Wireguard not working, domain >not< proxied

I want to VPN to my home machine. I use WireGuard.
If I configure WireGuard to connect to my IP address, it works. If I configure it to connect to my domain managed by Cloudflare, it doesn’t seem to connect. I use the A record ‘blah.com’, not ‘www.blah.com’. I use exactly what’s in the first record shown in the attached (blacked out, but you get the idea).
My domain is not being proxied; it’s set as a ‘grey cloud’ (see attached).

Do I need to configure something differently?


Cloudflare proxies IPv6 to IPv4 and vice versa for proxied records. Could you make a DNS lookup to see what IPs are being returned for your domain? I’m betting that will return both Cloudflare IPs and your origin IP which could explain why it doesn’t work.

I would probably create a separate A record for a subdomain like wireguard.example.com and connect to it instead. That way you’re ensuring your WireGuard client won’t try to connect to a Cloudflare IP.
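The lookup suggested above can be scripted so the check is repeatable, for instance before a WireGuard client is told to use a new hostname as its Endpoint. The following is an added example and not code from this thread or from Cloudflare or WireGuard; it assumes the hostname and the known origin address are passed on the command line, and the list of Cloudflare edge ranges is a snapshot that must be refreshed from the published list before being trusted.

```python
"""Check whether a hostname used as a WireGuard Endpoint is really "DNS only".

A WireGuard peer's Endpoint must resolve to the origin host itself. A proxied
(orange-cloud) record returns Cloudflare edge addresses instead, and those
will never answer WireGuard's UDP handshake. This script resolves the name
and classifies every returned IPv4 address.
"""
import ipaddress
import socket
import sys

# Snapshot of Cloudflare's published IPv4 edge ranges (assumption: refresh
# from https://www.cloudflare.com/ips-v4 before relying on it).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_edge(addr):
    """True if the address falls inside one of the snapshot edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_V4)


def classify(addresses, expected_origin):
    """Classify a set of resolved addresses against the known origin IP.

    Verdicts:
      proxied  - at least one Cloudflare edge address came back (orange cloud)
      dns-only - the name resolves to exactly the origin address
      mixed    - origin is present but other non-edge addresses are too
      stale    - origin is absent; typical after a dynamic IP change
      empty    - nothing resolved at all
    """
    edge = sorted(a for a in addresses if is_cloudflare_edge(a))
    other = sorted(a for a in addresses if not is_cloudflare_edge(a))
    if not addresses:
        verdict = "empty"
    elif edge:
        verdict = "proxied"
    elif set(other) == {expected_origin}:
        verdict = "dns-only"
    elif expected_origin in other:
        verdict = "mixed"
    else:
        verdict = "stale"
    return {"verdict": verdict, "edge": edge, "other": other}


def resolve_endpoint(hostname, port=51820):
    """Resolve every IPv4 address for the name (needs network access)."""
    infos = socket.getaddrinfo(hostname, port, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def check_endpoint(hostname, expected_origin, port=51820):
    """Resolve the hostname and return the classification dict."""
    return classify(resolve_endpoint(hostname, port), expected_origin)


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: check_endpoint.py <hostname> <expected-origin-ip>")
    result = check_endpoint(sys.argv[1], sys.argv[2])
    print(f"{sys.argv[1]}: {result['verdict']}")
    if result["edge"]:
        print("  Cloudflare edge addresses:", ", ".join(result["edge"]))
    if result["other"]:
        print("  other addresses:", ", ".join(result["other"]))
```

A "proxied" verdict means the record still has the orange cloud on, or a wildcard or apex record that is proxied is shadowing the one you meant; "stale" is the case the home-connection IP has changed and the record has not been updated yet. Only "dns-only" is a hostname WireGuard can use as an Endpoint.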

I tried that DNS lookup. It’s showing 2 IP addresses, I’ll call them ‘A’ and ‘B’, for every country except Canada (where I am), which is showing a different one, ‘C’.
None of them are my actual IP as shown by my router and by whatsmyip, which is IP address ‘D’.

(I don’t use IPv6 and have it disabled wherever possible. My ISP is still going through the multi-year investigation phase in that area so it’s extremely challenging to try to get it working.)

When I use ‘D’ in my WireGuard, it works fine. Using A or B doesn’t. (I assume C is Cloudflare’s locally optimized address or something.)
A and B (and probably C) are of course Cloudflare trapping (routing?) and keeping my IP safe, which is fine and understood. I just thought that if my A record was a grey cloud and not proxied, it would pass everything through transparently.

I’ve gone ahead and added a new ‘A’ record for ‘wireguard.blah.com’ using my direct IP address, and it works now. I find that confusing though because the IP address I used for it is the same one shown for the only other ‘A’ record, namely my ‘blah.com’ domain. And they’re both not proxied (“DNS only”). So they look identical but act differently. I’ll put that down to my lack of understanding on things.
At any rate, it works now. I just now have to install a script on my server to keep the IP address current as I’m not on a home ‘business’ plan and it changes occasionally.
Thanks for the help!

OK, I’ve learned a bit more (or got myself deeper into a mess? lol)
I think I had my first ‘A’ record wrong. It was “blah.com”, and I added ‘wireguard.blah.com’.
But that’s not right, I think. The first one isn’t necessary (and I think it creates a weird “blah.com.blah.com” record). I don’t need to get to blah.com, or even www.blah.com. There’s no website there. I just use it to get direct access to some of my apps through an encrypted tunnel.
I’ve removed that first ‘blah.com’ record and will leave ‘wireguard.blah.com’ and see if things continue to work.
