"
I have just implemented it using the custom method which works well.
Documented here:
https://forum.opnsense.org/index.php?topic=50907.0
Documented here:
https://forum.opnsense.org/index.php?topic=50907.0
This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.
#2
Tutorials and FAQs / [HOWTO] - DynDNS with deSEC using preserve (A + AAAA without overwriting)
Today at 11:12:12 AM
Problem
When using OPNsense DynDNS with deSEC, updating IPv4 (A) and IPv6 (AAAA) separately can overwrite the other record.
This is confirmed behavior and documented in the deSEC API. The fix is to use the preserve parameter and the custom updater.
IPv4 DynDNS Configuration (A Record)
Create a DynDNS entry:
Service: custom
Protocol: Custom GET
Server:
Password: <DESEC_TOKEN>
Hostname(s):<FQDN>
Check IP Method: Interface IPv4
Interface: WAN
Important Notes
__MYIP__ must be included in the URL.
OPNsense only inserts the detected IP if the placeholder exists.
myipv6=preserve ensures the AAAA record is not deleted during IPv4 updates.
IPv6 should be configured as a separate DynDNS entry using:
Interface: <one of your internal v6 assigned interfaces>
When using OPNsense DynDNS with deSEC, updating IPv4 (A) and IPv6 (AAAA) separately can overwrite the other record.
This is confirmed behavior and documented in the deSEC API. The fix is to use the preserve parameter and the custom updater.
IPv4 DynDNS Configuration (A Record)
Create a DynDNS entry:
Service: custom
Protocol: Custom GET
Server:
Code Select
https://update.dedyn.io/?hostname=<FQDN>&myip=__MYIP__&myipv6=preserveUsername: <FQDN>Password: <DESEC_TOKEN>
Hostname(s):<FQDN>
Check IP Method: Interface IPv4
Interface: WAN
Important Notes
__MYIP__ must be included in the URL.
OPNsense only inserts the detected IP if the placeholder exists.
myipv6=preserve ensures the AAAA record is not deleted during IPv4 updates.
IPv6 should be configured as a separate DynDNS entry using:
Code Select
https://update6.dedyn.io/?hostname=<FQDN>&myipv6=__MYIP__&myipv4=preserveCheck IP Method: Interface IPv6Interface: <one of your internal v6 assigned interfaces>
#3
General Discussion / Re: ddclient and deSEC
February 13, 2026, 05:18:32 PM
The easiest fix would be to add "preserve" to both options, so you can individually update A and AAAA without deleting the other one.
I use the native backend, not sure if ddclient haves different
I use the native backend, not sure if ddclient haves different
#4
General Discussion / Re: ddclient and deSEC
February 13, 2026, 05:12:16 PM
Hello,
I just came across exactly the same issue.
Is this something being worked on? Did you open a FR ticket for it?
The only workaround I see right now is to create separate hosts for v4 and v6 in deSEC.
I would really love to have ab option to update both A and AAAA record in one go.
Did someone try to implement this as custom?
thanks, Till
I just came across exactly the same issue.
Is this something being worked on? Did you open a FR ticket for it?
The only workaround I see right now is to create separate hosts for v4 and v6 in deSEC.
I would really love to have ab option to update both A and AAAA record in one go.
Did someone try to implement this as custom?
thanks, Till
#5
26.1 Series / Re: udpbroadcastrelay do not start since upgrade to 26.1
January 30, 2026, 12:48:10 PM
It works on my system after upgrade.
#6
25.1, 25.4 Legacy Series / Re: [acme] Custom deploy hooks?
July 04, 2025, 01:10:09 PM
that works. Thanks for the hint.
#7
25.1, 25.4 Legacy Series / [acme] Custom deploy hooks?
July 03, 2025, 03:43:05 PM
Can I run my own automation script in the acme plugin? It seems to only have a list of commands to choose from.
thanks! Till
thanks! Till
#8
25.1, 25.4 Legacy Series / Re: API path /api/trust/cert/raw_dump not working?
July 03, 2025, 03:41:15 PM
I actually got this working by using trust/cert/get
#9
25.1, 25.4 Legacy Series / Re: API path /api/trust/cert/raw_dump not working?
July 03, 2025, 10:42:42 AM
Thank you Cedrik, this was a good hint.
It actually pointed me towards the generate_file action that can (according to the browser session dump) generate crt,prv and pkcs12 files.
However there are two things to notice:
- The documentation says it requires POST while the browser session uses GET
- Neither does work with cURL. CSRF issue? I only get {"status":"failed"} as a response.
Has anyone ever tried this outside of an authenticated browser session?
Thanks for your help and kind regards, Till
It actually pointed me towards the generate_file action that can (according to the browser session dump) generate crt,prv and pkcs12 files.
However there are two things to notice:
- The documentation says it requires POST while the browser session uses GET
- Neither does work with cURL. CSRF issue? I only get {"status":"failed"} as a response.
Has anyone ever tried this outside of an authenticated browser session?
Thanks for your help and kind regards, Till
#10
25.1, 25.4 Legacy Series / API path /api/trust/cert/raw_dump not working?
