Be part of JetBrains PHPverse 2026 on June 9 – a free online event bringing PHP devs worldwide together.

lechicken's avatar

How to keep multi-server setup only accessible via private vpn?

Hi there,

I was checking our nginx access log and it is scary to see what people try to do all the time.

Our laravel app is only to be used by max 10 people. Is there a way I can set up a vpn that users need to be connected to before they can connect to the server?

Our current set-up is 1 app server, 2 worker servers, 1 Redis server, 1 DB server. They are all sitting in a private network in Hetzner and they communicate with eachother via the private IP address.

Our worker servers do communicate a lot with external API's, so I would need to make sure that this new set-up wouldnt interfere with that.

We are using Laravel 8 and use Envoyer for the app and worker servers.

Any tips or comments are highly appreciated!

0 likes
3 replies
LaryAI's avatar
LaryAI
AI
2 years ago
Level 58

To restrict access to your servers so that they are only accessible via a private VPN, you can follow these steps:

  1. Set Up a VPN Server: You need to set up a VPN server that your users will connect to. There are several VPN solutions available, such as OpenVPN or WireGuard. You can set up a VPN server on a separate machine or one of your existing servers.

  2. Configure VPN Clients: Configure the VPN clients on the devices of the 10 users who need access to the application. They will need to connect to the VPN before they can access any of the servers.

  3. Firewall Configuration: Configure the firewall on each of your servers to only allow incoming connections from the VPN's private IP range. This ensures that only devices connected to the VPN can communicate with the servers.

  4. Nginx Configuration: If necessary, you can also configure Nginx to only allow requests from the VPN's private IP range. This can be done by updating the server block configuration to include an allow directive for the VPN's IP range and deny all others.

Here's an example of how you might configure your Nginx server block:

server {
    listen 80;
    server_name yourdomain.com;

    # Allow only VPN IP addresses
    allow 10.8.0.0/24; # Replace with your VPN's private IP range
    deny all;

    # ... the rest of your configuration
}

  1. External API Communication: Since your worker servers need to communicate with external APIs, you should ensure that the VPN configuration allows for outbound connections to the internet. This is typically allowed by default, but you should verify that the VPN's routing and firewall rules do not block these outbound connections.

  2. Testing: After setting up the VPN and updating your firewall and Nginx configurations, test the setup thoroughly. Ensure that you can access the application via the VPN and that all external API communications work as expected.

  3. Monitoring and Maintenance: Regularly monitor your VPN and server logs to ensure that everything is functioning correctly and that there are no unauthorized access attempts.

Remember to keep your VPN server and all other software up to date with security patches to prevent vulnerabilities.

Here's a basic outline of the steps you would take to set up OpenVPN on a server:

  1. Install OpenVPN and Easy-RSA.
  2. Set up the CA directory using Easy-RSA and build the CA.
  3. Generate server certificates and keys.
  4. Generate client certificates and keys for each user.
  5. Configure the OpenVPN server.
  6. Start the OpenVPN server and enable it to start on boot.
  7. Distribute client configuration files and certificates to your users.

Please note that setting up a VPN can be complex and may require a good understanding of networking and security. If you're not familiar with these concepts, you might want to consider hiring a professional to ensure that your VPN is secure and configured correctly.

Snapey's avatar

have a look at cloudflare's offerings. They can dump a lot of traffic for you with very simple controls. For instance, if all your users are in one country you can white list requests from that country and dump everything else.

1 like
Meissgenry's avatar

Since your worker servers need to communicate with external APIs, you might want to configure the VPN to allow that traffic while still restricting access to the app server. You can achieve this by setting appropriate firewall rules or using split tunneling.

Please or to participate in this conversation.