vpn-cloudflared-repo/docs/operations.md
2026-04-15 02:28:47 +05:30

Operations Runbook: OpenVPN + Cloudflare Tunnel

Architecture

  • OpenVPN server listens locally on TCP 1194
  • Cloudflare Tunnel ingress routes vpn.bhatfamily.in to tcp://localhost:1194
  • Clients run a local cloudflared access tcp forwarder on their own machine and point the OpenVPN client at the forwarder's localhost port

Service and Config Locations

  • OpenVPN service: openvpn-server@server
  • OpenVPN config: /etc/openvpn/server/server.conf
  • PKI root: /etc/openvpn/easy-rsa
  • Server cert/key files: /etc/openvpn/server/
  • Cloudflared service: cloudflared
  • Cloudflared config: /etc/cloudflared/config.yml
  • Tunnel credentials: /etc/cloudflared/6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.json
  • Tunnel ID: 6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0

OpenVPN Server Baseline

Expected key settings in /etc/openvpn/server/server.conf:

  • port 1194
  • proto tcp-server
  • dev tun
  • server 10.8.0.0 255.255.255.0
  • push "redirect-gateway def1 bypass-dhcp"
  • push "dhcp-option DNS 1.1.1.1"
  • push "dhcp-option DNS 1.0.0.1"
  • tls-crypt /etc/openvpn/server/tls-crypt.key
  • dh none
  • ecdh-curve prime256v1
  • data-ciphers AES-256-GCM:AES-128-GCM
  • auth SHA256
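As an added check that is not part of the runbook, the following POSIX shell function reads a server.conf and reports which of the baseline directives listed above are absent. The function name, and the assumption that comments start with # or ; and that whitespace runs may be collapsed before matching, are mine.

```shell
#!/bin/sh
# Added example, not part of the runbook: compare a server.conf against the
# baseline directives listed above. Comment lines and extra whitespace in the
# config are ignored; every baseline directive must appear as an exact line.

# Baseline directives, one per line, copied from the list above.
OPENVPN_BASELINE='port 1194
proto tcp-server
dev tun
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
tls-crypt /etc/openvpn/server/tls-crypt.key
dh none
ecdh-curve prime256v1
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256'

# check_openvpn_baseline CONF_FILE
# Prints "MISSING: <directive>" for each baseline directive not found.
# Returns 0 when all are present, 1 when any is missing, 2 if unreadable.
check_openvpn_baseline() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    # Drop comments (assumed to start with # or ;) and blank lines, and
    # collapse whitespace runs so "port   1194" still matches "port 1194".
    normalized=$(sed -e 's/[#;].*$//' -e 's/[[:space:]]\{1,\}/ /g' \
                     -e 's/^ //' -e 's/ $//' "$conf" | grep -v '^$' || true)
    missing=$(printf '%s\n' "$OPENVPN_BASELINE" | while IFS= read -r want; do
        printf '%s\n' "$normalized" | grep -Fxq -- "$want" || printf '%s\n' "$want"
    done)
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing" | sed 's/^/MISSING: /'
        return 1
    fi
    echo "baseline OK: $conf"
}

# Usage against the live server config:
# check_openvpn_baseline /etc/openvpn/server/server.conf
```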

Cloudflared Ingress Baseline

Expected entries in /etc/cloudflared/config.yml:

  • vpn.bhatfamily.in -> tcp://localhost:1194
  • Existing routes:
    • web.bhatfamily.in -> http://localhost:8080
    • ecom.bhatfamily.in -> http://localhost:8081
    • ssh.bhatfamily.in -> ssh://localhost:22

Firewall / Routing (UFW)

Expected system settings for VPN egress:

  • /etc/default/ufw
    • DEFAULT_FORWARD_POLICY="ACCEPT"
  • /etc/ufw/sysctl.conf
    • net/ipv4/ip_forward=1
  • /etc/ufw/before.rules
    • -A POSTROUTING -s 10.8.0.0/24 -o wlp2s0 -j MASQUERADE

Client Artifacts

  • Generated profile: /home/rbhat/rbhat-client-cloudflared.ovpn
  • Generated cert/key source:
    • /etc/openvpn/easy-rsa/pki/issued/rbhat-client.crt
    • /etc/openvpn/easy-rsa/pki/private/rbhat-client.key

Service Operations

Start/enable services:

sudo systemctl enable --now openvpn-server@server
sudo systemctl enable --now cloudflared

Stop/start OpenVPN only:

sudo systemctl stop openvpn-server@server
sudo systemctl start openvpn-server@server

Status checks:

systemctl is-enabled openvpn-server@server cloudflared
systemctl is-active openvpn-server@server cloudflared
sudo systemctl --no-pager status openvpn-server@server --lines=30
sudo systemctl --no-pager status cloudflared --lines=30

Verification

Listener checks:

ss -tulpen | grep -E ':1194\b|:21194\b'

DNS checks:

dig +short vpn.bhatfamily.in CNAME
dig +short vpn.bhatfamily.in

OpenVPN server logs:

sudo journalctl --no-pager -u openvpn-server@server -n 120

Cloudflared logs:

sudo journalctl --no-pager -u cloudflared -n 120

Troubleshooting Notes

  • cloudflared access tcp --url localhost:1194 may fail with "address already in use" when it is run on a machine where the local OpenVPN server is already bound to port 1194.
  • In that case, use another local forwarder port (e.g. --url localhost:21194) and set the OpenVPN client's remote to 127.0.0.1 21194.
  • Port 21194 on vpn.bhatfamily.in is not meant to be publicly reachable; it exists only as the forwarder's listening port on the client machine.