Geographic Restrictions
Control tunnel access based on client geographic location
Overview
Geographic Restriction policies allow you to control access based on the visitor's country. Essential for GDPR compliance, regional restrictions, and security requirements.
Key Features
- • Allow mode: only allow specified countries
- • Block mode: block specified countries
- • ISO 3166-1 alpha-2 country codes
- • Multiple countries per policy
Configuration Schema
| Field | Type | Description |
|---|---|---|
| mode | "allow" or "block" | "allow" = Whitelist mode: only allow requests from countries in the list "block" = Blacklist mode: block requests from countries in the list, allow all others |
| countries | Array of strings | List of ISO 3166-1 alpha-2 country codes (e.g., "US", "CA", "GB", "DE"). The system uses GeoIP2 database to determine the country of each request based on the client's IP address. |
How It Works
- • Allow mode: Only requests from countries in the list are allowed. All others are blocked.
- • Block mode: Requests from countries in the list are blocked. All others are allowed.
- • Country detection uses the GeoIP2 database (MaxMind GeoLite2) based on the client's IP address
- • Uses standard ISO 3166-1 alpha-2 country codes (2-letter codes like "US", "CA", "GB")
Configuration Examples
Example 1: GDPR Compliance (EU Only)
{
"name": "EU Countries Only",
"mode": "allow",
"countries": [
"AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE",
"FI", "FR", "DE", "GR", "HU", "IE", "IT", "LV",
"LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
"SI", "ES", "SE"
]
}Restrict access to EU member states for data protection compliance.
Example 2: US and Canada Only
{
"name": "North America",
"mode": "allow",
"countries": ["US", "CA"]
}Restrict to North American users.
Example 3: Block Sanctioned Countries
{
"name": "Compliance Block List",
"mode": "block",
"countries": ["KP", "IR", "SY", "CU"]
}Block access from countries under international sanctions.
Example 4: Block High-Risk Regions
{
"name": "Block Abuse Sources",
"mode": "block",
"countries": ["CN", "RU"]
}Block countries with high abuse/spam rates (if appropriate for your use case).
Example 5: Asia-Pacific Region
{
"name": "APAC Access",
"mode": "allow",
"countries": ["AU", "NZ", "JP", "KR", "SG", "HK", "TW"]
}Allow access from key Asia-Pacific markets.
Common Country Codes
Use ISO 3166-1 alpha-2 country codes (two-letter codes):
North America
- US - United States
- CA - Canada
- MX - Mexico
Europe
- GB - United Kingdom
- DE - Germany
- FR - France
- ES - Spain
- IT - Italy
Asia-Pacific
- JP - Japan
- CN - China
- IN - India
- AU - Australia
- SG - Singapore
💡 Full List
See the complete list at ISO 3166-1 alpha-2 codes
Common Use Cases
GDPR Compliance
Restrict data processing to EU/EEA countries for GDPR compliance.
Regional Beta Testing
Launch new features in specific markets before global rollout.
Licensing Restrictions
Comply with content licensing agreements for specific regions.
Fraud Prevention
Block countries with high fraud rates for payment processing.
Sanctions Compliance
Block access from countries under international sanctions.
How to Use
Step 1: Create Policy
Go to Dashboard → Security → Geographic Restrictions
- Click "Create Policy"
- Enter policy name and description
- Choose allow or block mode
- Select countries from dropdown
- Save the policy
Step 2: Apply to Tunnel
ngsrv http 3000 --policy ngsrv_geo_ABC123Step 3: Test with VPN
- Use a VPN to connect from different countries
- Verify access is granted/denied correctly
- Check Audit Logs for geo-blocked requests
Best Practices
✅ Use Allow Mode for Compliance
For regulatory compliance, use "allow" mode to explicitly whitelist approved countries.
✅ Test with VPN
Always test your geo restrictions using VPN services before going live.
⚠️ Consider API Partners
If you have API partners, ensure their server locations are whitelisted.
❌ Don't Block Your Own Team
Make sure your team's locations are allowed, or combine with IP whitelisting.