Messages - jjrushford

#1
Thanks, I'll see what I can do with the API.
#2
25.1, 25.4 Production Series / UI TLS certificate
April 07, 2025, 08:34:27 PM
Greetings,

I have a Let's Encrypt wildcard certificate that is updated every 60 days. I'm using this cert in all my SSL web applications including my OPNsense router. I have to manually install it through the OPNsense UI whenever the cert is updated, every 60 days. I would like to automate this, is there a tool available for this? I'd like to copy in the new cert, private key and then restart the UI automatically. I run the ACME protocol elsewhere and am not looking to run it on my router.

thanks
John
#3
You should be able to access other resources as long as allowed IPs are set to 192.168.2.0/24 and 192.168.1.0/24. Now you also might want to consider altering your subnets on your home network. Most coffee shops and hotels use 192.168.1.0/24 as their wifi network. This has caused me issues in the past with routing to my home network when using OpenVPN, so I switched my networks to use a /24 in the middle of the 10.0.0.0 range. For example, 10.130.1.0/24 and 10.130.2.0/24, and I no longer have the routing issues while out and about. With that said though, I've since switched from using OpenVPN to WireGuard. Since WireGuard uses tunneling and routes the allowed IPs via the tunnel, the subnet routing may not really be an issue. Just thought I'd mention it though.
#4
I'm on 24.7.1 and have two GeoIP aliases that are working fine.  I created the aliases while on 24.1 though and upgraded to 24.7.  Are you trying to create a new alias now that you're on 24.7 and that's failing?
#5
Eisai, my hostnames are all DNS A records and no CNAMEs. Also, I had to manually create the A records beforehand as ddclient will not create them.
#6
I'm on OPNsense 24.7.1 and I have os-ddclient 1.23 installed. I only have two hostnames that I'm checking with ddclient.
#7
Never mind the JSON strings, mine looks the same with multiple hostnames.  Yeah, I'm using ddclient also with cloudflare and mine are working fine.  I have multiple hostnames as well and it looks like yours.
#8
That hostnames value looks like a JSON string. Shouldn't it be an array of strings?
#9
I'm running 24.7 with port forwarding to my internal Apache WebDAV server. My macOS laptop users use the WebDAV server to mount a NAS share and they need to do that from wherever they are, on the local LAN or when they're out and about. The port forwarding from the public IP works fine and I have the NAT reflection with hairpin NAT working as well; it never causes my OPNsense server to lock up, it works fine.

Now with all that said, I've found that I really don't need the NAT reflection if I use split horizon DNS. I'm with Cloudflare and I'm using DDNS to register my public IP with the Cloudflare DNS servers using www.mydomain.com. Internally, I run unbound on my OPNsense box and I register www.mydomain.com there using the internal private IP. The OPNsense DHCP server tells everyone on the LAN to use the unbound DNS. So, when the laptop users are on the LAN, www.mydomain.com points directly to the internal WebDAV server's IP. When they are out and about, www.mydomain.com points to the public IP which gets port forwarded to the internal WebDAV server. This works fine and I really don't need the NAT reflection.
#10
My mistake, I checked the OPNsense documentation and the hostname setting is supposed to be the fully qualified hostname, I missed that.  Anyway, I have it working now, that's the main thing :)
#11
Ok, I got it debugged and now have it working. I saw in the ddclient latest.log that it queried using query parameters to specify the particular A and AAAA record. So I ran the query manually using curl

# URL is quoted so the shell does not treat '&' as a background operator;
# the space before the trailing backslash keeps the line continuation intact.
curl --request GET \
  --url "https://api.cloudflare.com/client/v4/zones/REDACTED ZONE_ID/dns_records?type=A&name=www" \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer REDACTED API TOKEN"

Note the query parameters, ?type=A&name=www. When I ran the query no A record was returned in the JSON. When I left out the query parameters, I saw that my A record name was the FQDN, i.e. hostname.domainname. I updated the ddclient settings in the OPNsense UI and changed my 'www' hostname to the FQDN, and now it's working.

This doesn't seem right to me or it's my misunderstanding. Why would an A or AAAA record name need to be specified using the entire FQDN? Am I making a mistake in my A/AAAA record creation by using only the hostname?
#12
I'm using the ddclient backend with the API token. I believe there is a bug in the ddclient perl script.

I haven't tracked it down yet but here is the API call to Cloudflare using a curl script that I verified is returning my A and AAAA records in the JSON response.

#!/usr/local/bin/bash

set -x
curl --request GET \
  --url https://api.cloudflare.com/client/v4/zones/REDACTED ZONE_ID/dns_records \
  --header "Content-Type: application/json" \
  --header "Authorization: Bearer REDACTED API TOKEN"

I've looked at the /var/log/ddclient/latest.log and I see the query being made, the URL looks correct and I see the Authorization header in the log is set correctly using my API token but when the script examines the decoded JSON, it fails to get the A and AAAA records from the response.  To be clear, ddclient is sending the exact same query as the curl above but when examining the response, it does not resolve the records from the JSON response.

I'm currently trying to debug the script.
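The two posts above (the working curl query with ?type=A&name=... and the earlier one where the records were not found) come down to one detail: the Cloudflare records API filters on the fully qualified record name, so a bare label such as www matches nothing. The following is an added check script, not code from the forum posts or from ddclient; the zone ID and API token are placeholders, http_get is a hypothetical helper, and SAMPLE_RESPONSE is a constructed Cloudflare-shaped reply so the script can be run offline.

```python
import json
import urllib.parse
import urllib.request

API = "https://api.cloudflare.com/client/v4"

def records_url(zone_id, fqdn, rtype):
    # urlencode keeps '&' out of the shell's hands and builds the same filter
    # ddclient sends: ?type=A&name=<fqdn>
    query = urllib.parse.urlencode({"type": rtype, "name": fqdn})
    return f"{API}/zones/{zone_id}/dns_records?{query}"

def to_fqdn(hostname, zone_name):
    # Cloudflare record names are fully qualified; a bare label matches nothing.
    if hostname == zone_name or hostname.endswith("." + zone_name):
        return hostname
    return f"{hostname}.{zone_name}"

def matching_records(response_json, fqdn, rtype):
    data = json.loads(response_json)
    if not data.get("success"):
        raise RuntimeError(f"Cloudflare API error: {data.get('errors')}")
    return [r for r in data["result"] if r["type"] == rtype and r["name"] == fqdn]

def http_get(url, token):
    # Hypothetical helper: Bearer-token GET, same headers as the curl call above.
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}",
                                               "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode()

def check_ddns_target(zone_id, token, hostname, zone_name, fetch=http_get):
    """Return {"A": bool, "AAAA": bool}: whether each record ddclient will update exists."""
    fqdn = to_fqdn(hostname, zone_name)
    return {rtype: bool(matching_records(fetch(records_url(zone_id, fqdn, rtype), token),
                                         fqdn, rtype))
            for rtype in ("A", "AAAA")}

# Constructed sample shaped like a Cloudflare list-records reply (not real data).
SAMPLE_RESPONSE = json.dumps({"success": True, "errors": [], "result": [
    {"type": "A", "name": "www.example.net", "content": "203.0.113.10"},
    {"type": "AAAA", "name": "www.example.net", "content": "2001:db8::10"},
]})

def offline_fetch(url, token):
    # Stand-in for http_get: applies the ?type=&name= filter to the sample itself.
    q = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)
    recs = matching_records(SAMPLE_RESPONSE, q["name"][0], q["type"][0])
    return json.dumps({"success": True, "errors": [], "result": recs})

if __name__ == "__main__":
    print(check_ddns_target("ZONE_ID_PLACEHOLDER", "TOKEN_PLACEHOLDER",
                            "www", "example.net", fetch=offline_fetch))
```

Run with the real http_get against your zone before enabling os-ddclient: a False for A or AAAA is the same condition that produces the "record does not exist" errors, without touching the live records.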
#13
Quote from: jbhorner on August 10, 2024, 11:41:29 PM

I do not recall anything in the release notes stating that there were changes to this functionality. The complete configuration was identical to earlier versions (meaning I didn't modify anything), and it worked without issue. In fact, I brought up the prior version and verified that it worked correctly. So, something changed somewhere in the latest version of OPNsense. If Cloudflare is selected as the service, it seems to me that it should completely ignore the username field if it is indeed superfluous. (Or better still, do not display the field if it's not appropriate to the service selected.)

Thank you all for your suggestions.

I tried your suggestion and left the username blank and just populated the password with my API key.  I have my zone and hostname populated and am using the WAN interfaces as the IP lookup method.  I now get errors that say it's unable to update my IP addresses as the A and AAAA records do not exist in Cloudflare.  I created the A and AAAA records for my host at my Cloudflare DNS before I even configured os-ddclient and they still exist so, I do not understand why I'm getting these errors.  Any ideas?
#14
I have OPNsense 24.7_9 installed and am trying to get DDNS working using os-ddclient. My provider is Cloudflare.
I've created the required API key in Cloudflare and am using that key as my password in the os-ddclient settings on OPNsense. os-ddclient is reporting the following errors when it runs:

Account 22dfa802-939a-436c-b7a1-6bdbe6e03ac4 [cloudflare - Cloudflare ddns] error receiving ZoneID [[{"code": 6003, "message": "Invalid request headers", "error_chain": [{"code": 6103, "message": "Invalid format for X-Auth-Key header"}]}]]

Not sure what is wrong and hoping to get some help fixing this.

thanks
John
#15
Thanks for your help!  I got it working by adding the outbound NAT rule on the LAN.