings.

\"\"<\/figure>\n\n\n\n

The settings will be identical to what you entered into the JumpCloud admin console. Open the downloaded certificate in a text editor on your PC and paste its contents into the certificate field. This integration also requires a JumpCloud API key from your console, which is outlined in the next section. Both of these entries are confidential and should be kept private and carefully controlled.

\"\"<\/figure>\n\n\n\n

Your JumpCloud API key may be reviewed by clicking on your user icon at the top right of your console. Note: Generating a new key will revoke prior keys and could break prior integrations.

\"\"<\/figure>\n\n\n\n

You’re now ready to test your configuration.

Add Zero Trust Security from JumpCloud

Strongly consider adding Zero Trust security controls with JumpCloud Conditional Access Policies. These policies extend security beyond strong passwords and MFA alone.

Policies are assigned to existing groups, or you may create dedicated groups for your requirements. Different groups may have different policies (or no policies). Policies include: