Enabling dynamic DNS is too convoluted, difficult


TL;DR See Step 9 for the actual request for this feature request

Needed to setup dynamic dns, I was surprised that it I hadn't previously made it work.

During setup I realized I had given up on it last time I tried it.

So I'm using freedns.afraid.org and here is what the setup looks like

Step 1

Go to System -> Software
Click on Updates lists, wait a little and then click dismiss
In the filter type "ddns"

Now choose among this list the appropriate software that needs to be installed

In my specific case that was


Click on each, click install, the dependencies are fine

Step 2 setup

Refresh interface a few times until

Services -> Dynamic DNS

appears, and click on it

Delete the two examples IPv4 and IPv6, they cannot help you

Step 3 get special URL

Go to freedns.afraid.org, the dynamic dns section, specifically

You must already have created your A and AAAA records, if not, do that first

For the revelant record get your "Direct URL", it will look something like this


Step 4 final setup

Now return to your router configuration page


Click "add new services..."

In Name, DON'T write your domain name, that will make an error that it already exists, maybe, just write something with no space or punctuation that isn't your domainname exactly

Next choose your "DDNS Service provider"

The list is not in alphanumeric order, select this one

Now click Create service, it will make an error, don't worry about it, it's an error of success

Dismiss the other error, it's fine, it means it works

Here you will need to read the docs


and specifically

There are four options for setup, the fourth option is the correct one ! The other will save plaintext password to your DNS on the device, don't use them, unless option four doesn't actually work

In Lookup Hostname write your actual dynamic domain name

DDNS Service provider should already be afraid.org-keyauth

In domain, write your actual dynamic domain name

In username, you don't have anything to write here, but you also HAVE to write something here, write any nonsense, for instance "BLABLBLABLBLABLA"

Next password, this isn't your password, this is your key

So remember the direct URL from before


Your key is everything after the ? character


Don't check "Use HTTP Secure", that will probably break it,

If you click it anyway you will have to answer the Sphinx's following riddle

Path to CA-Certificate

And it's a trick question, you don't have that, the answer is literally to write IGNORE in that textbox

Your settings panel should now look like something like this

Click Save

Step 5 Using it

Now it doesn't work, click restart

You should see this friendly error message

And the line of your service should look something like this

Step 6 testing it

Now everything looks like it should work, let's try to ping our domain


If you get this message it means you have followed my instructions perfectly !

Now your results might look different, something about receiving a ping reply
This is probably because when you created your A record, the DNS server automatically filled in your current IP address already. In this case, wait several weeks for your IP address to randomly change, then you should see the message from the above command line, at this point you can proceed to Step 7

Step 7 Give up

Find a dark secluded area and lie down, wait until your breathing ceases

Step 8 Ask for divine intervention from the machine

Step 9 Write feature request to make setup easier

This that could be improved to make setting this up easier

  1. It should be easier to find what packages to install in software
  2. The DDNS service provider should be in alphanumeric sort order
  3. There should be a link to the openwrt wiki page for the chosen DDNS Service provider (https://openwrt.org/docs/guide-user/services/ddns/client#freednsafraidorg)
  4. If the user already has an update URL, there should be a very obvious place he can paste it in, this URL probably would have most of the required information to auto-fill the rest of the settings page,
  5. The Username, for DDNS Service provider where it does not matter, it should not be visible, if it has to be visible, it should be acceptable to leave it blank.
  6. If the setting HTTP Secure is checked then, it should be acceptable to leave Path to CA-Certificate blank or pre-fill the textbox with "IGNORE", or have a button that will download the appropriate certificate file, place it in the appropriate location and fill in the Path in this textbox. If the certificate is autodownloaded, the signature should be presented to the user with the message "We cannot verify the signature of this certificate, show signature, do you accept it ? Yes/No
  7. HTTP Secure should probably be on by default, but it probably should "just work" by default, without requiring further user input or else the user will probably skip this security feature entirely while he is hunting for the solution for his other problems.
  8. Fixing, well I don't know what my current problem is, it's very weird but I'm out of ideas

And to anyone struggling with the exact same specific issue I was having

Which was that my WAN port is connected into another mandatory router from the GPON ISP with no bridge capability

Go to edit and check the "Log File Viewer" for clues

And then set for external URL IP checking

Of course now an IP change will translate into up to 10 minutes of downtime but I don't see a better option until I managed to reprogram my GPON SFP

who not add all this to the Wiki, via Applying for OpenWrt wiki account ?

