VPN + iptables. How do I drop traffic from specific IP outside VPN

  • So I’m running NGINX and a VPN server on my cloud VPS.
  • VPN server IP on the VPN is 10.19.49.1.
  • Nginx redirects certain subdomain traffic to my VPN clients.
  • One of the VPN clients is running HA.
  • Client IP on the VPN is 10.19.49.2.
  • On the HA instance, how do I block incoming traffic originating from a specific public IP? My VPN client receives all traffic from the VPN server and thus will only “see” my VPN server IP.

What’s happening currently is that on the VPN client running HA I added an iptables rule to the INPUT chain (default filter table) to drop IP 1.2.3.4.

iptables -A INPUT -s 1.2.3.4 -j DROP

However, I also added logging to the INPUT chain, and on every incoming packet the SRC was my VPN server 10.19.49.1, which is correct, but the “originating” IP was 1.2.3.4, which accessed my subdomain, went to my VPS, and was reverse proxied to my VPN client via my VPN server. All correct, but as the SRC on my VPN client’s incoming packets is always 10.19.49.1, traffic from 1.2.3.4 is not getting dropped.

This will be easy for a networking guru, but I am at the extent of my knowledge now and stuck.
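Added example, not from the thread: the HA client only ever sees SRC=10.19.49.1 because nginx on the VPS opens a new TCP connection towards the client, so the public source address is only visible on the VPS and the drop has to live there. The script assumes the VPS public interface is eth0 and uses the post’s placeholder 1.2.3.4; it prints the commands by default and only applies them when APPLY=1.

```shell
#!/bin/sh
# Added example (not the poster's code). Assumptions: VPS public interface is
# eth0, nginx serves the proxied subdomain, blocked address is 1.2.3.4 (placeholder).
# Dropping 10.19.49.1 on the HA client instead would cut off ALL proxied traffic,
# since every proxied connection carries the VPN server's address as SRC.

# Accept only a dotted-quad IPv4 address, so a typo never becomes a rule.
valid_ipv4() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the iptables command for the VPS: -I puts the rule at the top of INPUT,
# ahead of any ACCEPT for ports 80/443, and -i limits it to the public interface.
vps_drop_rule() {
    valid_ipv4 "$1" || return 1
    printf 'iptables -I INPUT -i %s -s %s -j DROP\n' "${2:-eth0}" "$1"
}

# Print an nginx 'deny' for the same address, for blocking one proxied
# subdomain (inside its server/location block) rather than the whole VPS.
nginx_deny_directive() {
    valid_ipv4 "$1" || return 1
    printf 'deny %s;\n' "$1"
}

# Apply the firewall rule only when explicitly asked (needs root and iptables);
# otherwise show what would run.
apply_vps_drop() {
    cmd=$(vps_drop_rule "$1" "$2") || return 1
    if [ "${APPLY:-0}" = "1" ]; then
        sh -c "$cmd" && iptables -L INPUT -v -n --line-numbers | head -n 5
    else
        printf 'dry run (run on the VPS, not on the HA client): %s\n' "$cmd"
        printf 'nginx alternative for one subdomain: %s\n' "$(nginx_deny_directive "$1")"
    fi
}

apply_vps_drop 1.2.3.4 eth0
```

After applying, the HA client’s INPUT log should simply stop showing connections for that source, since nginx never proxies them.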

I think it would be better to post this on a networking forum as this is not an issue related to Home Assistant.