Configuring OpenWRT DDNS for freedns.afraid.org
R
Posted on October 26, 2024
Overview
freedns.afraid.org is a DNS provider that offers free registration of subdomains on a long list of "public" (shared) top-level domains.
This is a more friendly alternative for use with Dynamic DNS clients, than many similar services, because it does not require a periodic "manual" intervention to renew a registered subdomain just to keep it active. Other such services seem to use the "manual renewal" as a tactic to "inconvenience" people into paying for their service.
Setting up the DDNS client in OpenWRT to monitor for changes in a dynamic IP address, and update freedns.afraid.org, is a little confusing, because the DDNS scripts do NOT use their "Direct URL" approach for IP updates.
Official Docs
The freedns.afraid.org docs describe settings that might work with some OpenWRT/DDNS configurations, but the DDNS client parameters didn't exactly work in my case. The other option, which uses cron
and curl
, might work, but isn't the usual/proper way to have OpenWRT handle DNS updates, and anything non-standard ends up burning extra time to document it well, or extra time later trying to remember how it is working.
"Direct URL" vs. DDNS Client
"Direct URL"
The biggest source of confusion while setting this up came from what freedns.afraid.org calls the "Direct URL." This URL has the path /dynamic/update.php?{authtoken}
. It is intended to be called/fetched from anywhere within a NAT network, and the server extracts the "apparent" originating IP (outside all NAT layers) from the request, as the IP to associate with the subdomain name. The token embeds authentication information, and the reference to the subdomain, so the request requires no other parameters. This URL, and its "token" are NOT used by the OpenWRT DDNS client.
DDNS Client
freedns.afraid.org ALSO supports typical ddns client URLs with the path /nic/update
, which accepts various URL parameters like hostname
, and myip
. THIS is what the OpenWRT DDNS client update script generates and uses. Authentication for this update option at freedns.afraid.org is HTTP basic, and requires the username:password for the freedns.afraid.org account, NOT the token, and NOT the FQDN of the subdomain (as the line option username 'yourhostname'
in the docs incorrectly suggests).
DDNS IP resolution within NAT
One important aspect of the OpenWRT setup is whether the OpenWRT router is behind one or more NAT (network address translation) layers. If so, the default wan
option for IP address source
WON'T WORK, since it will discover an IP address that is still "hidden" within the private network. The DDNS client needs to reach outside the NAT/private network to get the "public facing" IP. See instructions below re: using the URL
option instead.
How To
Now, with some of the confusing bits cleared up (let's hope), here are the steps to get things going.
- Sign up an account at freedns.afraid.org
- Decide on a suitable subdomain name, and add it to the account under one of the public domains controlled by freedns.afraid.org.
- i.e. Click "Add" on https://freedns.afraid.org/subdomain/
- Note: There are other options (transfer domain, etc.) too, but establishing a "registered" FQDN is the goal for this step.
- If not already installed, add the DDNS client/service to OpenWRT.
- See: https://openwrt.org/docs/guide-user/services/ddns/client
- Optional: Also install the LuCI components to manage the DDNS service.
- Add a DDNS "service" for freedns.afraid.org (using an example FQDN of
mychosenname.example.com
) (names/values in parens are for directoption
entries in/etc/config/ddns
without LuCI UI)-
Lookup Hostname (
lookup_host
): mychosenname.example.com -
DDNS Service Provider (
service_name
): Choose "afraid.org-basicauth" -
Domain (
domain
): mychosenname.example.com -
Username (
username
): freedns.afraid.org account username -
Password (
password
): freedns.afraid.org account password
-
Lookup Hostname (
- Switch the DDNS service's
IP address source
fromNetwork
toURL
IP lookup (Advanced tab in LuCI). This uses the checkip.dyndns.com utility to reach all the way out from all internal network layers and echo back the "public" IP, instead of resolving the first-layer private address (i.e. when the "wan" side of an internal router is still within a NAT/private network).-
IP address source (
ip_source
): Choose "URL" (web
) -
URL to detect (
ip_url
):http://checkip.dyndns.com
-
IP address source (
Notes
Private IP Error
Either the DDNS scripts, or maybe the freedns.afraid.org update service rejected a private/"non-routable" (i.e. RFC-1918) IP address with:
WARN : Updating IP at DDNS provider failed...
...
ERROR : No or private or invalid IP '192.168.0.2' given! Please check your configuration
LuCI vs. afraid.org-v2-token
The DDNS client in OpenWRT has another DDNS Service provider
option named afraid.org-v2-token
. This sounds like it would support the "Direct URL" approach, but...
- Best guess for where to fill in the token is:
-
Optional Parameter (
param_opt
) - Or possibly Optional Encoded Parameter (
param_opt_encoded
) - These were generated by LuCI, but not documented here
-
Optional Parameter (
- LuCI still requires 'username' and 'password', which are not used (so, presumably, they could be filled in with anything like
notused
). - The server response on an update indicates the (local/LAN) IP is still being included in the request, so the
IP address source
option must still be changed fromNetwork
toURL
- Whatever request URL this configuration is constructing and sending to freedns.afraid.org, it does NOT seem to match the "Direct URL" format, and does not work.
Posted on October 26, 2024
Join Our Newsletter. No Spam, Only the good stuff.
Sign up to receive the latest update from our blog.
Related
November 27, 2024