IP Security Policy

Control access to your tunnels based on IP addresses and CIDR ranges

Overview

IP Security policies allow you to whitelist or blacklist specific IP addresses and CIDR ranges. Perfect for restricting access to office networks, VPNs, or blocking known bad actors.

Key Features

  • Whitelist mode: only allow specified IPs
  • Blacklist mode: block specified IPs
  • Support for CIDR notation (e.g., 192.168.1.0/24)
  • Multiple IP ranges per policy

Configuration Schema

Create IP security policies in the Dashboard:

Field: mode
Type: "allow" or "block"
Description:
  • "allow" = Whitelist mode: only allow IPs in the rules list
  • "block" = Blacklist mode: block IPs in the rules list, allow all others

Field: rules
Type: Array of objects
Description: List of IP rules. Each rule has:
  • ip (required): IP address or CIDR range (e.g., "192.168.1.1" or "203.0.113.0/24")
  • description (optional): Human-readable description for this IP rule

How It Works

  • Allow mode: Only requests from IPs matching the rules are allowed. All others are blocked.
  • Block mode: Requests from IPs matching the rules are blocked. All others are allowed.
  • Supports both single IPs (e.g., "192.168.1.1") and CIDR ranges (e.g., "192.168.1.0/24")
  • Each rule can have an optional description to help identify what the IP is for
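The allow/block semantics above, written out as a small reference evaluator. This is an added example, not ngsrv's own code: it reads a policy document shaped like the Configuration Schema (mode plus a rules array of ip/description objects), matches a client address against single IPs and CIDR ranges with Python's standard ipaddress module, and also flags a rule such as 0.0.0.0/0 that would make an allow-mode policy pass everything. The two policy objects are constructed for the example using documentation address ranges; the client IP is assumed to be the true source address of the connection as the tunnel edge sees it.

```python
import ipaddress
import json

# Constructed policy in the shape of the Configuration Schema (example data,
# not an export from the Dashboard): allow mode with one CIDR and one single IP.
OFFICE_ALLOW_POLICY = json.loads("""
{
  "mode": "allow",
  "rules": [
    {"ip": "203.0.113.0/24", "description": "San Francisco office"},
    {"ip": "198.51.100.10",  "description": "VPN gateway"}
  ]
}
""")

# Constructed block-mode policy mirroring "Example 4: Block Known Bad Actors".
BAD_ACTOR_BLOCK_POLICY = {
    "mode": "block",
    "rules": [
        {"ip": "192.0.2.100", "description": "Known scraper"},
        {"ip": "203.0.113.0/28", "description": "Spam network range"},
    ],
}


def parse_rules(policy):
    """Validate the mode and turn every rule's ip into an ip_network.

    A bare address such as "198.51.100.10" becomes a /32 (or /128 for IPv6),
    so single IPs and CIDR ranges are matched by the same code path.
    """
    mode = policy.get("mode")
    if mode not in ("allow", "block"):
        raise ValueError(f"mode must be 'allow' or 'block', got {mode!r}")
    networks = []
    for rule in policy["rules"]:
        # strict=False tolerates host bits set in a CIDR, e.g. "192.168.1.1/24".
        networks.append(ipaddress.ip_network(rule["ip"], strict=False))
    return networks


def matches(client_ip, networks):
    """True if the client address falls inside any rule network."""
    addr = ipaddress.ip_address(client_ip)
    # ip_network.__contains__ already returns False when the IP versions differ.
    return any(addr in net for net in networks)


def is_allowed(policy, client_ip):
    """Apply the semantics from 'How It Works' and return True for a pass."""
    hit = matches(client_ip, parse_rules(policy))
    if policy["mode"] == "allow":
        return hit        # allow mode: only rule matches get through
    return not hit        # block mode: rule matches are rejected, all others pass


def lint_policy(policy):
    """Warn about rules that cover every address (the 0.0.0.0/0 footgun)."""
    warnings = []
    for net in parse_rules(policy):
        if net.prefixlen == 0:
            warnings.append(f"{net} matches every address; in allow mode it disables the policy")
    return warnings


if __name__ == "__main__":
    for ip in ("203.0.113.45", "198.51.100.10", "192.0.2.7"):
        status = "200" if is_allowed(OFFICE_ALLOW_POLICY, ip) else "403 Forbidden"
        print(f"office policy  {ip:<15} -> {status}")
    for ip in ("192.0.2.100", "203.0.113.15", "203.0.113.16"):
        status = "200" if is_allowed(BAD_ACTOR_BLOCK_POLICY, ip) else "403 Forbidden"
        print(f"block policy   {ip:<15} -> {status}")
    print(lint_policy({"mode": "allow", "rules": [{"ip": "0.0.0.0/0"}]}))
```

Note the boundary behaviour for the /28 in the block policy: 203.0.113.15 is the last address inside 203.0.113.0/28 and is blocked, while 203.0.113.16 is outside it and passes. Checking exactly those edge addresses is the quickest way to confirm a CIDR rule covers what you intended before saving the policy.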

Configuration Examples

Example 1: Office Network Whitelist

Mode: allow
Rules:
  • IP: 203.0.113.0/24 (Office network)

Only employees on the office network can access the tunnel. All other IPs are blocked.

Example 2: Multiple Locations

Mode: allow
Rules:
  • IP: 203.0.113.0/24, Description: "San Francisco office"
  • IP: 198.51.100.0/24, Description: "New York office"
  • IP: 192.0.2.0/24, Description: "London office"

Allow access from multiple office locations worldwide. Each location has a descriptive label.

Example 3: VPN + Home IP Whitelist

Mode: allow
Rules:
  • IP: 198.51.100.10, Description: "VPN gateway"
  • IP: 203.0.113.45, Description: "Alice's home IP"
  • IP: 192.0.2.88, Description: "Bob's home IP"

Combine VPN and individual home IPs for remote team access. Each team member's IP is labeled for easy identification.

Example 4: Block Known Bad Actors

Mode: block
Rules:
  • IP: 192.0.2.100, Description: "Known scraper"
  • IP: 203.0.113.0/28, Description: "Spam network range"

Block specific IPs or ranges that are causing issues. All other IPs are allowed through.

Example 5: Cloud Provider IPs

Mode: allow
Rules:
  • IP: 54.240.0.0/12, Description: "AWS EC2 range"
  • IP: 52.95.0.0/16, Description: "AWS CodeBuild range"

Allow access from CI/CD runners in AWS. Only requests from these IP ranges will be allowed.

CIDR Notation Guide

CIDR (Classless Inter-Domain Routing) notation lets you specify IP ranges efficiently:

Notation          IP Range                          # of IPs
192.168.1.0/32    Single IP (192.168.1.0)           1
192.168.1.0/24    192.168.1.0 - 192.168.1.255       256
192.168.0.0/16    192.168.0.0 - 192.168.255.255     65,536
10.0.0.0/8        10.0.0.0 - 10.255.255.255         16,777,216

💡 Pro Tip

Use CIDR calculators to convert IP ranges to CIDR notation.
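A CIDR calculator in a few lines, added here as an example and not part of the ngsrv documentation or tooling: it reproduces the table above (first/last address and address count for a block) and, for the tip just given, converts an arbitrary inclusive IP range into the minimal set of CIDR blocks using Python's standard ipaddress module. The sample ranges are constructed from documentation address space.

```python
import ipaddress


def cidr_size(cidr):
    """Number of addresses a block covers (the '# of IPs' column in the guide)."""
    return ipaddress.ip_network(cidr, strict=False).num_addresses


def cidr_bounds(cidr):
    """First and last address of a block, as dotted strings."""
    net = ipaddress.ip_network(cidr, strict=False)
    return str(net[0]), str(net[-1])


def range_to_cidrs(first, last):
    """Convert an inclusive range first..last into the fewest CIDR blocks.

    A range that does not line up with a power-of-two boundary needs several
    blocks; each one is a separate rule in an IP security policy.
    """
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)
    )
    return [str(n) for n in nets]


if __name__ == "__main__":
    for cidr in ("192.168.1.0/32", "192.168.1.0/24", "192.168.0.0/16", "10.0.0.0/8"):
        lo, hi = cidr_bounds(cidr)
        print(f"{cidr:<16} {lo} - {hi:<16} {cidr_size(cidr):,}")
    # Constructed example: an office range handed over as "203.0.113.10 to .20".
    print(range_to_cidrs("203.0.113.10", "203.0.113.20"))
```

The second print shows why a calculator matters: 203.0.113.10 through 203.0.113.20 is eleven addresses but needs four rules (/31, /30, /30, /32), whereas a range that starts on a block boundary, such as 192.168.1.0 through 192.168.1.255, collapses to the single /24 from the table.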

Common Use Cases

Corporate Network Access

Restrict tunnel access to employees on company networks or VPN.

Partner API Access

Whitelist specific partner IP addresses for API integration testing.

CI/CD Pipeline Access

Allow only your CI/CD runner IPs to access preview deployments.

Block Bad Actors

Blacklist IPs that are scraping, spamming, or attacking your tunnel.

Compliance Requirements

Meet security requirements by restricting access to approved IP ranges.

How to Use

Step 1: Create Policy

Go to Dashboard → Security → IP Security

  • Click "Create Policy"
  • Enter policy name and description
  • Choose whitelist or blacklist mode
  • Add IP addresses or CIDR ranges
  • Save the policy (you'll get a policy ID)

Step 2: Apply to Tunnel

ngsrv http 3000 --policy ngsrv_ips_ABC123

Step 3: Test Access

  • Try accessing from an allowed IP (should work)
  • Try from a blocked IP (should see 403 Forbidden)
  • Check Audit Logs for blocked requests

Best Practices

✅ Use CIDR When Possible

Instead of listing individual IPs, use CIDR ranges for networks.

✅ Descriptive Names

Name policies clearly: "SF Office Network", "VPN Gateway", etc.

⚠️ Dynamic IPs

Home IPs may change. Consider using a VPN with a static IP instead.

❌ Don't Whitelist 0.0.0.0/0

This allows all IPs and defeats the purpose of the policy.