OpenVPN not working through Cloudflare DNS


#1

I’ve set up a hostname on my domain to point back to my IP so that I could use the DDNS functionality to keep connectivity for my VPN when my IP changes. From what I’m able to work out so far, there’s no reason why this shouldn’t work. The DNS record is up to date in the Cloudflare console. The IP is not being proxied through Cloudflare. The updater is reporting everything’s up to date in my router’s console, and pings/nslookups also resolve to the correct IP, albeit with a non-authoritative answer for some reason. However, whenever I try to connect, the client reports “waiting for server” until the connection times out. I’m sure that the OpenVPN connection itself is working, as it worked just fine before I tried setting this up, and it also worked just once when I was doing testing after the setup, though I’ve never been able to replicate it after I fixed the unrelated issue that was keeping me from connecting that time. Any ideas on other places I can look to get this up and running?


#2

If the record is gray clouded (and not a CNAME to a record which is orange clouded) then Cloudflare itself shouldn’t be in the mix at all. Just to clarify, when you do a DNS lookup externally for the server name you’re using for VPN you get the true address of the VPN server correct?

If that’s the case you can eliminate Cloudflare and look at your network settings. And also, please test using just the bare IP to see if that works (it shouldn’t).

Re: non-authoritative answer. When you ask a standard DNS resolver it recurses to the authoritative server to get the answer (or pulls it from cache if it has it). All that response means is the server you asked got its answer from another server because it isn’t the authoritative server for that zone. It’s normal/expected in most scenarios.


#3

I have the same problem, OpenVPN not connecting through Cloudflare.

Even when going “grey cloud” and DNS only, the request to xxx.x.xx.xxx:1194 times out and gives TLS handshake error:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

How to route the port 1194 through to the webserver? OpenVPN is working on the local 192.168.xx.x LAN, firewall on openvpn server is open, router is set to forward port 1194 to static ip server.

Anyone successful at getting a dynamic IP host with openvpn working through cloudflare?


#4

Are you gray clouded directly to the host IP address? Or to another orange clouded record? It needs to be directly to the source host. Does OpenVPN work when you just use the source IP address?


#5

It’s working now, thanks.

My solution was to create a CNAME subdomain (openvpn.mydomain.com) pointing to the A record (mydomain.com, which hosts an HTTPS web server through Cloudflare) with the public DDNS IP, then “grey cloud” the CNAME to remove Cloudflare from the mix. Using the VPN client tools (using Mac, Tunnelblick) I could simply point it to the CNAME “openvpn.mydomain.com:1194”, exposing the public IP, and it worked properly (assuming properly configured…). I also changed the server and client DNS settings to point to the xxx.ns.cloudflare.com servers so any IP change was quickly reflected to the client.

It was helpful also to know which ports Cloudflare is configured to forward:
https://support.cloudflare.com/hc/en-us/articles/200169156-Which-ports-will-Cloudflare-work-with-
just in case I would need to use those ports or know they won’t forward through Cloudflare.

Also, once you can get OpenVPN (or another VPN) connected on the local network (client configured for 192.168.x.x:1194), so you know your server software configuration of .crt/.key/etc. works and ports are forwarded, THEN you can move up to navigating ISP/router port forwarding and seeing if nslookup, ping, dig, etc. work with DNS. Personally, I connected a laptop client configured for “openvpn.mydomain.com” through a phone hotspot over the public internet (not using the home LAN wifi) and it worked properly. Job done: Cloudflare DNS points to my server, the port 1194 requests make it through the ISP/router/server firewall and reach OpenVPN, and it can get back out to the remote client.

It was likely more my “wetware/software” issue with OpenVPN configuration than a Cloudflare issue in the end. CNAME and Grey Cloud are your friends for this task.

Thanks for the great customer support and responding quickly.

Regards,
Kevin Sullivan
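The checks suggested in #2, #4 and #5 (resolve the VPN hostname externally, follow the CNAME chain, make sure nothing in the chain is orange-clouded, and confirm the final address is the current public IP) can be scripted. The following is an added example written for this thread, not code from Cloudflare or from any of the posters. It assumes a snapshot of Cloudflare's published IPv4 proxy ranges (from https://www.cloudflare.com/ips-v4; refresh before relying on it), and the zone data in `FIXTURE` is constructed to mirror the two setups discussed above: a gray-clouded CNAME to a gray-clouded A record (works) and a CNAME whose target is orange-clouded (lands on a Cloudflare edge, which does not forward port 1194). `dig_lookup` runs the same diagnosis against a live name with `dig`.

```python
"""Follow a VPN hostname's CNAME chain and report whether it ends on the origin
(gray cloud) or on a Cloudflare edge address (orange cloud somewhere in the chain)."""
import ipaddress
import shutil
import subprocess

# Assumed snapshot of Cloudflare's published IPv4 proxy ranges
# (https://www.cloudflare.com/ips-v4); re-fetch before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(ip):
    """True if `ip` is inside Cloudflare's proxy ranges, i.e. the name is proxied."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def resolve_chain(name, lookup, max_depth=8):
    """Follow CNAMEs from `name` until A records appear.

    `lookup(name)` returns a list of (rrtype, target) pairs. Returns
    (names_visited, ipv4_addresses). Raises LookupError on an empty answer,
    a CNAME loop, or a chain longer than `max_depth`.
    """
    chain = [name]
    current = name
    for _ in range(max_depth):
        answers = lookup(current)
        if not answers:
            raise LookupError(f"{current}: no DNS answer")
        cnames = [target for rrtype, target in answers if rrtype == "CNAME"]
        if cnames:
            current = cnames[0]
            if current in chain:
                raise LookupError(f"CNAME loop at {current}")
            chain.append(current)
            continue
        return chain, [target for rrtype, target in answers if rrtype == "A"]
    raise LookupError("CNAME chain longer than max_depth")


def diagnose(name, expected_origin_ip, lookup):
    """Classify the hostname the way the replies in the thread do:

    'proxied' - a name in the chain is orange-clouded, so the client reaches a
                Cloudflare edge instead of the server (port 1194 is not forwarded);
    'stale'   - gray-clouded, but not pointing at the current public IP (DDNS lag);
    'ok'      - gray-clouded all the way down and pointing at the expected origin.
    """
    chain, ips = resolve_chain(name, lookup)
    if any(is_cloudflare_edge(ip) for ip in ips):
        verdict = "proxied"
    elif expected_origin_ip in ips:
        verdict = "ok"
    else:
        verdict = "stale"
    return {"chain": chain, "ips": ips, "verdict": verdict}


def dig_lookup(name):
    """Live resolver via `dig +short`: CNAME targets end in '.', addresses do not."""
    if shutil.which("dig") is None:
        raise RuntimeError("dig is not installed")
    out = subprocess.run(["dig", "+short", name, "A"],
                         capture_output=True, text=True, check=True).stdout
    return [("CNAME", token) if token.endswith(".") else ("A", token)
            for token in out.split()]


# Constructed resolver answers (not real zone data) mirroring the thread's setups.
FIXTURE = {
    "openvpn.example.com.": [("CNAME", "example.com.")],       # gray-clouded CNAME, as in #5
    "example.com.": [("A", "203.0.113.10")],                   # gray-clouded A with the DDNS IP
    "www.example.com.": [("A", "104.16.1.1")],                 # orange-clouded: a Cloudflare edge IP
    "vpn-bad.example.com.": [("CNAME", "www.example.com.")],   # the chain #4 warns against
}


def fixture_lookup(name):
    return list(FIXTURE.get(name, []))


if __name__ == "__main__":
    for host in ("openvpn.example.com.", "vpn-bad.example.com."):
        print(host, diagnose(host, "203.0.113.10", fixture_lookup))
```

For a live check, call `diagnose("openvpn.yourdomain.tld.", current_public_ip, dig_lookup)` from a network other than the home LAN; a 'proxied' verdict explains the "waiting for server" and TLS handshake timeouts seen in #1 and #3, while 'stale' points at the DDNS updater rather than at Cloudflare.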