linux
aravindo, 2019-10-27 02:07:11

How to give access to the site only via VPN?

I have a virtual machine with OpenVPN and Nginx installed.
I need Nginx to return 403 Forbidden to a user "from the Internet", and 200 OK if the user is connected to the VPN server.
The Nginx setup is as follows:

server {
    listen       80;
    server_name  localhost;

    location / {
        add_header "Content-Type" "text/html";

        if ( $remote_addr !~ ^10\.6\. ) {
                return 403 "($remote_addr) Forbidden\n";
        }

        return 200 "($remote_addr) Hello from internal network\n";
    }
}

And the OpenVPN setup:
mode server
tls-server

server 10.6.0.0 255.255.255.0

ifconfig 10.6.0.254 10.6.0.253
route 10.6.0.0 255.255.255.0
push "route 192.168.0.0 255.255.255.0"

dev tun
verb 3
duplicate-cn
key key.pem
ca cert.pem
cert cert.pem
dh dh.pem
keepalive 10 60
persist-key
persist-tun
proto tcp-server
port 1194

Unfortunately, if I connect to the VPN and make a request to the real IP address of the server, $remote_addr contains my real address, not the one in the VPN network, and Nginx returns 403. How can I make it return 200 when accessing the public IP?
curl <public_ip_of_vps> # I get 403
curl 10.6.0.1 # I get 200


3 answer(s)
Markus Saar, 2019-10-27
@markus_saar

Perhaps this solution will be the simplest: if the users of your VPN have access to the Internet and an external IP address, you can use htaccess htaccess.ru/info/ip-filtering to allow access to the site only from this IP address.

ValdikSS, 2019-10-27
@ValdikSS

Add a route to the site's external IP address via the VPN for VPN users. This will not work if the site and the VPN server are located on the same IP address.

Val, 2019-10-27
@Desem

In server { add:
satisfy all;
allow 10.6.0.0/24;
deny all;
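
The routing behaviour behind the answers above, as an added example that is not part of the thread: a small model of the client's routing table and of the `allow 10.6.0.0/24; deny all;` check, showing why the public IP yields 403 until a route for it is pushed through the tunnel. The addresses are constructed samples, and the model assumes the site's external IP is a different address from the VPN server's and is reached without NAT, so the tunnel source address is preserved.

```python
import ipaddress

# Constructed sample addresses (documentation ranges), not from the thread.
CLIENT_REAL_IP = "198.51.100.7"   # client's address on the Internet
CLIENT_VPN_IP = "10.6.0.6"        # address the client gets inside 10.6.0.0/24
SITE_PUBLIC_IP = "203.0.113.10"   # site's external IP (assumed: not the VPN server's IP)

# Client routes after connecting with the OpenVPN config from the question:
# the VPN subnet and the pushed 192.168.0.0/24 use tun, everything else does not.
BASE_ROUTES = [
    ("0.0.0.0/0", "physical"),
    ("10.6.0.0/24", "tun"),
    ("192.168.0.0/24", "tun"),
]

def source_seen_by_server(dest, routes):
    """Longest-prefix match on the client's routes; returns the address the
    server would see in $remote_addr (assumes no NAT on the tunnel path)."""
    dest = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), dev) for net, dev in routes
               if dest in ipaddress.ip_network(net)]
    _, dev = max(matches, key=lambda m: m[0].prefixlen)
    return CLIENT_VPN_IP if dev == "tun" else CLIENT_REAL_IP

def nginx_status(remote_addr, allow="10.6.0.0/24"):
    """Models `allow 10.6.0.0/24; deny all;`: 200 inside the subnet, else 403."""
    inside = ipaddress.ip_address(remote_addr) in ipaddress.ip_network(allow)
    return 200 if inside else 403

def request(dest, routes):
    """Status a client with the given routes gets when requesting dest."""
    return nginx_status(source_seen_by_server(dest, routes))

if __name__ == "__main__":
    # Equivalent of adding push "route <site ip> 255.255.255.255" on the server.
    pushed = BASE_ROUTES + [(SITE_PUBLIC_IP + "/32", "tun")]
    print("10.6.0.1, base routes: ", request("10.6.0.1", BASE_ROUTES))
    print("public IP, base routes:", request(SITE_PUBLIC_IP, BASE_ROUTES))
    print("public IP, /32 pushed: ", request(SITE_PUBLIC_IP, pushed))
```

The CIDR check also rejects addresses such as 10.6.5.1, which the regex `^10\.6\.` from the question would accept.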
