
Blocking IPs using AWS WAF so that only users connected to a VPN can access CloudFront

Goal: Use AWS WAF to filter out traffic that hits CloudFront so that only users connected to the OpenVPN network can access the web application.

OpenVPN assigns any connected user to an IP in the network range of 172.xx.yyy.z/a.
I therefore whitelisted this range via a WAF rule in a Web ACL, and blacklisted any other IPs.
However, I cannot access the site.

Looking through CloudWatch, it becomes clear that this is because the VPN assigned IP is not actually being used to hit the web application. It is a modified IP that is very similar to the Public IP of my device.

As far as I can see, there is no way for me to determine a range for these 'custom' IPs. Given this, how do I ensure only VPN-connected users can access the site?

Have I missed something important? Any help solving this issue is appreciated.

Thanks!

172.16.0.0/12 IP addresses are private addresses (172.16.0.0 -- 172.31.255.255) and are not routable on the public internet.

If the IP you refer to is in this range then that's an address on a private network, ie the VPN Tunnel. The device on the far end of the VPN will have internet access and will have a public IP Address, which is routable on the public internet, and what CloudFront sees.

You'd need to know all of the Public IP CIDR blocks of the VPN services that your visitors use, otherwise you can't block by IP.

Though you may be able to restrict by a HTTP-header. If you examine the connections coming through (without WAF) you can learn this from the requests.

This is an "okay" - or good enough solution and certainly better than none. I don't know who down-voted but I understand why.

Please note, it would be preferable to route the traffic internally.

Per the comment above:

Sounds like you are using a 3rd party service. "It is a modified IP that is very similar to the Public IP of my device."

It seems like this is because the VPN users are hitting an external addressing of the resource (via CloudFront or otherwise) and that external address may be resolved through a 3rd party, like Cloudflare, or masked through AWS services themselves. It is probably through AWS services (so technically "3rd" party) BUT the result is the same => masked addressing. I believe this is why the problem OP pointed out exists.

AWS just introduced in the last few weeks the CloudFront-Viewer-Address header which helps solve that problem depending on your options.

Instead of using the public IP for the exit node for your VPN network, what I suggest (strongly) is to look into improving the routing for your VPN and related resources so that the "internal" traffic doesn't hit the open internet by introducing or improving your routing and moving to a largely VPC-based approach. Perhaps start here with an introduction to the VPC from Amazon.

Hope this helps! (someone) ;)

The end solution was to make sure all traffic was forced through OpenVPN.

This would mean anyone connecting to the VPN would have the public IP that was assigned to the VPN server.

Hence, this IP was the only one allowed to access the site via the WAF.
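The following is an added example, not code from the original question or any of the answers. It simulates the default-block Web ACL with a single IP-set allow rule that the thread converges on, and runs it over a constructed sample of what CloudFront logs record as the source address. It shows why the first attempt (allowlisting the 172.16.0.0/12 tunnel range) allows nothing, and why allowlisting the VPN server's public egress address works once all client traffic is forced through the tunnel. It also parses the CloudFront-Viewer-Address header mentioned in the second answer. The log lines, the VPN egress address 203.0.113.7 and the client addresses are placeholders from documentation ranges, and the assumption that the header's port is the final colon-separated component is noted in the code.

```python
"""Simulated AWS WAF IP-set decision for the VPN-only CloudFront setup.

Added example, not code from the original thread. All addresses below are
constructed placeholders from the RFC 5737 / RFC 3849 documentation ranges.
"""
import ipaddress
from typing import Iterable, List, Tuple, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
IPAddress = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# First attempt from the question: allowlist the OpenVPN tunnel range.
# 172.16.0.0/12 is private and never appears as the source of a request
# that reaches CloudFront over the public internet.
VPN_TUNNEL_RANGE: IPNetwork = ipaddress.ip_network("172.16.0.0/12")

# Accepted fix: allowlist the public IP the VPN server egresses from once
# every client is forced to send all traffic through the tunnel.
# Placeholder value, not a real server.
VPN_EGRESS_IP: IPNetwork = ipaddress.ip_network("203.0.113.7/32")

# Constructed sample of (c-ip, CloudFront-Viewer-Address) pairs as CloudFront
# logs would record them: the client's public address, not its tunnel address.
SAMPLE_REQUESTS: List[Tuple[str, str]] = [
    ("198.51.100.23", "198.51.100.23:51234"),  # VPN user before the fix (split tunnel): ISP IP
    ("203.0.113.7", "203.0.113.7:40111"),      # VPN user after full-tunnel: VPN egress IP
    ("192.0.2.55", "192.0.2.55:33002"),        # visitor not on the VPN at all
]


def viewer_ip(viewer_address: str) -> IPAddress:
    """Extract the IP from a CloudFront-Viewer-Address value of the form ip:port.

    Assumption: the port is the final colon-separated component, so splitting
    from the right keeps IPv6 literals intact; surrounding brackets are dropped.
    """
    host, _sep, _port = viewer_address.rpartition(":")
    return ipaddress.ip_address(host.strip("[]"))


def waf_decision(source_ip: str, allowed: Iterable[IPNetwork]) -> str:
    """Default-block Web ACL with one allow rule backed by an IP set."""
    addr = ipaddress.ip_address(source_ip)
    return "ALLOW" if any(addr in net for net in allowed) else "BLOCK"


def evaluate(requests: Iterable[Tuple[str, str]],
             allowed: Iterable[IPNetwork]) -> List[Tuple[str, str]]:
    """Apply the ACL to every logged request and return (c-ip, decision) pairs."""
    nets = list(allowed)
    return [(c_ip, waf_decision(c_ip, nets)) for c_ip, _hdr in requests]


def count_allowed(requests: Iterable[Tuple[str, str]],
                  allowed: Iterable[IPNetwork]) -> int:
    """Number of requests the ACL would let through."""
    return sum(1 for _ip, decision in evaluate(requests, allowed) if decision == "ALLOW")


if __name__ == "__main__":
    print("allowlist = tunnel range  :", evaluate(SAMPLE_REQUESTS, [VPN_TUNNEL_RANGE]))
    print("allowlist = VPN egress IP :", evaluate(SAMPLE_REQUESTS, [VPN_EGRESS_IP]))
    for _c_ip, header in SAMPLE_REQUESTS:
        print("CloudFront-Viewer-Address", header, "->", viewer_ip(header))
```

With the tunnel range in the IP set, every request is blocked, which is exactly the symptom in the question; with the egress address in the set, only the full-tunnel client gets through. The practical caveat is that the VPN server's egress address must be static (or the IP set must be updated whenever it changes), and a split-tunnel client configuration defeats the rule entirely because web traffic then leaves via the client's ISP address.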
