The link automatic firewall will configure iptables to only allow other link hosts to access ports UDP/500, UDP/4500 and TCP/9790. The link will automatically adjust the allowed IP addresses when hosts are added or removed or when a host IP address changes. This option is useful for configurations where a host IP address can change frequently. This allows configuring the instance/external firewall to allow all IP addresses to access these ports without reducing the security of the system. This option is not intended to replace an instance/external firewall; it will only control access to the ports used by pritunl-link. Any application that interferes with iptables, such as firewalld, cannot be used with this option. Run the command sudo pritunl-link firewall-on on the link host to enable the firewall. When enabling this option all external firewalls, such as the instance or VCN firewall, should allow ports UDP/500, UDP/4500 and TCP/9790 from 0.0.0.0/0. The pritunl-link client will handle further restricting access to these ports from the Linux system firewall.

Each host has a priority that defaults to 1. The host with the highest priority that is available will always be used. This allows using a more powerful server as the primary and a less powerful server for failover to reduce costs. It is also necessary for some use cases such as the one shown below. In the example below the unifi-office location has a primary and failover client in both us-east-office and us-west-office. This configuration is useful if the unifi-office location needs access to both aws-us-east and aws-us-west but aws-us-east cannot access aws-us-west. Port forwarding is needed for the clients in the unifi-office location because the clients are behind a Unifi Security Gateway with only one public IP address. Without setting a priority it would be possible for both link0 and link1 to become active at the same time. If this were to happen both clients would continue to update the port forwarding, preventing the other client from connecting. To solve this, link0 in unifi-office should be given a higher priority than link1 in both us-east-office and us-west-office. This will ensure the same link client is active between us-east-office and us-west-office while still having fast and automatic failover to link1 if link0 were to fail.

When running pritunl-link on a network with an IPsec router only one host can be used. Automatic failover for that network will not be available, but other link locations can use automatic failover.
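As an added illustration of the allow-list behaviour described for the link automatic firewall (this is not pritunl-link's own code): it models a chain that admits only current link hosts on UDP/500, UDP/4500 and TCP/9790, and emits the iptables commands needed when a host is added, removed or changes address. The chain name LINK_ALLOW, the peer addresses and the iptables -S sample are constructed assumptions.

```python
import re

# Ports the documentation says only other link hosts may reach.
LINK_PORTS = (("udp", 500), ("udp", 4500), ("tcp", 9790))
CHAIN = "LINK_ALLOW"  # hypothetical chain name, not pritunl-link's real one

# Constructed `iptables -S LINK_ALLOW` output: two peers are currently allowed,
# and the chain ends by dropping the three ports from any other source.
SAMPLE_IPTABLES_S = """\
-N LINK_ALLOW
-A LINK_ALLOW -s 203.0.113.10/32 -p udp -m udp --dport 500 -j ACCEPT
-A LINK_ALLOW -s 203.0.113.10/32 -p udp -m udp --dport 4500 -j ACCEPT
-A LINK_ALLOW -s 203.0.113.10/32 -p tcp -m tcp --dport 9790 -j ACCEPT
-A LINK_ALLOW -s 198.51.100.20/32 -p udp -m udp --dport 500 -j ACCEPT
-A LINK_ALLOW -s 198.51.100.20/32 -p udp -m udp --dport 4500 -j ACCEPT
-A LINK_ALLOW -s 198.51.100.20/32 -p tcp -m tcp --dport 9790 -j ACCEPT
-A LINK_ALLOW -p udp -m multiport --dports 500,4500 -j DROP
-A LINK_ALLOW -p tcp -m tcp --dport 9790 -j DROP
"""

ACCEPT_RE = re.compile(
    rf"^-A {CHAIN} -s (\d+\.\d+\.\d+\.\d+)/32 -p (udp|tcp) (?:-m \w+ )?--dport (\d+) -j ACCEPT$"
)

def allow_rule(peer_ip, proto, port):
    """Canonical ACCEPT rule for one peer host and one link port."""
    return f"-A {CHAIN} -s {peer_ip}/32 -p {proto} --dport {port} -j ACCEPT"

def desired_rules(peer_ips):
    """Every current link host gets one ACCEPT per link port; nothing else."""
    return {allow_rule(ip, proto, port) for ip in peer_ips for proto, port in LINK_PORTS}

def current_rules(iptables_s_output):
    """Parse the per-peer ACCEPT rules for the link ports out of `iptables -S` output."""
    have = set()
    for line in iptables_s_output.splitlines():
        m = ACCEPT_RE.match(line.strip())
        if m and (m.group(2), int(m.group(3))) in LINK_PORTS:
            have.add(allow_rule(m.group(1), m.group(2), int(m.group(3))))
    return have

def reconcile(peer_ips, iptables_s_output):
    """Commands that add missing peers and delete stale ones (for example an old IP).
    The trailing DROP rules are untouched, so any non-peer source stays blocked."""
    want = desired_rules(peer_ips)
    have = current_rules(iptables_s_output)
    add = [f"iptables {r}" for r in sorted(want - have)]
    delete = [f"iptables {r.replace('-A ', '-D ', 1)}" for r in sorted(have - want)]
    return add, delete

if __name__ == "__main__":
    # Host 203.0.113.10 changed its address to 203.0.113.11: print the adjustment.
    for cmd in sum(reconcile({"198.51.100.20", "203.0.113.11"}, SAMPLE_IPTABLES_S), []):
        print(cmd)
```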