OpenVPN not working through Cloudflare DNS

I’ve set up a hostname on my domain to point back to my IP so that I could use the DDNS functionality to keep connectivity for my VPN when my IP changes. From what I’m able to work out so far there’s no reason why this shouldn’t work. The DNS record is up to date in the Cloudflare console. The IP is not being proxied through Cloudflare. The updater is reporting everything’s up to date in my router’s console, and pings/nslookups also resolve to the correct IP, albeit with a non-authoritative answer for some reason. However, whenever I try to connect, the client reports “waiting for server” until the connection times out. I’m sure that the OpenVPN connection itself is working, as it worked just fine before I tried setting this up, and it also worked just once when I was doing testing after the setup, though I’ve never been able to replicate it after I fixed the unrelated issue that was keeping me from connecting that time. Any ideas on other places I can look to get this up and running?

If the record is gray clouded (and not a CNAME to a record which is orange clouded) then Cloudflare itself shouldn’t be in the mix at all. Just to clarify, when you do a DNS lookup externally for the server name you’re using for VPN you get the true address of the VPN server correct?

If that’s the case you can eliminate Cloudflare and look at your network settings. And also, please test using just the bare IP to see if that works (it shouldn’t).

Re: non-authoritative answer. When you ask a standard DNS resolver it recurses to the authoritative server to get the answer (or pulls it from cache if it has it). All that response means is the server you asked got its answer from another server because it isn’t the authoritative server for that zone. It’s normal/expected in most scenarios.
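The check being asked for above, whether the VPN hostname reaches the real host without a proxied (orange-cloud) hop anywhere in its CNAME chain, can be automated. The following is an added example and not code from the thread or from Cloudflare: it walks a zone modelled as a plain dictionary (the sample zone, names and addresses are constructed; `example.test` and `203.0.113.x` are placeholders) and reports whether the chain ends at an A record with every hop gray-clouded. A gray-clouded CNAME whose target is itself proxied is flagged, which is the case the replies above describe as not working for VPN traffic.

```python
# Added example: follow a CNAME chain inside a Cloudflare-style zone and
# report whether any hop is proxied. The zone below is constructed sample
# data, not a real zone; record shape (type/content/proxied) mirrors what the
# Cloudflare console shows for each record.
from typing import Dict, List, Optional, Tuple

SAMPLE_ZONE: Dict[str, dict] = {
    # Apex: web site behind the proxy (orange cloud)
    "example.test": {"type": "A", "content": "203.0.113.10", "proxied": True},
    # www: proxied CNAME to the apex
    "www.example.test": {"type": "CNAME", "content": "example.test", "proxied": True},
    # vpn: gray-clouded CNAME, but its target is proxied -> resolves to Cloudflare
    "vpn.example.test": {"type": "CNAME", "content": "example.test", "proxied": False},
    # vpn2: gray-clouded A record straight to the host -> what the VPN needs
    "vpn2.example.test": {"type": "A", "content": "203.0.113.10", "proxied": False},
}

MAX_HOPS = 8  # guard against runaway chains


def resolve_chain(zone: Dict[str, dict], name: str) -> Tuple[Optional[str], List[Tuple[str, dict]]]:
    """Follow CNAMEs from `name` until an A record is reached.

    Returns (ip_or_None, hops). ip is None when the chain leaves the zone
    or exceeds MAX_HOPS; a CNAME loop raises ValueError.
    """
    hops: List[Tuple[str, dict]] = []
    seen = set()
    current = name
    while current in zone and len(hops) < MAX_HOPS:
        if current in seen:
            raise ValueError(f"CNAME loop at {current}")
        seen.add(current)
        record = zone[current]
        hops.append((current, record))
        if record["type"] == "A":
            return record["content"], hops
        current = record["content"]
    return None, hops


def diagnose(zone: Dict[str, dict], name: str) -> dict:
    """Classify a hostname for non-HTTP use such as OpenVPN on UDP/1194."""
    ip, hops = resolve_chain(zone, name)
    proxied_hops = [hop_name for hop_name, rec in hops if rec.get("proxied")]
    if ip is None:
        return {"ok": False, "ip": None, "proxied_hops": proxied_hops,
                "reason": "chain does not end at an A record in this zone"}
    if proxied_hops:
        return {"ok": False, "ip": ip, "proxied_hops": proxied_hops,
                "reason": "a proxied hop is in the path; clients get Cloudflare "
                          "edge addresses, and the proxy only carries HTTP(S) ports"}
    return {"ok": True, "ip": ip, "proxied_hops": [],
            "reason": "gray-clouded all the way to the host address"}


if __name__ == "__main__":
    for host in ("vpn.example.test", "vpn2.example.test", "www.example.test"):
        result = diagnose(SAMPLE_ZONE, host)
        status = "OK " if result["ok"] else "BAD"
        print(f"{status} {host}: {result['reason']} (ip={result['ip']})")
```

Run it against a zone export or a dictionary built from the console, and compare the reported address with what an external `nslookup`/`dig` returns: if the two differ, something between the client and Cloudflare (usually a proxied hop) is still in the path.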

I have the same problem, OpenVPN not connecting through Cloudflare.

Even when going “grey cloud” and DNS only, the request to times out and gives TLS handshake error:

TLS Error: TLS key negotiation failed to occur within 60 seconds (check your network connectivity)
TLS Error: TLS handshake failed

How to route port 1194 through to the web server? OpenVPN is working on the local 192.168.xx.x LAN, the firewall on the OpenVPN server is open, and the router is set to forward port 1194 to the static IP server.

Anyone successful at getting a dynamic IP host with OpenVPN working through Cloudflare?

Are you gray clouded directly to the host IP address? Or to another orange clouded record? It needs to be directly to the source host. Does OpenVPN work when you just use the source IP address?

It’s working now, thanks.

My solution was to create a CNAME subdomain ( pointing to the A record (, which hosts an HTTPS web server through Cloudflare) with the public DDNS IP, then “grey cloud” the CNAME to remove Cloudflare from the mix. Using the VPN client tools (using Mac, Tunnelblick) I could simply point it to the ”, exposing the public IP, and it worked properly (assuming properly configured…). I also changed the server and client DNS settings to point to servers so any IP change was quickly reflected to the client.

It was helpful also to know which ports Cloudflare is configured to forward:
just in case I would need to use those ports or know they won’t forward through Cloudflare.

Also, once you can get connected via OpenVPN (or other VPN) working on the local network (client configured for 192.168.x.x:1194) so you know your server software configuration of .crt/.key/etc works & ports are forwarded etc. THEN you can move up to navigating ISP/router port forwarding and seeing if nslookup, ping, dig, etc. work with DNS. Personally I connected laptop client configured for “” through phone hotspot through the public internets (not using the home LAN wifi) and it worked properly. Job done, Cloudflare DNS points to my server, the port 1194 requests make it through the ISP/router/server firewall, and reaches OpenVPN, and it can get back out to the remote client.

It was likely more my “wetware/software” issue with OpenVPN configuration than a Cloudflare issue in the end. CNAME and Grey Cloud are your friends for this task.

Thanks for the great customer support and responding quickly.

Kevin Sullivan
+1 to the above solution posted by “kts” in a slightly different application.

I have a main site “” hosted via an external blog hosting company with a CNAME record pointing to (DNS Only, flattened and not gray clouded due to the offsite management). There is also a CNAME record for www that is proxied via Cloudflare (orange clouded) to the CNAME record above, “”.

I then wanted another subdomain to a different IP address that can handle protecting request traffic AND VPN access, so I split it into 2 subdomains:

  • I set up a subdomain “subdomain” with an A record to a bare IP that is proxied (orange clouded) via Cloudflare for protection and optimization on that hostname.
  • I set up another subdomain “vpnsubdomain” for VPN access, setting it up as a CNAME record pointing to the above, “”, that is gray clouded and not proxied via Cloudflare.

I can now access this different IP’s web services via and access the same IP’s VPN server via

The point of this is to provide some optimization and management for the IP behind “” while allowing the same IP to work as an OpenVPN server using Cloudflare as a pseudo-DDNS provider via a script. Of course the real IP is exposed via the VPN route, but that VPN domain isn’t advertised publicly, only the “” is.

Seems to work and the examples above helped quite a bit. Thank you.
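The post above mentions using Cloudflare as a pseudo-DDNS provider via a script without showing one. The following is an added example, written for this thread and not the poster’s script or anything published by Cloudflare: a standard-library Python updater that discovers the current public address, compares it with the A record, and patches the record only when it has changed. It assumes (these are assumptions, not facts from the thread) that the public IP can be read from `https://1.1.1.1/cdn-cgi/trace`, which answers with `key=value` lines including `ip=...`, and that the Cloudflare v4 API exposes `GET /zones/{zone_id}/dns_records?type=A&name=...` and `PATCH /zones/{zone_id}/dns_records/{record_id}` with a Bearer API token; verify both against the current Cloudflare documentation before relying on them. It refuses to update a proxied record by default, since a proxied name cannot carry the VPN traffic and an updater that quietly keeps such a record current would hide exactly the misconfiguration discussed above.

```python
# Added example: minimal Cloudflare DDNS updater, standard library only.
# Assumed external interfaces (check against current docs):
#   - https://1.1.1.1/cdn-cgi/trace returns "key=value" lines incl. "ip=..."
#   - Cloudflare v4 API: GET  /zones/{zone}/dns_records?type=A&name=<host>
#                        PATCH /zones/{zone}/dns_records/{record_id}
# Configuration comes from the environment: CF_API_TOKEN, CF_ZONE_ID, DDNS_NAME.
import json
import os
import sys
import urllib.parse
import urllib.request

API_BASE = "https://api.cloudflare.com/client/v4"
TRACE_URL = "https://1.1.1.1/cdn-cgi/trace"


def parse_trace(text: str) -> str:
    """Pull the ip=... value out of a cdn-cgi/trace style response body."""
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and key.strip() == "ip":
            return value.strip()
    raise ValueError("no ip= line in trace response")


def plan_update(record: dict, public_ip: str, require_dns_only: bool = True):
    """Decide what (if anything) to send to the API for one A record.

    Returns None when the record already holds the public IP, otherwise the
    PATCH body. A proxied (orange-cloud) record is refused by default: the
    proxy does not pass UDP/1194, so keeping it current would mask the problem.
    """
    if record.get("type") != "A":
        raise ValueError(f"expected an A record, got {record.get('type')!r}")
    if require_dns_only and record.get("proxied"):
        raise ValueError(f"{record.get('name')} is proxied; gray-cloud it for VPN use")
    if record.get("content") == public_ip:
        return None
    return {"content": public_ip}


def cf_request(method: str, path: str, token: str, body: dict = None):
    """Send one authenticated request to the Cloudflare API and return .result."""
    data = json.dumps(body).encode() if body is not None else None
    request = urllib.request.Request(
        API_BASE + path, data=data, method=method,
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(request, timeout=15) as response:
        payload = json.load(response)
    if not payload.get("success"):
        raise RuntimeError(f"Cloudflare API error: {payload.get('errors')}")
    return payload["result"]


def main() -> None:
    token = os.environ["CF_API_TOKEN"]
    zone = os.environ["CF_ZONE_ID"]
    name = os.environ["DDNS_NAME"]  # e.g. vpn.example.test (placeholder)

    with urllib.request.urlopen(TRACE_URL, timeout=15) as response:
        public_ip = parse_trace(response.read().decode())

    query = urllib.parse.urlencode({"type": "A", "name": name})
    records = cf_request("GET", f"/zones/{zone}/dns_records?{query}", token)
    if len(records) != 1:
        sys.exit(f"expected exactly one A record for {name}, found {len(records)}")
    record = records[0]

    body = plan_update(record, public_ip)
    if body is None:
        print(f"{name} already points at {public_ip}")
        return
    cf_request("PATCH", f"/zones/{zone}/dns_records/{record['id']}", token, body)
    print(f"{name}: {record['content']} -> {public_ip}")


if __name__ == "__main__":
    main()
```

Run it from cron or a systemd timer every few minutes with an API token scoped to DNS edit on that one zone only; a token with wider rights turns a compromised router or home server into a way to rewrite the whole zone. Keep the record’s TTL short so clients pick up a new address quickly, as the post above notes.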