1 Like

I have a wiki account, but that wiki page is already 50 pages long and I have already spent my sunday evening figuring out and documenting my attempt. Sorry but I'm spent.

Also I believe that much of this documentation could be dispensed with, if the UI of luci-ddns could be make a bit more user friendly and resilient.

The points that need attention, I have highlighted near the end of my post and I would add, for my specific case, make ddns script parse the log file, and automatically (or ask user) switch to URL resolving of the external address when the WAN IP is a invalid or private address.

This writeup will help many... in the meantime I added a spot for additional forum threads for configuration to the wiki: https://openwrt.org/docs/guide-user/services/ddns/client#additional_forum_threads_for_configuration

On another note I also use freedns and just have an hourly cron setup with the update URL that works fine without all of this. I don't need an immediate change so this works for me.

I think after installing the ca-certificates package first the answer should be: /etc/ssl/cert.pem

Well it requires certificates and needs to find them to work... on my system the certificates take >700 KB which is heavy enough to cause problems on routers with little free storage...

Your router will experience no downtime, even if the DDNS provider might take a while to reflect the new IP address...

Honestly, I feel your frustration, but I am not sure that this write-up is the documentation you wished to have found/pointed to/read when setting out to install DDNS.

Yes, I also only have 16MB of storage so 700kb is too much.

However in this case it is not the whole internet of certificates that is required but just the one with the ddns web interface.

I think there is a way to make an openssl query to download the full chain of certificates for just one address.

This would be less than 1kb of data total.

Ideally when you create the ddns service entry, it should download only this certificate and put it in a known location.

When this certificate reaches it's date of expiration, the new certificate should be automatically accepted inside of a certain time delay and from the same IP address so as not to create an administrative burden of updating that certificate all the time.

What I meant by that is that when the IP address changes, whatever remote computer who depends on this dns entry to be up to date, will experience service downtime for the duration until the next update + the dns entry time to live in their dns cache.

Maybe there's could be another way to determine our external IP address that does not depend on external services.

For instance maybe something related to doing a traceroute. Maybe doing a traceroute to openwrt.org and then sending a packet to each of the addresses, starting from the closest, until we get that packet back, indicating that this address is our own.

Back in the padt on my 16 MB wnder3700v2 I accepted the cost as more secure DDNS was worth it for me, but I tended to run my routers relatively lean back then, so 700KB was no showstopper abd since then I upgraded to a router with ample storage. But that is not universal... and if storage is tight then 700KB is qiote a lot.

I am sure that the maintainer of the DDNS package is open for patvhes implementig something like that. Which is the beauty of open source, if you have an idea you can help to get this fixed not only for yourself but for many users. I would guess most maintainers prefer a tested implementation over a pure feature request, but even a decent feature request has value if directed to the right person.

I don't think that would work, coming from the inside you only see the LAN side address of the NAT router that causrs your problems in the first place, and to perform this test from the outside you already need to know your public address.

Anuway, what I do is to use either X2Go or screen over mosh/ssh so if my sessions get affected by an address change, I can reconnect later and find my existing state... in my case, due to forced pppoe reconnects by my ISP every 24 hours, this strategy is needed even without the DDNS issue.

Thanks for your write-up.

I am coming from another third party firmware (DDWRT) and agree that there is room for improvement of the web interface.

I am a reasonable experienced user but it took me 30 minutes of reading, trying and tinkering before I got my freedns.afraid.org running.

I knew I had to do an "externa"l IP check as my router is a secondary router but it was not obvious at first that I could find that under URL.

1 Like