Make syncthing listen only when user is connected to server using VPN

Hello, I’m trying to make Syncthing listen only to users connected to the server via VPN. I’m using a reverse proxy via nginx like this:

server {
        listen 80;
        server_tokens        off;
        server_name sync.domain.com;
        return 301 https://$host$request_uri;
}
server {
        listen 443 ssl http2;
...
...
        location / {
          proxy_set_header        Host $host;
          proxy_set_header        X-Real-IP $remote_addr;
          proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
          proxy_set_header        X-Forwarded-Proto $scheme;
          proxy_pass              http://localhost:8384/;
        }
}

However, this currently works without a VPN. When I change the listen address in the Syncthing config to the VPN address (WAN IP) and connect to it using the VPN, it doesn’t work and I’m not sure what to do here. It shows a 502 Bad Gateway when I do this.

Can someone help me?

Edit: I had used https://github.com/Nyr/openvpn-install to install the VPN.

Edit: Should I be using some sort of allow/deny in nginx instead?

Edit: Would I need something in the hosts file?

If you set Syncthing to listen only on the VPN address, then nginx cannot connect, as it uses the local / loopback address.

One solution could be to use the VPN address for the proxy_pass instead of localhost.

I would do the config the other way around. Set the remote device address inside Syncthing on the “clients” to the internal address of the “server”, so it can only be reached when connected to the VPN.

You could probably also set a require (or whatever it is called in nginx; “require” is from Apache) for your local / VPN subnet.

Thanks! I don’t really understand your suggested solution - did you mean that I could use this?

<gui>
<address>10.x.x.x:8384</address>
</gui>

I got the 10.x.x.x address under tun0 from doing an ifconfig -a.

Edit: No, I definitely misunderstood or did something wrong!

Edit: I tried all addresses that ‘hostname -I’ gave me with the same nginx configuration as in the first post. All gave me a 502 error.

If you want Syncthing to be behind nginx, then Syncthing needs to listen on 127.0.0.1 or localhost only, as all “external” connections need to go through nginx.

My first suggestion is invalid, as it wouldn’t result in what you want (if it even works).

My second suggestion is invalid, as it was about other Syncthing instances connecting, not about the Web GUI ;).

Restricting nginx to only VPN IPs should go like this inside your location / block:

allow   10.x.x.0/24;
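A complete version of the setup described in this answer, added here as an example and not taken from the thread or from the Syncthing project: Syncthing's GUI bound to loopback (config.xml: <gui><address>127.0.0.1:8384</address></gui>), nginx terminating TLS on the public address, and the location block restricted to the VPN subnet. The subnet 10.8.0.0/24 is an assumption (it is the usual OpenVPN default; use whatever tun0 shows), and the hostname and certificate paths are placeholders. One thing the single allow line above does not show: nginx evaluates allow/deny rules top to bottom and stops at the first match, so an allow with no trailing deny all still admits every other address. The deny all below is what actually locks non-VPN clients out.

```nginx
# Added example: Syncthing Web GUI behind nginx, reachable only from VPN clients.
# Assumes Syncthing's config.xml contains
#   <gui><address>127.0.0.1:8384</address></gui>
# and that the OpenVPN tunnel (tun0) uses 10.8.0.0/24 (assumption; adjust).
# sync.domain.com and the certificate paths are placeholders.

server {
    listen 80;
    server_tokens off;
    server_name sync.domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl http2;
    server_tokens off;
    server_name sync.domain.com;

    ssl_certificate     /etc/ssl/sync.domain.com/fullchain.pem;   # placeholder
    ssl_certificate_key /etc/ssl/sync.domain.com/privkey.pem;     # placeholder

    location / {
        # Access control on the client address nginx sees ($remote_addr).
        # Rules are checked in order and the first match wins, so "deny all"
        # must come last; without it, the allow line changes nothing.
        allow 10.8.0.0/24;   # VPN subnet handed out on tun0 (assumption)
        allow 127.0.0.1;     # optional: lets you test from the server itself
        deny  all;           # everyone else gets 403 Forbidden

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Syncthing listens on loopback only; nginx is the only way in.
        proxy_pass http://127.0.0.1:8384/;
    }
}
```

Check it with nginx -t before reloading, then verify from both sides: a request from a non-VPN address should return 403, and one from a VPN client should reach the GUI. Two caveats: the check keys on $remote_addr, so if another proxy or CDN sits in front of nginx it will see that hop's address rather than the client's and the rule will not do what you expect; and this only protects the Web GUI, not Syncthing's device-sync port, which is a separate listen setting in config.xml.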

This worked! Thank you so much wweich! It makes more sense now that you mention that it required listening to localhost!
