diff --git a/README.md b/README.md index 9221c16..d4b6dd4 100644 --- a/README.md +++ b/README.md @@ -8,6 +8,13 @@ This repository documents the VPN setup hosted on this machine. - Client access using `cloudflared access tcp` + OpenVPN ## Quick client connect +0. Ensure `vpn.bhatfamily.in` is routed to this tunnel: + ```bash + cloudflared tunnel route dns --overwrite-dns 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0 vpn.bhatfamily.in + dig +short vpn.bhatfamily.in CNAME + ``` + Expected CNAME target: + - `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com.` 1. Ensure `cloudflared` and `openvpn` are installed on the client machine. 2. Use the provided client profile (`rbhat-client-cloudflared.ovpn`). 3. Update the profile remote to local forwarder: @@ -26,6 +33,7 @@ This repository documents the VPN setup hosted on this machine. ## Important - `21194` is a **local client-side** port, not a public internet port on `vpn.bhatfamily.in`. - If `cloudflared access tcp` fails with `address already in use`, choose another free local port and match it in the `.ovpn` `remote` line. +- If `dig +short vpn.bhatfamily.in CNAME` does not return `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com.`, rerun the DNS route command above. ## Full operational runbook See `docs/operations.md` for: diff --git a/configs/cloudflared/config.yml b/configs/cloudflared/config.yml index f41d5b9..d10f0cd 100644 --- a/configs/cloudflared/config.yml +++ b/configs/cloudflared/config.yml @@ -9,6 +9,6 @@ ingress: - hostname: ssh.bhatfamily.in service: ssh://localhost:22 - hostname: vpn.bhatfamily.in - service: tcp://localhost:1194 + service: tcp://127.0.0.1:1194 - service: http_status:404 diff --git a/docs/operations.md b/docs/operations.md index 48ca15e..13f54e3 100644 --- a/docs/operations.md +++ b/docs/operations.md 
@@ -2,7 +2,7 @@ ## Architecture - OpenVPN server listens locally on TCP `1194` -- Cloudflare Tunnel ingress routes `vpn.bhatfamily.in` to `tcp://localhost:1194` +- Cloudflare Tunnel ingress routes `vpn.bhatfamily.in` to `tcp://127.0.0.1:1194` - Clients connect through local `cloudflared access tcp` forwarding, then OpenVPN to localhost ## Service and Config Locations @@ -32,12 +32,22 @@ Expected key settings in `/etc/openvpn/server/server.conf`: ## Cloudflared Ingress Baseline Expected entries in `/etc/cloudflared/config.yml`: -- `vpn.bhatfamily.in -> tcp://localhost:1194` +- `vpn.bhatfamily.in -> tcp://127.0.0.1:1194` - Existing routes: - `web.bhatfamily.in -> http://localhost:8080` - `ecom.bhatfamily.in -> http://localhost:8081` - `ssh.bhatfamily.in -> ssh://localhost:22` +## DNS Route Baseline +Expected DNS route for this tunnel: +- `vpn.bhatfamily.in CNAME 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com` + +Repair/verify commands: +```bash +cloudflared tunnel route dns --overwrite-dns 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0 vpn.bhatfamily.in +dig +short vpn.bhatfamily.in CNAME +``` + ## Firewall / Routing (UFW) Expected system settings for VPN egress: - `/etc/default/ufw` @@ -100,3 +110,4 @@ sudo journalctl --no-pager -u cloudflared -n 120 - `cloudflared access tcp --url localhost:1194` may fail with `address already in use` if local OpenVPN server is already bound to `1194` on that machine. - Use another local forwarder port (e.g. `21194`) and set OpenVPN client `remote 127.0.0.1 21194`. - `vpn.bhatfamily.in:21194` is not meant to be publicly reachable; it is client-local forwarding endpoint semantics. +- If DNS resolves to `bhatfamily.in` (or any non-`cfargotunnel.com` CNAME), Cloudflare will not route traffic to this tunnel; repair the DNS route with `cloudflared tunnel route dns`.
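Review bot: step `0.` in the README quick-connect hunk (`@@ -8,6 +8,13 @@`) tells every client user to run `cloudflared tunnel route dns --overwrite-dns ... vpn.bhatfamily.in`, but that is a tunnel-administration command that needs the account's origin certificate from `cloudflared tunnel login` and, with `--overwrite-dns`, replaces whatever record currently exists for the name; a user who only has the `.ovpn` profile cannot run it and should not be told to. Suggest keeping only the `dig +short vpn.bhatfamily.in CNAME` check in the client steps and moving the route command to `docs/operations.md` (the same patch adds a DNS Route Baseline section there), with the client step ending "if the CNAME does not match, contact the tunnel operator". Numbering the new item `0.` in front of the existing `1.` to `3.` also reads oddly; a "Before you start" line would be cleaner.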
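Review bot: the new "Important" bullet (`@@ -26,6 +33,7 @@`) treats an empty or non-matching `dig +short vpn.bhatfamily.in CNAME` answer as proof that the route is broken, but the record `cloudflared tunnel route dns` creates is proxied through Cloudflare, and public resolvers answer for proxied names with Cloudflare edge addresses rather than the CNAME target, so this check can come back empty while the tunnel works; a reader following the bullet would then rerun `--overwrite-dns` for nothing. Suggest verifying the record in the Cloudflare DNS dashboard or API instead, or at least qualifying the bullet: "if clients cannot connect and the CNAME is missing, ask the operator to check the DNS route".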
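Review bot: the `configs/cloudflared/config.yml` hunk changes only the `vpn.bhatfamily.in` origin from `tcp://localhost:1194` to `tcp://127.0.0.1:1194` while the neighbouring `ssh://localhost:22` (and, per the operations doc, `http://localhost:8080` and `8081`) keep `localhost`, and nothing in the diff says why. If the reason is that `localhost` may resolve to `::1` while OpenVPN is bound on IPv4 only, say so in a YAML comment above the entry and apply the same rule to the other origins; an unexplained one-off invites the next editor to "tidy" it back.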
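Review bot: in the Architecture hunk of `docs/operations.md` (`@@ -2,7 +2,7 @@`) the ingress bullet now reads `tcp://127.0.0.1:1194`, but the unchanged bullet right after it still says clients connect "then OpenVPN to localhost", while the troubleshooting section uses `remote 127.0.0.1 21194`; use `127.0.0.1` in that bullet as well so the document is consistent about the address the client profile targets.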
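Review bot: in the new "DNS Route Baseline" section (`@@ -32,12 +32,22 @@`) the block labelled "Repair/verify commands" runs the destructive `--overwrite-dns` command first and the `dig` check second, so an operator who pastes the block verifies nothing before overwriting. Swap the order, or split it into a "Verify" block and a "Repair" block, and note that the repair requires the origin certificate on the machine. The tunnel UUID `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0` is now hard-coded in five places across the README and this doc, and the expected CNAME here lacks the trailing dot the README's copy has; one canonical line (or a remark that `dig` prints the trailing dot) keeps them from drifting apart.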
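Review bot: the new troubleshooting bullet (`@@ -100,3 +110,4 @@`) says "If DNS resolves to `bhatfamily.in`", which is not something a resolver returns; a name resolves to an address or a CNAME target, so this presumably means "if the CNAME points at the zone apex or any other non-`cfargotunnel.com` target". Reword it that way and point at the exact command in the DNS Route Baseline section, since the bare `cloudflared tunnel route dns` quoted here fails when a record already exists unless `--overwrite-dns` is given.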