Netgate Discussion Forum

    NGINX Available from OpenVPN remote server

    • 4o4rh

      I have a 2nd instance of NGINX running to serve wpad.
      I am also running OpenVPN as a client to ExpressVPN.

      It seems the NGINX instance is available from the ExpressVPN remote address and returns a 403 on attempts to connect; I have limited the IP address ranges. But I don't even want NGINX available to the WAN or VPN interfaces at all.

      • jimp Rebel Alliance Developer Netgate

        If you can access it remotely, your rules on the VPN and/or WAN are far too permissive.

        But really, you should not be using the firewall as a web server anyhow. Find something else on the local network to serve content like that (such as a Pi) where it can be properly isolated.

        Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        • 4o4rh @jimp

          @jimp far too permissive? I have block all IPv4/6 on all interfaces and only allow out / in for what I need.
          I disabled the 2nd instance, so only the webConfigurator is running and I am still getting a 403 Forbidden on port 80 (have not enabled port 80 redirector). It is not available via the WAN interface, only the OpenVPN ones.
          (I have two up in fall back mode, but can get the 403 forbidden from both)

          • jimp Rebel Alliance Developer Netgate

            Either your rules are wrong or your test methodology is wrong.

            If you are connecting to your interface IP address on the VPN from the LAN, then that's the LAN rules passing you through, and you have nothing to worry about.

            If you can actually connect from the Internet/remote side of the VPN, then your rules are wrong.

            • 4o4rh @jimp

              @jimp

              • I set the webConfigurator redirector back on
              • The only rule on the WAN, VPN1 and VPN2 interfaces is Block All IPv4/6
              • OpenVPN remote host address is 37.48.x.x:1195 and 94.242.x.x:1195
              • I use my mobile phone browser from the Vodafone network and go to http://37.48.x.x or http://94.242.x.x and get
                NGINX 403 Forbidden

              I should not be getting any NGINX response, I would have thought, let alone a response on port 80.

              • jimp Rebel Alliance Developer Netgate

                Check your floating rules, and check Status > Filter Reload to make sure your ruleset is loading properly.

                And are you certain you are hitting your own nginx? Is it logged by nginx on the firewall? Does it show in a packet capture?

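One way to answer the "are you certain you are hitting your own nginx?" question, as an added example that is not part of the thread: request a unique path from the outside test client, then look for that exact path in the firewall's nginx log. The log format (nginx's default combined format, optionally behind a syslog prefix), the function names and the sample log lines are assumptions constructed for illustration.

```python
import re
import secrets

# nginx "combined" access-log fields (assumed format); search() tolerates a syslog prefix.
LOG_RE = re.compile(
    r'(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

def make_probe_path(token=None):
    """Return a unique path to request once from the outside test client."""
    token = token or secrets.token_hex(8)
    return f"/probe-{token}"

def find_probe(log_lines, probe_path):
    """Return parsed log entries whose request path is exactly the probe path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        # Ignore any query string; unparseable lines are skipped.
        if m and m.group("path").split("?", 1)[0] == probe_path:
            hits.append({"client": m.group("client"),
                         "time": m.group("time"),
                         "status": int(m.group("status"))})
    return hits

def verdict(hits):
    """Summarise what the presence or absence of the probe in the log means."""
    if hits:
        return "request reached this nginx: review interface and floating rules"
    return "not logged here: the response came from another host"

# Constructed sample log lines (documentation addresses, not taken from the thread).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Mar/2019:10:01:02 +0000] "GET /wpad.dat HTTP/1.1" 200 120 "-" "curl/7.64"',
    'Mar 12 10:02:11 fw nginx: 203.0.113.7 - - [12/Mar/2019:10:02:11 +0000] '
    '"GET /probe-1f2e3d4c5b6a7988 HTTP/1.1" 403 169 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/Mar/2019:10:03:40 +0000] "GET / HTTP/1.1" 403 169 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    # A probe that appears in the sample log, then a fresh one that does not.
    print(verdict(find_probe(SAMPLE_LOG, make_probe_path("1f2e3d4c5b6a7988"))))
    print(verdict(find_probe(SAMPLE_LOG, make_probe_path())))
```

A probe that draws a 403 in the browser but never appears in the firewall's log was answered by some other host at that address, which is the case the packet capture would also show.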
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.