# OpenVPN via Cloudflare Tunnel (`vpn.bhatfamily.in`)

This repository documents the VPN setup hosted on this machine.

## What this provides

- OpenVPN server on this host
- Cloudflare Tunnel exposure via `vpn.bhatfamily.in`
- Client access using `cloudflared access tcp` + OpenVPN

## Quick client connect

0. Ensure `vpn.bhatfamily.in` is routed to this tunnel:

   ```bash
   cloudflared tunnel route dns --overwrite-dns 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0 vpn.bhatfamily.in
   dig +short vpn.bhatfamily.in CNAME
   ```

   Expected CNAME target:
   - `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com.`

1. Ensure `cloudflared` and `openvpn` are installed on the client machine.
2. Use the provided client profile (`rbhat-client-cloudflared.ovpn`).
3. Update the profile remote to local forwarder:
   - `remote 127.0.0.1 21194`
4. Start local forwarder:

   ```bash
   cloudflared access tcp --hostname vpn.bhatfamily.in --url localhost:21194
   ```

5. In another terminal, start OpenVPN:

   ```bash
   sudo openvpn --config rbhat-client-cloudflared.ovpn
   ```

6. Confirm success via:
   - `Initialization Sequence Completed`

## Important

- `21194` is a **local client-side** port, not a public internet port on `vpn.bhatfamily.in`.
- If `cloudflared access tcp` fails with `address already in use`, choose another free local port and match it in the `.ovpn` `remote` line.
- If `dig +short vpn.bhatfamily.in CNAME` does not return `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com.`, rerun the DNS route command above.

## Full operational runbook

See `docs/operations.md` for:

- Service configuration details
- Firewall/NAT settings
- File paths and artifacts
- Verification and troubleshooting commands
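
## Example: client preflight check

The failure modes listed under "Important" can be checked before starting the forwarder in step 4. The script below is an added example, not part of this repository's tooling; the function names and the script name `preflight.sh` are hypothetical, and it assumes `dig`, `ss`, `awk` and `tr` are available on the client.

```bash
#!/usr/bin/env bash
# Added example: preflight checks to run before step 4 of the README.
# Hostname and tunnel target are the README's values; function names are hypothetical.
# Usage: bash preflight.sh rbhat-client-cloudflared.ovpn [local-port]
VPN_HOST="vpn.bhatfamily.in"
EXPECTED_CNAME="6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.cfargotunnel.com."

# cname_ok <dig answer>: succeed only if the answer is exactly the tunnel target.
cname_ok() { [ "$1" = "$EXPECTED_CNAME" ]; }

# profile_remote_ok <profile.ovpn> <port>: succeed only if the profile has at
# least one active `remote` line and every one points at the loopback
# forwarder on <port>. Commented-out lines are ignored, CRLF is tolerated.
profile_remote_ok() {
  local profile="$1" port="$2" seen=0 kw host rport _rest
  while read -r kw host rport _rest; do
    [ "$kw" = "remote" ] || continue
    seen=1
    case "$host" in 127.0.0.1|localhost) ;; *) return 1 ;; esac
    [ "$rport" = "$port" ] || return 1
  done <<EOF
$(tr -d '\r' < "$profile")
EOF
  [ "$seen" -eq 1 ]
}

# port_listening <port>: reads `ss -ltn` output on stdin and succeeds if a
# listener already holds <port> (the "address already in use" case).
port_listening() {
  awk -v p="$1" '{ n = split($4, a, ":"); if (a[n] == p) found = 1 }
                 END { exit !found }'
}

preflight() {
  local profile="$1" port="${2:-21194}" rc=0
  cname_ok "$(dig +short "$VPN_HOST" CNAME)" \
    || { echo "FAIL: CNAME for $VPN_HOST is not $EXPECTED_CNAME" >&2; rc=1; }
  profile_remote_ok "$profile" "$port" \
    || { echo "FAIL: $profile must use 'remote 127.0.0.1 $port'" >&2; rc=1; }
  if ss -ltn | port_listening "$port"; then
    echo "FAIL: local port $port is already in use; pick another" >&2; rc=1
  fi
  return "$rc"
}

# Run the checks only when a profile path is given on the command line.
[ "$#" -eq 0 ] || preflight "$@"
```
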