We have a Pritunl VPN server running on 192.168.0.201. It uses OpenVPN and has one network, 192.168.243.0/24.
On 192.168.0.251, an nginx reverse proxy is running to expose some websites running in Docker.
Our goal is to be able to connect to these services only when on the local network (192.168.0.0/16). Hence, in Nginx, an access control list is configured to only allow connections from 192.168.0.0/16. This works for a device on the local network.
However, when a remote device connects through the Pritunl VPN, Nginx does not see the server IP 192.168.0.201 nor a local IP in 192.168.243.0/24 as the Client IP, but rather it sees the original device’s IP:
[30/Nov/2024:13:06:46 +0000] - - 403 - GET https [...] "/" [Client 188.65....]
As such, nginx is returning 403 Forbidden responses as the IP is not allowed by access lists. But then, if I google “what is my ip” when connected through the VPN, it does show the VPN server’s public IP address.
Now we could solve this by not proxying the local service through nginx and instead just publishing the port through Docker, but we’d like to be able to use a domain name to connect rather than an IP address, which is made much easier with nginx.
So the question is, is this behaviour configurable? Can we make it so that any request going through the VPN has Client IP 192.168.0.201 or 192.168.243.0/24?
EDIT: FYI, I’m using a generic OpenVPN client to connect, not the Pritunl client.
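To check whether the 403s come from an ACL gap or from the source address that actually reaches Nginx, the following added script (not part of the question or of Pritunl/Nginx) replays log lines in the format quoted above against the `allow 192.168.0.0/16; deny all;` rule. The log lines, the hostname and the 188.65.10.20 address are constructed placeholders.

```python
import ipaddress
import re

# ACL as described in the question: allow the LAN range, deny everything else.
ALLOW = [ipaddress.ip_network("192.168.0.0/16")]
# Pritunl's OpenVPN network from the question.
VPN_NET = ipaddress.ip_network("192.168.243.0/24")

# Constructed sample lines in the same shape as the quoted Nginx log entry.
# 188.65.10.20 and example.local are placeholders, not real values.
SAMPLE_LOG = """\
[30/Nov/2024:13:06:46 +0000] - - 403 - GET https example.local "/" [Client 188.65.10.20]
[30/Nov/2024:13:07:02 +0000] - - 200 - GET https example.local "/" [Client 192.168.243.7]
[30/Nov/2024:13:07:15 +0000] - - 200 - GET https example.local "/" [Client 192.168.0.55]
"""

CLIENT_RE = re.compile(r"\[Client ([0-9a-fA-F.:]+)\]")


def client_ip(line):
    """Extract the '[Client x.x.x.x]' address from one log line, or None."""
    m = CLIENT_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def acl_allows(addr):
    """Emulate 'allow 192.168.0.0/16; deny all;' (first match wins)."""
    return any(addr in net for net in ALLOW)


def vpn_subnet_covered():
    """True if every VPN client address would pass the allow rule."""
    return any(VPN_NET.subnet_of(net) for net in ALLOW)


def audit(log_text):
    """Return [(client_ip, allowed_by_acl), ...] for each parseable log line."""
    results = []
    for line in log_text.splitlines():
        ip = client_ip(line)
        if ip is not None:
            results.append((str(ip), acl_allows(ip)))
    return results


if __name__ == "__main__":
    # If this prints True, the ACL is not the problem: the request simply did
    # not arrive from a 192.168.0.0/16 address, e.g. the public client IP.
    print("VPN subnet inside allow list:", vpn_subnet_covered())
    for ip, ok in audit(SAMPLE_LOG):
        print(f"{ip:>16}  {'allowed' if ok else 'DENIED (403)'}")
```

A denied entry whose address is outside 192.168.0.0/16, while the VPN subnet is reported as covered, means the traffic is reaching Nginx with the remote client's address rather than a VPN or server address.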