You want a server block in nginx like this:
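    server {
        server_name <your fqdn>;
        root /usr/share/nginx/html;
        # allow certbot: no allow/deny here, so this path stays
        # reachable from outside the VPN
        location /.well-known {
            # directory listing; not required for the challenge itself
            autoindex on;
            root /opt/www-pub/;
        }
        # everything else: VPN clients only
        # (rules are checked in order, first match wins)
        location / {
            allow <vpn IP>/24;
            deny all;
            ...
        }
    }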
Make sure /etc/hosts has a block like:
    <vpn IP> <your fqdn>
Make sure /etc/openvpn/server/server.conf has a block like:
    push "redirect-gateway def1"
And disable IPv6 in the same file by commenting out the server-ipv6 line:
    # server-ipv6 ...
Note that you may need to flush DNS.
With this setup, you can have a certbot/SSL-protected "private" site that is only accessible to clients of your OpenVPN VPN.
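One way to check that the allow/deny rules above behave as intended is to scan the nginx access log for content served to clients outside the VPN subnet. This is an added example, not part of the original note; the 10.8.0.0/24 subnet, the "combined" log format and the sample lines are assumptions.

```python
import ipaddress
import re

# Assumption: the page leaves <vpn IP>/24 as a placeholder; 10.8.0.0/24 is made up.
VPN_NET = ipaddress.ip_network("10.8.0.0/24")
OPEN_PREFIX = "/.well-known"  # prefix location the config leaves open for certbot

# Assumption: nginx's default "combined" access log format.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+)[^"]*" (\d{3}) ')

# Constructed sample lines, not real traffic.
SAMPLE = [
    '10.8.0.6 - - [01/Jan/2024:10:00:00 +0000] "GET / HTTP/1.1" 200 612 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:00:01 +0000] "GET /admin HTTP/1.1" 403 153 "-" "-"',
    '198.51.100.20 - - [01/Jan/2024:10:00:02 +0000] '
    '"GET /.well-known/acme-challenge/tok HTTP/1.1" 200 87 "-" "-"',
    '203.0.113.9 - - [01/Jan/2024:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 612 "-" "-"',
    '2001:db8::5 - - [01/Jan/2024:10:00:04 +0000] "GET / HTTP/1.1" 200 612 "-" "-"',
    '10.8.1.7 - - [01/Jan/2024:10:00:05 +0000] "GET / HTTP/1.1" 304 0 "-" "-"',
]


def audit(lines):
    """Return (client, path, status) for content served outside the VPN subnet."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed request line, nothing to attribute
        client, path, status = m.group(1), m.group(2), int(m.group(3))
        if path.startswith(OPEN_PREFIX):
            continue  # public on purpose (nginx prefix match)
        try:
            addr = ipaddress.ip_address(client)
        except ValueError:
            continue  # not an IP, e.g. a unix socket peer
        served = 200 <= status < 300 or status == 304
        # An IPv6 address is never "in" an IPv4 network, so it counts as outside.
        if served and addr not in VPN_NET:
            findings.append((client, path, status))
    return findings


if __name__ == "__main__":
    for client, path, status in audit(SAMPLE):
        print(f"served outside VPN: {client} {path} -> {status}")
```

Any finding means a request bypassed the `location /` restriction, for example through another server block or a different listener.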