Netgate Discussion Forum

    Cloudflare DynDNS (DDNS) Proxied OpenVPN Issue

      MacOS

      Using Cloudflare as the DynDNS (DDNS) provider with their DNS Proxy enabled, OpenVPN clients will not connect to pfSense.

      Test 1
      Cloudflare Proxy status = DNS Only (off)
      pfSense Cloudflare Proxy = unchecked (off)
      OpenVPN clients connect.

      Test 2
      Cloudflare Proxy status = Proxied (on)
      pfSense Cloudflare Proxy = checked (on)
      OpenVPN clients fail to connect.

      These services could be incompatible with each other.

      https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/

      Proxy status
      When you proxy an A, AAAA, or CNAME DNS record for your application (also known as orange-clouding), DNS queries for these records will resolve to Cloudflare Anycast IPs instead of their original DNS target.

      This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server. This behavior allows Cloudflare to optimize, cache, and protect all requests for your application.

      Because requests to proxied hostnames go through Cloudflare before reaching your origin server (read: pfSense), these requests will appear to be coming from Cloudflare’s IP addresses. You may need to adjust your server configuration to allow Cloudflare IPs.

      Bingo!

      By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.
      HTTP ports supported by Cloudflare: 80, 8080, 8880, 2052, 2082, 2086, 2095
      HTTPS ports supported by Cloudflare: 443, 2053, 2083, 2087, 2096, 8443
      Caching is disabled for the following ports: 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8880, 8443

      Did you notice that OpenVPN port 1194 is missing from Cloudflare's list above? It's being BLOCKED. Changing pfSense OpenVPN to use port 2052 allowed VPN traffic to pass through Cloudflare and connect! NSLOOKUP verified that my IP is hidden and resolved to a Cloudflare IP address.

      Hope this helps!

        MacOS

        False alert. It stopped working. I think Cloudflare proxy took longer to engage on the backend even though their web UI showed differently.

        On the plus side, I know more about their services. "Zero Trust" and "Tunnels" free services may be a good replacement for VPN.

        Hope this helps.

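The first post's port list and the second post's "it stopped working" point at the same underlying behaviour: an orange-clouded record makes clients resolve the hostname to Cloudflare anycast IPs, and Cloudflare's DNS proxy only terminates HTTP/HTTPS on the listed TCP ports, so an OpenVPN handshake (UDP 1194, or even TCP on a listed port like 2052) never reaches pfSense. The script below is an added diagnostic written for this thread; it is not code from the posts, from Cloudflare, or from pfSense/Netgate. It assumes a snapshot of Cloudflare's published IPv4 edge ranges (refresh from https://www.cloudflare.com/ips-v4 before relying on it), that the orange-cloud proxy forwards neither UDP nor non-HTTP TCP to the origin (Cloudflare Spectrum, a separate paid product, is not what the DDNS proxy checkbox enables), and that the nslookup outputs it parses are constructed samples, not real captures.

```python
"""Check whether a DDNS hostname is proxied by Cloudflare and whether an
OpenVPN listener behind it can be reached through that proxy.

Added example; not code from the forum posts, Cloudflare, or pfSense/Netgate.
Assumptions (not on the page):
  * CLOUDFLARE_V4 is a snapshot of Cloudflare's published IPv4 edge ranges
    (https://www.cloudflare.com/ips-v4); refresh it before relying on it.
  * The orange-cloud proxy terminates HTTP/HTTPS on the TCP ports quoted in
    the thread only; it forwards neither UDP nor non-HTTP TCP to the origin.
  * The nslookup outputs below are constructed samples, not real captures.
"""
from dataclasses import dataclass
import ipaddress
import re

CLOUDFLARE_V4 = [
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
]
_CF_NETS = [ipaddress.ip_network(n) for n in CLOUDFLARE_V4]

# Ports from Cloudflare's "proxied DNS records" page, as quoted in the thread.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}

# Constructed sample: record is orange-clouded, answers are Cloudflare anycast IPs.
SAMPLE_NSLOOKUP_PROXIED = """\
Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
Name:\tvpn.example.com
Address: 104.21.12.34
Name:\tvpn.example.com
Address: 172.67.56.78
"""

# Constructed sample: DNS only, the answer is the pfSense WAN address.
SAMPLE_NSLOOKUP_DNS_ONLY = """\
Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
Name:\tvpn.example.com
Address: 203.0.113.10
"""


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr lies inside one of Cloudflare's published edge ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in _CF_NETS)


def answers_from_nslookup(output: str) -> list[str]:
    """Extract answer addresses from nslookup output, skipping the resolver's
    own Server/Address header that precedes the first 'Name:' line."""
    if "Name:" not in output:
        return []
    body = output.split("Name:", 1)[1]
    return re.findall(r"^Address:\s*(\S+)\s*$", body, flags=re.M)


@dataclass
class Verdict:
    proxied: bool      # hostname resolves only to Cloudflare edge IPs
    reachable: bool    # an OpenVPN client using this hostname reaches pfSense
    reason: str


def diagnose(answers: list[str], port: int, proto: str) -> Verdict:
    """Explain what happens to an OpenVPN client that connects to these
    resolved addresses on the given port/protocol."""
    if not answers:
        return Verdict(False, False, "hostname did not resolve")
    if not all(is_cloudflare_ip(a) for a in answers):
        return Verdict(False, True,
                       "DNS only: clients reach the pfSense WAN address directly")
    if proto.lower() == "udp":
        return Verdict(True, False,
                       f"proxied: the edge does not forward UDP, so udp/{port} never reaches pfSense")
    if port in CF_HTTP_PORTS | CF_HTTPS_PORTS:
        return Verdict(True, False,
                       f"proxied: tcp/{port} is accepted at the edge only as HTTP(S); "
                       "the OpenVPN handshake is not HTTP and is dropped")
    return Verdict(True, False, f"proxied: the edge does not listen on tcp/{port} at all")


if __name__ == "__main__":
    for label, sample in (("proxied", SAMPLE_NSLOOKUP_PROXIED),
                          ("dns-only", SAMPLE_NSLOOKUP_DNS_ONLY)):
        ips = answers_from_nslookup(sample)
        for port, proto in ((1194, "udp"), (1194, "tcp"), (2052, "tcp")):
            v = diagnose(ips, port, proto)
            print(f"{label:8} {proto}/{port:<5} reachable={v.reachable}  {v.reason}")
```

Run it against real `nslookup vpn.example.com` output to confirm which situation you are in: if every answer is a Cloudflare address, the origin IP is hidden exactly as the first post observed, and for the same reason no OpenVPN port choice will get the handshake through the proxy. Hiding the WAN address and exposing OpenVPN through the same hostname are mutually exclusive with the orange cloud; a separate DNS-only record for the VPN, or the Tunnels/Zero Trust route mentioned in the second post, are the options that remain.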
        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.