IP Whitelist & VPNs

Hi there - I've successfully set up traefik the way I want it over my docker containers. Most containers are only visible on my internal network via IP whitelisting. I've also set up OpenVPN on my router. When I connect via OpenVPN, I'd like to be able to access those containers. Instead, I'm still blocked.

From my config.yml:

        - ""        <- My openvpn assigned IPs
        - ""    <- My internal IPs

If I add to the whitelist the origin IP of, say, my phone, then I'm golden - it works fine and allows my phone to access those containers while VPNd - but also allows access while not on the VPN, and also presumably anyone else who gets assigned that IP either through NAT or dynamic IPs for the phone.

So the question is; how do I configure traefik to look not at the original IP, but rather whether the request comes via another ip (in the range)? Or is this something that needs to be changed at the VPN level?

Thanks for any help!

1 Like

This has more to do with how you are reaching your endpoint. If you resolve the hostname to an internet ip. Then your phone is going to use an internet route to get there and the treafik router will see an external ip.

The key will be to resolve your service to an internal ip, so that when your phone accesses it it uses the vpn assigned ip address.

You can test this by resolving the endpoint while vpn is enabled an disabled.

I should have mentioned - I've configured the VPN to pipe all traffic via the tunnel, so if I connect my VPN on my phone then visit https://www.whatsmyip.org/ I get the same result as if I do so from my desktop on my internal network - does that change anything?

I am using a hostname which resolves to my WAN IP, but (I think!) opnsense is rewriting that in NAT reflection to the internal IP. I can't use a direct 192.168.* IP to access the services as they're all on an internal docker network and only enter & exit via Traefik.

It is likely you are not accessing with the IP address you think you are. Setting up a container with containous/whoami can help. Might be you need to be using an IP in the X-Forwarded-For header and thus need to use the depth option for ipWhitelist.

You are entirely correct and whoami showed it - turns out pushing everything through openvpn didn't work the way I thought it did, and it's tunneling as expected, but as you say still using the original WAN IP of the phone. Will play around with DNS to force resolve to a local IP; thanks for your help.

Hi @danieljmiles. Just curious, did you ever make any progress with this? I have the same use case and haven't been able to get anywhere on my openvpn options (server or client-side). if you solved the puzzle it'd be great to know how please!