Linux Firewall (Part 4) : DDNS and TLS
Intro
In the previous parts we set up the firewall and nftables. In this post, we will set up ddclient to keep our DNS record in step with our dynamic IP address, and the acme.sh script to issue, renew and install TLS certificates.
Dynamic DNS
Dynamic DNS (DDNS) is a method of keeping a DNS record pointed at the correct IP address even when that address keeps changing. My ISP assigns a dynamic IP address, so to reach my network and devices from the internet I need a domain name, and DDNS to keep that name pointed at whatever address my network currently has. I am using Cloudflare name servers, but the steps should be very similar for other providers. I am going to use ddclient, a Perl client which supports Cloudflare.
Install DDclient
dnf install ddclient
Create a configuration file for DDClient
nano /etc/ddclient.conf
Add the global configuration in /etc/ddclient.conf
daemon=900 # check every 900 seconds
syslog=yes # log update msgs to syslog
pid=/run/ddclient/ddclient.pid
ssl=yes
use=if, if=enp1s0 # use the WAN interface (enp1s0)
We can add multiple domain name configurations. The two examples below both use Cloudflare. login is usually the email address used to log into the Cloudflare account. password is an API key that can be generated for a specific zone with read and edit permissions in the Cloudflare dashboard.
# CloudFlare (example1.com)
protocol=cloudflare, \
zone=example1.com, \
ttl=1, \
login=<CF_EMAIL>, \
password=<CF_API_KEY> \
example1.com
# CloudFlare (example2.com)
protocol=cloudflare, \
zone=example2.com, \
ttl=1, \
login=<CF_EMAIL>, \
password=<CF_API_KEY> \
example2.com
We need to fix the permissions on the configuration file, or ddclient will give us the following warning:
WARNING: file /etc/ddclient.conf: file /etc/ddclient.conf must be accessible only by its owner.
Change the owner of the configuration file to the ddclient user and restrict read and write permissions to that owner only:
chown ddclient:ddclient /etc/ddclient.conf
chmod 600 /etc/ddclient.conf
Finally, enable and run the service
systemctl enable --now ddclient.service
ACME Script
We are going to use Let’s Encrypt to get TLS certificates. Let’s Encrypt uses the ACME protocol to verify ownership of a domain name and issue certificates. We can use the acme.sh script to automate getting, renewing and installing the certificates.
Install acme.sh. The email address is used for the Let’s Encrypt account:
curl https://get.acme.sh | sh -s email=<EMAIL_ADDRESS>
We can safely ignore the warnings about standalone mode.
Create environment variables for the Cloudflare Account ID and the Cloudflare API Token (generated in the Cloudflare dashboard):
export CF_Account_ID="id"
export CF_Token="token"
Issue a certificate for the base domain example.com and the wildcard *.example.com. The certificate will also be renewed automatically every 60 days.
acme.sh --issue --server letsencrypt -d example.com -d '*.example.com' --dns dns_cf
Let’s install the certificates into HAProxy now (HAProxy should already be installed):
export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy
export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy"
acme.sh --deploy -d '*.example.com' --deploy-hook haproxy
Once the certificates are installed, HAProxy will reload.
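As an added example (not from the original post, and not part of ddclient or acme.sh), here is a small POSIX shell script that checks the outcome of both sections above: that /etc/ddclient.conf has the owner and mode ddclient insists on, that the A record for the domain matches the address on the WAN interface ddclient publishes from (use=if, if=enp1s0), and how long the certificate written by the haproxy deploy hook has left before renewal should have happened. It assumes iproute2 ip, dig, find and openssl are on PATH, and that the deploy hook wrote the certificate to $DEPLOY_HAPROXY_PEM_PATH/example.com.pem; that file name is an assumption, not something the post states.

```shell
#!/bin/sh
# Sanity checks for the ddclient + acme.sh setup above.
# Added example, not code from the original post, ddclient or acme.sh.
# Assumptions: POSIX sh with find(1), iproute2 `ip`, `dig` and `openssl` on PATH;
# the haproxy deploy hook wrote the cert to $DEPLOY_HAPROXY_PEM_PATH/example.com.pem
# (assumed file name).

# check_conf_perms FILE OWNER: 0 only if FILE is mode 0600 and owned by OWNER,
# the condition ddclient enforces before it will read its configuration.
check_conf_perms() {
    f="$1"; want_owner="$2"
    [ -f "$f" ] || { echo "missing: $f" >&2; return 1; }
    if [ -z "$(find "$f" -perm 0600 -user "$want_owner")" ]; then
        echo "$f must be mode 0600 and owned by $want_owner, got: $(ls -ld "$f")" >&2
        return 1
    fi
    return 0
}

# iface_ipv4_from_ip_output: read `ip -4 -o addr show dev IFACE` output on stdin
# and print the first global-scope IPv4 address without its prefix length.
iface_ipv4_from_ip_output() {
    awk '$3 == "inet" && /scope global/ { sub("/.*", "", $4); print $4; exit }'
}

# iface_ipv4 IFACE: the address ddclient publishes when configured with use=if, if=IFACE
iface_ipv4() {
    ip -4 -o addr show dev "$1" | iface_ipv4_from_ip_output
}

# ddns_in_sync DOMAIN IFACE: 0 if the A record published for DOMAIN matches the
# WAN address (only dotted-quad answers are considered, so a CNAME step is skipped).
ddns_in_sync() {
    want=$(iface_ipv4 "$2")
    got=$(dig +short "$1" A | grep -E '^[0-9.]+$' | head -n 1)
    [ -n "$want" ] && [ "$want" = "$got" ]
}

# cert_expires_within PEM SECONDS: 0 if the certificate expires within SECONDS
# (or already has), 1 if it stays valid beyond that window, 2 if PEM is unreadable.
# openssl's -checkend exits 0 when the cert will NOT expire in the window.
cert_expires_within() {
    pem="$1"; secs="$2"
    [ -r "$pem" ] || { echo "unreadable: $pem" >&2; return 2; }
    if openssl x509 -in "$pem" -noout -checkend "$secs" >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Example run for the setup above: domain and interface from the post, PEM path assumed.
main() {
    check_conf_perms /etc/ddclient.conf ddclient && echo "ddclient.conf permissions ok"
    ddns_in_sync example.com enp1s0 && echo "example.com A record matches enp1s0"
    pem="${DEPLOY_HAPROXY_PEM_PATH:-/etc/haproxy}/example.com.pem"
    # acme.sh renews at 60 days, so a cert with under 30 days left means renewal or
    # the deploy hook did not run as expected.
    if cert_expires_within "$pem" $((30 * 24 * 3600)); then
        echo "$pem expires within 30 days: check acme.sh renewal and the deploy hook"
    else
        echo "$pem valid for more than 30 days"
    fi
}

if [ "${1:-}" = "--run" ]; then main; fi
```

Run it as `sh check-ddns-tls.sh --run` after the deploy step; each check fails loudly on stderr rather than silently, which is the behaviour you want from something you might later put in cron.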
Thank you for reading. Check out the other parts in the series below.