Update Cloudflared configuration and documentation
Co-Authored-By: Oz <oz-agent@warp.dev>
This commit is contained in:
Raghav
@ -8,6 +8,13 @@ This repository documents the VPN setup hosted on this machine.
|
|||||||
- Client access using `cloudflared access tcp` + OpenVPN
|
- Client access using `cloudflared access tcp` + OpenVPN
|
||||||
|
|
||||||
## Quick client connect
|
## Quick client connect
|
||||||
|
0. Ensure `vpn.bhatfamily.in` is routed to this tunnel:
|
||||||
|
```bash
|
||||||
|
cloudflared tunnel route dns --overwrite-dns 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0 vpn.bhatfamily.in
|
||||||
|
dig +short vpn.bhatfamily.in CNAME
|
||||||
|
```
|
||||||
|
Expected CNAME target:
|
||||||
|
- `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com.`
|
||||||
1. Ensure `cloudflared` and `openvpn` are installed on the client machine.
|
1. Ensure `cloudflared` and `openvpn` are installed on the client machine.
|
||||||
2. Use the provided client profile (`rbhat-client-cloudflared.ovpn`).
|
2. Use the provided client profile (`rbhat-client-cloudflared.ovpn`).
|
||||||
3. Update the profile remote to local forwarder:
|
3. Update the profile remote to local forwarder:
|
||||||
@ -26,6 +33,7 @@ This repository documents the VPN setup hosted on this machine.
|
|||||||
## Important
|
## Important
|
||||||
- `21194` is a **local client-side** port, not a public internet port on `vpn.bhatfamily.in`.
|
- `21194` is a **local client-side** port, not a public internet port on `vpn.bhatfamily.in`.
|
||||||
- If `cloudflared access tcp` fails with `address already in use`, choose another free local port and match it in the `.ovpn` `remote` line.
|
- If `cloudflared access tcp` fails with `address already in use`, choose another free local port and match it in the `.ovpn` `remote` line.
|
||||||
|
- If `dig +short vpn.bhatfamily.in CNAME` does not return `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com.`, rerun the DNS route command above.
|
||||||
|
|
||||||
## Full operational runbook
|
## Full operational runbook
|
||||||
See `docs/operations.md` for:
|
See `docs/operations.md` for:
|
||||||
|
|||||||
@ -9,6 +9,6 @@ ingress:
|
|||||||
- hostname: ssh.bhatfamily.in
|
- hostname: ssh.bhatfamily.in
|
||||||
service: ssh://localhost:22
|
service: ssh://localhost:22
|
||||||
- hostname: vpn.bhatfamily.in
|
- hostname: vpn.bhatfamily.in
|
||||||
service: tcp://localhost:1194
|
service: tcp://127.0.0.1:1194
|
||||||
- service: http_status:404
|
- service: http_status:404
|
||||||
|
|
||||||
|
|||||||
@ -2,7 +2,7 @@
|
|||||||
|
|
||||||
## Architecture
|
## Architecture
|
||||||
- OpenVPN server listens locally on TCP `1194`
|
- OpenVPN server listens locally on TCP `1194`
|
||||||
- Cloudflare Tunnel ingress routes `vpn.bhatfamily.in` to `tcp://localhost:1194`
|
- Cloudflare Tunnel ingress routes `vpn.bhatfamily.in` to `tcp://127.0.0.1:1194`
|
||||||
- Clients connect through local `cloudflared access tcp` forwarding, then OpenVPN to localhost
|
- Clients connect through local `cloudflared access tcp` forwarding, then OpenVPN to localhost
|
||||||
|
|
||||||
## Service and Config Locations
|
## Service and Config Locations
|
||||||
@ -32,12 +32,22 @@ Expected key settings in `/etc/openvpn/server/server.conf`:
|
|||||||
|
|
||||||
## Cloudflared Ingress Baseline
|
## Cloudflared Ingress Baseline
|
||||||
Expected entries in `/etc/cloudflared/config.yml`:
|
Expected entries in `/etc/cloudflared/config.yml`:
|
||||||
- `vpn.bhatfamily.in -> tcp://localhost:1194`
|
- `vpn.bhatfamily.in -> tcp://127.0.0.1:1194`
|
||||||
- Existing routes:
|
- Existing routes:
|
||||||
- `web.bhatfamily.in -> http://localhost:8080`
|
- `web.bhatfamily.in -> http://localhost:8080`
|
||||||
- `ecom.bhatfamily.in -> http://localhost:8081`
|
- `ecom.bhatfamily.in -> http://localhost:8081`
|
||||||
- `ssh.bhatfamily.in -> ssh://localhost:22`
|
- `ssh.bhatfamily.in -> ssh://localhost:22`
|
||||||
|
|
||||||
|
## DNS Route Baseline
|
||||||
|
Expected DNS route for this tunnel:
|
||||||
|
- `vpn.bhatfamily.in CNAME 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com`
|
||||||
|
|
||||||
|
Repair/verify commands:
|
||||||
|
```bash
|
||||||
|
cloudflared tunnel route dns --overwrite-dns 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0 vpn.bhatfamily.in
|
||||||
|
dig +short vpn.bhatfamily.in CNAME
|
||||||
|
```
|
||||||
|
|
||||||
## Firewall / Routing (UFW)
|
## Firewall / Routing (UFW)
|
||||||
Expected system settings for VPN egress:
|
Expected system settings for VPN egress:
|
||||||
- `/etc/default/ufw`
|
- `/etc/default/ufw`
|
||||||
@ -100,3 +110,4 @@ sudo journalctl --no-pager -u cloudflared -n 120
|
|||||||
- `cloudflared access tcp --url localhost:1194` may fail with `address already in use` if local OpenVPN server is already bound to `1194` on that machine.
|
- `cloudflared access tcp --url localhost:1194` may fail with `address already in use` if local OpenVPN server is already bound to `1194` on that machine.
|
||||||
- Use another local forwarder port (e.g. `21194`) and set OpenVPN client `remote 127.0.0.1 21194`.
|
- Use another local forwarder port (e.g. `21194`) and set OpenVPN client `remote 127.0.0.1 21194`.
|
||||||
- `vpn.bhatfamily.in:21194` is not meant to be publicly reachable; it is client-local forwarding endpoint semantics.
|
- `vpn.bhatfamily.in:21194` is not meant to be publicly reachable; it is client-local forwarding endpoint semantics.
|
||||||
|
- If DNS resolves to `bhatfamily.in` (or any non-`cfargotunnel.com` CNAME), Cloudflare will not route traffic to this tunnel; repair the DNS route with `cloudflared tunnel route dns`.
|
||||||
|
|||||||
Reference in New Issue
Block a user