Tags: docker, nginx, http-status-code-403, plesk, openvpn

SOLVED Forbidden 403: access private web site from and to OpenVPN network (client uses public IP instead of OpenVPN IP)


I'm trying to access a private web site from/to an OpenVPN network. But nginx shows, in the access.log, that the client uses its public IP instead of its private OpenVPN IP.

Here you can see my network:

OpenVPN server (tun mode): 
     10.10.10.1 (server public ip)
          172.17.0.1 (docker bridge)
               172.17.0.2 (openvpn server container)
               192.168.255.1 (openvpn server private ip)

My client :
     10.10.10.2 (public ip)
          192.168.255.10 (openvpn private ip)

mywebsite.domain.com : this is the private web site I'm trying to access.

nginx conf (the allow line of this nginx conf doesn't work...). "The location param is not important here".

# only the client's OpenVPN address is allowed; every other source gets 403
allow 192.168.255.10/32;
deny all;
location / {
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_pass http://localhost:9000;
}

I get a 403 Forbidden when I'm trying to connect with "My client".

If I use this nginx conf :

allow 10.10.10.2;

Then, the mywebsite.domain.com works properly.

So... why doesn't "My client" use the internal OpenVPN IP (which is 192.168.255.10)? In the nginx access.log, I can see that My client uses its public IP.

To clarify: except for this point, my OpenVPN server seems to work properly. For example, when I browse the Internet with my client, external web sites see the public IP of the server (10.10.10.1). I used mon-ip.io to check.

Anyone have an idea?

Thank you in advance!


Solution

  • Solved! https://serverfault.com/questions/858657/openvpn-and-website-on-the-same-server-ip

    This is a routing problem.

    In order to establish and maintain a connection to your VPN, your VPN client must have a route to the address you are using on the server for incoming VPN connections. Assuming standard routing, this means anything destined for the same IP used by the VPN server will directly cross the Internet.

    Options.

    • The short basic answer is to get and use a separate IP address for your VPN server. Don't use the same IP you use for your VPN for anything else.

    • Set up a DNS server on your VPN host and deliver records that map the hosted sites to internal IP addresses when you are connected.

    • If you are running Linux as your client then you could mess around with policy routing and multiple tables, and send only port 1194 traffic through the standard table, and HTTP/HTTPS traffic over the VPN.
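To make the routing explanation concrete, here is an added example (not code from the asker or from the linked serverfault answer) that simulates the client's kernel route lookup with the addresses from the question. It models the main table as OpenVPN leaves it after a `redirect-gateway def1` push (two /1 routes via the tunnel plus a /32 host route to the VPN server via the physical interface) and shows why a packet to mywebsite.domain.com, which resolves to the same 10.10.10.1 as the VPN endpoint, leaves via the public interface and is logged by nginx with the public source address. It then adds the policy-routing rules of the third option (port 1194 via the main table, HTTP/HTTPS via a tunnel-only table). Interface names `eth0`/`tun0` and the rule layout are assumptions for the illustration.

```python
"""Simulated route lookup for the OpenVPN-client-on-same-IP-as-website problem.

Constructed example: addresses come from the question, interface names and
the policy-routing layout are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Addresses from the question. The web site resolves to the VPN server's public IP.
VPN_SERVER = "10.10.10.1"
PUBLIC_SRC = "10.10.10.2"        # client's public address
VPN_SRC = "192.168.255.10"       # client's OpenVPN address


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network  # destination prefix
    iface: str                     # outgoing interface
    src: str                       # source address a packet takes when it leaves via this route


def longest_prefix_match(table: list[Route], dst: str) -> Optional[Route]:
    """Kernel-style lookup: the most specific matching prefix wins."""
    addr = ipaddress.ip_address(dst)
    matches = [r for r in table if addr in r.prefix]
    return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


def client_main_table() -> list[Route]:
    """Main table after OpenVPN pushes redirect-gateway def1 (interface names assumed)."""
    n = ipaddress.ip_network
    return [
        Route(n("0.0.0.0/0"), "eth0", PUBLIC_SRC),         # original default route
        Route(n("0.0.0.0/1"), "tun0", VPN_SRC),            # def1: first half of the address space via tunnel
        Route(n("128.0.0.0/1"), "tun0", VPN_SRC),          # def1: second half via tunnel
        Route(n("192.168.255.0/24"), "tun0", VPN_SRC),     # the VPN subnet itself
        Route(n(VPN_SERVER + "/32"), "eth0", PUBLIC_SRC),  # host route keeping the tunnel endpoint reachable
    ]


def client_vpn_only_table() -> list[Route]:
    """Extra table for option 3: everything via the tunnel, no host route to the server."""
    return [Route(ipaddress.ip_network("0.0.0.0/0"), "tun0", VPN_SRC)]


@dataclass(frozen=True)
class Rule:
    matches: Callable[[str, int], bool]  # (destination, destination port) -> bool
    table: str


def policy_rules() -> list[Rule]:
    """Option 3 from the answer: OpenVPN itself (port 1194) uses the main table,
    HTTP/HTTPS uses the tunnel-only table, anything else falls back to main."""
    return [
        Rule(lambda dst, dport: dport == 1194, "main"),
        Rule(lambda dst, dport: dport in (80, 443), "vpn_only"),
        Rule(lambda dst, dport: True, "main"),
    ]


def route_packet(dst: str, dport: int, tables: dict, rules=None) -> Optional[Route]:
    """Pick the route for a packet. Without rules this is a single-table lookup."""
    if rules is None:
        return longest_prefix_match(tables["main"], dst)
    for rule in rules:
        if rule.matches(dst, dport):
            chosen = longest_prefix_match(tables[rule.table], dst)
            if chosen is not None:
                return chosen
    return None


def source_seen_by_nginx(dport: int = 443, use_policy_routing: bool = False) -> tuple:
    """(interface, source IP) a packet to mywebsite.domain.com leaves the client with."""
    tables = {"main": client_main_table(), "vpn_only": client_vpn_only_table()}
    rules = policy_rules() if use_policy_routing else None
    route = route_packet(VPN_SERVER, dport, tables, rules)
    return route.iface, route.src


if __name__ == "__main__":
    # The /32 host route beats the /1 tunnel routes, so nginx logs 10.10.10.2 and "deny all" fires.
    print(source_seen_by_nginx())
    # With the policy rules, HTTPS goes through tun0 and nginx sees 192.168.255.10.
    print(source_seen_by_nginx(use_policy_routing=True))
```

The first call reproduces the 403 from the question: the /32 host route that OpenVPN needs for its own tunnel traffic is more specific than the /1 routes, so a web request to the same address never enters the tunnel and arrives at nginx from 10.10.10.2, which only the `allow 10.10.10.2;` variant accepts. The second call shows the effect of the policy-routing option: the same destination, selected by port into the tunnel-only table, now arrives from 192.168.255.10 and matches the original `allow 192.168.255.10/32;` line.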