NGINX Available from OpenVPN remote server

  • I have a 2nd instance of NGINX running to serve wpad.
    I am also running OpenVPN as a client to ExpressVPN.

    It seems the NGINX instance is available from the ExpressVPN remote address and returns a 403 on attempts to connect (I have limited the IP address ranges). But I don't even want NGINX available to the WAN or VPN interfaces at all.

  • Rebel Alliance Developer Netgate

    If you can access it remotely, your rules on the VPN and/or WAN are far too permissive.

    But really, you should not be using the firewall as a web server anyhow. Find something else on the local network to serve content like that (such as a Pi) where it can be properly isolated.

  • @jimp far too permissive? I have block all IPv4/6 on all interfaces and only allow out / in for what I need.
    I disabled the 2nd instance, so only the webConfigurator is running, and I am still getting a 403 Forbidden on port 80 (have not enabled the port 80 redirector). It is not available via the WAN interface, only the OpenVPN ones.
    (I have two up in fallback mode, but can get the 403 Forbidden from both.)

  • Rebel Alliance Developer Netgate

    Either your rules are wrong or your test methodology is wrong.

    If you are connecting to your interface IP address on the VPN from the LAN, then that's the LAN rules passing you through, and you have nothing to worry about.

    If you can actually connect from the Internet/remote side of the VPN, then your rules are wrong.

  • @jimp

    • I set the webConfigurator redirector back on
    • the only rule on the WAN, VPN1 and VPN2 interfaces is Block All IPv4/6
    • OpenVPN remote host address is 37.48.x.x:1195 and 94.242.x.x:1195
    • I use my mobile phone browser from the Vodafone network and go to http://37.48.x.x or http://94.242.x.x and get
      NGINX 403 Forbidden

    I should not be getting any NGINX response, I would have thought, let alone a response on port 80.

  • Rebel Alliance Developer Netgate

    Check your floating rules, and check Status > Filter Reload to make sure your ruleset is loading properly.

    And are you certain you are hitting your own nginx? Is it logged by nginx on the firewall? Does it show in a packet capture?
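The two checks suggested in the reply above (is the 403 really from your own nginx, and does the firewall's nginx log the request?) can be scripted. The following is an added example for this thread, not code from any of the posters or from pfSense: it compares the fingerprint of the response seen at the VPN endpoint address with one fetched from the firewall's LAN address, where the nginx is known to be yours, and then searches an nginx combined-format access log for the test client's IP. All addresses, timestamps, responses and log lines in it are constructed for the demo; the helper names are my own.

```python
"""Added example (not from the thread): is the 403 at the VPN endpoint address
really the firewall's own nginx?

Check 1: fingerprint the remote 403 and a 403 from the firewall's LAN address;
         the same nginx returns the same status, Server header and error body.
Check 2: look for the test client's IP in the firewall's nginx access log
         (combined log format); no entry means the request never reached it.
All addresses, responses and log lines below are constructed sample data.
"""
import hashlib
import re
import sys
import urllib.error
import urllib.request


def fingerprint(status, headers, body):
    """Reduce an HTTP response to the fields that identify the serving daemon."""
    h = {k.lower(): v for k, v in headers}
    return {
        "status": status,
        "server": h.get("server", ""),
        "content-type": h.get("content-type", ""),
        "body_sha256": hashlib.sha256(body).hexdigest(),
    }


def same_server(fp_remote, fp_local):
    """True when the remote and the known-local response look like one nginx."""
    return (fp_remote["status"] == fp_local["status"]
            and fp_remote["server"] == fp_local["server"]
            and fp_remote["body_sha256"] == fp_local["body_sha256"])


def fetch(url, timeout=5):
    """Fetch url and return (status, headers, body); 4xx/5xx are data here."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.getheaders(), r.read()
    except urllib.error.HTTPError as e:
        return e.code, list(e.headers.items()), e.read()


# nginx "combined" format: ip - user [time] "request" status bytes "ref" "ua"
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) ')


def requests_from(client_ip, log_lines):
    """Return (timestamp, request line, status) for every hit from client_ip."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(1) == client_ip:
            hits.append((m.group(2), m.group(3), int(m.group(4))))
    return hits


# Constructed sample data (hypothetical): the remote 403 carries a versioned
# nginx footer, the firewall's own nginx does not, so the bodies differ.
SAMPLE_REMOTE = (403, [("Server", "nginx"), ("Content-Type", "text/html")],
                 b"<html><h1>403 Forbidden</h1><hr><center>nginx/1.18.0</center></html>")
SAMPLE_LOCAL = (403, [("Server", "nginx"), ("Content-Type", "text/html")],
                b"<html><h1>403 Forbidden</h1><hr><center>nginx</center></html>")
SAMPLE_LOG = [
    '192.168.1.20 - - [12/Oct/2023:10:00:01 +0000] "GET /wpad.dat HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '192.168.1.21 - - [12/Oct/2023:10:00:05 +0000] "GET / HTTP/1.1" 403 153 "-" "curl/8.0"',
]
PHONE_IP = "203.0.113.7"  # constructed: the mobile client's public address


def demo():
    """Run both checks on the constructed data; returns (same_nginx, hits)."""
    same = same_server(fingerprint(*SAMPLE_REMOTE), fingerprint(*SAMPLE_LOCAL))
    hits = requests_from(PHONE_IP, SAMPLE_LOG)
    return same, hits


if __name__ == "__main__":
    if len(sys.argv) == 3:
        # Live mode: python3 check403.py http://<vpn-endpoint>/ http://<firewall-lan-ip>/
        remote, local = (fingerprint(*fetch(u)) for u in sys.argv[1:3])
        print("remote:", remote)
        print("local: ", local)
        print("same nginx:", same_server(remote, local))
    else:
        same, hits = demo()
        print("same nginx:", same)
        print("access-log hits from", PHONE_IP, ":", hits)
```

Run it with the VPN endpoint URL and the firewall's LAN URL as arguments, then grep the firewall's nginx access log (on pfSense the webConfigurator logs under /var/log/nginx) for the phone's public IP with `requests_from`. A matching fingerprint plus a log hit means the request really terminated on the firewall and the ruleset needs fixing; a different fingerprint and no log entry means something upstream, not your nginx, is answering on that address. A packet capture on the OpenVPN interface for TCP port 80 during the test settles it either way.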
