Whitelisting VPN in htaccess to secure app
-
Is there a way to use the htaccess to add an ip whitelist to wordpress which includes the local vpn/openvpn?
I got the htaccess working with one static ip, but including a rule to allow openvpn connections seems impossible to me. Is there a way?
-
Hi @JUVOJustin
in the end these openvpn connections also come from a single ip or an ip range. Where exactly are you stuck?
-
@fbartels Thanks for your feedback. Actually i dont actually know how to find the openvpn ip/range . I assumed it is always the same but allowing the one visible in the wordpress app log does not work
-
@JUVOJustin Is your intent to allow access to the WordPress app only when a user is connected via OpenVPN which is also installed on Cloudron ?
-
@girish Exactly. Only one other static ip needs to be whitelisted additionally
-
I did not totally understand the question, but you can check this page: https://whattheserver.com/securing-wordpress-login/ and take this part if feet for your needs
#whitelist office IP Address allow from 1.2.3.5Let me know
-
@p44 Thanks a lot. I already have set up access rules like the one you posted. It works with one static ip. What i need is to whitelist one static ip and the OpenVPN which runs on the same cloudron install as the wordpress installation.
Since i do not know where to find the OpenVPN IP with which clients connected to the vpn connect to the wordpress install i have no clue which ip to add to the htaccess.
-
@JUVOJustin if you open a terminal to the OpenVPN app, it should list all active interfaces set up for the clients.
The white list should also allow for a range instead of just single IP.
-
@robi Feeling stupid right now, but i dont see a a list with interfaces when opening a terminal to the OpenVPN app.
In the logs of the WordPress App i saw an ipv6 ip which represented by local internet connections ipv6. This seems to be caused due to a misconfiguration in OpenVPN after activating ipv6 for cloudron. However now a can see my private ipv4 address in the logs. Not the internal one of the VPN or the external one of the server.
I assumed i can see the external ip of the server in the logs and simply whitelist that. To achieve this do i have to work with the Forwarded header? Is there an example somewhere? I am a bit lost to be honest.
-
@JUVOJustin I don't think you're looking for the external IP as that would be your connecting IP from home.
While the VPN is in use, the private IP in use inside the tunnel can be used, which you already found in your logs.
If every time you connect, it stays the same, that is all you need.
-
@robi Hi, i validated. The ips shown in the wordpress app log are indeed my private ones, despite being connected to the vpn. I also validated my private ips are not leaked and validated only my vpn ips are visible outside the cloudron context.
For me this seems to be something cloudron specific. I have read this thread: https://forum.cloudron.io/topic/1541/wordpress-restrict-access-by-ip-wp-admin-and-wp-login-php/3 This seems to tackle the same problem. However i am not able to configure my htaccess to use X-Forwarded-For if thats even what i need.
-
@JUVOJustin Have you tried just putting the public IP of the server in htaccess? When openvpn channels the request to wordpress, it will see the public IP of the server itself and not the private/tunnel IP.
