Cloudflare DynDNS (DDNS) Proxied OpenVPN Issue
-
Using Cloudflare as the DynDNS (DDNS) provider with their DNS Proxy enabled, OpenVPN Clients will not connect to pfsense.
Test 1
Cloudflare Proxy status = DNS Only (off)
pfsense Cloudflare Proxy = unchecked (off)
OpenVPN Clients connect.

Test 2
Cloudflare Proxy status = Proxied (on)
pfsense Cloudflare Proxy = checked (on)
OpenVPN Clients fail to connect.

These services could be incompatible with each other.
https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/
Proxy status
When you proxy an A, AAAA, or CNAME DNS record for your application (also known as orange-clouding), DNS queries for these records will resolve to Cloudflare Anycast IPs instead of their original DNS target. This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server. This behavior allows Cloudflare to optimize, cache, and protect all requests for your application.
Because requests to proxied hostnames go through Cloudflare before reaching your origin server (read pfsense), these requests will appear to be coming from Cloudflare’s IP addresses. You may need to adjust your server configuration to allow Cloudflare IPs.
Bingo!
By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below:

HTTP ports supported by Cloudflare: 80, 8080, 8880, 2052, 2082, 2086, 2095

HTTPS ports supported by Cloudflare: 443, 2053, 2083, 2087, 2096, 8443

Caching is disabled for the following ports: 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8880, 8443

Did you notice that OpenVPN port 1194 is missing from Cloudflare's list above? It's being BLOCKED. Changing pfsense OpenVPN to use port 2052 allowed VPN traffic to pass through Cloudflare and connect! NSLOOKUP verified that my IP is hidden and resolves to a Cloudflare IP address.
Hope this helps!
-
False alert. It stopped working. I think Cloudflare proxy took longer to engage on the backend even though their web UI showed differently.
On the plus side, I know more about their services. "Zero Trust" and "Tunnels" free services may be a good replacement for VPN.
Hope this helps.
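A small preflight check that reproduces the reasoning in both posts above (added example, not from the original thread or from pfSense/Cloudflare): resolve the DDNS hostname, compare it with the real WAN address, and explain why an OpenVPN listener will or will not be reachable. The port lists are the ones quoted from Cloudflare's page; the statement that the orange-cloud proxy only carries HTTP(S) over TCP, which is why port 2052 stopped working once proxying engaged, is my assumption from Cloudflare's proxy documentation rather than something the thread spells out. Hostname, WAN address and the injectable resolver are placeholders.

```python
import socket
from ipaddress import ip_address

# Port lists quoted in the post from Cloudflare's proxied-DNS-records page.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}


def diagnose(hostname, wan_ip, port, proto="udp", resolver=socket.gethostbyname):
    """Return (reachable, reason) for OpenVPN clients that dial `hostname`.

    hostname: the DDNS name clients use (placeholder in the examples below)
    wan_ip:   pfSense's real WAN address, e.g. from the pfSense dashboard
    port/proto: the OpenVPN server listener (default OpenVPN is udp/1194)
    resolver: injectable so the check can run offline in tests
    """
    resolved = ip_address(resolver(hostname))
    if resolved == ip_address(wan_ip):
        return True, (f"{hostname} resolves to your WAN {wan_ip}: the record is "
                      "DNS-only (grey cloud), clients reach pfSense directly")

    # The name points somewhere else. With Cloudflare proxying on, that is a
    # Cloudflare anycast address (the NSLOOKUP result seen in the first post);
    # it can also simply mean the DDNS update has not propagated yet.
    where = f"{hostname} resolves to {resolved}, not your WAN {wan_ip}"
    if proto.lower() != "tcp":
        # Assumption: the proxy is an HTTP reverse proxy and does not forward UDP.
        return False, (f"{where}; the Cloudflare proxy does not forward UDP, so "
                       f"OpenVPN {proto}/{port} never reaches pfSense")
    if port in CF_HTTP_PORTS | CF_HTTPS_PORTS:
        # Assumption: a listed port is accepted but treated as HTTP(S); the
        # OpenVPN TLS/control channel is not HTTP, so the session still fails
        # once proxying is actually engaged (the second post's "false alert").
        return False, (f"{where}; tcp/{port} is on Cloudflare's proxied HTTP(S) "
                       "port list, but the proxy only speaks HTTP(S) to the origin, "
                       "so OpenVPN on it will not work once proxying engages")
    return False, (f"{where}; tcp/{port} is not on Cloudflare's proxied port "
                   "list, so the proxy drops it")


if __name__ == "__main__":
    # Live check against a real DDNS name: replace both placeholder values.
    print(diagnose("vpn.example.invalid", "203.0.113.10", 1194, "udp"))
```

The fix the thread arrives at is the grey-cloud case: keep the Cloudflare record DNS-only (proxy off in both Cloudflare and the pfSense DDNS client) so the first branch is the one that applies.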