Local domain for SSL

I'm using OpenWrt 19.07 with the LuCI interface. I have set up DDNS (DuckDNS) with SSL, which works fine from external. When I access it from internal at "https://pi.lan:port", it shows insecure due to no valid certificate for the local domain. How can I make a valid certificate for this local domain? Thanks.

You should use the FQDN when you access it from the LAN, too.

In short, you can't, as no CA would sign a .lan domain (which can't be reached from the outside for the verification). As frollic mentioned, you need to use the external DDNS domain name (which can get verified and signed), and for practical reasons (routing/firewall) you'll need (or at least want) to override these external DNS A/AAAA records on your router's dnsmasq instance (use LuCI's hostname page) with your local IP address(es).

How about making a subdomain pointing to my local IP? I have seen this method on other websites, but I have no idea how to do it on OpenWrt. I don't see this setting in the DDNS page.

Sure,

if you control domain.com, you can create an internal.domain.com DNS entry and point that to the LAN-side 192.168.x.x IP of the router.

You might need to add an additional cert for that internal.domain.com.

Obviously it'll only work while being connected to the LAN side.

I have added a new subdomain pointing to the router (192.168.50.1) by selecting network->lan in the DDNS page.
How can I make this new subdomain point to my local device (192.168.50.50)?

Is the new DNS name to be pointing towards the router, or some other device on your LAN?
The 2nd alternative won't work, since the DDNS services are designed for resolving your public IP.

You might be able to fool the script/site, if they don't verify the IP you feed them.
You could try https://www.duckdns.org/update?domains=internal.domain.com&token=your_token&ip=192.168.50.50

this might work too
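
The two approaches discussed in this thread, written as an OpenWrt `/etc/config/dhcp` fragment. This is an added example, not part of any post above; `example.duckdns.org` is a placeholder for the DDNS name the certificate was issued for, and 192.168.50.50 is the LAN device from the thread.

```uci
# /etc/config/dhcp (fragment)
# Placeholder: replace example.duckdns.org with the name on the certificate.

# Approach 1: split DNS. dnsmasq on the router answers the public name
# with the LAN address, so internal clients reach the device directly
# and the certificate still matches the name they typed.
config domain
	option name 'example.duckdns.org'
	option ip '192.168.50.50'

# Approach 2: the public DNS record itself carries the private address.
# With rebind protection enabled, dnsmasq discards upstream answers that
# fall in private ranges, so the name has to be allow-listed.
# These options belong in the existing 'config dnsmasq' section.
config dnsmasq
	option rebind_protection '1'
	list rebind_domain 'example.duckdns.org'
```

After editing, restart dnsmasq (`/etc/init.d/dnsmasq restart`) and confirm from a LAN client that the name resolves to the private address. Allow-list only the specific name rather than turning rebind protection off for the whole resolver.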
