Mautic Behind VPN - email links, sms links, tracking - how does it work

We have a client that is running their instance of Mautic behind a VPN.

The issue is that all links generated from emails, text messages, unsubscribe links are being generated with the local IP which is obviously not accessible from outside.

Any suggestions on how to overcome this ?

Hi @mikew,

Can you explain a bit more what you mean by “Mautic behind a VPN”?
Clearly, Mautic itself will have to be accessible from the outside, or else there is no chance for it to ever work.
Or maybe you mean load balancer?


Hey @ekke

So this is the issue I have. Client mautic is only accessible once connected to a VPN. So for example I can access their mautic only once I have connected through their VPN. Example I go to http://10.102.455.32 and if I am not connected I do not get there obviously. However when I connect to their VPN I am able to access it.

So my initial thought was for serving email images we could use Amazon S3 Bucket, which there is a native Mautic plugin and this works, however when an email is generated the link obviously needs to contain the mautic base url (in this case

I was thinking of using joey’s plugin for multi domain but am not sure this would work either.

So my thought is like you say "clearly mautic itself will have to be accessible from the outside.

Security question here: is it possible to lock it down behind a VPN and for somehow to tell Mautic to generate different tracking links ?

Hmm, so you want Mautic to
(a) send outbound messages → feasable from a VPN’d sytem
(b) serve anything (trackable links, local or remote assets, …) → impossible if no access from outside

somehow to tell Mautic to generate different tracking links ?

The tracking can only be done by Mautic, the tracking link has to be the Mautic system!
Even if you had the same functionality somewhere on the outside, e.g. a lean & secure & performant redirector on the outside, that one would still need a lot of data (tokens, …) from Mautic, and would also need ways to feed it back into Mautic. Not realistic, imho… sorry :wink:

Maybe you could proxy certain URL patterns to the secure system? (i.e. have a proxy on the outside which has well-filtered VPN access on the backend and thus could talk to your Mautic)

Hey @ekke

Those were my thoughts as well. Thanks for the feedback. I am going to get the client to move it outside the VPN.


Personally, I don’t use VPN. I trust the proxy server more. In other words, the user is identified using an IP address while surfing the network. Sanctions may be imposed on IP, an example of such restrictions may be blocking access to a certain resource. If the user uses a proxy, then all information is received not directly by the network, but through a proxy server. That is, the network identifies the user not by his real IP, but by the proxy address. Personally, I use indian proxies. This is a great solution for everyone!