How to protect a tunnel with an IP allowlist
IP allowlists are the fastest way to shrink your attack surface. Only traffic from known networks reaches your local server.
Free plan: 1 IP policy (up to 5 CIDR rules). Pro: 10 policies, 50 rules each.
Step 1 — Create the policy
- Open Dashboard → Security → IP Security.
- Choose Allow mode (whitelist) or Block mode (blacklist).
- Add CIDRs, e.g.
203.0.113.10/32for a single IP or10.0.0.0/8for a VPN range. - Save and copy the policy ID (
ngsrv_ips_…).
Step 2 — Attach to a tunnel
ngsrv http 3000 --policy ngsrv_ips_office
Or in ngsrv.yml:
port: 3000
subdomain: admin
security_policies:
- ngsrv_ips_office
When to use allow vs block
| Mode | Use when |
|---|---|
| Allow | Small known audience (office, VPN, one client static IP) |
| Block | Public tunnel but you want to drop known bad ranges |
Common mistakes
- Forgetting your home IP changes — use a
/32and update the policy when your ISP rotates. - Whitelisting only IPv4 while testers hit you over IPv6 — add both if needed.
More: IP Security docs · Security overview