# Operations Runbook: OpenVPN + Cloudflare Tunnel

## Architecture

- OpenVPN server listens locally on TCP `1194`; it is never exposed directly to the internet
- Cloudflare Tunnel ingress routes `vpn.bhatfamily.in` to `tcp://localhost:1194`
- Clients run a local `cloudflared access tcp` forwarder for `vpn.bhatfamily.in`, then point OpenVPN at that loopback port
- The tunnel forwards TCP only, which is why the server runs `proto tcp-server` rather than UDP
- Every connection that reaches `1194` through the tunnel still has to pass OpenVPN's `tls-crypt` and client-certificate checks; if no Cloudflare Access policy is attached to the hostname, those checks are the only gate, so the tls-crypt key and client keys must stay private

## Service and Config Locations

- OpenVPN service: `openvpn-server@server`
- OpenVPN config: `/etc/openvpn/server/server.conf`
- PKI root: `/etc/openvpn/easy-rsa`
- Server cert/key files: `/etc/openvpn/server/`
- Cloudflared service: `cloudflared`
- Cloudflared config: `/etc/cloudflared/config.yml`
- Tunnel credentials: `/etc/cloudflared/6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.json` (holds the tunnel secret; keep it root-owned, mode `0600`)
- Tunnel ID: `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0`

## OpenVPN Server Baseline

Expected key settings in `/etc/openvpn/server/server.conf`:

- `port 1194`
- `proto tcp-server` (client profiles use `proto tcp-client`, or `proto tcp`)
- `dev tun`
- `server 10.8.0.0 255.255.255.0`
- `push "redirect-gateway def1 bypass-dhcp"`
- `push "dhcp-option DNS 1.1.1.1"`
- `push "dhcp-option DNS 1.0.0.1"`
- `tls-crypt /etc/openvpn/server/tls-crypt.key`
- `dh none` (ECDH only; no DH parameter file is used)
- `ecdh-curve prime256v1`
- `data-ciphers AES-256-GCM:AES-128-GCM`
- `auth SHA256`

Any drift from this list (a CBC cipher added to `data-ciphers`, `tls-crypt` replaced by `tls-auth` or removed, `dh` pointing at a file) is a regression; compare the live file against the list before and after every change.

## Cloudflared Ingress Baseline

Expected entries in `/etc/cloudflared/config.yml`:

- `vpn.bhatfamily.in -> tcp://localhost:1194`
- Existing routes:
  - `web.bhatfamily.in -> http://localhost:8080`
  - `ecom.bhatfamily.in -> http://localhost:8081`
  - `ssh.bhatfamily.in -> ssh://localhost:22`
- The ingress list must end with a catch-all rule (`service: http_status:404`); `cloudflared` refuses to start without one
- Check the file with `cloudflared tunnel ingress validate`, and confirm which rule a hostname hits with `cloudflared tunnel ingress rule https://vpn.bhatfamily.in`

## Firewall / Routing (UFW)

Expected system settings for VPN egress:

- `/etc/default/ufw`
  - `DEFAULT_FORWARD_POLICY="ACCEPT"`
- `/etc/ufw/sysctl.conf`
  - `net/ipv4/ip_forward=1`
- `/etc/ufw/before.rules`
  - `-A POSTROUTING -s 10.8.0.0/24 -o wlp2s0 -j MASQUERADE`
  - This rule belongs in a `*nat` block (`*nat`, `:POSTROUTING ACCEPT [0:0]`, the rule, `COMMIT`) placed above the existing `*filter` section; `wlp2s0` must be the real egress interface (`ip route get 1.1.1.1` shows it)
- Apply changes with `sudo ufw reload`

## Client Artifacts

- Generated profile: `/home/rbhat/rbhat-client-cloudflared.ovpn`
- Generated cert/key source:
  - `/etc/openvpn/easy-rsa/pki/issued/rbhat-client.crt`
  - `/etc/openvpn/easy-rsa/pki/private/rbhat-client.key`
- The profile carries the client's private key and the tls-crypt key; treat it as a secret (mode `600`, never shared between devices) and issue a separate client cert per device so one can be revoked without touching the others

## Service Operations

Start/enable services:

```bash
sudo systemctl enable \
  --now openvpn-server@server
sudo systemctl enable --now cloudflared
```

Stop/start OpenVPN only:

```bash
sudo systemctl stop openvpn-server@server
sudo systemctl start openvpn-server@server
```

Status checks:

```bash
systemctl is-enabled openvpn-server@server cloudflared
systemctl is-active openvpn-server@server cloudflared
sudo systemctl --no-pager status openvpn-server@server --lines=30
sudo systemctl --no-pager status cloudflared --lines=30
```

## Verification

Listener checks (`1194` is the server; `21194` only shows up on a machine that is also running the client-side forwarder):

```bash
ss -tulpen | grep -E ':1194\b|:21194\b'
```

DNS checks (the `A` answer should be Cloudflare edge addresses; if the server's own public IP ever appears, the record is unproxied and the tunnel is being bypassed):

```bash
dig +short vpn.bhatfamily.in CNAME
dig +short vpn.bhatfamily.in
```

OpenVPN server logs:

```bash
sudo journalctl --no-pager -u openvpn-server@server -n 120
```

Cloudflared logs:

```bash
sudo journalctl --no-pager -u cloudflared -n 120
```

## Troubleshooting Notes

- `cloudflared access tcp --hostname vpn.bhatfamily.in --url localhost:1194` fails with `address already in use` on any host where OpenVPN (or anything else) already owns `1194`, in particular on the server itself.
- Use another local forwarder port (e.g. `21194`): run `cloudflared access tcp --hostname vpn.bhatfamily.in --url localhost:21194` and set `remote 127.0.0.1 21194` in the OpenVPN client profile.
- `21194` exists only on the client's loopback; `vpn.bhatfamily.in:21194` is not, and must not be made, a public endpoint. Public traffic only ever reaches Cloudflare on `443`; port `1194` is reachable solely through the tunnel.
- Because the profile's `remote` is loopback, OpenVPN cannot add its usual bypass route for the real peer when `redirect-gateway def1` is pushed. After connecting, confirm on the client (`ip route`, plus the `cloudflared` output) that the forwarder's own session to the Cloudflare edge is not being routed into the VPN, otherwise the tunnel transport loops through the tunnel it carries.
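The ingress baseline above, written out in the form `cloudflared` actually reads. This is an added illustration, not a copy of the deployed `/etc/cloudflared/config.yml`; the `tunnel` and `credentials-file` values are the ones listed under Service and Config Locations, and the closing `http_status:404` rule is the mandatory catch-all.

```yaml
# /etc/cloudflared/config.yml (illustrative; validate with
# `cloudflared tunnel ingress validate` before restarting the service)
tunnel: 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0
credentials-file: /etc/cloudflared/6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.json

ingress:
  # Raw TCP to the OpenVPN listener; clients reach it via `cloudflared access tcp`
  - hostname: vpn.bhatfamily.in
    service: tcp://localhost:1194
  - hostname: web.bhatfamily.in
    service: http://localhost:8080
  - hostname: ecom.bhatfamily.in
    service: http://localhost:8081
  - hostname: ssh.bhatfamily.in
    service: ssh://localhost:22
  # Must be last: anything not matched above gets a 404 instead of an origin
  - service: http_status:404
```

Rules are evaluated top to bottom, so a new hostname added below the catch-all would never be reached; `cloudflared tunnel ingress rule https://vpn.bhatfamily.in` prints the rule a given URL resolves to.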
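A baseline audit for the OpenVPN Server Baseline and Firewall / Routing sections above, as an added example that is not part of the original runbook. It checks that every expected `server.conf` directive is present as a whole line (so `dh dh.pem` does not pass for `dh none`), that forwarding is enabled in the UFW files, and that the MASQUERADE rule sits inside the `*nat` block of `before.rules` rather than somewhere it has no effect. Default paths are the runbook's; the sample files written by `write_sample_baseline` are constructed here for trying the audit without touching `/etc`.

```sh
#!/bin/sh
# Added example, not part of the original runbook: audit server.conf and the
# UFW forwarding/NAT files against the baselines listed in the runbook.
# Paths default to the runbook's locations; pass other paths to check copies.

# Every directive the OpenVPN baseline requires, matched as a whole line after
# comments and surrounding whitespace are stripped, so "dh none" does not
# accept "dh dh.pem" and the data-ciphers list cannot quietly grow a CBC cipher.
OPENVPN_REQUIRED='port 1194
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
tls-crypt /etc/openvpn/server/tls-crypt.key
dh none
ecdh-curve prime256v1
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256'

# Print the effective directives of an OpenVPN config: comments and blank
# lines removed, leading/trailing whitespace trimmed.
effective_directives() {
    sed -e 's/[[:space:]]*[#;].*$//' -e 's/^[[:space:]]*//' \
        -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Return the number of required directives missing from CONF (0 = compliant),
# naming each missing one on stdout.
audit_openvpn_conf() {
    conf="${1:-/etc/openvpn/server/server.conf}"
    missing=0
    while IFS= read -r directive; do
        if ! effective_directives "$conf" | grep -qxF -- "$directive"; then
            printf 'openvpn: missing "%s" in %s\n' "$directive" "$conf"
            missing=$((missing + 1))
        fi
    done <<EOF
$OPENVPN_REQUIRED
EOF
    return "$missing"
}

# Return 0 when forwarding is enabled and the VPN subnet is NATed out of IFACE
# from inside the *nat table of before.rules. A MASQUERADE line that lands
# under *filter (or after the *nat COMMIT) belongs to the wrong table.
audit_ufw() {
    default_ufw="${1:-/etc/default/ufw}"
    sysctl_conf="${2:-/etc/ufw/sysctl.conf}"
    before_rules="${3:-/etc/ufw/before.rules}"
    iface="${4:-wlp2s0}"
    rc=0
    grep -qx 'DEFAULT_FORWARD_POLICY="ACCEPT"' "$default_ufw" \
        || { printf 'ufw: DEFAULT_FORWARD_POLICY is not ACCEPT in %s\n' "$default_ufw"; rc=1; }
    grep -qx 'net/ipv4/ip_forward=1' "$sysctl_conf" \
        || { printf 'ufw: net/ipv4/ip_forward=1 not set in %s\n' "$sysctl_conf"; rc=1; }
    # awk tracks which table (*nat, *filter, ...) each line belongs to; the
    # rule only counts if it appears before the COMMIT that closes *nat.
    awk -v rule="-A POSTROUTING -s 10.8.0.0/24 -o $iface -j MASQUERADE" '
        /^\*/     { table = $0 }
        /^COMMIT/ { table = "" }
        $0 == rule && table == "*nat" { found = 1 }
        END       { exit found ? 0 : 1 }' "$before_rules" \
        || { printf 'ufw: MASQUERADE for 10.8.0.0/24 via %s missing from *nat block of %s\n' "$iface" "$before_rules"; rc=1; }
    return "$rc"
}

# Write constructed sample files that match the baseline into DIR, so the
# audit can be exercised without reading /etc.
write_sample_baseline() {
    dir="$1"
    { echo '# server.conf sample (constructed)'; printf '%s\n' "$OPENVPN_REQUIRED"; } > "$dir/server.conf"
    echo 'DEFAULT_FORWARD_POLICY="ACCEPT"' > "$dir/ufw"
    echo 'net/ipv4/ip_forward=1' > "$dir/sysctl.conf"
    cat > "$dir/before.rules" <<'EOF'
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 10.8.0.0/24 -o wlp2s0 -j MASQUERADE
COMMIT
*filter
:ufw-before-input - [0:0]
COMMIT
EOF
}

# Run against the live system with: sh audit.sh --live
if [ "${1:-}" = "--live" ]; then
    audit_openvpn_conf && audit_ufw && echo 'baseline: OK'
fi
```

Run it as root on the server before and after any config change; a non-zero exit plus the printed lines tells you exactly which baseline item drifted. The whole-line match is deliberate: a looser `grep dh` would accept a DH parameter file, and a looser `grep data-ciphers` would accept a list that re-enabled a weaker cipher.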
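The client-side procedure described under Architecture and Troubleshooting Notes (local `cloudflared access tcp` forwarder, then OpenVPN against loopback), as an added example wrapper that is not part of the original runbook. It reads the forwarder port from the profile's `remote` line, refuses profiles whose `remote` is not loopback (which would bypass the tunnel) or which lack `tls-crypt`, starts the forwarder, waits for it to bind, runs OpenVPN, and kills the forwarder on exit. The default hostname and profile path are the runbook's; the `remote-cert-tls server` warning is a recommendation of this example, not a runbook requirement, and the sample profile is constructed with placeholder key material.

```sh
#!/bin/sh
# Added example, not part of the original runbook: client-side connect wrapper
# for OpenVPN over a local cloudflared TCP forwarder.

# Print host and port of the first "remote" directive (port defaults to 1194,
# OpenVPN's own default when the directive omits it).
profile_remote() {
    awk '$1 == "remote" { print $2, ($3 == "" ? 1194 : $3); exit }' "$1"
}

# Sanity-check a profile before using it. Returns 0 if it points at the local
# forwarder over TCP and carries a tls-crypt key; prints each problem found.
check_profile() {
    profile="$1"
    rc=0
    set -- $(profile_remote "$profile")
    case "$1" in
        127.0.0.1|localhost) ;;
        *) echo "profile: remote '$1' is not loopback; it would bypass the tunnel"; rc=1 ;;
    esac
    grep -Eq '^proto[[:space:]]+tcp(-client)?[[:space:]]*$' "$profile" \
        || { echo "profile: proto must be tcp or tcp-client (the tunnel forwards TCP only)"; rc=1; }
    grep -Eq '^(<tls-crypt>|tls-crypt[[:space:]])' "$profile" \
        || { echo "profile: no tls-crypt key; unauthenticated packets would reach the TLS layer"; rc=1; }
    # Recommended by this example (not listed in the runbook): require the
    # server certificate to carry the server role, so a leaked client cert
    # cannot be used to impersonate the server.
    grep -q '^remote-cert-tls server' "$profile" \
        || echo "profile: warning, remote-cert-tls server not set"
    return "$rc"
}

# Start the forwarder, wait until it listens, then run OpenVPN in the foreground.
connect_vpn() {
    profile="${1:-$HOME/rbhat-client-cloudflared.ovpn}"
    hostname="${2:-vpn.bhatfamily.in}"
    check_profile "$profile" || return 1
    set -- $(profile_remote "$profile")
    port="$2"
    cloudflared access tcp --hostname "$hostname" --url "127.0.0.1:$port" &
    fwd=$!
    trap 'kill "$fwd" 2>/dev/null' EXIT INT TERM
    # Wait for cloudflared to bind the loopback port before OpenVPN tries it.
    # "address already in use" from cloudflared here means something (e.g. a
    # local OpenVPN server on 1194) already owns the port, as the runbook notes.
    i=0
    until ss -ltn | grep -q "127.0.0.1:$port "; do
        i=$((i + 1))
        [ "$i" -lt 10 ] || { echo "forwarder did not come up on $port"; return 1; }
        sleep 1
    done
    sudo openvpn --config "$profile"
}

# Constructed sample profile for exercising check_profile (key is a placeholder).
write_sample_profile() {
    cat > "$1" <<'EOF'
client
dev tun
proto tcp-client
remote 127.0.0.1 21194
remote-cert-tls server
auth SHA256
data-ciphers AES-256-GCM:AES-128-GCM
<tls-crypt>
-----BEGIN OpenVPN Static key V1-----
(placeholder)
-----END OpenVPN Static key V1-----
</tls-crypt>
EOF
}

# Usage: sh connect.sh [profile.ovpn] [hostname]
if [ $# -gt 0 ]; then
    connect_vpn "$@"
fi
```

The loopback check is the important one: a profile edited to point `remote` at `vpn.bhatfamily.in 1194` directly would attempt a plain TCP connection to the Cloudflare edge, which does not carry OpenVPN, and would fail in a way that looks like a server outage.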