July 02, 2025, 05:40:45 PM
Hi,
according to the docs:
https://docs.opnsense.org/development/api/core/trust.html
There is a raw_dump function. I assume it can be used to export a full certificate incl private key?
When I try to use it, it returns 404.
Does it exist?
I have a dedicated "api" user with the privileges: "System: Certificate Manager"
I have successfully tested it and parsed out the UUID by using:
Any hint?
I am running on 25.1.10.
thank you!
according to the docs:
https://docs.opnsense.org/development/api/core/trust.html
There is a raw_dump function. I assume it can be used to export a full certificate incl private key?
When I try to use it, it returns 404.
Does it exist?
I have a dedicated "api" user with the privileges: "System: Certificate Manager"
I have successfully tested it and parsed out the UUID by using:
Code Select
CERT_UUID=$(curl -s -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/search" | jq -r '.rows[] | select(.commonname == "<my common name>") | .uuid')Now when I run: Code Select
curl -v -u "$API_KEY:$API_SECRET" "$HOST/api/trust/cert/raw_dump?uuid=$CERT_UUID"it returns 404. Any hint?
I am running on 25.1.10.
thank you!
#11
25.1, 25.4 Legacy Series / Sluggish Web UI - only reboot helps
April 28, 2025, 02:07:04 PM
I had a couple of situations recently where my firewall got very unresponsive on some services incl the Web UI. Logging into the Web UI then takes up to a minute.
The only thing that helped getting back to normal was a reboot then. How can I diagnose what'S going on?
Some logs on the CLI which I could monitor when it happens?
The system is a an Atom CPU C3558 @ 2.20GHz (4 cores, 4 threads) with 64Gb RAM and ZFS mirrored boot device, latest version installed, all updates.
It does run Zenarmor an I have seen mongod consuming quite some CPU cycles but normally that isn't an issue.
Any hint on how to track this down next time it happens is appreciated.
TIA!
The only thing that helped getting back to normal was a reboot then. How can I diagnose what'S going on?
Some logs on the CLI which I could monitor when it happens?
The system is a an Atom CPU C3558 @ 2.20GHz (4 cores, 4 threads) with 64Gb RAM and ZFS mirrored boot device, latest version installed, all updates.
It does run Zenarmor an I have seen mongod consuming quite some CPU cycles but normally that isn't an issue.
Any hint on how to track this down next time it happens is appreciated.
TIA!
#12
25.1, 25.4 Legacy Series / ACME client - send email after renewal?
February 06, 2025, 04:40:49 PM
Anyone got a hint for me?
I use the ACME client to manage a number of certificates.
I would like to have an automation that sends me an email when a particular certificate has been renewed.
Any idea how to do that?
I thought about using monit in any way for that but have no clue how.
Thanks for any hint.
-Till
I use the ACME client to manage a number of certificates.
I would like to have an automation that sends me an email when a particular certificate has been renewed.
Any idea how to do that?
I thought about using monit in any way for that but have no clue how.
Thanks for any hint.
-Till
#13
German - Deutsch / Re: Glasfaser Einrichtung / OpnSense / Modem notwendig?
November 22, 2024, 02:57:17 PMQuote from: meyergru on November 22, 2024, 01:26:39 PMGuter Punkt.
Das geht theoretisch - da muss normalerweise aber der ISP mitspielen, dass er die ONT-ID bei sich einträgt. Normal ist nur die ID des mitgelieferten ONT hinterlegt. Wegen Endgerätefreiheit müssen die ISPs das zwar zulassen, tun es aber sehr ungern.
Das ist auch insofern problematisch, weil Du so kein Backup hast (Highlander-Regel: es kann nur einen geben). Besser klappt es, wenn man die ID des originalen ONTs auslesen kann - das geht bei DG aber, je nach Ausbaugebiet und verbauter Technik, eventuell nicht.
Noch ein Nachteil dabei ist: Support macht DG nur für die eigene Technik.
Das ist m.E. den Stress nicht wert.
#14
German - Deutsch / Re: Glasfaser Einrichtung / OpnSense / Modem notwendig?
November 22, 2024, 01:05:57 PM
Am Rande bemerkt: in der c't war kürzlich ein Artikel wie man ein zyxel pmg3000 für openwrt am Telekom Glasfaser Anschluss verwendet. Das ist ein SFP Slot Modem. Ggf läuft das auch unter OPNsense und an anderen Glasfaser Anschlüssen. Ich fand das ganz sexy das man kein zusätzliches externes Modem braucht.
#15
24.1, 24.4 Legacy Series / Re: Not a smooth upgrade this time...
February 13, 2024, 05:49:44 PM
That doesn't look related to my problem. Did you check you can resolve these addresses?
I can:
So it might be a DNS problem on your end.
I can:
Code Select
> set q=AAAA
> mirror.sfo12.us.leaseweb.net
Server: 2003:e6:7744:8501:242:43ff:feae:1c
Address: 2003:e6:7744:8501:242:43ff:feae:1c#53
Non-authoritative answer:
mirror.sfo12.us.leaseweb.net has AAAA address 2605:fe80:2100:b001::5187
So it might be a DNS problem on your end.
