NC via VPN. Need help with .conf files

Hello. Please help with apache2 and nextcloud configuration files for isolated work in vpn. I set it up and connect via VPN without any problems, but I can also easily log in without it. I want to hide a virtual network from the global network.


  1. VPS:
  • Debian 11
  • OpenVPN server
  • Apache2 proxy
  1. Rpi4B:
  • Debian 12
  • OpenVPN client
  • apache2
  • NC 28.0.3

The domain is registered, SSL certificates are configured. Everything works great. But how can you restrict NC access to VPN clients only? Also keep access to it over the local network.
I think also my configs are too simple. Tell me where I can find a solution or maybe you can help right here. Thank you.

Configs from apache, which is located on the vps:

<VirtualHost *:80>
        ServerName "my.sub.domain"
        RewriteEngine On
        RewriteCond %{HTTPS} off
        RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
<VirtualHost *:443>
        SSLEngine On
        RequestHeader set X-Forwarded-Proto "https"
        SSLCertificateFile /etc/letsencrypt/live/my.domain/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/my.domain/privkey.pem

        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"

        ServerName "my.sub.domain"
        ProxyPreserveHost On
        ProxyPass  /
        ProxyPassReverse /

NC config.php on Rpi4B:

$CONFIG = array (
  'instanceid' => '**********',
  'passwordsalt' => '************************',
  'secret' => '*****************************************',
  'trusted_domains' =>
  array (
          0 => '',
          1 => 'my.sub.domain',
  'datadirectory' => '/srv/nextcloud-data',
  'dbtype' => 'mysql',
  'version' => '',
  'overwrite.cli.url' => '',
  'overwriteprotocol' => 'https',
  'dbname' => '*******',
  'dbhost' => '*******',
  'dbport' => '',
  'dbtableprefix' => 'oc_',
  'mysql.utf8mb4' => true,
  'dbuser' => '**********',
  'dbpassword' => '***********',
  'installed' => true,

# ip of Pi4B in local network.

You will need this, if you want to keep a way to access from outside.

From a VPN client, you should be able to open a connection via the VPN address: (perhaps add the VPN-address to the trusted domains as well).

shoud be '', only.

What might be a bit more tricky, if you want to use a hostname all the time and not an ip address. You would need an official ip address to update the certificate, and then have local DNS resolvers that give you the correct local ip.