This tutorial has been updated as of December 29 2024
Watch these videos along with following the
instructions in this tutorial below and you will have success.
Please read the entire guide before beginning, as I have
written an addendum at the very end which explains
how to issue yourself ZeroSSL certificates with the SHA-384
signature algorithm, which is the default for ZeroSSL.
The process detailed in the main body of this tutorial
will result in you being issued a certificate with
RSA encryption.
ZeroSSL certificates with SHA-384 provide the following:
Elliptic Curve Digital Signature Algorithm (ECDSA) is a
digital signature algorithm that uses elliptic curve
cryptography (ECC) to create digital signatures.
ECDSA is known for its efficiency and strong security, and is
often used in environments with limited storage and
computational power, such as mobile devices and IoT devices.
First, as all of you ought to know by now, before we begin
"The Intro": remember always that it is always
Christmas Time In Ghetto
and one of my all time favorites,
Bernadette
Now that the obligatory prerequisites have been satisfied,
let's begin the tutorial. Dynu, the best free DDNS service:
I find that Dynu works first time and every time. Most reliable
cost-free DDNS service out there IMHO.
1 - First we have to register
with the Dynu DDNS service before we get down to issuing our
certificates. In order to do this, let's get started.
Go to Create Account and by all means do so.
The page has all the instructions and is self explanatory. You can use an email
account; you also have other options such as a GitHub account. Once
you have verified your account, log into your account. Go to DDNS Services > click ADD > Option 1: Use Our Domain Name. From the drop
down menu choose a "Top Level" Dynu domain (for this example I chose
theworkpc.com) and enter a hostname. For purposes of this tutorial I chose
suebeni2. Click the green ADD button below - done. My Dynu domain is now
suebeni2.theworkpc.com. Note: domains marked Members Only are not free
and you must pay for them. Now let's install and configure DDNS.
The username used here is: cupid32
and the password is: Sue2Binnie
I used a real account here for purposes of this tutorial but I have changed the
password. So please use your own account and credentials.
Once you have
established your Dynu domain, click on the symbol next to Search at the top
right of the page, then click on API Credentials. Then go down to
OAuth2. You will see Client ID: and Secret:. Go along that boxed column to
the right. Click on the binoculars symbol in the box to view these codes. Copy
and save them for later. Here are my examples below:
Client ID: cb82da76-800d-4ee3-9d2e-9683eee67027
Secret: b65f3eT4f54UV4gU55bU24YV5VcX3U
2 - Set up your router for Dynu DDNS and ZeroSSL
A - Go to Luci > System > Hostname (enter a name of your choice; I am using "amani" here).
B - Then from Luci travel to Network > DHCP and DNS > Local domain (here enter the Dynu domain which you created earlier, suebeni2.theworkpc.com for this example).
Your full domain (for ZeroSSL certificates) will now be issued as "amani.suebeni2.theworkpc.com". Now, let's set up Dynu DDNS and ACME ZeroSSL.
3 - Install DDNS and ACME. As always, "opkg update" first, then follow below.
Use the apk update && apk add commands instead
if you are running an OpenWRT snapshot.
opkg update && opkg install socat ncat-full acme acme-acmesh acme-acmesh-dnsapi acme-common luci-app-acme coreutils-stat ddns-scripts luci-app-ddns luci-app-uhttpd uhttpd knot-libs bind-tools drill nmap-full gnutls-utils unzip ip-full knot-host bind-host knot-dig libevent2-7 tcpdump-mini bash luci-app-firewall ca-certificates ca-bundle luci-app-opkg luci-mod-admin-full haveged
Dynu DDNS "Dynu DDNS SCRIPT SECTION"
I use a script to update the Dynu DDNS service.
See here:
Find Public IP Address for OpenWRT Via Script
I have modified the script so it works more reliably.
To implement this script, please follow these instructions below:
touch /usr/lib/ddns/getPublicIp.sh
nano /usr/lib/ddns/getPublicIp.sh
Enter the script below in the new file.
(The URL includes the Dynu hostname and the account
password found above;
make sure to use the Dynu domain/hostname only, not the router hostname.)
#!/bin/sh
# sample script for detecting the public IP: the Dynu update URL replies with
# "good <ip>" or "nochg <ip>", and ddns-scripts extracts the address from that reply
wget -q -O - "https://api.dynu.com/nic/update?hostname=suebeni2.theworkpc.com&password=Sue2Binnie"
Then make it executable:
# chmod 755 /usr/lib/ddns/getPublicIp.sh
Test it by entering the command:
# /usr/lib/ddns/getPublicIp.sh
Set up the Dynu DDNS config file:
replace the IPv4 configuration section
with the contents below.
Enter the command:
# nano /etc/config/ddns
config service 'dynu'
option enabled '1'
option domain 'suebeni2.theworkpc.com'
option username 'cupid32'
option use_https '1'
option cacert '/etc/ssl/certs/ca-certificates.crt'
option use_logfile '1'
option check_interval '10'
option check_unit 'minutes'
option force_interval '24'
option force_unit 'hours'
option ip_source 'script'
option retry_interval '60'
option retry_unit 'seconds'
option ip_script '/usr/lib/ddns/./getPublicIp.sh'
option update_url 'https://api.dynu.com/nic/update?hostname=suebeni2.theworkpc.com&password=Sue2Binnie'
option password 'Sue2Binnie'
option interface 'wan'
option use_bind_network 'wan'
option force_dnstcp '1'
option force_ipversion '1'
option service_name 'dynu.com'
option lookup_host 'suebeni2.theworkpc.com'
Now start DDNS: run commands
(1) to (4) in order as listed below:
(1) # /usr/lib/ddns/./getPublicIp.sh
(2) # /etc/init.d/ddns restart
(3) Go to System > Startup > restart your DNS resolver
(dnsmasq / unbound), then restart DDNS:
(4) # /etc/init.d/ddns restart
Note: in order to issue / renew Let's Encrypt certificates,
disable your VPN (if running) and make sure port 80
is free / open / unblocked.
You may then go to Luci > Services > Dynamic DNS
and make sure the DDNS client is running and updated.
If not, then do the following as outlined below:
(1) # /usr/lib/ddns/./getPublicIp.sh
(2) # /etc/init.d/ddns restart
(3) Go to System > Startup > restart your DNS resolver
(dnsmasq / unbound), then restart DDNS.
In Services > Dynamic DNS, reload the service / client.
Note: in order to issue / renew ZeroSSL certificates,
disable your VPN (if running) and make sure port 80
is free / open / unblocked.
For the Let's Encrypt certificates option,
jump down to
You Must Set Up ACME On OpenWRT
Taken directly from
How to run Acme on OpenWrt
If you prefer to use the command line,
simply edit
/etc/config/acme
It is prudent to update to the latest
acme client version before proceeding;
enter the command below:
/usr/lib/acme/client/acme.sh --upgrade
DDNS must also be configured, running and updated.
Then run the command
/etc/init.d/acme start
Once you run the command to start ACME
you will be issued your Let's Encrypt certificates.
Then WinSCP transfer your freshly issued Let's Encrypt certificates
from the /root/.acme.sh/amani.suebeni2.theworkpc.com/ directory
in this case to /etc/ssl/acme/ and /etc/luci-uploads/ respectively.
Let's Encrypt is that simple, provided you set up the DDNS
and ACME configurations properly as detailed in this tutorial.
Now - Dynu ACME / ZeroSSL
The first order of business is to register
an account with ZeroSSL. You must use
an email address - it can be anything.
Here is how you accomplish registration
for our full Dynu ZeroSSL certificate domain:
/usr/lib/acme/client/acme.sh --register-account -m kaidad2@aol.com
Note / remember:
The full Dynu ZeroSSL certificate name is
amani.suebeni2.theworkpc.com
("amani" is from Luci > System > Hostname).
amani.suebeni2.theworkpc.com is
for the ZeroSSL / ACME configuration and certificates
along with
the Luci uHTTPd configuration.
The Dynu domain name is
suebeni2.theworkpc.com
for the DDNS configuration
and
Luci > Network > DHCP and DNS > Local domain.
See here for:
How to run on OpenWrt / acmesh-official / acme.sh
and here for:
24. Use Dynu API
Scroll down to Section 24. Use Dynu API
You must set up ACME on OpenWRT.
Here is the configuration below for the
Dynu ACME ZeroSSL certificate domain
name which we are issuing here in this example.
Enter the command:
# nano /etc/config/acme
config acme
option state_dir '/root/.acme.sh/'
option account_email 'kaidad2@aol.com'
option debug '1'
config cert 'example'
option keylength '4096'
option update_uhttpd '1'
option enabled '1'
list domains 'amani.suebeni2.theworkpc.com'
option use_staging '0'
list credentials 'export Dynu_ClientId="cb82da76-800d-4ee3-9d2e-9683eee67027"'
list credentials 'export Dynu_Secret="b65f3eT4f54UV4gU55bU24YV5VcX3U"'
option validation_method 'dns'
option dns 'dns_dynu'
# /etc/init.d/acme enable
It is prudent to update to the latest
acme client version before proceeding;
enter the command below:
/usr/lib/acme/client/acme.sh --upgrade
The packages are already installed. You now need
to issue the command below in order to issue your
ZeroSSL certificates for the full domain name
which we set up at the beginning, "amani.suebeni2.theworkpc.com".
Note that this includes the hostname which we
added on our router.
Dynu_ClientId="cb82da76-800d-4ee3-9d2e-9683eee67027" Dynu_Secret="b65f3eT4f54UV4gU55bU24YV5VcX3U" /usr/lib/acme/client/acme.sh --insecure --issue -d amani.suebeni2.theworkpc.com --keylength 4096 --dns dns_dynu --force
The issuance takes 20 seconds to complete after the ACME challenge;
when finished you can locate the certificate and key files in the
/root/.acme.sh/ directory, and then in the uHTTPd settings
point the certificate and key paths to them respectively.
This means that the two main files you need are found here:
/root/.acme.sh/amani.suebeni2.theworkpc.com/amani.suebeni2.theworkpc.com.cer
/root/.acme.sh/amani.suebeni2.theworkpc.com/amani.suebeni2.theworkpc.com.key
There are two main / required default directories to which
you must transfer and upload your ZeroSSL
certificates. One is for ACME, the other is for Luci.
They are as follows below:
/etc/ssl/acme/ = default ACME cert directory
/etc/luci-uploads/ = default Luci directory for SSL login
You do this by WinSCP transfer of your freshly issued ZeroSSL certificates
from the /root/.acme.sh/amani.suebeni2.theworkpc.com/ directory
in this case to /etc/ssl/acme/ and /etc/luci-uploads/ respectively.
After you have transferred the ZeroSSL certificates to the
appropriate directories, you must configure Luci uHTTPd
for SSL login. See below for that.
Notice that I set the login port to "10445";
AGH (AdGuard Home) will use port 443.
Now edit the /etc/config/uhttpd file
as demonstrated below.
You must enter your router's LAN IP address
on port 10445 for Luci SSL encrypted login.
In this case my LAN IP is 192.168.5.10
# nano /etc/config/uhttpd
config uhttpd 'main'
list listen_https '192.168.5.10:10445'
option redirect_https '1'
option home '/www'
option rfc1918_filter '1'
option max_requests '3'
option max_connections '100'
option cert '/etc/luci-uploads/amani.suebeni2.theworkpc.com.cer'
option key '/etc/luci-uploads/amani.suebeni2.theworkpc.com.key'
option cgi_prefix '/cgi-bin'
list lua_prefix '/cgi-bin/luci=/usr/lib/lua/luci/sgi/uhttpd.lua'
option script_timeout '60'
option network_timeout '30'
option http_keepalive '20'
option tcp_keepalive '1'
option ubus_prefix '/ubus'
config cert 'defaults'
option days '730'
option key_type 'ec'
option bits '4096'
option ec_curve 'P-256'
option country 'US'
option state 'New York'
option location 'WARDELL'
option commonname 'DIT_Hannu Nyman DL-WRX36 6.6.51-1'
then issue these two commands :
# chmod 400 /etc/ssl/acme/amani.suebeni2.theworkpc.com.key
and
# chmod 400 /etc/luci-uploads/amani.suebeni2.theworkpc.com.key
BONUS:
In order to preserve your ZeroSSL certificates,
use WinSCP and go into the open default directory.
In this case, while already in the open directory
/root/.acme.sh/amani.suebeni2.theworkpc.com/
(on the right side of the WinSCP window)
you will see all the ZeroSSL certificates and associated files.
Save them to a folder on your desktop, USB or what have you
in case you need to upgrade or install new OpenWRT firmware.
As you might know, ZeroSSL certificates are good for 90 days
and you do not want to abuse this free service. You can reuse
them via WinSCP. Using WinSCP, just transfer your saved ZeroSSL
certificates from your storage device (desktop folder or USB) and upload the
certificates to the default directories for ACME and Luci uHTTPd.
At this point DO NOT !! / I REPEAT DO NOT !! / DO NOT RESTART
uhttpd for any reason whatsoever. Instead clear your browser: close it and
clean cookies and all that good stuff. Actually, after clearing your web browser
it is best to reboot your router in order to make sure that you can log in to
your router with your new valid certificate. After reboot, I will open my browser
and log in with
https://amani.suebeni2.theworkpc.com:10445
as per this example. You should not be prompted by an "insecure" warning any
longer and the green padlock will appear in the address bar. Click on it and
see the certificate details if you wish.
As I have said, ZeroSSL certificates are valid for 90 days
and you may renew after 60 days. You can find the exact
expiration date of your certificate by clicking on the "green padlock"
on your router's encrypted login page. In order to renew your
OpenWRT Dynu
registered ZeroSSL certificates, do the following:
Set up your DDNS and ACME as detailed above
and make sure your DDNS address is updated and current.
The --renew flag on ZeroSSL will return "not registered" output.
So go through the registration command once again, in this particular demonstrated example
/usr/lib/acme/client/acme.sh --register-account -m kaidad2@aol.com
Then issue the command below in order to renew your certificate:
Dynu_ClientId="cb82da76-800d-4ee3-9d2e-9683eee67027" Dynu_Secret="b65f3eT4f54UV4gU55bU24YV5VcX3U" /usr/lib/acme/client/acme.sh --insecure --issue -d amani.suebeni2.theworkpc.com --keylength 4096 --dns dns_dynu --force
I wrote this because
needs Certificates
In order to use encryption, you need to provide a valid SSL certificate
chain for your domain. You can get a free certificate on letsencrypt.org or you can
buy it from one of the trusted Certificate Authorities.
ZeroSSL certificates are best suited for this purpose, as I put forth at the outset.
I will write a proper Encrypted DNS AdGuardHome tutorial as a follow up in the
very near future.
Addendum / What I Recommend
Dynu ACME ZeroSSL certificates allow you the option
to select and issue SSL certificates with a plethora
of encryption parameters.
What Type of SSL Certificates Does ZeroSSL Provide?
At ZeroSSL we issue certificates with SHA-384
signature algorithm by default. For a good reason IMHO.
Here you can read about 384-bit ECDSA key encryption.
How does ECC compare to RSA and DSA?
and
ECC is more efficient
As the figure shows, with ECC you get equivalent cryptographic strength with
significantly smaller key sizes, about an order of magnitude smaller. For
example, to achieve the equivalent cryptographic strength of encrypting using
a 112 bit symmetric key would require an RSA 2048 bit key, but only an
ECC 224 bit key. The shorter key lengths mean devices require less
processing power to encrypt and decrypt data, making ECC a good fit for
mobile devices, Internet of Things, and other use cases with more limited
computing power.
Key Size and Security
ECDSA typically uses key sizes ranging from 256 to 384 bits. Despite the
smaller key size, it provides a security level equivalent to much larger RSA
keys. For instance, a 256-bit ECDSA key offers comparable security to a
3072-bit RSA key.
Performance and Speed
ECDSA uses less computational power, memory, and energy, making it
suitable for devices with limited resources.
Adoption and Compatibility
ECDSA is seeing growing adoption, particularly in modern systems and
applications. It is supported by most new web browsers and platforms.
However, compatibility with older systems may be limited.
If you decide to issue yourself a ZeroSSL certificate with the SHA-384 signature
algorithm, then amend the instructions detailed above in the following
manner.
In ACME configuration - open configuration file
# nano /etc/config/acme
change
option keylength '4096'
to
option keylength 'ec-384'
In Luci uHTTPd configuration - open configuration file
# nano /etc/config/uhttpd
Luci uHTTPd configuration values are for a self signed certificate, so I do not
believe that these are relevant in the first instance. However, Luci WebGui will
complain if these values are left empty. I chose this value because a 384-bit
ECC key is equivalent to a 7680-bit RSA key.
change entries as shown below
option bits '4096'
option ec_curve 'P-256'
to
option bits '7680'
option ec_curve 'P-384'
Remember to register your account
/usr/lib/acme/client/acme.sh --register-account -m kaidad2@aol.com
And lastly issue your certificate with the
command below where we have changed
the key flag length to --keylength ec-384
Dynu_ClientId="cb82da76-800d-4ee3-9d2e-9683eee67027" Dynu_Secret="b65f3eT4f54UV4gU55bU24YV5VcX3U" /usr/lib/acme/client/acme.sh --insecure --issue -d amani.suebeni2.theworkpc.com --keylength ec-384 --dns dns_dynu --force
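Because the issuing commands above differ only in the --keylength value, it is worth confirming what you actually received before copying the files into /etc/ssl/acme/ and /etc/luci-uploads/, and it is the same check you want when deciding whether the 90-day certificate is due for its renewal after 60 days. The helper below is an added example (not part of the tutorial, acme.sh or uHTTPd) that uses openssl to report the certificate's public key type and size, the signature algorithm the CA applied (a separate thing from the key type), whether a given key file belongs to the certificate (handy after a WinSCP copy), and whether fewer than 30 days remain. It goes a little beyond the tutorial in that it handles both the RSA (--keylength 4096) and the ECDSA (--keylength ec-384) case. make_demo_cert generates a constructed self-signed P-384 certificate so the demo runs offline; the /etc/luci-uploads paths in the comments are the tutorial's example paths.

```shell
#!/bin/sh
# Added example, not from the tutorial or acme.sh: inspect an issued
# certificate/key pair with openssl. Lets you confirm whether --keylength 4096
# produced an RSA key and --keylength ec-384 an ECDSA P-384 key, and which
# signature algorithm the CA actually applied (the two are separate things).

# cert_key_info <cert.pem>: prints "<key algorithm> <size or curve>",
# e.g. "rsaEncryption 4096" or "id-ecPublicKey P-384"
cert_key_info() {
    openssl x509 -in "$1" -noout -text 2>/dev/null | awk '
        /Public Key Algorithm:/ { alg = $NF }
        /Public-Key:/           { gsub(/[()]/, ""); bits = $(NF - 1) }
        /NIST CURVE:/           { curve = $NF }
        END { print alg, (curve != "" ? curve : bits) }'
}

# cert_sig_alg <cert.pem>: the signature algorithm the issuer used,
# e.g. "sha256WithRSAEncryption" or "ecdsa-with-SHA384"
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text 2>/dev/null |
        awk '/Signature Algorithm:/ { print $NF; exit }'
}

# cert_matches_key <cert.pem> <key.pem>: return 0 when the key file is the
# private key for the certificate (compares the derived public keys)
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# cert_valid_for_days <cert.pem> <days>: return 0 if the certificate will
# still be valid <days> from now, 1 if it expires before then
cert_valid_for_days() {
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1
}

# make_demo_cert <dir>: constructed self-signed ECDSA P-384 certificate, used
# only so the report can be run offline; real certificates come from acme.sh
make_demo_cert() {
    openssl ecparam -name secp384r1 -genkey -noout -out "$1/demo.key" 2>/dev/null
    openssl req -new -x509 -key "$1/demo.key" -out "$1/demo.cer" -days 90 \
        -sha384 -subj "/CN=demo.example.invalid" 2>/dev/null
}

# report_cert <cert.pem> <key.pem>: human-readable summary, the same checks
# you would run on /etc/luci-uploads/amani.suebeni2.theworkpc.com.cer and .key
report_cert() {
    echo "key:        $(cert_key_info "$1")"
    echo "signature:  $(cert_sig_alg "$1")"
    if cert_matches_key "$1" "$2"; then
        echo "key file:   matches certificate"
    else
        echo "key file:   DOES NOT match certificate"
    fi
    # ZeroSSL certificates last 90 days and may be renewed after 60,
    # i.e. once fewer than 30 days remain
    if cert_valid_for_days "$1" 30; then
        echo "expiry:     more than 30 days left, no renewal needed yet"
    else
        echo "expiry:     fewer than 30 days left (or expired): renew now"
    fi
}

demo_dir=$(mktemp -d)
make_demo_cert "$demo_dir"
report_cert "$demo_dir/demo.cer" "$demo_dir/demo.key"
rm -rf "$demo_dir"
```

On the router, run report_cert against the .cer and .key in /etc/luci-uploads/ after the WinSCP copy: a "DOES NOT match" line means uHTTPd has been handed a key from a different issuance, and the key line tells you at a glance whether the ec-384 change in /etc/config/acme took effect.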
Article For Total Transparency
However:
The security of ECDSA depends on the elliptic curve discrete logarithm
problem (ECDLP), which is a difficult mathematical problem to solve.
This makes it practically impossible to figure out the private key from the public key;
as such, ECDSA is considered a very secure algorithm.