How can I only allow private VPN/local connection to a certain subdomain?

Hi,

I have wireguard setup with wg-easy, like so:

  wg-easy:
    environment:
      - WG_HOST=vpn.stub.com
      - PASSWORD=notthistimelol
    image: weejewel/wg-easy
    container_name: wg-easy
    volumes:
      - ./config/wgeasy:/etc/wireguard
    ports:
      - "51820:51820/udp"
      - "51821:51821/tcp"
    restart: unless-stopped
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    sysctls:
      - net.ipv4.ip_forward=1
      - net.ipv4.conf.all.src_valid_mark=1

stub.com (not my actual domain) is a public domain registered under Cloudflare.

I have a setup in caddy like so:

stub.com {
    root * /usr/share/caddy/dashboard
    file_server
}

vpn.stub.com {
    log default {
        output stdout
    }

    @internal {
        remote_ip 192.168.0.0/16 172.16.0.0/12 10.0.0.0/8 127.0.0.1/8 192.168.1.0/24 10.8.0.2 31.124.238.187
    }

    handle @internal {
        reverse_proxy wg-easy:51821
    }

    respond "Access to the local network is required. Possibly through wireguard."
}

My problem is that I cannot detect local IPs, as the IP that is given to it is a public IP address like 32.123.234.187, and public IP addresses give no clue as to whether a device is connected by VPN or is even in the network. I really am not sure how to only accept local connections for certain subdomains with this.

{"level":"error","ts":1692290503.1930206,"logger":"http.log.access.default","msg":"handled request","request":{"remote_ip":"31.124.238.187","remote_port":"53069","client_ip":"32.123.234.187","proto":"HTTP/2.0","method":"GET","host":"vpn.stub.com","uri":"/","headers":{"Accept-Language":["en-GB,en;q=0.9"],"Sec-Fetch-Dest":["document"],"Accept":["text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"],"Sec-Fetch-Site":["none"],"Cookie":[],"Accept-Encoding":["gzip, deflate, br"],"Sec-Fetch-Mode":["navigate"],"User-Agent":["Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.0 Mobile/15E148 Safari/604.1"]},"tls":{"resumed":false,"version":772,"cipher_suite":4865,"proto":"h2","server_name":"vpn.stub.com"}},"bytes_read":0,"user_id":"","duration":3.001454656,"size":0,"status":502,"resp_headers":{"Server":["Caddy"],"Alt-Svc":["h3=\":443\"; ma=2592000"]}}

Sorry if this is a badly formed question, but any help is really appreciated!

You'll have to run a DNS server somewhere and then route DNS traffic from client devices to that server. This DNS server should resolve vpn.stub.com to the private/VPN IP address of Caddy, and all other queries should be proxied to some other DNS provider. Then the rest of the config in Caddy will work like you are expecting it to.

A few other options are:

  1. Allow all traffic and filter it with basic auth. This may break some applications (because they may not offer a way to authenticate with Caddy in this way).
  2. Use mTLS and configure Caddy to block any traffic without an mTLS certificate.
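As an added illustration of the DNS-based approach and of option 2 (this is example config, not from the thread), the site block below assumes the split-horizon DNS is in place so that VPN clients reach Caddy on its private address and Caddy sees their tunnel IP (wg-easy's default 10.8.0.0/24 falls inside 10.0.0.0/8); the second block uses a hypothetical hostname and CA file path purely to show the mTLS variant side by side.

```caddyfile
# Added example, not the original poster's Caddyfile.
# Assumes clients on the VPN/LAN resolve vpn.stub.com to Caddy's private
# address, so remote_ip is their tunnel or LAN address, not a public one.
vpn.stub.com {
    log default {
        output stdout
    }

    # private_ranges expands to 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16,
    # 127.0.0.0/8, fc00::/7 and ::1, so the wg-easy tunnel (10.8.0.x) and
    # the LAN match without listing each range by hand.
    @internal {
        remote_ip private_ranges
    }

    handle @internal {
        reverse_proxy wg-easy:51821
    }

    # Anyone arriving from a public address (i.e. via the public DNS record)
    # gets an explicit 403 instead of a 200 carrying the message.
    respond "Access to the local network is required. Possibly through wireguard." 403
}

# Option 2 from the answer: require a client certificate instead of trusting
# source addresses. Hypothetical hostname and CA path; a client without a
# certificate signed by that CA fails the TLS handshake before any request
# reaches the reverse proxy, so no source-IP detection is needed at all.
vpn-mtls.stub.com {
    tls {
        client_auth {
            mode require_and_verify
            trusted_ca_cert_file /etc/caddy/vpn-clients-ca.pem
        }
    }
    reverse_proxy wg-easy:51821
}
```

With the first block, a request from a public address such as the 32.123.234.187 seen in the question's log no longer matches @internal and is rejected with 403 rather than being proxied.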