[RESOLVED] DDNS with a double NAT and OpenVPN server/client setup

Hi all,

I recently changed my ISP, who does not provide a static public IP. Therefore, I had to look into using a DDNS to access internal resources (via VPN). I chose dnsexit.com as the DDNS provider.

As I am using a double NAT setup: ISP_router----LEDE_router----Internal_network, the DDNS is picking up the private IP address of the WAN side of the LEDE router (and not the public one).

Is it possible to successfully use DDNS with the above setup?

Solution:

Yes, but you would need:

  1. A remote server on which your router could obtain the public IP address
  2. To modify the DDNS script to use the IP address obtained by #1

LP,
Jure

Just adapt the ddns-scripts configuration file /etc/config/ddns:
use "option ip_source" and "option ip_url".

https://openwrt.org/docs/guide-user/base-system/ddns


Doesn't this still require what @dustwolf said - i.e. a remote server that can provide the correct public IP?

At https://openwrt.org/docs/guide-user/services/ddns/client-tomerge#detecting_local_ip you will find a long (incomplete) list of servers.


You need some way for the OpenWRT scripts to know your public IP. If there is a way that you can "pull" it from the inside of your ISP-supplied router, that's one way without requiring a public-facing server.

The easiest would be to get rid of the double NAT, but I'm assuming there is a good reason for it. If not, connecting to the modem directly and/or putting their equipment into bridged mode would be the easiest (once that part was done).

@chris5560 Are you saying the LEDE router alone would be able to pick up the updated public IP via this method?

Yes, the ISP router does not allow for modem-only mode. So far my existing setup (with double NAT) has worked for my needs. But if I cannot get DDNS working, then I'll have to consider purchasing a fibre modem.

Basically, a script running on your OpenWRT box makes a GET from a remote web server that "politely" returns your public IP. The script extracts your public IP from the response, and uses that.

In other words, as I should have anticipated, yours is not a novel problem and therefore the solution for this already exists in the OpenWRT DDNS software package.

As @chris5560 mentions, all you have to do is set the "ip_source" option to "web" and then set the "ip_url" option to one of the services that provide you with your public IP from a remote server. The link he provides shows you over 40 different servers to choose from that do this exact thing.

It is unclear if these settings can be set through the web interface, but you can set them using uci on the command line. You don't have to modify any scripts or write any software yourself.

LP,
Jure

This is my ddns config file. Can someone let me know, what lines are correct/incorrect. I have chosen dnsexit.com as the DDNS provider.

*sensitive data replaced in config file.

config service 'myddns_ipv4'
	option interface 'wan'
	option ip_source 'web'
	option ip_network 'wan'
	option ip_url 'http://checkip.dyndns.org/'
	option enabled '1'
	option service_name 'dnsexit.com'
	option domain 'user_host.publicvm.com'
	option username 'username'
	option password 'password'
	option lookup_host 'user_host.publicvm.com'

You don't have an update_url. It doesn't appear your updates are being applied anywhere.

Oh, I thought some of the prefilled fields with my DDNS provider info did that? And then using any one of those (40) resolvers updated the IP?

@Sh500 you are right, dnsexit.com is one of the "out of the box" supported DDNS providers,
so no update_url is needed. It's read from the files services/services_ipv6.
You should remove the "option ip_network" from your config.
Everything else looks good for the moment.
You should enable logging when you start up and, if you see errors, post the log here.

Thanks, it has essentially started working after removing the option ip_network. But, as my outgoing traffic is going through a VPN, DDNS is picking up the VPN's IP and not my actual IP.

I have got a couple of interfaces - 'WAN' which should go out straight to internet and 'VPN_FW', where traffic goes through the VPN. I thought setting the 'option interface' to WAN, would make it pick up my actual public IP?

Just bumping this thread....

I still cannot seem to get DDNS to recognise my real public IP address. The system is still resolving my VPN client address.

I thought this may have been a common issue faced by others?

I've tried asking my new ISP for a static IP, but they are apparently 'having trouble applying it on a consumer service'.

Can I not somehow explicitly state for DDNS to monitor the 'non-VPN' WAN interface when using the update URL method?

Is this an issue because I have a double NAT (with VPN client)? Would a single NAT with VPN client work correctly?

The solution we mentioned should work. Do you have the logs, so that we can check what the problem is?

LP,
Jure

075024       : Detect registered/public IP
 075024       : #> /usr/bin/nslookup user_host.publicvm.com  >/var/run/ddns/myddns_ipv4.dat 2>/var/run/ddns/myddns_ipv4.err
 075024       : Registered IP '81.VPN.IP.ADD' detected
 075024  info : Rerun IP check at 2018-05-21 07:50
 075024       : Detect local IP on 'web'
 075024       : #> /usr/bin/wget-ssl -nv -t 1 -O /var/run/ddns/myddns_ipv4.dat -o /var/run/ddns/myddns_ipv4.err --no-proxy 'http://ipv4.wtfismyip.com/text'
 075024       : Local IP '81.VPN.IP.ADD' detected on web at 'http://ipv4.wtfismyip.com/text'
 075024       : Waiting 600 seconds (Check Interval)

The above is the DDNS log, taken 10 minutes before this post. The config file is the same as in my post earlier.

The issue with the VPN is that it possibly sets the default route to itself, so all data goes via the tunnel (incl. ddns traffic). The same problem exists for DNS resolving using the VPN: you can either use the DNS "inside" the tunnel or the default DNS; you cannot decide, e.g., on a per-domain basis which DNS to use.
You should have a look at your routing settings. Configure routing so that the ddns traffic is routed the way where you can find your "real" external IP.

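An added diagnostic helper, not part of this thread or of the OpenWrt ddns-scripts package, that mirrors the two checks the thread walks through: it extracts the address a "web" ip_source returned, the way the ddns client does from the response body, and then classifies it. A private or CGNAT address means the inner router's WAN side was reported (the double NAT problem at the top of the thread); an address equal to the VPN client interface's address means the lookup left through the tunnel (the routing problem in the posts just above). The function names, the VPN-address parameter and the sample responses are constructed for this example; the sample addresses are taken from the documentation TEST-NET ranges and are not real hosts.

```sh
#!/bin/sh
# Diagnostic helper for the "wrong local IP" symptom of the ddns client.
# Pure POSIX sh + grep so it can run on the router itself; all inputs are
# passed in as text, nothing is fetched here.

# Pull the first dotted-quad out of the body that an ip_url service returned
# (e.g. "Current IP Address: 198.51.100.7" or a bare "203.0.113.9").
extract_ipv4() {
    printf '%s\n' "$1" | grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | head -n 1
}

# Return 0 if the address can never be a public IP: RFC 1918 ranges,
# loopback, link-local, or the CGNAT range 100.64.0.0/10 that ISPs use
# on the WAN side of a customer router (the double NAT case).
is_private_ipv4() {
    ip="$1"
    o1=${ip%%.*}
    rest=${ip#*.}
    o2=${rest%%.*}
    case "$o1" in
        10|127) return 0 ;;
        172) [ "$o2" -ge 16 ] && [ "$o2" -le 31 ] && return 0 ;;
        192) [ "$o2" -eq 168 ] && return 0 ;;
        169) [ "$o2" -eq 254 ] && return 0 ;;
        100) [ "$o2" -ge 64 ] && [ "$o2" -le 127 ] && return 0 ;;
    esac
    return 1
}

# Classify what the ddns client would have detected as its "local IP".
#   $1: response body fetched from ip_url
#   $2: address of the VPN client interface on the router (assumed input)
# Prints one of: private-wan, vpn-egress, public, no-address
classify_detected_ip() {
    detected=$(extract_ipv4 "$1")
    [ -n "$detected" ] || { echo "no-address"; return 1; }
    if is_private_ipv4 "$detected"; then
        echo "private-wan"   # inner router's WAN side was reported
    elif [ "$detected" = "$2" ]; then
        echo "vpn-egress"    # the lookup left via the tunnel, not the real WAN
    else
        echo "public"
    fi
}

# Constructed sample responses (TEST-NET addresses, not real hosts).
SAMPLE_DYNDNS='<html><body>Current IP Address: 198.51.100.7</body></html>'
SAMPLE_TEXT='203.0.113.9'

# Example run: the second call reproduces the symptom from the log above,
# where the "web" lookup returned the tunnel address.
classify_detected_ip "$SAMPLE_DYNDNS" "203.0.113.9"
classify_detected_ip "$SAMPLE_TEXT" "203.0.113.9"
```

On the router, feed it the body saved from the ip_url and the tunnel interface's address: a "vpn-egress" result is exactly the situation described above, where the ddns traffic needs a route that bypasses the tunnel, while "private-wan" means ip_source is still reading the local interface instead of a remote web service.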

@chris5560 Your post pointed me to the exact solution. All my outgoing Internet traffic, by default, goes out through the VPN tunnel.

So I created an exemption rule for the DDNS update URL and now it resolves to my 'real' WAN IP address as desired.

Many thanks.