Using OpenVPN to encrypt HTTP via Nginx proxy_pass

I have an Nginx server running on my local home network, and it doesn't have an SSL certificate I can use for HTTPS without buying another one. Since I don't use this server enough to warrant another certificate, I looked for a way around it.

So I looked into using OpenVPN to pass all the HTTP content through a tunnel to another server hosting Nginx (with HTTPS). On the backend (the HTTP server) is another Nginx server.

The process is fairly simple.

  1. First you need to install OpenVPN on both your server and the client and set it up. You can follow this handy guide by Justin Ellingwood at DigitalOcean: How To Set Up an OpenVPN Server on Ubuntu 16.04 (but skip the section "(Optional) Push DNS Changes to Redirect All Traffic Through the VPN"). Set up the OpenVPN server on the machine running the HTTP content and the client on the one you want to be the frontend (HTTPS), because you need a static OpenVPN IP; otherwise you'll be changing the configs every time the client reconnects and gets a new IP.
  2. On the HTTP server, set up a server block:

    server {
        listen          10.8.0.2:80 default_server;
        server_name     home.pyronexus.com;
    
        access_log      /shares/www/logs/home.access.log;
        error_log       /shares/www/logs/home.error.log;
    
        root            /shares/www/home;
        autoindex       on;
    }
  3. Now on the HTTPS server, create a server block and set up proxy_pass. It should be SSL-only. I personally use a location directive like the following (a shortened version of my Nginx config); /home/ is password protected:

    server {
        server_name pyronexus.com;
    
        listen 443 default ssl;
    
        ssl_certificate ssl/pyronexus.com.crt;
        ssl_certificate_key ssl/pyronexus.com.key;
    
        location /home/ {
            access_log /home/nginx/pyronexus.com/logs/home.access.log;
            error_log /home/nginx/pyronexus.com/logs/home.error.log;
            auth_basic "Password needed. No public access.";
            auth_basic_user_file auth/home;
            proxy_pass http://10.8.0.2/;
            proxy_redirect http://$host/ /home/;
            include proxy_params;
        }
    }
  4. Now, connect to the VPN and verify it is connected (the systemd unit is named after your client .conf file in /etc/openvpn, shown here as the placeholder `<client-config>`):

    systemctl status openvpn@<client-config>.service
  5. Finally, reload (or restart) the HTTP/HTTPS servers then visit your newly set up site to test it is working:

    systemctl reload nginx
  6. If everything is correct, you can now configure your firewall to deny connectivity to the Nginx server from outside IPs.
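
As an added check that is not part of the original post: a small Python linter that reads the two server blocks above and flags the mistakes the steps rely on avoiding, namely a backend `listen` that is not bound to the 10.8.0.x VPN address, a frontend listener without `ssl`, a proxied location with no `auth_basic`, and a `proxy_pass` upstream that is not on the VPN. The tokenizer is a simplification that handles flat blocks like these, and the sample configs are constructed from the post's own blocks (trimmed).

```python
import re
from urllib.parse import urlsplit

def directives(conf):
    """Yield (context, name, args); context = tuple of enclosing block headers such as ('server', 'location /home/')."""
    stack = []
    for head, stmt, _ in re.findall(r"([^;{}]+)\{|([^;{}]+);|(\})", re.sub(r"#.*", "", conf)):
        if head:                       # opening a block: 'server {', 'location /home/ {'
            stack.append(" ".join(head.split()))
        elif stmt:                     # a directive terminated by ';'
            parts = stmt.split()
            if parts:
                yield tuple(stack), parts[0], parts[1:]
        else:                          # closing '}'
            stack.pop()

def audit_backend(conf, vpn_prefix="10.8.0."):
    """Plaintext HTTP side: every listen must bind the VPN address, never a bare port."""
    findings = []
    for _ctx, name, args in directives(conf):
        if name == "listen":
            addr = args[0].rpartition(":")[0]  # '' for 'listen 80;', which binds every interface
            if not addr.startswith(vpn_prefix):
                findings.append(f"listen {args[0]} is reachable off the VPN; bind it to a {vpn_prefix}x address")
    return findings

def audit_frontend(conf, vpn_prefix="10.8.0."):
    """HTTPS side: SSL-only listeners, every proxied location behind auth_basic, upstream on the VPN."""
    seen = {}                          # context -> {directive: args}
    for ctx, name, args in directives(conf):
        seen.setdefault(ctx, {})[name] = args
    findings = []
    for ctx, d in seen.items():
        if "listen" in d and "ssl" not in d["listen"]:
            findings.append(f"listen {' '.join(d['listen'])} is not SSL-only")
        if "proxy_pass" in d:
            # auth_basic counts if set in the location or inherited from any enclosing block
            if not any("auth_basic" in seen.get(ctx[:i], {}) for i in range(len(ctx) + 1)):
                findings.append(f"{ctx[-1]} proxies without auth_basic")
            host = urlsplit(d["proxy_pass"][0]).hostname or ""
            if not host.startswith(vpn_prefix):
                findings.append(f"{ctx[-1]} proxies to {host!r}, which is not on the VPN")
    return findings

# Constructed samples: the post's two blocks (trimmed) and a careless variant of each.
BACKEND_OK = "server { listen 10.8.0.2:80 default_server; server_name home.pyronexus.com; root /shares/www/home; }"
BACKEND_EXPOSED = BACKEND_OK.replace("listen 10.8.0.2:80", "listen 80")
FRONTEND_OK = ("server { listen 443 default ssl; server_name pyronexus.com; location /home/ {\n"
               '  auth_basic "No public access."; auth_basic_user_file auth/home; proxy_pass http://10.8.0.2/; } }')
FRONTEND_OPEN = FRONTEND_OK.replace('auth_basic "No public access."; ', "")
```

Run `audit_backend` against the backend's config and `audit_frontend` against the frontend's; an empty list means both blocks have the properties the post depends on.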

Once you’ve verified it is all working, you can have the VPN client auto connect by entering:

    systemctl enable openvpn@<client-config>.service

Then create a file called auth.conf in /etc/openvpn containing your username on one line and the password on the next.

Finally, edit your OpenVPN client config and add:

    auth-user-pass auth.conf
    auth-nocache

You’re good to go!
