I am setting up Pritunl VPN on an EC2 instance in a private subnet and want to use both an Application Load Balancer (ALB) for HTTPS access to the web console and a Network Load Balancer (NLB) for VPN traffic (UDP 1194, TCP 443).
Here’s my current setup:

- ALB (HTTPS 443) → Target Group (Instance) → Pritunl Web Console
- NLB (UDP 1194, TCP 443) → Target Group (Instance) → Pritunl VPN

Route 53 DNS records:

- vpn.teste.example → ALB for the web console
- tunnel.teste.example → NLB for VPN traffic
Issues:

1. In Pritunl settings, should I set the Public Address for VPN to the NLB DNS name?
2. Since NLB does not support SSL termination, should I configure TCP 443 on NLB to directly forward to the instance?
3. Is there any additional configuration required in Pritunl, Route 53, or security groups to ensure clients connect correctly via the NLB?
4. Would it be better to use an Elastic IP on NLB to avoid potential DNS resolution issues?
Has anyone successfully set up Pritunl behind both ALB and NLB on AWS? Any insights would be greatly appreciated!
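As an added illustration of the NLB half of this design (this is example Terraform written for this thread, not the poster's configuration or anything from the Pritunl project), the sketch below wires UDP 1194 and TCP 443 listeners on an internet-facing NLB straight through to the private instance, adds the alias record for tunnel.teste.example, and opens only the ports each path needs. Resource names, variable names, the VPC/subnet/instance/zone IDs and the instance-side port for the VPN's TCP listener (1194/tcp, kept off 443 so it does not collide with the web console the ALB fronts) are all assumptions.

```hcl
# Added example (not from the original post). All IDs and names are assumed.
variable "vpc_id"             { type = string }
variable "vpc_cidr"           { type = string }       # for NLB health-check sources
variable "public_subnet_ids"  { type = list(string) } # NLB lives here; instance stays private
variable "instance_id"        { type = string }       # the Pritunl EC2 instance
variable "instance_sg_id"     { type = string }       # security group on that instance
variable "alb_sg_id"          { type = string }       # security group of the console ALB
variable "zone_id"            { type = string }       # Route 53 hosted zone for teste.example

# Internet-facing NLB. It does no TLS: OpenVPN's own TLS handshake reaches the instance unchanged.
resource "aws_lb" "pritunl_nlb" {
  name               = "pritunl-nlb"
  load_balancer_type = "network"
  internal           = false
  subnets            = var.public_subnet_ids
}

# UDP 1194 -> instance UDP 1194. UDP target groups cannot be health-checked over UDP,
# so the check probes the VPN's assumed TCP listener on 1194 instead.
resource "aws_lb_target_group" "vpn_udp" {
  name        = "pritunl-vpn-udp"
  port        = 1194
  protocol    = "UDP"
  vpc_id      = var.vpc_id
  target_type = "instance"

  health_check {
    protocol = "TCP"
    port     = "1194"
  }
}

# TCP 443 on the NLB -> instance TCP 1194 (assumed Pritunl server port for the TCP profile).
resource "aws_lb_target_group" "vpn_tcp" {
  name        = "pritunl-vpn-tcp"
  port        = 1194
  protocol    = "TCP"
  vpc_id      = var.vpc_id
  target_type = "instance"
}

resource "aws_lb_listener" "vpn_udp" {
  load_balancer_arn = aws_lb.pritunl_nlb.arn
  port              = 1194
  protocol          = "UDP"
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vpn_udp.arn
  }
}

resource "aws_lb_listener" "vpn_tcp" {
  load_balancer_arn = aws_lb.pritunl_nlb.arn
  port              = 443
  protocol          = "TCP" # plain passthrough, no TLS listener on the NLB
  default_action {
    type             = "forward"
    target_group_arn = aws_lb_target_group.vpn_tcp.arn
  }
}

resource "aws_lb_target_group_attachment" "vpn_udp" {
  target_group_arn = aws_lb_target_group.vpn_udp.arn
  target_id        = var.instance_id
  port             = 1194
}

resource "aws_lb_target_group_attachment" "vpn_tcp" {
  target_group_arn = aws_lb_target_group.vpn_tcp.arn
  target_id        = var.instance_id
  port             = 1194
}

# Instance security group. With instance targets the NLB preserves the client's source IP,
# so the VPN ports must admit the Internet directly; health checks arrive from NLB node
# addresses inside the VPC and are covered by the VPC-CIDR rule.
resource "aws_vpc_security_group_ingress_rule" "vpn_udp_public" {
  security_group_id = var.instance_sg_id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "udp"
  from_port         = 1194
  to_port           = 1194
}

resource "aws_vpc_security_group_ingress_rule" "vpn_tcp_public" {
  security_group_id = var.instance_sg_id
  cidr_ipv4         = "0.0.0.0/0"
  ip_protocol       = "tcp"
  from_port         = 1194
  to_port           = 1194
}

# Web console: only the ALB's security group may reach instance port 443.
resource "aws_vpc_security_group_ingress_rule" "console_from_alb" {
  security_group_id            = var.instance_sg_id
  referenced_security_group_id = var.alb_sg_id
  ip_protocol                  = "tcp"
  from_port                    = 443
  to_port                      = 443
}

# tunnel.teste.example as an alias to the NLB, so clients never pin the NLB's changing node IPs.
resource "aws_route53_record" "tunnel" {
  zone_id = var.zone_id
  name    = "tunnel.teste.example"
  type    = "A"
  alias {
    name                   = aws_lb.pritunl_nlb.dns_name
    zone_id                = aws_lb.pritunl_nlb.zone_id
    evaluate_target_health = true
  }
}
```

Design notes on this sketch: the Pritunl server's Public Address would then be the alias name tunnel.teste.example rather than the raw NLB hostname, which keeps client profiles stable if the NLB is ever replaced; the console path stays closed to anything but the ALB, which is the piece of the design worth locking down since it carries administrative access; and if a fixed address is genuinely required, an NLB can be created with Elastic IPs per subnet (the aws_lb subnet_mapping block with an allocation_id) instead of relying on the alias, at the cost of managing those addresses yourself.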