# openvpn-ddns

Maintain DNS records for connecting OpenVPN clients.

- generates PTR/AAAA/A records from the `common_name` of the client certificate and from both the internal and the external IP address, using `nsupdate`
- supports a private (TSIG) key for authenticated updates
- supports multiple forward and reverse zones and picks the first zone matching the IP address or the `common_name`
The following text assumes an OpenVPN server with client certificates, as described in the OpenVPN documentation, and a name server that supports dynamic updates via `nsupdate`, such as BIND.
- Install Ruby and nsupdate
- Clone the project

```
$ cd /etc/openvpn
$ git clone https://github.com/Mic92/openvpn-ddns.git ddns
```

- Edit the configuration

```
$ cp /etc/openvpn/ddns/openvpn-ddns.json.example /etc/openvpn/openvpn-ddns.json
```

If you run multiple OpenVPN servers, you can also create one configuration per profile:

```
$ cp /etc/openvpn/ddns/openvpn-ddns.json.example /etc/openvpn/server1.openvpn-ddns.json
$ cp /etc/openvpn/ddns/openvpn-ddns.json.example /etc/openvpn/server2.openvpn-ddns.json
```

where `server1` or `server2` is the name of the OpenVPN configuration file without the `.config`/`.ovpn` extension.
The configuration takes the following keys:

| Key | Type | Required | Description |
|---|---|---|---|
| `name_server` | string | required | hostname or IP address of the name server |
| `nsupdate_executable` | string | optional | path or name of nsupdate (defaults to `nsupdate`) |
| `private_key` | string | optional | If set, nsupdate uses it to authenticate against the name server. Use the format `algorithm:keyname key`, where `keyname` is the name used in the name server configuration and `algorithm` is the TSIG key algorithm. Example: `hmac-sha512:ddns-key NTc1ODVmNDk5NzgwMDgyODQ2ZTAzMGNlZmI0YTkwN2M5ZTg1MzNiN2UxMWQyNjZhNjg2YWQ1MDc4Y2NlZjU0Mw==` |
| `reverse_zones` | object/hash | optional | key is a subnet and value is the associated reverse zone. The public and private OpenVPN client IPs are matched against these subnets. If an IP is contained in one of the configured subnets, the PTR record in that reverse zone is updated using the `common_name` as value. |
| `private_zones` | array | optional | list of zones that are matched against the `common_name` field of the client certificate. If one zone is a suffix of the `common_name`, an A or AAAA record is updated using the internal IP address as value. |
| `private_search_domain` | string | optional | if set and none of the private zones matched, openvpn-ddns falls back to this domain. The record name is built from the host part of the `common_name`. |
| `public_zones` | array | optional | list of zones that are matched against the `common_name` field of the client certificate. If one zone is a suffix of the `common_name`, an A or AAAA record is updated using the public IP address as value. |
| `public_search_domain` | string | optional | if set and none of the public zones matched, openvpn-ddns falls back to this domain. The record name is built from the host part of the `common_name`. |
A key for `private_key` can be generated like this:

```
$ ddns-confgen -q -a hmac-sha512 -k openvpn
key "openvpn" {
	algorithm hmac-sha512;
	secret "NTc1ODVmNDk5NzgwMDgyODQ2ZTAzMGNlZmI0YTkwN2M5ZTg1MzNiN2UxMWQyNjZhNjg2YWQ1MDc4Y2NlZjU0Mw==";
};
```
- Run OpenVPN

Add the following lines to your OpenVPN server configuration:

```
learn-address /etc/openvpn/ddns/openvpn-ddns
script-security 2
```

At the moment only the `tun` mode of OpenVPN is supported.
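As an added example (not the project's own code), the following Ruby sketch shows how the configuration keys above combine for one `learn-address` event: which forward and reverse names are chosen for a client and what the resulting nsupdate script looks like. It assumes a constructed configuration with a placeholder secret, that the `algorithm:keyname key` string is passed to nsupdate via its `-y` option, and a label-boundary zone match (stricter than a bare suffix test).

```ruby
require "ipaddr"
require "json"

# Constructed sample openvpn-ddns.json (not the project's example file); the secret is a placeholder.
CONFIG = JSON.parse(<<~JSON)
  {
    "name_server": "ns.example.org",
    "private_key": "hmac-sha512:ddns-key PLACEHOLDER-BASE64-SECRET",
    "reverse_zones": { "10.8.0.0/24": "0.8.10.in-addr.arpa",
                       "fd00:1::/64": "0.0.0.0.0.0.0.0.1.0.0.0.0.0.d.f.ip6.arpa" },
    "private_zones": ["vpn.example.org"],
    "private_search_domain": "vpn.example.org"
  }
JSON

# nsupdate invocation: the "algorithm:keyname secret" form becomes nsupdate's -y argument (assumption).
def nsupdate_command(config)
  cmd = [config.fetch("nsupdate_executable", "nsupdate")]
  if (key = config["private_key"])
    algo_name, secret = key.split(" ", 2)
    cmd += ["-y", "#{algo_name}:#{secret}"]   # -y [hmac:]keyname:secret
  end
  cmd
end

# Forward name for the A/AAAA record: a zone matches only on a label boundary (stricter than a
# bare suffix test, my assumption); otherwise host part + search domain; nil if neither applies.
def forward_name(common_name, zones, search_domain)
  return common_name if zones.any? { |z| common_name == z || common_name.end_with?(".#{z}") }
  return nil unless search_domain
  "#{common_name.split('.').first}.#{search_domain}"
end

# Reverse name for the PTR record, or nil when no configured subnet contains the client IP.
def reverse_name(ip, reverse_zones)
  addr = IPAddr.new(ip)
  return nil unless reverse_zones.keys.any? { |cidr| IPAddr.new(cidr).include?(addr) }
  addr.reverse   # e.g. "5.0.8.10.in-addr.arpa" for 10.8.0.5
end

# The nsupdate script fed on stdin for one learn-address "add" event (old record removed first).
def nsupdate_script(config, common_name, ip, ttl: 300)
  type = IPAddr.new(ip).ipv6? ? "AAAA" : "A"
  fwd = forward_name(common_name, config.fetch("private_zones", []), config["private_search_domain"])
  rev = reverse_name(ip, config.fetch("reverse_zones", {}))
  lines = ["server #{config['name_server']}"]
  lines += ["update delete #{fwd}. #{type}", "update add #{fwd}. #{ttl} #{type} #{ip}"] if fwd
  lines += ["update delete #{rev}. PTR", "update add #{rev}. #{ttl} PTR #{common_name}."] if rev
  (lines << "send").join("\n")
end
```

Running `nsupdate_script(CONFIG, "laptop.vpn.example.org", "10.8.0.5")` yields the A and PTR updates for that client; a `common_name` outside every private zone falls back to `private_search_domain`, and an IP outside every reverse subnet produces no PTR lines.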