When I turn off the orange switch on Cloudflare (proxied - means that all traffic will securely go through CF now)
Should this "off" be "on", since if you want to proxy your connection via Cloudflare, you should turn the switch on?
I can fix the trusted connection. But once I do that, the VPN functionality and the HTML rendering break (see details in my question).
Hence this part of the answer: should that "off" in your question be "on"? Cloudflare-proxied DNS entries should have the orange switch enabled, not disabled.
When I turn on the orange switch on Cloudflare (proxied, meaning that all traffic will now securely go through CF), the issuer is verified successfully and the padlock in the browser shows as green. However, I get many weird redirections that eventually break the server (both the VPN functionality and the HTML rendering).
If I turn off the orange switch, the site renders as expected and the VPN functions as expected; however, the issuer becomes unknown (although the traffic is still encrypted).
One thing you should remember is that Cloudflare doesn't support forwarding the OpenVPN protocol, only HTTP and HTTPS.
When you turn on Cloudflare's proxying feature, your domain points to Cloudflare's servers instead of your server, so all connections to the domain name are handled by Cloudflare and forwarded to your server; that is why your OpenVPN won't work and the website rendering fails.
When you turn off the proxying feature, your domain points to your own server, so all connections to the domain name are handled by your server; that is why your OpenVPN works and your site renders just fine. But since you're using Cloudflare's Origin certificate (signed by the Cloudflare Origin CA, which in turn is not trusted by any user agent), your user agent will warn you about an untrusted certificate.
If I understand this correctly, then I'll have to bypass Cloudflare proxy?
The easy answer is yes: you should bypass Cloudflare and use other alternatives for SSL/TLS, e.g. Let's Encrypt (via one of its client implementations) or a certificate from another SSL/TLS certificate vendor.
The harder answer is that it depends: there's SRV discovery support baked into OpenVPN 2, but I have no idea whether it's implemented in other OpenVPN clients. If you only use OpenVPN v2 clients, there's your alternative.
There's a patch for SRV discovery support but not yet merged to OpenVPN source.
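The two symptoms described in the answer above can be checked from the command line. The following script is an added example, not code from the original question or answer: it classifies the A records of a name as Cloudflare-proxied (orange cloud) or direct (grey cloud) using a snapshot of Cloudflare's published IPv4 ranges, and then asks the system trust store whether it accepts the certificate served on port 443, which is exactly the check a browser performs. The IP range list is an assumption taken from https://www.cloudflare.com/ips-v4 and should be refreshed before it is relied on; the hostname on the command line is whatever you pass in.

```python
"""Diagnose the orange-cloud question from the thread above.

Added example, not code from the original post. Two checks:
  1. Do the A records for a name fall inside Cloudflare's published anycast
     ranges?  If yes, the record is proxied (orange cloud): a TCP connection
     to the name reaches Cloudflare's edge, which only speaks HTTP/HTTPS, so
     OpenVPN connections to that name cannot reach the origin.
  2. Does a default TLS client trust the certificate served on :443?  A
     Cloudflare Origin CA certificate served directly by the origin (grey
     cloud) fails this check, which is the "issuer unknown" symptom.
"""
import ipaddress
import socket
import ssl
import sys

# Assumption: snapshot of https://www.cloudflare.com/ips-v4. Refresh it before
# trusting the result; Cloudflare changes the list occasionally.
CLOUDFLARE_V4 = [ipaddress.ip_network(c) for c in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]


def is_cloudflare_ip(addr: str) -> bool:
    """True if addr lies in one of the snapshot ranges (IPv6 never matches here)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_V4)


def classify_records(addrs) -> str:
    """Classify a set of resolved addresses: 'proxied', 'direct' or 'mixed'."""
    flags = {is_cloudflare_ip(a) for a in addrs}
    if flags == {True}:
        return "proxied"
    if flags == {False}:
        return "direct"
    return "mixed"


def resolve_v4(host: str):
    """All IPv4 addresses the local resolver returns for host (network access)."""
    infos = socket.getaddrinfo(host, 443, family=socket.AF_INET, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})


def tls_trust_status(host: str, port: int = 443, timeout: float = 5.0):
    """Return (trusted, detail) for the certificate served at host:port.

    Uses the default context, i.e. the system CA bundle, so the verdict matches
    what a browser's padlock would show.  An Origin CA certificate served by
    the origin itself yields (False, 'unable to get local issuer certificate').
    """
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
                return True, issuer.get("organizationName", "unknown issuer")
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message or str(exc)


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    records = resolve_v4(name)
    print(f"{name} -> {records} ({classify_records(records)})")
    ok, detail = tls_trust_status(name)
    print("TLS trusted by system store:", ok, "|", detail)
```

Run it once with the orange cloud on and once with it off: the first run should report "proxied" and a trusted certificate issued by Cloudflare, the second "direct" and a verification failure, which is the pair of outcomes the answer describes. The practical way out is to keep the web hostname proxied and give the VPN its own DNS-only hostname that carries a certificate from a publicly trusted CA.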
bootstrap.min.js). Both functionality and the admin panel stop working when the connection goes through CF (however, in this case, the connection will be secured).