Linux Firewall (Part 4) : DDNS and TLS

Intro

In the previous parts we set up the firewall and nftables. In this post, we will set up DDclient to keep track of our dynamic IP address and the acme.sh script to issue, renew and install TLS certificates.

Dynamic DNS

Dynamic DNS (DDNS) is a method of keeping a DNS record pointed at the correct IP address even when that address keeps changing. I am using a dynamic IP address, and if I want to access my network/devices from the internet, I will need to use a domain name and use DDNS to keep the domain name pointed at the IP address of my network. I am using Cloudflare name servers, but the steps should be very similar for other providers too. I am going to use DDclient, a Perl client which supports Cloudflare.

Install DDclient

dnf install ddclient

Create a configuration file for DDClient

nano /etc/ddclient.conf

Add the global configuration in /etc/ddclient.conf

daemon=900              # check every 900 seconds
syslog=yes              # log update msgs to syslog
pid=/run/ddclient/ddclient.pid
ssl=yes
use=if, if=enp1s0       # use the WAN interface (enp1s0)

We can add multiple domain name configurations. The two examples below both use Cloudflare. login is usually the email address used to log into the Cloudflare account, and password is an API key generated in the Cloudflare dashboard for that specific zone with read and edit permissions.

# CloudFlare (example1.com)
protocol=cloudflare,        \
zone=example1.com,          \
ttl=1,                      \
login=<CF_EMAIL>,           \
password=<CF_API_KEY>       \
example1.com

# CloudFlare (example2.com)
protocol=cloudflare,        \
zone=example2.com,          \
ttl=1,                      \
login=<CF_EMAIL>,           \
password=<CF_API_KEY>       \
example2.com

We need to fix the permissions on the configuration file, or DDclient will give us the following warning:

WARNING:  file /etc/ddclient.conf: file /etc/ddclient.conf must be accessible only by its owner.

Change the owner of the configuration file to the ddclient user and restrict read and write permissions to that owner only:

chown ddclient:ddclient /etc/ddclient.conf
chmod 600 /etc/ddclient.conf

Finally, enable and run the service

systemctl enable --now ddclient.service
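The warning above exists because /etc/ddclient.conf carries the Cloudflare credentials in clear text, so its mode and owner are worth checking before the service is started. The script below, an added example that is not part of the original post and not ddclient's own code, parses a ddclient.conf with a simplified model of its syntax (an assumption: backslash continuations, '#' comments, comma- or whitespace-separated key=value settings, and a bare hostname token ending an entry), lists the hosts it updates, and reports when a file that holds a password setting is readable by group or others. The sample config is constructed from the post's example with placeholder credentials.

```python
"""Audit a ddclient.conf: which hosts it updates, and whether the file holding
the Cloudflare credentials is accessible only by its owner.

Added example; not from the original post and not ddclient's code. The parser
is a simplified model of ddclient's syntax and is an assumption, not ddclient's
own parser.
"""
import os
import stat
import tempfile

SECRET_KEYS = {"password"}  # settings that must never be readable by others

# Constructed sample mirroring the post's config; credentials are placeholders.
SAMPLE_CONF = """\
daemon=900              # check every 900 seconds
syslog=yes
pid=/run/ddclient/ddclient.pid
ssl=yes
use=if, if=enp1s0       # use the WAN interface (enp1s0)

# CloudFlare (example1.com)
protocol=cloudflare,        \\
zone=example1.com,          \\
ttl=1,                      \\
login=<CF_EMAIL>,           \\
password=<CF_API_KEY>       \\
example1.com

# CloudFlare (example2.com)
protocol=cloudflare,        \\
zone=example2.com,          \\
ttl=1,                      \\
login=<CF_EMAIL>,           \\
password=<CF_API_KEY>       \\
example2.com
"""


def _logical_lines(text):
    """Strip '#' comments (assumption: no '#' inside values) and join
    backslash-continued lines into one logical line each."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        if buf.strip():
            lines.append(buf.strip())
        buf = ""
    if buf.strip():
        lines.append(buf.strip())
    return lines


def parse_ddclient_conf(text):
    """Return (global_settings, entries); entries is a list of (host, settings).
    A setting stays in effect for later hosts until overridden, as in ddclient;
    a logical line with no host token is treated as global."""
    settings, global_settings, entries = {}, {}, []
    for line in _logical_lines(text):
        hosts, line_settings = [], {}
        for part in line.split(","):
            for token in part.split():
                if "=" in token:
                    key, value = token.split("=", 1)
                    line_settings[key] = value
                else:
                    hosts.append(token)
        settings.update(line_settings)
        if not hosts:
            global_settings.update(line_settings)
        for host in hosts:
            entries.append((host, dict(settings)))
    return global_settings, entries


def audit_mode(mode):
    """Findings for a credential file's permission bits; [] means owner-only
    access (0600 or stricter), which is what ddclient's warning insists on."""
    findings = []
    if mode & stat.S_IRWXG:
        findings.append("group has access")
    if mode & stat.S_IRWXO:
        findings.append("others have access")
    return findings


def audit_conf_file(path, expected_uid=None):
    """Combine mode, ownership and content: a loose mode is reported as a
    secret exposure only when the file really contains a secret setting."""
    st = os.stat(path)
    mode_findings = audit_mode(stat.S_IMODE(st.st_mode))
    findings = list(mode_findings)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append(f"owner uid {st.st_uid} != expected {expected_uid}")
    with open(path, encoding="utf-8") as fh:
        _, entries = parse_ddclient_conf(fh.read())
    secrets = sorted({k for _, s in entries for k in s if k in SECRET_KEYS})
    if secrets and mode_findings:
        findings.append(f"secret settings {secrets} exposed to non-owners")
    return findings


def demo():
    """Write the sample config, audit it at 0644, then again at 0600."""
    with tempfile.NamedTemporaryFile("w", delete=False, encoding="utf-8") as fh:
        fh.write(SAMPLE_CONF)
        path = fh.name
    try:
        os.chmod(path, 0o644)
        before = audit_conf_file(path, os.getuid())
        os.chmod(path, 0o600)
        after = audit_conf_file(path, os.getuid())
    finally:
        os.unlink(path)
    return before, after


if __name__ == "__main__":
    glob, entries = parse_ddclient_conf(SAMPLE_CONF)
    print("global:", glob)
    for host, s in entries:
        print(host, "zone=" + s["zone"], "protocol=" + s["protocol"])
    print("0644 findings:", demo()[0])
```

Run it against the real file with `audit_conf_file("/etc/ddclient.conf", pwd.getpwnam("ddclient").pw_uid)` after the chown/chmod above; an empty list means the file matches what the service expects.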

ACME Script

We are going to use Let’s Encrypt to get TLS certificates. Let’s Encrypt uses the ACME protocol to verify ownership of a domain name and issue certificates. We can use the acme.sh script to automate getting, renewing and installing the certificates.

Install the acme.sh script. The email address is used for the Let’s Encrypt account.

curl https://get.acme.sh | sh -s email=<EMAIL_ADDRESS>

We can safely ignore the warnings about standalone mode.

Create environment variables for the Cloudflare Account ID and a Cloudflare API Token (generated in the Cloudflare dashboard).

export CF_Account_ID="id"
export CF_Token="token"

Issue a certificate for the base domain example.com and the wildcard *.example.com. acme.sh will also automatically renew the certificate every 60 days.

acme.sh --issue --server letsencrypt -d example.com -d '*.example.com' --dns dns_cf
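With `--dns dns_cf`, acme.sh answers the DNS-01 challenge for each name by publishing a TXT record through the Cloudflare API. The script below, an added example that is not acme.sh code and not part of the original post, shows the arithmetic behind that record as defined in RFC 8555 section 8.4 and RFC 7638: the key authorization is the server's token joined to the account key's JWK thumbprint, and the TXT value is the base64url SHA-256 of it, published at `_acme-challenge.` followed by the name with any `*.` prefix removed. That is why `-d example.com -d '*.example.com'` results in two TXT values under the single name `_acme-challenge.example.com`. The account key coordinates and the challenge tokens are constructed placeholders, not real key material or tokens issued by Let's Encrypt.

```python
"""DNS-01 challenge arithmetic (RFC 8555 section 8.4) with the JWK thumbprint
of RFC 7638. Added example; not acme.sh code and not from the original post.
The account key, tokens and names are constructed placeholders.
"""
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    """Base64url without padding, as ACME and JOSE require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwk_thumbprint(jwk: dict) -> str:
    """RFC 7638: SHA-256 over JSON holding only the key type's required members,
    in lexicographic order, with no whitespace. Optional members such as 'kid'
    or 'alg' never take part, so they cannot change the result."""
    required = {"RSA": ("e", "kty", "n"), "EC": ("crv", "kty", "x", "y")}
    members = {k: jwk[k] for k in required[jwk["kty"]]}
    canonical = json.dumps(members, sort_keys=True, separators=(",", ":"))
    return b64url(hashlib.sha256(canonical.encode("utf-8")).digest())


def key_authorization(token: str, account_jwk: dict) -> str:
    """token || '.' || thumbprint(accountKey): ties the published answer to the
    account that created the order, not merely to whoever saw the token."""
    return f"{token}.{jwk_thumbprint(account_jwk)}"


def dns01_record(identifier: str, token: str, account_jwk: dict):
    """Return (record_name, txt_value). The record lives at
    _acme-challenge.<name>; for a wildcard the leading '*.' is dropped, so
    example.com and *.example.com are validated under the same label."""
    base = identifier[2:] if identifier.startswith("*.") else identifier
    key_auth = key_authorization(token, account_jwk).encode("ascii")
    return f"_acme-challenge.{base}", b64url(hashlib.sha256(key_auth).digest())


def plan_txt_records(challenges, account_jwk):
    """Group the TXT values to publish by record name, one per identifier,
    e.g. for the post's `-d example.com -d '*.example.com'` order."""
    plan = {}
    for identifier, token in challenges:
        name, value = dns01_record(identifier, token, account_jwk)
        plan.setdefault(name, []).append(value)
    return plan


# Constructed P-256 account key (placeholder coordinates, not a real key).
ACCOUNT_JWK = {
    "kty": "EC",
    "crv": "P-256",
    "x": b64url(b"\x11" * 32),
    "y": b64url(b"\x22" * 32),
    "kid": "https://acme.example/acct/0",  # ignored by the thumbprint
}

# Constructed tokens standing in for those the ACME server would return.
CHALLENGES = [("example.com", "tok-base-0000"), ("*.example.com", "tok-wild-0000")]

if __name__ == "__main__":
    for name, values in plan_txt_records(CHALLENGES, ACCOUNT_JWK).items():
        for value in values:
            print(f'{name}. 120 IN TXT "{value}"')
```

Both values must be present at `_acme-challenge.example.com` at the same time, which is why acme.sh adds rather than replaces TXT records there and why a stale record from an earlier run is harmless to validation but worth cleaning up.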

Now install the certificate into HAProxy (HAProxy must already be installed):

export DEPLOY_HAPROXY_PEM_PATH=/etc/haproxy
export DEPLOY_HAPROXY_RELOAD="systemctl reload haproxy"
acme.sh --deploy -d '*.example.com' --deploy-hook haproxy

Once the certificate is installed, the deploy hook reloads HAProxy.

Thank you for reading. Check out the other parts in the series below.