
I have an OpenVPN server, hosted on an Azure VM.

I created an origin certificate on Cloudflare, and have imported the key and the certificate into OpenVPN successfully. The Origin CA was also copied to the VM. In the web server configurations, everything seems to be fine:

[screenshot of the OpenVPN web server configuration]

When I turn off the orange switch on Cloudflare (proxied - means that all traffic will securely go through CF now), the issuer is verified successfully and the padlock in the browser shows as green. However, I get many weird redirections that eventually damage the server (both the VPN functionality and the HTML rendering):

[screenshot of the browser errors: too many redirects, bootstrap.min.js fails to load]

If I turn off the orange switch, the site renders as expected and the VPN functions as expected; however, the issuer becomes unknown (although traffic is still encrypted):

[screenshot of the browser showing an unknown certificate issuer]

What am I doing wrong?

  • What on earth is 'Orange switch'? What certificates do you have where? What is not working? OpenVPN or access to the http panel of your server? What are you trying to achieve? There's no information about your actual setup, and it's somewhat confusing what your problem is.
    – vidarlo
    Commented Sep 18, 2022 at 10:24
  • @vidarlo If you use Cloudflare you'll know what it is. It's the proxied DNS, as stated in the parentheses. I mentioned that I created the certificates using Cloudflare itself (origin certificate). The problem is stated clearly as well. What exactly confuses you?
    – Maroun
    Commented Sep 18, 2022 at 11:24
  • I don't use CloudFlare, but I know a thing or three about both HTTP and DNS. And no, I don't think the problem is stated clearly at all. You have tagged this OpenVPN, and the title is "OpenVPN not functioning as expected" - is it the OpenVPN VPN that doesn't work, or the http(s) admin panel that doesn't work? If the latter (as indicated by your screenshots) - what HTTP error codes do you get? Why is it relevant that you get a certificate warning when connecting directly, not going through CF?
    – vidarlo
    Commented Sep 18, 2022 at 15:48
  • @vidarlo Error codes are attached in the image above (many redirects, and failure to load bootstrap.min.js). Both functionality and the admin panel stop working when the connection is going through CF (however, in this case, the connection will be secured).
    – Maroun
    Commented Sep 19, 2022 at 5:54
  • I'm not asking these questions to piss you off. I'm asking because it's information that I believe is lacking. Feel free to insist that I'm wrong, but that probably doesn't increase the chances that someone will answer your question.
    – vidarlo
    Commented Sep 19, 2022 at 6:03

1 Answer


When I turn off the orange switch on Cloudflare (proxied - means that all traffic will securely go through CF now)

Should this "off" be "on"? If you want to proxy your connection via Cloudflare, you should turn the switch on.

I can fix the trusted connection. But once I do that, the VPN functionality and the HTML rendering break (see details in my question).

Hence this part of the answer: should that "off" in your question be "on"? Cloudflare-proxied DNS entries should have the orange switch enabled, not disabled.


When I turn on the orange switch on Cloudflare (proxied - means that all traffic will securely go through CF now), the issuer is verified successfully and the pad on the browser shows as green. However, I got many weird redirections that eventually damage the server (both the VPN functionality and the HTML rendering)

If I turn off the orange switch, the site renders as expected, and the VPN functions as expected, however, the issuer becomes unknown (although traffic still encrypted)

One thing you should remember is that Cloudflare doesn't support forwarding the OpenVPN protocol, only HTTP and HTTPS.

When you turn on the proxying feature of Cloudflare, your domain will point to Cloudflare's servers instead of your server, so all connections to the domain name are handled by Cloudflare and forwarded to your server; hence why your OpenVPN won't work and your website fails to render.

When you turn off the proxying feature of Cloudflare, your domain will point to your server, so all connections to the domain name are handled by your server; hence why your OpenVPN will work and your site will render just fine. But since you're using Cloudflare's Origin certificate (which is signed by the Cloudflare Origin CA, which in turn is not trusted by any user-agent), your user-agent will warn you about an untrusted certificate.


If I understand this correctly, then I'll have to bypass Cloudflare proxy?

The easy answer is yes: you should bypass Cloudflare and use other alternatives for SSL/TLS, e.g. Let's Encrypt (via one of its client implementations) or a certificate from another SSL/TLS certificate vendor.

The harder answer is that it depends: there's SRV discovery support baked into OpenVPN 2, but I have no idea if it's implemented in other OpenVPN clients. If you only use OpenVPN v2 clients, there's your alternative.

There's a patch for SRV discovery support but not yet merged to OpenVPN source.

  • I can fix the trusted connection. But once I do that, the VPN functionality and the HTML rendering break (see details in my question).
    – Maroun
    Commented Sep 22, 2022 at 6:55
  • I've edited my answer.
    – mforsetti
    Commented Sep 22, 2022 at 9:43
  • Thanks for clarifying the issue. So I understand that it's best to turn proxying off and ignore the untrusted certificate (this is our own VPN server).
    – Maroun
    Commented Sep 22, 2022 at 10:07
  • Why not use Certbot or acme.sh to get a Let's Encrypt TLS certificate?
    – mforsetti
    Commented Sep 22, 2022 at 10:10
  • If I understand this correctly, then I'll have to bypass Cloudflare proxy?
    – Maroun
    Commented Sep 22, 2022 at 10:18
