Making a website only accessible through a VPN

I just want to throw in that if you use WireGuard or something else in a basic form, there is no way you can prevent somebody from sharing his client info, including his private key (essentially the password), and having others access the service without you knowing.

I second that option. If I read your question correctly everyone needing to access the application will be in the same network, right?

Then just use the VM to VPN into your home network using WireGuard - that way you don’t need VPN apps on all your client devices, and then configure the VM’s firewall to only allow connections to nginx on the WireGuard interface.

WireGuard is super easy to use, but I’m not sure how like the opening of the ports needed would go. I also recommend the Wireguard-UI Docker container as it was much easier for me to set up.

Ok. Then what you can do is run a VPN server on the same machine and clients need to connect to the server before they can access your application. WireGuard is pretty straightforward.

I think I didn’t explain it well…

The users are all remote (different places, not the same network). The VM is in AWS. I want the VPN to act like an extension of the network the VM is on. It would be as if the VM is on the end users’ local network.

Sorry if I didn’t make sense initially.

Well then you could use either WireGuard or ZeroTier. Both fit the use case, matter of personal preference.
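
The firewall step suggested in the thread (only allow connections to nginx on the WireGuard interface), written out as an added example that is not part of any post above. It assumes nftables on the VM, a WireGuard interface named `wg0` listening on UDP 51820, nginx on TCP 80/443 and SSH on 22; `render_ruleset`, `is_port` and the table name `vpn_only_web` are hypothetical names.

```shell
#!/bin/sh
# Added example: print an nftables ruleset that lets nginx be reached only
# through the WireGuard interface. wg0, 51820 and the table name are assumptions.

# is_port N: succeed only for an integer in 1..65535.
is_port() {
    case "$1" in
        ''|*[!0-9]*|??????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# render_ruleset WG_IF WG_UDP_PORT "WEB_PORTS" [SSH_PORT]
render_ruleset() {
    wg_if=$1 wg_port=$2 web_ports=$3 ssh_port=${4:-22}
    # The values are pasted into the ruleset, so refuse anything unexpected.
    case "$wg_if" in
        ''|*[!A-Za-z0-9_-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    is_port "$wg_port" || { echo "bad WireGuard port" >&2; return 1; }
    is_port "$ssh_port" || { echo "bad SSH port" >&2; return 1; }
    members=
    for p in $web_ports; do
        is_port "$p" || { echo "bad web port: $p" >&2; return 1; }
        members="${members:+$members, }$p"
    done
    [ -n "$members" ] || { echo "no web ports given" >&2; return 1; }
    cat <<EOF
table inet vpn_only_web {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iifname "lo" accept
        meta l4proto { icmp, ipv6-icmp } accept
        udp dport $wg_port accept comment "WireGuard tunnel, open to the internet"
        tcp dport $ssh_port accept comment "admin SSH"
        iifname "$wg_if" tcp dport { $members } accept comment "nginx, VPN peers only"
    }
}
EOF
}

# Print the ruleset for the assumed values; review it before loading it.
render_ruleset wg0 51820 "80 443"
```

To load it, pipe the output into `nft -f -` as root. With the VM in AWS, the security group then needs inbound rules only for the WireGuard UDP port and SSH, not for 80 or 443, because web traffic arrives inside the tunnel.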