Netgate Discussion Forum

Cloudflare DynDNS (DDNS) Proxied OpenVPN Issue

    MacOS, Mar 29, 2022, 12:54 AM (last edited by MacOS Mar 29, 2022, 1:01 AM)

    Using Cloudflare as the DynDNS (DDNS) provider with their DNS Proxy enabled, OpenVPN clients will not connect to pfSense.

    Test 1
    Cloudflare Proxy status = DNS Only (off)
    pfSense Cloudflare Proxy = unchecked (off)
    OpenVPN clients connect.

    Test 2
    Cloudflare Proxy status = Proxied (on)
    pfSense Cloudflare Proxy = checked (on)
    OpenVPN clients fail to connect.

    These services could be incompatible with each other.

    https://developers.cloudflare.com/dns/manage-dns-records/reference/proxied-dns-records/

    Proxy status
    When you proxy an A, AAAA, or CNAME DNS record for your application (also known as orange-clouding), DNS queries for these records will resolve to Cloudflare Anycast IPs instead of their original DNS target.

    This means that all requests intended for proxied hostnames will go to Cloudflare first and then be forwarded to your origin server. This behavior allows Cloudflare to optimize, cache, and protect all requests for your application.

    Because requests to proxied hostnames go through Cloudflare before reaching your origin server (read: pfSense), these requests will appear to be coming from Cloudflare's IP addresses. You may need to adjust your server configuration to allow Cloudflare IPs.

    Bingo!

    By default, Cloudflare proxies traffic destined for the HTTP/HTTPS ports listed below.
    HTTP ports supported by Cloudflare: 80, 8080, 8880, 2052, 2082, 2086, 2095
    HTTPS ports supported by Cloudflare: 443, 2053, 2083, 2087, 2096, 8443
    Caching is disabled for the following ports: 2052, 2053, 2082, 2083, 2086, 2087, 2095, 2096, 8880, 8443

    Did you notice that OpenVPN port 1194 is missing from Cloudflare's list above? It's being blocked. Changing pfSense OpenVPN to use port 2052 allowed VPN traffic to pass through Cloudflare and connect! NSLOOKUP verified that my IP is hidden and resolved to a Cloudflare IP address.

    Hope this helps!

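An added pre-flight check, not from the post or from Cloudflare, that encodes the rule quoted above: a proxied (orange-clouded) record resolves to Cloudflare anycast space, and the proxy only forwards HTTP/HTTPS on the listed ports, so an OpenVPN endpoint behind such a record cannot be reached. The Cloudflare address ranges embedded here are an assumed subset of Cloudflare's published list; the hostname, IPs and verdict strings are constructed for the example.

```python
"""Will an OpenVPN server behind a Cloudflare-proxied DDNS record be reachable?

Added example: checks the resolved address against Cloudflare anycast space,
then applies the port/protocol rule from the Cloudflare page quoted above.
"""
import ipaddress
import socket

# Port lists as quoted from Cloudflare's proxied-DNS-records page.
CF_HTTP_PORTS = {80, 8080, 8880, 2052, 2082, 2086, 2095}
CF_HTTPS_PORTS = {443, 2053, 2083, 2087, 2096, 8443}

# Assumed subset of Cloudflare's published IPv4 ranges; refresh it from
# https://www.cloudflare.com/ips-v4 before relying on this in production.
CF_RANGES = [ipaddress.ip_network(n) for n in (
    "104.16.0.0/13", "104.24.0.0/14", "172.64.0.0/13", "162.158.0.0/15",
    "173.245.48.0/20", "141.101.64.0/18", "108.162.192.0/18", "198.41.128.0/17",
)]


def is_cloudflare_ip(ip: str) -> bool:
    """True when the address falls inside Cloudflare anycast space (proxied record)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CF_RANGES)


def check_openvpn_endpoint(resolved_ip: str, proto: str, port: int) -> str:
    """Verdict for an OpenVPN server whose DDNS name resolves to resolved_ip."""
    if not is_cloudflare_ip(resolved_ip):
        return "ok: record is DNS-only, clients reach the origin (pfSense) directly"
    # Orange-clouded: client packets go to Cloudflare, never straight to pfSense.
    if proto.lower() == "udp":
        return "fail: proxied record, the HTTP proxy does not forward UDP at all"
    if port not in CF_HTTP_PORTS | CF_HTTPS_PORTS:
        return f"fail: proxied record, TCP/{port} is not a Cloudflare proxied port"
    # Listed port, but Cloudflare terminates it as HTTP(S) and forwards HTTP
    # requests; an OpenVPN handshake is not HTTP, so it is not relayed.
    return (f"fail: TCP/{port} is proxied as HTTP(S); the OpenVPN handshake is "
            "not HTTP, so the session is still not relayed to pfSense")


def check_hostname(hostname: str, proto: str, port: int) -> str:
    """Live variant: resolve the DDNS name first, then apply the same rule."""
    return check_openvpn_endpoint(socket.gethostbyname(hostname), proto, port)


if __name__ == "__main__":
    # Constructed inputs: a DNS-only origin, then a proxied record on 1194 and 2052.
    print(check_openvpn_endpoint("203.0.113.10", "udp", 1194))
    print(check_openvpn_endpoint("104.16.1.1", "udp", 1194))
    print(check_openvpn_endpoint("104.16.1.1", "tcp", 2052))
```

Run it against the address your DDNS name actually resolves to (`nslookup` output) before enabling the proxy toggle in pfSense; any "fail" verdict means the VPN will not come up through Cloudflare.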
      MacOS, last edited Mar 29, 2022, 9:40 PM

      False alert. It stopped working. I think Cloudflare proxy took longer to engage on the backend even though their web UI showed differently.

      On the plus side, I know more about their services. "Zero Trust" and "Tunnels" free services may be a good replacement for VPN.

      Hope this helps.

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.