Goal: Use AWS WAF to filter out traffic that hits CloudFront so that only users connected to the OpenVPN network can access the web application.
OpenVPN assigns any connected user to an IP in the network range of 172.xx.yyy.z/a.
I therefore whitelisted this range via a WAF rule in a Web ACL, and blacklisted any other IPs.
However, I cannot access the site.
Looking through CloudWatch, it becomes clear that this is because the VPN assigned IP is not actually being used to hit the web application. It is a modified IP that is very similar to the Public IP of my device.
As far as I can see, there is no way for me to determine a range for these 'custom' IPs. Given this, how do I ensure only VPN-connected users can access the site?
Have I missed something important?
The end solution was to make sure all traffic was forced through OpenVPN.
This would mean anyone connecting to the VPN would have the public IP that was assigned to the VPN server.
Hence, this IP was the only one allowed to access the site via the WAF.
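The following Python is an added example, not code from the question or the answer. It models the Web ACL both ways the thread describes it: first with the OpenVPN tunnel range allow-listed (the question's setup, where the WAF log shows each device's own public IP and everything is blocked), then with only the VPN server's public egress address allow-listed (the answer's fix). The addresses, the `172.16.0.0/12` stand-in for the redacted `172.xx.yyy.z/a` range, and the log records are all constructed for the example; the IP set document follows the field names of `aws wafv2 create-ip-set`.

```python
import ipaddress
import json

# Constructed placeholders (not values from the thread): the OpenVPN server's
# public egress address and a stand-in for the redacted 172.xx.yyy.z/a tunnel range.
VPN_EGRESS_IP = "203.0.113.10"
VPN_TUNNEL_RANGE = "172.16.0.0/12"

# Address space that is never a packet source at CloudFront (RFC 1918).
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed WAF log records in the shape of the httpRequest.clientIp field that
# AWS WAF logging emits. Documentation-range addresses stand in for real clients.
SAMPLE_LOGS = [
    {"httpRequest": {"clientIp": "198.51.100.23", "uri": "/"}},       # split tunnel: the laptop's own public IP
    {"httpRequest": {"clientIp": "198.51.100.77", "uri": "/login"}},  # another split-tunnel user
    {"httpRequest": {"clientIp": VPN_EGRESS_IP, "uri": "/"}},         # full tunnel: VPN server egress address
    {"httpRequest": {"clientIp": "192.0.2.5", "uri": "/admin"}},      # not on the VPN at all
]


def unreachable_allow_entries(allowed_cidrs):
    """Return allow-list entries that can never match at CloudFront.

    CloudFront only sees the public source address of the packet that reached
    it, so an RFC 1918 range (such as the tunnel range OpenVPN hands out) in an
    ALLOW rule is dead configuration: the rule never fires and every request
    falls through to the default action.
    """
    return [c for c in allowed_cidrs
            if any(ipaddress.ip_network(c, strict=False).overlaps(p) for p in RFC1918)]


def evaluate(client_ip, allowed_cidrs):
    """Mimic the Web ACL: one ALLOW rule over an IP set, default action BLOCK."""
    ip = ipaddress.ip_address(client_ip)
    for cidr in allowed_cidrs:
        if ip in ipaddress.ip_network(cidr, strict=False):
            return "ALLOW"
    return "BLOCK"


def audit(records, allowed_cidrs):
    """Run each log record through the mimicked ACL; returns {clientIp: action}."""
    return {r["httpRequest"]["clientIp"]: evaluate(r["httpRequest"]["clientIp"], allowed_cidrs)
            for r in records}


def ip_set_document(name, allowed_cidrs):
    """Input body for `aws wafv2 create-ip-set` (CLOUDFRONT scope); the Web ACL's
    ALLOW rule references the ARN this call returns."""
    return {
        "Name": name,
        "Scope": "CLOUDFRONT",
        "IPAddressVersion": "IPV4",
        "Addresses": list(allowed_cidrs),
    }


if __name__ == "__main__":
    # The original attempt: allow-list the tunnel range. Every record is blocked.
    print("dead entries:", unreachable_allow_entries([VPN_TUNNEL_RANGE]))
    print(audit(SAMPLE_LOGS, [VPN_TUNNEL_RANGE]))
    # The fix from the answer: allow only the VPN server's egress address.
    fixed = [f"{VPN_EGRESS_IP}/32"]
    print("dead entries:", unreachable_allow_entries(fixed))
    print(audit(SAMPLE_LOGS, fixed))
    print(json.dumps(ip_set_document("vpn-egress", fixed)))
```

The `unreachable_allow_entries` check is the one worth keeping: it catches the mistake in the question before deploying, because a private tunnel range can never be the source address CloudFront sees. Two operational notes on the fix: on the OpenVPN side, the server pushes `redirect-gateway def1` to clients to force all traffic through the tunnel, and the `/32` in the IP set must be the server's stable public address (an Elastic IP, or the allow list breaks the next time the address changes). `create-ip-set` with `CLOUDFRONT` scope has to be issued against `us-east-1`.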