Add OpenVPN and cloudflared setup documentation and configs

Co-Authored-By: Oz <oz-agent@warp.dev>
2026-04-15 02:28:47 +05:30
commit c37af441a9
7 changed files with 346 additions and 0 deletions
--- a/docs/operations.md
+++ b/docs/operations.md
@ -0,0 +1,102 @@
+# Operations Runbook: OpenVPN + Cloudflare Tunnel
+
+## Architecture
+- OpenVPN server listens locally on TCP `1194`
+- Cloudflare Tunnel ingress routes `vpn.bhatfamily.in` to `tcp://localhost:1194`
+- Clients connect through local `cloudflared access tcp` forwarding, then OpenVPN to localhost
+
+## Service and Config Locations
+- OpenVPN service: `openvpn-server@server`
+- OpenVPN config: `/etc/openvpn/server/server.conf`
+- PKI root: `/etc/openvpn/easy-rsa`
+- Server cert/key files: `/etc/openvpn/server/`
+- Cloudflared service: `cloudflared`
+- Cloudflared config: `/etc/cloudflared/config.yml`
+- Tunnel credentials: `/etc/cloudflared/6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.json`
+- Tunnel ID: `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0`
+
+## OpenVPN Server Baseline
+Expected key settings in `/etc/openvpn/server/server.conf`:
+- `port 1194`
+- `proto tcp-server`
+- `dev tun`
+- `server 10.8.0.0 255.255.255.0`
+- `push "redirect-gateway def1 bypass-dhcp"`
+- `push "dhcp-option DNS 1.1.1.1"`
+- `push "dhcp-option DNS 1.0.0.1"`
+- `tls-crypt /etc/openvpn/server/tls-crypt.key`
+- `dh none`
+- `ecdh-curve prime256v1`
+- `data-ciphers AES-256-GCM:AES-128-GCM`
+- `auth SHA256`
+
+## Cloudflared Ingress Baseline
+Expected entries in `/etc/cloudflared/config.yml`:
+- `vpn.bhatfamily.in -> tcp://localhost:1194`
+- Existing routes:
+  - `web.bhatfamily.in -> http://localhost:8080`
+  - `ecom.bhatfamily.in -> http://localhost:8081`
+  - `ssh.bhatfamily.in -> ssh://localhost:22`
+
+## Firewall / Routing (UFW)
+Expected system settings for VPN egress:
+- `/etc/default/ufw`
+  - `DEFAULT_FORWARD_POLICY="ACCEPT"`
+- `/etc/ufw/sysctl.conf`
+  - `net/ipv4/ip_forward=1`
+- `/etc/ufw/before.rules`
+  - `-A POSTROUTING -s 10.8.0.0/24 -o wlp2s0 -j MASQUERADE`
+
+## Client Artifacts
+- Generated profile: `/home/rbhat/rbhat-client-cloudflared.ovpn`
+- Generated cert/key source:
+  - `/etc/openvpn/easy-rsa/pki/issued/rbhat-client.crt`
+  - `/etc/openvpn/easy-rsa/pki/private/rbhat-client.key`
+
+## Service Operations
+Start/enable services:
+```bash
+sudo systemctl enable --now openvpn-server@server
+sudo systemctl enable --now cloudflared
+```
+
+Stop/start OpenVPN only:
+```bash
+sudo systemctl stop openvpn-server@server
+sudo systemctl start openvpn-server@server
+```
+
+Status checks:
+```bash
+systemctl is-enabled openvpn-server@server cloudflared
+systemctl is-active openvpn-server@server cloudflared
+sudo systemctl --no-pager status openvpn-server@server --lines=30
+sudo systemctl --no-pager status cloudflared --lines=30
+```
+
+## Verification
+Listener checks:
+```bash
+ss -tulpen | grep -E ':1194\b|:21194\b'
+```
+
+DNS checks:
+```bash
+dig +short vpn.bhatfamily.in CNAME
+dig +short vpn.bhatfamily.in
+```
+
+OpenVPN server logs:
+```bash
+sudo journalctl --no-pager -u openvpn-server@server -n 120
+```
+
+Cloudflared logs:
+```bash
+sudo journalctl --no-pager -u cloudflared -n 120
+```
+
+## Troubleshooting Notes
+- `cloudflared access tcp --url localhost:1194` may fail with `address already in use` if local OpenVPN server is already bound to `1194` on that machine.
+- Use another local forwarder port (e.g. `21194`) and set OpenVPN client `remote 127.0.0.1 21194`.
+- `vpn.bhatfamily.in:21194` is not meant to be publicly reachable; it is client-local forwarding endpoint semantics.