NGINX block country yet still allow local 10.x.x.x to access [duckdns, letsencrypt]

the country blocking is working, but it’s also locking me out of my local 10.x.x.0/24 subnet. i added the geo/monkey and if/monkey lines but it’s still not working.

any ideas?

here is my sites-enabled/default

map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;

geoip_country /usr/share/GeoIP/GeoIP.dat;
map $geoip_country_code $allowed_country {
    default no;
    US yes;

geo $remote_addr $monkey {
    default         no;
    10.x.x.0/24      yes;       yes;

server {

    listen 80;
    listen [::]:80 ipv6only=on;
    return 301 https://$server_name$request_uri;

server {
    listen [::]:443 default_server ipv6only=off;
    add_header Strict-Transport-Security "max-age=31536000; includeSubdomains";
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_session_cache shared:SSL:10m;

    ssl_certificate /etc/letsencrypt/live/; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/; # managed by Certbot

    proxy_buffering off;

    if ($monkey = yes) {
            set $allowed_country yes;

    if ($scheme = http) {
            return 301 https://$server_name$request_uri;

    if ($allowed_country = no) {
            return 444;

    location / {
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_redirect http:// https://;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;