Do you want to update your DNS when your IP changes? Are you using a router running OpenWRT and Cloudflare? Then this short guide is perfect for you!
Let’s dive right into it. The OpenWRT router needs to modify your DNS settings on Cloudflare, so we need to create an API token. We could use the global API token, but we’ll use an API token with more limited access instead.
Creating a token on Cloudflare
Head to Cloudflare and go to My profile -> API Tokens -> Create Token -> Create custom token.
Give your token a name, e.g., OpenWRT DDNS and add the following permissions:
- Zone, Zone: Read
- Zone, DNS: Edit
Under Zone Resources, select Include, then Specific Zone and choose your domain, e.g., example.com. Hit Continue to summary and then Create Token.
Remember to take note of this token as you’ll need it later.
Next up is configuring OpenWRT to work with Cloudflare. We’ll mostly use the Web GUI, but we’ll also SSH into the router to make a small change to how authentication is done with Cloudflare.
In the Web GUI, do the following:
- Go to System -> Software and press Update lists.
- Enter “ddns” into the filter field, and press Install on the
- Log out of the GUI and back in. You should now have a Services -> Dynamic DNS option. Go to it.
- Press Edit on
- Set DDNS Service provider to
cloudflare.com-v4and confirm the change.
- Then set Lookup Hostname and Domain to the domain you want to update, e.g.,
example.com. Check the Enable and the Use HTTP Secure checkbox.
- Finally, paste the Cloudflare token you created into the Password field and hit Save and Apply. The username doesn’t matter.
If you want to update a subdomain instead, use the following format in the Domain field:
[email protected] and
sub.example.com in the Lookup field.
The settings should now look something like this:
Great work. We’re almost done.
Next up, we’ll have to make a minor change to the Cloudflare script as it doesn’t support authentication by using a token out of the box.
SSH into your router using, e.g., Putty. Use the same username and password that you have set up on your router. Then edit the script by running:
Enter insert mode by pressing I and find these lines:
__PRGBASE="$__PRGBASE --header 'X-Auth-Email: $username' "
__PRGBASE="$__PRGBASE --header 'X-Auth-Key: $password' "
Comment them out by adding a # at the beginning and add a new line below them, so it looks like this:
#__PRGBASE="$__PRGBASE --header 'X-Auth-Email: $username' "
#__PRGBASE="$__PRGBASE --header 'X-Auth-Key: $password' "
__PRGBASE="$__PRGBASE --header 'Authorization: Bearer $password' "
The Authorization header is the new line. Cloudflare uses this header that will contain your token to identify you. Press Escape -> Type :wq -> hit Enter to save and quit. You can exit SSH now and go back to the GUI.
Change how your current IP is determined
If you head to Network -> Interfaces and you can see an IPV4-address under WAN, then OpenWRT knows what your current IP is, and you can skip this step.
However, if you don’t see an IP address there, you’ll have to go to Services -> Dynamic DNS -> press Edit on myddns_ipv4 -> Go to Advanced Settings tab and change IP address source to something else.
Start using it
Now, head to Services -> Dynamic DNS and press Start.
Congratulations! 🎉 It should now be up and running. You can press Edit -> Log file viewer to view the log of what it’s doing.
If you have any questions, feel free to ask! 🙂
Questions and answers
Not all situations are the same, so here are some hopefully helpful answers where the problem is slightly different.
What if I’m using Cloudflare to proxy traffic for the domain I’m using with DDNS?
The setup above works by using DNS to check what IP the domain
example.com points to. If the domain doesn’t point to your current IP, then it’s updated.
But what if you’re also using Cloudflare to proxy requests? When Cloudflare is proxying the requests,
example.com no longer points at your IP address directly. Instead,
example.com points to Cloudflare, and Cloudflare becomes a middleman between your IP and the user.
Proxying can be helpful for multiple things: It hides your IP address from the user, and Cloudflare can cache things like images for you.
The issue arises when you now compare the IP of
example.com with your IP. Since you’ll no longer get your own IP when checking the DNS record of
example.com, OpenWRT will think that the IP for the domain is wrong and start interacting with Cloudflare to update it.
The thing is that the IP is most likely correct, but it can’t know for sure without using Cloudflare’s API to check.
It goes something like this:
- OpenWRT gets the IP of
example.com, and Cloudflare returns its own IP’s as the real IP is hidden behind Cloudflare.
- OpenWRT thinks that DNS needs to be updated as you got Cloudflare’s IP and not your own.
- It connects to Cloudflare using the API and gains access to see the real IP the domain points to through Cloudflare.
- If the real IP is wrong, it’s updated to your current IP.
So, as you can see, it will still work, but you’ll have unnecessary interactions with the Cloudflare API.
So you might wonder: How do we avoid unnecessary interactions with Cloudflare?
There is a clever solution to this problem that is possible thanks to Cloudflare supporting CNAME flattening. Let me show you how.
First, create a new subdomain that is mostly random by going to DNS settings for your domain on Cloudflare. If you want to hide your IP, the domain should not be guessable. I’m going to use the subdomain
top-secret.example.com in this example. Replace it with your own.
Press the Add record -> choose Type A -> enter
top-secret.example.com in the Name field -> enter a incorrect IP like
188.8.131.52 in the IPv4 field. Make sure it’s not proxied and press Save.
Next, remove the record for the proxied domain. In my case, that’s
example.com. Now, create a new DNS record, for
example.com, but this time with the Type CNAME. Point it to
top-secret.example.com and enable proxying, then Save.
Adding this CNAME will make Cloudflare redirect
top-secret.example.com internally, without exposing the actual IP of your server.
You’re now done with the Cloudflare part. The only thing you need to do now is to make two small changes to your DDNS settings in OpenWRT.
Go to the Basic settings for DDNS, change the Lookup Hostname to
top-secret.example.com, and set the Domain to
[email protected] (note the @). Click Save and Apply.
Now, head to Services -> Dynamic DNS and press the Start/Stop button twice to restart the service.
This way, DDNS will interact with the secret subdomain(
top-secret.example.com) to keep your DNS updated, while the actual domain(
example.com) points to the subdomain without exposing the domain or real IP.
You should now have a setup that only talks to Cloudflare when the IP has changed, even if you’re using proxying. Congratulations!⭐
Note that it, by default, might take up to 10 minutes to update the IP. You can view the logs to see what’s going on. (Dynamic DNS -> Log File Viewer tab)😊