How to set a local tld resolving for addressing NAS and Router by name

This requirement is new for me. Until now I worked with IP addresses in my local LAN. Currently I played with settings (and may have misconfigured more), but I even do not understand the basics here.

The cause of this new requirement is that I need an SSL certificate for some apps on my NAS (and an RPI also), because browsers seem not to allow some features on non-encrypted connections.

At first, I do not have a public domain, as nearly every howto I found assumes I should have. I need a self-signed certificate. But that seems to need a domain. As several websites told, I tested the name of the NAS with .local, .lan, .home, .test.
None of them work. So I assume I have to set up my OpenWrt router correctly so DNS requests are resolved and redirected to my NAS.

Is there a how-to I could follow here?
If I could choose, I would like to use .home as TLD.

Not sure if it is important, but I use WireGuard, so it should be possible to connect also over WireGuard.

By default, OpenWrt uses *.lan. as domain, so your hostname.lan. should resolve to your individual systems, under two conditions:

  • the clients provide their hostname to the DHCPd when requesting a DHCP lease
    it works, but is more fragile
  • if you configure a static DHCP lease with option dns '1'
    this is the preferred -dependable- approach

SSL certs are a different topic; in general you can't get certificates for internal systems (which are not accessible from the outside, e.g. by letsencrypt to verify the HTTP-01 challenge) signed, which means you can only rely on self-signed certificates.
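As an added example (not part of the reply above), this is what the two conditions look like in OpenWrt's /etc/config/dhcp when the default domain is switched to the .home TLD asked for in the question; the MAC and IP values are constructed placeholders.

```uci
# /etc/config/dhcp (relevant sections only)

config dnsmasq
	# Domain appended to plain hostnames; the OpenWrt default is 'lan'.
	option domain 'home'
	# Resolve this domain from local data only, never forward it upstream.
	option local '/home/'
	# Also answer for the short hostname with the domain appended.
	option expandhosts '1'
	# OpenWrt default: refuse upstream answers that point into private ranges.
	option rebind_protection '1'

# Static lease: the dependable way. With option dns '1' dnsmasq adds the
# forward (nas.home -> IP) and reverse (PTR) records for the host itself,
# whether or not the client sends a hostname in its DHCP request.
config host
	option name 'nas'
	# placeholder, use the NAS's MAC address
	option mac 'AA:BB:CC:DD:EE:01'
	# placeholder, pick an address inside your LAN
	option ip '192.168.1.10'
	option dns '1'

config host
	option name 'rpi'
	# placeholder
	option mac 'AA:BB:CC:DD:EE:02'
	# placeholder
	option ip '192.168.1.11'
	option dns '1'
```

After editing, run /etc/init.d/dnsmasq restart and check from a LAN client with nslookup nas.home <router IP>; WireGuard peers resolve the same names only if the router's address is configured as their DNS server.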

Not entirely true.
A self-signed certificate is a certificate that’s signed with its own private key.
You can use non-public (your own) CA to sign certificates.

For local domains you can follow this:

True, but that doesn't really change the circumstances - either you self-sign the cert directly, or use your own self-signed CA - the browser-side complaints remain the same. Yes, you can import this self-signed CA into your cert stores, but that needs to be done on every system you're using (which is not going to be funny on the more 'smart'- or IoT'ish devices).

If you are in an enterprise environment, with central device management for hundreds of devices, yes - in a typical home with maybe up to ~5 SSL-enabled services and maybe 20 client devices, the efforts needed surpass the gains.

Yes, if you value your time, it's 'cheaper' to get a public domain.

…or to accept the self-signed cert on the relevant clients once (should be two clicks per browser), rather than importing the custom CA.

I'm reluctant about custom CAs for these reasons:

  • importing CAs can be quite challenging (system-wide, browser-specific, different situation for mobile/smart operating systems etc.)
  • the CA needs to be properly secured, as it can be (ab-)used to sign 'everything', so it can create a MITM situation (if you are maintaining a CA for a bigger company, I hope you follow best practices - but doing it at home, many treat this with more -too much- slack)
  • accepting the self-signed cert is only treated as valid for this one overridden cert, less danger about wildcard domains

Yes, you can do this 'properly' and securely, but very few actually go the extra mile.


Thanks for the hint about the CA. What settings do you propose for my OpenWrt router?