Cloudflare Tunnel for OpenVPN

Based on what I’ve seen, this seems to be rarely used. I realize that Cloudflare Tunnel is intended to allow users to steer away from VPN, but I’m actually wanting VPN. My problem is that I use home internet through my cell provider, and I do not have a public IP address to use to host a VPN server. When I heard that Cloudflare Tunnel allows TCP connections, it dawned on me that maybe this would be my solution… Register a domain and use a tunnel to point VPN clients to my pfSense-hosted OpenVPN server. I have created an OpenVPN server in pfSense to receive connections on my LAN IP address (because the Cloudflared docker container tunnels to inside my LAN) at port 1194; I originally tried my WAN address, but I switched to LAN after WAN was unsuccessful. I created a Private Hostname through my Cloudflare Tunnel to point TCP connections to my LAN IP address. However, when I adjust my OpenVPN configuration file to point to the remote vpn.domain.com 1194 TCP4 that I created, the connection times out and never reaches the server. I’m not sure if my Cloudflare tunnel is unable to support the OpenVPN connection I’m hoping it would (I thought it would using TCP IPv4 connections), or if I have something misconfigured.

My end goal is that I am wanting to route all internet traffic from a remote device through my home network setup. I realize that Cloudflare Tunnel is well-documented for providing access to services like websites as an alternative to full VPN. I’ve briefly heard of Zero-Trust and WARP that might be able to be configured to route all traffic to my network like a VPN. However, I also realize WARP/Zero-Trust is intended to forward access to local resources, not all internet traffic, so I’m wondering if that would even work.

Looking for advice as to where I’m going wrong or better alternative solutions using the resources I have (registered domain, Cloudflare tunnel, no public IP address, etc.). I looked into Headscale, which could potentially work, but I was having some difficulties configuring this. I want to see if I can get OpenVPN working, or if Zero-Trust has an alternative for me. Thanks for your help in advance.

Hello!

My name is Brandon, and I am glad to assist!

The tunnel does support TCP, but it’s restricted to HTTP/HTTPS traffic without the purchase of an Enterprise plan that opens up another service called Spectrum, which may be able to handle that.

However, the Tunnel product itself allows you to set up the access you need to internal resources. When you created a Public Hostname pointed at your internal router IP for OpenVPN, you did exactly what was needed for a simple Web proxy. If you go back in and change the Target URL to remove the port argument, then you should be able to reach the Web UI using that same public hostname.

Of course, you don’t want to leave this unprotected, so I suggest looking into the Access > Applications area, where you can set up authentication to access that public hostname. Cloudflare handles that before the traffic is allowed to reach the server, so you shouldn’t be seeing unauthorized connections!

If you require further details, please let me know!

Hello Brandon,

Thanks for the clarification. I see that the TCP tunnel cannot support OpenVPN TCP connections. Is there an alternative to what I am trying to accomplish? I am not just trying to host resources, but gain remote access to the network and tunnel all network traffic through my home network. I am making use of the ability to host services, like webservers, for my own personal use and securing them through the Applications, but I also would like full-VPN access.

Can Cloudflare do this using its own tools, or do you have any suggestions for free, open-source tools like Tailscale/Headscale?

Thanks in advance.

If you have your answer, good for you; otherwise maybe try ZeroTier. It works okay for accessing things behind unopenable service providers.

Paid-wise, I use Windscribe VPN, where you can sign up for a static IP and/or do port forwarding when the client is connected to the VPN. (Static not necessary, I think.)

Have you tried configuring OpenVPN to share the TCP port with HTTPS? There’s a bit of a performance hit since it’s TCP-only but it’s also sneaky and doesn’t require exposing any other ports. Different scenarios are described in the “advanced option settings on the command line” article in the OpenVPN online documentation. https://openvpn.net/vpn-server-resources/advanced-option-settings-on-the-command-line/

Hi @lewise2019

I have the exact solution to your problem. I’ve developed a Python script that runs every X minutes using cron jobs on your local server. The script checks your IP and then updates your chosen DNS record. This will resolve the dynamic IP address issue.

However, to route all internet traffic through a domain/subdomain, you will need to sacrifice the security of Cloudflare, as the proxied A record won’t work. You’ll need to expose your server’s IP address if you want to use your OpenVPN server. Therefore, I recommend installing a robust and strict firewall on your server before exposing its IP address to enhance security.

The Python script is here: https://github.com/Apses98/Cloudflare-DDNS

After installing the script, you need to add it to cron jobs to run periodically.
It’s important to note that the interval for running the script should not be too short, as it might lead to being blocked by Cloudflare. In my experience, running the script every 30 minutes has proven effective and hasn’t triggered any issues with Cloudflare.

You also need to add your zone ID, record ID and your API key in the script (check the script; it is self-explanatory).

Good luck.
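An added example, not the script linked above, of the update loop such a cron job needs: a pure function that describes the Cloudflare API v4 PUT for the A record (proxied off, since a proxied record will not carry OpenVPN, as the post notes) and a change check so the job only calls the API when the address actually moved. CHECK_IP_URL, CACHE_FILE and the CF_* environment variables are assumptions.

```python
import json
import os
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
CHECK_IP_URL = "https://api.ipify.org"  # assumption: any plain-text "what is my IP" service works
CACHE_FILE = os.path.expanduser("~/.cf_ddns_last_ip")  # assumption: where the last pushed IP is kept


def needs_update(last_ip, current_ip):
    """Skip the API call when nothing changed, so even a frequent cron schedule
    only talks to Cloudflare when the provider actually hands out a new address."""
    return bool(current_ip) and current_ip != last_ip


def build_update_request(zone_id, record_id, api_token, hostname, ip, ttl=120):
    """Describe the PUT that rewrites the A record (Cloudflare API v4).
    proxied=False is deliberate: a proxied record only carries HTTP(S), so
    OpenVPN clients must resolve the real WAN address."""
    url = f"{API_BASE}/zones/{zone_id}/dns_records/{record_id}"
    headers = {"Authorization": f"Bearer {api_token}",
               "Content-Type": "application/json"}
    body = {"type": "A", "name": hostname, "content": ip, "ttl": ttl, "proxied": False}
    return url, headers, body


def current_public_ip():
    with urllib.request.urlopen(CHECK_IP_URL, timeout=10) as resp:
        return resp.read().decode().strip()


def run_once(zone_id, record_id, api_token, hostname):
    """One cron invocation: read the cached IP, look up the current one, update only on change."""
    last_ip = open(CACHE_FILE).read().strip() if os.path.exists(CACHE_FILE) else None
    ip = current_public_ip()
    if not needs_update(last_ip, ip):
        return False
    url, headers, body = build_update_request(zone_id, record_id, api_token, hostname, ip)
    req = urllib.request.Request(url, data=json.dumps(body).encode(),
                                 headers=headers, method="PUT")
    with urllib.request.urlopen(req, timeout=10) as resp:
        result = json.load(resp)
    if not result.get("success"):
        raise RuntimeError(f"Cloudflare API error: {result.get('errors')}")
    with open(CACHE_FILE, "w") as fh:
        fh.write(ip)
    return True

if __name__ == "__main__":
    # Placeholders: pass zone id, record id, API token and hostname via the environment.
    run_once(os.environ["CF_ZONE_ID"], os.environ["CF_RECORD_ID"],
             os.environ["CF_API_TOKEN"], os.environ["CF_HOSTNAME"])
```

Schedule `run_once` from cron at the interval the post recommends; because the cached IP gates the API call, most runs exit without contacting Cloudflare at all.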