I know the basics but I am trying to get a deeper understanding of how they work and how I can improve upon my setup.
So here's the back-story, which is relevant just so that you know what my current setup is...
It all started with me getting into self-hosting. Next thing I know I had 19 different URLs (nextcloud, bitwarden, emby, IPMI etc. etc.) for which I had to remember the IPs and the ports. So I thought of getting a reverse-proxy. Obvious choices, Apache & Nginx. But then I thought, why not get proper SSL certs from Let's Encrypt along with the reverse proxy, so that it keeps the browsers from screaming about it and my wife calling me over whenever she is accessing bitwarden or emby etc.
Enter Caddy2, which had easy integration with Let's Encrypt DNS challenges. I needed the easy button because this was all very new to me. I bought a domain name for myself from Namecheap. Unfortunately, Caddy2 only had the Cloudflare plugin available for DNS challenges during the 2.0 beta. So, I created a Cloudflare account and then used those nameservers as my "Custom DNS" in the Namecheap account instead of using the Namecheap BasicDNS.
I set up 19 different A records – all pointing to my public WAN address (say XX:XX:XX:252) and using Cloudflare as the proxy. I used the DNS challenge and everything works as expected. I can use the sub-domains I defined in the A records instead of remembering the IPs and ports.
I use OPNsense as my firewall. I also have a road-warrior VPN server that I connect to from the road. I also have a dynamically assigned IP address. If my WAN IP changes, I would still want my certs and my VPN to continue functioning. Enter DDNS. I enabled the DDNS service in OPNsense and used the Namecheap option – put in my domain name (that I had purchased) and my user/password, and it immediately listed my WAN IP (XX:XX:XX:252) as the Cached IP. So here's where I am confused:
- How did it cache my WAN IP for my domain name instead of the actual public IP of the domain name? In my Cloudflare account, my base domain points to a completely different IP (I am not hosting anything on that domain though)
Then my WAN IP changed when I rebooted the modem and the OPNsense firewall.
- However, all the A records that I created for the 19 services still point to the old WAN IP address (XX:XX:XX:252). This will be a problem whenever my current LE certs expire, won't it? Is there a way to auto-update these records whenever my WAN IP changes?
- Is there a way to create a wildcard cert for my domain name so that I can use the same cert for all my LAN services?
- How do I use the DDNS service in OPNsense such that my WAN IP is always tied to a particular domain name that I can use for all my VPN clients – so that I don't have to manually change the IP address in each client's VPN config?
Hi
So all your DNS A records are now set up at Namecheap or Cloudflare?
Quote from: lfirewall1243 on March 25, 2021, 09:01:48 PM
Hi
So all your DNS A records are now set up at Namecheap or Cloudflare?
On Cloudflare. I used Cloudflare only because caddy2 didn't have a DNS challenge plugin for Namecheap. I am willing to move completely over to Cloudflare if that simplifies things.
I probably did what I did due to a lack of complete understanding of DNS vs Namespace at that time. I am still learning....
Quote from: Inxsible on March 25, 2021, 09:04:54 PM
On Cloudflare. I used Cloudflare only because caddy2 didn't have a DNS challenge plugin for Namecheap. I am willing to move completely over to Cloudflare if that simplifies things.
I probably did what I did due to a lack of complete understanding of DNS vs Namespace at that time. I am still learning....
So you just have to set up Cloudflare dyndns
Quote from: lfirewall1243 on March 25, 2021, 09:06:39 PM
So you just have to set up Cloudflare dyndns
I see. What is the difference between Cloudflare, Cloudflare(v6), Cloudflare API Token, Cloudflare API Token (v6) ?
EDIT: I tried creating DDNS for a few of my sub-domains, but all I get is N/A as the Cached IP no matter which option I choose from the 4 listed above.
Quote from: Inxsible on March 25, 2021, 09:17:31 PM
I see. What is the difference between Cloudflare, Cloudflare(v6), Cloudflare API Token, Cloudflare API Token (v6) ?
v6 is for IPv6.
API is for accessing the API functions.
Quote from: lfirewall1243 on March 25, 2021, 09:22:19 PM
v6 is for IPv6.
API is for accessing the API functions.
Ok. I was editing my earlier post right when you posted. I tried all 4 options but all I get is N/A for the Cached IP for all of my sub-domains.
Quote from: Inxsible on March 25, 2021, 09:24:04 PM
Ok. I was editing my earlier post right when you posted. I tried all 4 options but all I get is N/A for the Cached IP for all of my sub-domains.
Have you set up the DynDNS plugin?
If yes, show your config.
Sorry. I was using the Global API Key when using the Cloudflare API token option. I created a new token for All Zones and using that token, it worked.
The Global API Key works when using it as a password in the Cloudflare option instead.
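The post above gets the DDNS update working once the scoped API token replaces the Global API Key. That is also the least-privilege choice: the Global API Key is equivalent to the account password, while a token can be limited to "Zone / DNS / Edit" on the one zone. The script below is an added example, not code from this thread or from the OPNsense DynDNS plugin; it does what the plugin does for one record but for a list of names, and it keeps the VPN hostname DNS-only. It assumes the Cloudflare v4 API endpoints `GET /zones/{zone}/dns_records` and `PATCH /zones/{zone}/dns_records/{id}`, the environment variables `CF_ZONE_ID`, `CF_API_TOKEN` and `CF_NAMES` (hypothetical names chosen here), and `api.ipify.org` as an arbitrary "what is my IP" service. The sample record list is constructed for illustration.

```python
"""Update Cloudflare A records to the current WAN IP with a scoped API token.

Added example (not from the thread or the OPNsense plugin). Assumptions:
- token created with only Zone / DNS / Edit on one zone, not the Global API Key
- Cloudflare v4 endpoints: GET /zones/{zone}/dns_records, PATCH .../dns_records/{id}
- env vars CF_ZONE_ID, CF_API_TOKEN, CF_NAMES (comma-separated) are our own naming
"""
import json
import os
import urllib.request

API = "https://api.cloudflare.com/client/v4"

# Constructed sample of what the list endpoint returns (only the fields used here).
SAMPLE_RECORDS = [
    {"id": "r1", "type": "A", "name": "home.domain.net", "content": "203.0.113.5", "proxied": False},
    {"id": "r2", "type": "A", "name": "cloud.domain.net", "content": "203.0.113.9", "proxied": True},
    {"id": "r3", "type": "AAAA", "name": "home.domain.net", "content": "2001:db8::1", "proxied": False},
    {"id": "r4", "type": "A", "name": "mail.domain.net", "content": "203.0.113.5", "proxied": False},
]


def plan_updates(records, wan_ip, names, proxied=False):
    """Return the A records among `names` whose content or proxied flag differs
    from what we want. A VPN hostname must stay DNS-only (proxied=False):
    Cloudflare's proxy only carries HTTP(S), so a proxied name resolves to
    Cloudflare's anycast addresses and OpenVPN/WireGuard packets never reach
    the WAN IP. Web services behind the reverse proxy may keep proxied=True."""
    wanted = set(names)
    todo = []
    for rec in records:
        if rec["type"] != "A" or rec["name"] not in wanted:
            continue
        if rec["content"] != wan_ip or rec.get("proxied", False) != proxied:
            todo.append({"id": rec["id"], "name": rec["name"],
                         "content": wan_ip, "proxied": proxied})
    return todo


def build_patch(zone_id, token, change):
    """Build (but do not send) the PATCH request for one planned change."""
    body = {"content": change["content"], "proxied": change["proxied"]}
    return urllib.request.Request(
        f"{API}/zones/{zone_id}/dns_records/{change['id']}",
        data=json.dumps(body).encode(),
        method="PATCH",
        headers={"Authorization": f"Bearer {token}",
                 "Content-Type": "application/json"})


def list_records(zone_id, token):
    """Fetch the zone's A records (network call; needs a valid token)."""
    req = urllib.request.Request(
        f"{API}/zones/{zone_id}/dns_records?type=A&per_page=100",
        headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["result"]


def detect_wan_ip():
    """Ask an external service for our public address (assumed service)."""
    with urllib.request.urlopen("https://api.ipify.org", timeout=15) as resp:
        return resp.read().decode().strip()


if __name__ == "__main__":
    zone = os.environ["CF_ZONE_ID"]
    token = os.environ["CF_API_TOKEN"]
    names = os.environ["CF_NAMES"].split(",")   # e.g. home.domain.net
    ip = detect_wan_ip()
    for change in plan_updates(list_records(zone, token), ip, names):
        with urllib.request.urlopen(build_patch(zone, token, change), timeout=15) as r:
            print(change["name"], "->", ip, "ok" if json.load(r)["success"] else "FAILED")
```

Run it from cron (or as an OPNsense cron action) with the three variables set; because `plan_updates` only emits changes for records that differ, an unchanged WAN IP produces no API writes. For the reverse-proxied web names, call `plan_updates(..., proxied=True)` in a second pass so they keep the orange cloud while the VPN name stays grey.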
Sorry to bring this up again...
I am trying to use the FQDN that I set up in the DDNS to connect to my VPN server. But it seems to resolve to some other address than my WAN IP.
I set up the DDNS service to use Cloudflare API. I have an A record in my public DNS called home.domain.net. I manually changed the public DNS to be some random IP. Then I did a Save and Force Update on my DDNS in OPNsense and it correctly updated my WAN IP for the A record in Cloudflare. So that part works...
However, when I try to nslookup the FQDN using Unbound as the name server, I get a different IP:
NOTE: I have changed all public IPs in the below logs to hide my domain name as it's personally identifiable
[~]── - nslookup home.domain.net 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53
Non-authoritative answer:
Name: home.domain.net
Address: 101.87.98.110
Name: home.domain.net
Address: 172.33.25.119
Name: home.domain.net
Address: 2606:4700:zzzz::yyyy:ab77
Name: home.domain.net
Address: 2606:4700:wwww::xxxx:1d6e
[~]── -
If I try it again, say with Google's DNS server, it will give me the other address that is listed:
[~]── - nslookup home.domain.net 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: home.domain.net
Address: 172.33.25.119
Name: home.domain.net
Address: 101.87.98.110
Name: home.domain.net
Address: 2606:4700:zzzz::yyyy:ab77
Name: home.domain.net
Address: 2606:4700:wwww::xxxx:1d6e
[~]── -
and it keeps switching between these 2 IPv4 addresses.
When I try to ping the FQDN, it gives me the same result:
[~]── - ping -c2 home.domain.net
PING home.domain.net (172.33.25.119) 56(84) bytes of data.
64 bytes from 172.33.25.119 (172.33.25.119): icmp_seq=1 ttl=59 time=16.2 ms
64 bytes from 172.33.25.119 (172.33.25.119): icmp_seq=2 ttl=59 time=16.8 ms
--- home.domain.net ping statistics ---
[~]── -
Pinging again will sometimes give me the 172.33 address and at other times will give me the 101.87 address. But neither one is my actual WAN IP. So when I try to use home.domain.net as the FQDN to connect to (in the OpenVPN Connect app), it tries to connect to the IPv6 address, which eventually times out.
How would I make sure that I can connect to my WAN IP and thereby my VPN server using the FQDN (home.domain.net) that I set up in the DDNS service?
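The symptom in the post above (two IPv4 and two IPv6 answers, none of them the WAN IP, with a 2606:4700::/32 address among them) is what a Cloudflare-proxied ("orange cloud") record looks like: the resolver returns Cloudflare's anycast addresses, not the origin. The script below is an added example, not code from the thread; it parses nslookup output and reports whether the answers are Cloudflare proxy addresses or a real origin, and whether the origin matches the WAN IP. The prefix lists are a snapshot of the ranges Cloudflare publishes at https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6 and are assumed to be current; refresh them from those URLs before relying on them. The sample nslookup text is constructed in the shape of the post's output, with documentation and Cloudflare-range addresses substituted for the poster's.

```python
"""Tell a Cloudflare-proxied answer from a real origin answer in nslookup output.

Added example, not from the thread. The ranges below are a snapshot of
Cloudflare's published proxy prefixes (assumed current; refresh from
https://www.cloudflare.com/ips-v4 and /ips-v6).
"""
import ipaddress
import re
import subprocess

CLOUDFLARE_RANGES = [ipaddress.ip_network(n, strict=False) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
    "2400:cb00::/32", "2606:4700::/32", "2803:f800::/32", "2405:b500::/32",
    "2405:8100::/32", "2a06:98c0::/29", "2c0f:f248::/32",
)]

# Only answer lines match: the resolver's own "Address: 192.168.1.1#53" line
# carries a '#port' suffix, which this pattern does not allow.
ADDR_LINE = re.compile(r"^Address:\s*([0-9A-Fa-f.:]+)\s*$")

# Constructed samples in the shape of the post's nslookup output.
SAMPLE_PROXIED = """\
Server:\t\t192.168.1.1
Address:\t192.168.1.1#53

Non-authoritative answer:
Name:\thome.domain.net
Address: 104.16.1.2
Name:\thome.domain.net
Address: 2606:4700::6810:102
"""
SAMPLE_DNS_ONLY = """\
Server:\t\t8.8.8.8
Address:\t8.8.8.8#53

Non-authoritative answer:
Name:\thome.domain.net
Address: 203.0.113.7
"""


def is_cloudflare(addr):
    """True if addr falls in one of Cloudflare's proxy (anycast) ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in CLOUDFLARE_RANGES)


def parse_nslookup(text):
    """Return the answer addresses (v4 and v6) from nslookup output."""
    found = []
    for line in text.splitlines():
        m = ADDR_LINE.match(line.strip())
        if m:
            found.append(m.group(1))
    return found


def classify(text, wan_ip):
    """Split answers into proxy vs origin addresses and give a verdict."""
    addrs = parse_nslookup(text)
    proxied = [a for a in addrs if is_cloudflare(a)]
    origin = [a for a in addrs if not is_cloudflare(a)]
    if proxied and not origin:
        verdict = "record is proxied (orange cloud): set it to DNS only for VPN use"
    elif wan_ip in origin:
        verdict = "resolves to the WAN IP"
    else:
        verdict = "resolves to a non-Cloudflare address that is not the WAN IP (stale cache/TTL or wrong record)"
    return {"proxied": proxied, "origin": origin,
            "matches_wan": wan_ip in origin, "verdict": verdict}


def lookup(name, server=None):
    """Run the system nslookup (live use only)."""
    cmd = ["nslookup", name] + ([server] if server else [])
    return subprocess.run(cmd, capture_output=True, text=True, check=False).stdout


if __name__ == "__main__":
    for label, text in (("proxied sample", SAMPLE_PROXIED), ("dns-only sample", SAMPLE_DNS_ONLY)):
        print(label, classify(text, "203.0.113.7"))
```

For a live check, replace the samples with `lookup("home.domain.net", "192.168.1.1")` and pass the WAN address shown on the OPNsense DynDNS page as `wan_ip`. A "proxied" verdict means the DDNS update itself may be fine (the Cloudflare dashboard will show the right content) but the record must be switched to DNS only, because OpenVPN's UDP/TCP traffic cannot traverse Cloudflare's HTTP proxy; the OpenVPN Connect app picking the IPv6 answer is a side effect of the same proxied record.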