Hello,
I guess I should try to post this issue on the Nginx forum first.
Simply put, in our case, one VPN client (an offsite laptop) would like to visit a web app (e.g., https://sub.example.com) that is only open to the IPs from the intranet IP range. We set this up by using the "allow/deny" directives.
However, the Nginx front-end node (provides reverse proxy) fails to detect the VPN private IP from the OpenVPN client. So the OpenVPN client got an error of "430 Forbidden". When the laptop sits on the intranet, it can connect to the web app successfully, without OpenVPN obviously.
Here is some basic information:
1. we have a public IP
2. general traffic path: Internet ---> Router (DD-WRT v24 sp1) ---> Front-end Node (Nginx Reverse Proxy) ----> upstream web server (with the web apps as virtual hosts)
3. DD-WRT (v24 sp1) defines the intranet size: 10.12.0.1/16
4. The dnsmasq service on the DD-WRT serves as the local DNS server (IP: 10.12.0.1, obviously)
5. The OpenVPN service on the DD-WRT serves as the OpenVPN server. Bridge mode is used. The OpenVPN server is configured to assign a private VPN IP to each OpenVPN client from the pool 10.12.8.1 -- 10.12.8.100
6. Behind the router sits a front-end node that uses Nginx for reverse proxy.
Everything seems to work just fine from the OpenVPN side. For example, when connected from an offsite public Wi-Fi at Starbucks to the intranet via OpenVPN,
===========
1. the OpenVPN client can connect to the OpenVPN server on the router successfully. The private VPN IP is assigned as expected, for example, 10.12.8.2
2. the OpenVPN client can use the local DNS server (10.12.0.1) on the DD-WRT router to resolve all the server hostnames on the intranet. Direct visit by the local intranet IP addresses works just fine.
3. computers physically on the intranet can connect to the subdomain (https://sub.example.com) successfully. This subdomain has the following access restriction in its reverse proxy configuration on the front-end node
allow 10.12.0.0/16;
deny all;
When an offsite computer connects to the intranet through OpenVPN from a public Wi-Fi, an error of "403 Forbidden" shows up in the web browser for https://sub.example.com.
The log on the front-end node shows
2019/01/11 15:27:45 [error] 17942#17942: *2513 access forbidden by rule, client: 172.58.232.64, server: sub.example.com, request: "GET / HTTP/1.1", host: "sub.example.com"
where 17.58.232.64 is the IP assigned to the offsite laptop by the public Wi-Fi when the laptop connected to it.
Our question is how to help Nginx detect the VPN private IP of 10.12.8.2 assigned by the OpenVPN server, so that the access restriction on the Nginx front-end for this subdomain of https://sub.example.com can work.
If something is missed, please let me know and we can provide extra information.
Can someone here help?
Thanks.
Nginx version: 1.10.3
OpenVPN Server 2.3.2
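A small diagnostic, added here as an illustration and not part of the original post: it replays nginx's allow/deny evaluation (first matching rule wins) over the rules quoted above and parses "access forbidden by rule" error-log lines to show whether each denied client address falls inside the OpenVPN pool. The sample log is constructed from the line in the post plus one made-up entry; the pool bounds and rules are the ones the post gives.

```python
import ipaddress
import re

# Constructed sample log: the line quoted in the post plus one more denied
# request from a second off-site address (constructed for illustration).
SAMPLE_LOG = """\
2019/01/11 15:27:45 [error] 17942#17942: *2513 access forbidden by rule, client: 172.58.232.64, server: sub.example.com, request: "GET / HTTP/1.1", host: "sub.example.com"
2019/01/11 15:31:02 [error] 17942#17942: *2520 access forbidden by rule, client: 203.0.113.7, server: sub.example.com, request: "GET /login HTTP/1.1", host: "sub.example.com"
"""

# The access rules from the post's server block, in the order nginx evaluates them.
RULES = [("allow", "10.12.0.0/16"), ("deny", "all")]

# The OpenVPN client pool described in the post (10.12.8.1 - 10.12.8.100) as CIDR blocks.
VPN_POOL = list(ipaddress.summarize_address_range(
    ipaddress.ip_address("10.12.8.1"), ipaddress.ip_address("10.12.8.100")))

LOG_RE = re.compile(r"client: (?P<client>[0-9a-fA-F.:]+), server: (?P<server>\S+),")


def evaluate(rules, client_ip):
    """Apply nginx allow/deny semantics: the first matching rule decides."""
    ip = ipaddress.ip_address(client_ip)
    for action, net in rules:
        if net == "all" or ip in ipaddress.ip_network(net, strict=False):
            return action
    return "allow"  # nginx permits a request that matches no rule


def in_vpn_pool(client_ip):
    """True when the address nginx logged comes from the OpenVPN pool."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in VPN_POOL)


def denied_clients(log_text):
    """Return (client, server, via_vpn) for each 'access forbidden by rule' line."""
    out = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line) if "access forbidden by rule" in line else None
        if m:
            client = m.group("client")
            out.append((client, m.group("server"), in_vpn_pool(client)))
    return out


if __name__ == "__main__":
    # The rules as written would admit a pooled VPN address ...
    print("10.12.8.2 ->", evaluate(RULES, "10.12.8.2"))
    # ... so a denied client outside the pool reached nginx without the tunnel.
    for client, server, via_vpn in denied_clients(SAMPLE_LOG):
        print(f"{client} for {server}: from VPN pool={via_vpn}")
```

If every denied client in the log sits outside the pool while evaluate() accepts 10.12.8.2, the rules are not the problem; the request is leaving the laptop via the public Wi-Fi rather than the tunnel.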