git/vpn-cloudflared-repo
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c37af441a9d57e6692b442109b922fb051994f1c
vpn-cloudflared-repo/docs/operations.md
Raghav c37af441a9 Add OpenVPN and cloudflared setup documentation and configs 
Co-Authored-By: Oz <oz-agent@warp.dev>
2026-04-15 02:28:47 +05:30

103 lines
3.1 KiB
Markdown
Raw Blame History

# Operations Runbook: OpenVPN + Cloudflare Tunnel
## Architecture
- OpenVPN server listens locally on TCP `1194`
- Cloudflare Tunnel ingress routes `vpn.bhatfamily.in` to `tcp://localhost:1194`
- Clients connect through local `cloudflared access tcp` forwarding, then OpenVPN to localhost
## Service and Config Locations
- OpenVPN service: `openvpn-server@server`
- OpenVPN config: `/etc/openvpn/server/server.conf`
- PKI root: `/etc/openvpn/easy-rsa`
- Server cert/key files: `/etc/openvpn/server/`
- Cloudflared service: `cloudflared`
- Cloudflared config: `/etc/cloudflared/config.yml`
- Tunnel credentials: `/etc/cloudflared/6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0.json`
- Tunnel ID: `6a2e99c2-ce2c-49a9-a3f2-8bf1ad3073b0`
## OpenVPN Server Baseline
Expected key settings in `/etc/openvpn/server/server.conf`:
- `port 1194`
- `proto tcp-server`
- `dev tun`
- `server 10.8.0.0 255.255.255.0`
- `push "redirect-gateway def1 bypass-dhcp"`
- `push "dhcp-option DNS 1.1.1.1"`
- `push "dhcp-option DNS 1.0.0.1"`
- `tls-crypt /etc/openvpn/server/tls-crypt.key`
- `dh none`
- `ecdh-curve prime256v1`
- `data-ciphers AES-256-GCM:AES-128-GCM`
- `auth SHA256`
## Cloudflared Ingress Baseline
Expected entries in `/etc/cloudflared/config.yml`:
- `vpn.bhatfamily.in -> tcp://localhost:1194`
- Existing routes:
- `web.bhatfamily.in -> http://localhost:8080`
- `ecom.bhatfamily.in -> http://localhost:8081`
- `ssh.bhatfamily.in -> ssh://localhost:22`
## Firewall / Routing (UFW)
Expected system settings for VPN egress:
- `/etc/default/ufw`
- `DEFAULT_FORWARD_POLICY="ACCEPT"`
- `/etc/ufw/sysctl.conf`
- `net/ipv4/ip_forward=1`
- `/etc/ufw/before.rules`
- `-A POSTROUTING -s 10.8.0.0/24 -o wlp2s0 -j MASQUERADE`
## Client Artifacts
- Generated profile: `/home/rbhat/rbhat-client-cloudflared.ovpn`
- Generated cert/key source:
- `/etc/openvpn/easy-rsa/pki/issued/rbhat-client.crt`
- `/etc/openvpn/easy-rsa/pki/private/rbhat-client.key`
## Service Operations
Start/enable services:
```bash
sudo systemctl enable --now openvpn-server@server
sudo systemctl enable --now cloudflared
```
Stop/start OpenVPN only:
```bash
sudo systemctl stop openvpn-server@server
sudo systemctl start openvpn-server@server
```
Status checks:
```bash
systemctl is-enabled openvpn-server@server cloudflared
systemctl is-active openvpn-server@server cloudflared
sudo systemctl --no-pager status openvpn-server@server --lines=30
sudo systemctl --no-pager status cloudflared --lines=30
```
## Verification
Listener checks:
```bash
ss -tulpen | grep -E ':1194\b|:21194\b'
```
DNS checks:
```bash
dig +short vpn.bhatfamily.in CNAME
dig +short vpn.bhatfamily.in
```
OpenVPN server logs:
```bash
sudo journalctl --no-pager -u openvpn-server@server -n 120
```
Cloudflared logs:
```bash
sudo journalctl --no-pager -u cloudflared -n 120
```
## Troubleshooting Notes
- `cloudflared access tcp --url localhost:1194` may fail with `address already in use` if local OpenVPN server is already bound to `1194` on that machine.
- Use another local forwarder port (e.g. `21194`) and set OpenVPN client `remote 127.0.0.1 21194`.
- `vpn.bhatfamily.in:21194` is not meant to be publicly reachable; it is client-local forwarding endpoint semantics.
Reference in New Issue View Git Blame Copy Permalink