Using OpenVPN via Cloudflare DDNS proxied

Hello, I am trying to configure OpenVPN on my pfSense, but in CF I have my subdomain as proxied and it is not allowing OpenVPN to connect. Is the only way to make this work to grey out the cloud? I was hoping not to expose my ISP IP. Thanks

Yes. Unless you spend a ton for Spectrum, which is Enterprise only.

You might want to look at Cloudflare for Teams, though. There is a sort of VPN substitute which you configure. TCP only, though.

Thank you for the quick response. Is Teams a free solution or is that on the paid tier? Also, do you think OpenVPN would be the better way to go? Or is the Teams VPN just as quick and good?

Works well, but it has its own limitations. Read through the documentation.

It’s free-ish; there, as well, it has some limitations.

Also, depends what you have at home. I have devices always on at home, so I have Google Remote Desktop (also OpenVPN via a non-proxied CF subdomain) set up for emergency remote access.

I guess what I am trying to say is: how can you protect your ISP IP from someone that pings your subdomain? We have to leave 1 open for VPN to work, and with the one open, it defeats the purpose of hiding the rest.

Hi @iptvcld,

Am I right in my understanding that you are hosting an application of some kind on your home network that you want to be able to expose to the web, without directly exposing your IP or opening ports?

Have you looked at Cloudflare Tunnel? You install it on the server and it directly connects with Cloudflare’s datacenters and means you don’t need to have open ports.

More info on what it is here:

Docs here:

If what you mean is RDP, as in your other topic, have a look at this:


I am using HAProxy via pfSense for my home applications/server and those work OK with CF. It’s OpenVPN that won’t work when CF is proxied; it only works when it is grey-clouded, as it needs to expose the ISP IP.

That’s correct, nothing you can do about this if you want to use OpenVPN.

Similar topic → OpenVPN: masking the original IP

Also, even if CF isn’t announcing the source IP in the DNS, there’s still absolutely nothing stopping random bots out there from randomly cycling through IP addresses and running port scans on them. Similar to how do-not-call lists don’t stop spam/scam calls.
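
The concern raised in the thread, that a single DNS-only (grey cloud) record for the VPN gives away the address the proxied records are hiding, can be checked against a zone's own record list. The following is an added example, not part of the original thread; the record list, hostnames and IPs are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress
from collections import defaultdict

# Constructed sample of a zone's A records: (hostname, origin IP, proxied?).
# Hostnames and addresses are documentation placeholders, not real data.
RECORDS = [
    ("www.example.com", "203.0.113.10", True),
    ("cloud.example.com", "203.0.113.10", True),
    ("vpn.example.com", "203.0.113.10", False),  # grey cloud so OpenVPN can connect
    ("blog.example.com", "198.51.100.7", True),
]


def _norm(ip):
    """Normalise an address string so equal IPs always compare equal."""
    return str(ipaddress.ip_address(ip.strip()))


def exposed_origins(records):
    """For each DNS-only record, list the proxied hostnames sharing its IP.

    Anyone resolving the DNS-only name learns the origin address that
    those proxied hostnames were meant to keep out of public DNS.
    """
    proxied_by_ip = defaultdict(list)
    for name, ip, proxied in records:
        if proxied:
            proxied_by_ip[_norm(ip)].append(name)
    findings = {}
    for name, ip, proxied in records:
        if not proxied:
            key = _norm(ip)
            findings[name] = {"ip": key, "reveals": sorted(proxied_by_ip[key])}
    return findings


def still_hidden(records):
    """Proxied hostnames whose origin IP appears in no DNS-only record."""
    exposed = {_norm(ip) for _, ip, proxied in records if not proxied}
    return sorted(n for n, ip, p in records if p and _norm(ip) not in exposed)


if __name__ == "__main__":
    for host, info in exposed_origins(RECORDS).items():
        print(f"{host} publishes {info['ip']}, shared with: {info['reveals']}")
    print("origin not published in DNS:", still_hidden(RECORDS))
```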
