Trying Cloudflare DDNS on 21.02

Testing OpenWRT 21.02rc3 on one of my TP-link Archer C6v2 routers. Cloudflare rejects the DDNS update requests. Any pointers?

{"success":false,"errors":[{"code":6003,"message":"Invalid request headers","error_chain":[{"code":6102,"message":"Invalid format for X-Auth-Email header"},{"code":6103,"message":"Invalid format for X-Auth-Key header"}]}],"messages":[],"result":null}


Hi!
What authentication method do you try to use?

I would advise using the "new" API token method...

  • Login to your cloudflare account on the cloudflare website.
  • Go to your account settings (My profile?)
  • Go to "API-Tokens"
  • Click "Create Token"
  • Choose "Create a custom token"
  • Enter a name in the top field e.g. OpenWRT DynDNS
  • Select the following access rights:
    • Zone -> Zone -> Read
    • Zone -> DNS -> Edit
  • Under Zone Resources:
    • Include -> Specific Zone -> "your domain name"
  • Click "Continue to Summary"
  • Write/save this API Token (long string) somewhere

In OpenWRT DynDNS LUCI GUI:

  • Select the cloudflare-v4 script under DDNS script provider
  • Use Bearer as Username
  • Use the API Token (you noted down earlier) as your password
  • For domain use subdomain@domain.com or @domain.com
  • Setup everything else to your liking
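The same settings expressed as a section of /etc/config/ddns, for anyone configuring this over SSH instead of LuCI. This is an added example, not a config posted in the thread: the section name `myddns_ipv4` is the one that appears in the log output further down, the token value is a placeholder, and `lookup_host` and `dns_server` anticipate the fixes suggested later in the thread (look up the real hostname, and ask 1.1.1.1 rather than the router's own resolver).

```uci
config service 'myddns_ipv4'
	option enabled '1'
	# cloudflare.com-v4 is the ddns-scripts provider name for the v4 API
	option service_name 'cloudflare.com-v4'
	option use_https '1'
	option cacert '/etc/ssl/certs'
	# "Bearer" as username makes the script send the password as
	# "Authorization: Bearer <token>" instead of X-Auth-Email/X-Auth-Key
	option username 'Bearer'
	option password 'YOUR_API_TOKEN'   # placeholder: the scoped API token
	# record@zone: the part after @ is what the script looks up as the zone
	option domain 'boom@domain.tld'
	# the FQDN the script resolves to learn the currently registered IP
	option lookup_host 'boom.domain.tld'
	option dns_server '1.1.1.1'
	# take the public IP from the wan network (the default) rather than a raw device
	option ip_source 'network'
	option ip_network 'wan'
	option interface 'wan'
```

The token in `password` carries Zone:Read and DNS:Edit for that one zone, so treat /etc/config/ddns as a secret: it is root-readable only by default, and the ddns log masks the value as `***PW***`, but do not paste the file into a forum post with the token in it.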

Keep in mind that the current ddns only supports the global token.

Looks a bit better now. ...but still no update.

Changed the "Domain" from "DOMAIN.TLD" to "boom.DOMAIN.TLD".
Changed the "Username" from "boom" to "Bearer".

Used @shm0's step-by-step this time instead of...

Detect local IP on 'interface'
#> ip -o addr show dev eth0.2 scope global >/var/run/ddns/myddns_ipv4.dat 2>/var/run/ddns/myddns_ipv4.err
Local IP '87.NNN.NNN.206' detected on interface 'eth0.2'
Update needed - L: '87.NNN.NNN.206' <> R: '192.168.1.1'

parsing script '/usr/lib/ddns/update_cloudflare_com_v4.sh'
Found Username 'Bearer' using Password as Bearer Authorization Token

#> /usr/bin/curl -RsS -o /var/run/ddns/myddns_ipv4.dat --stderr /var/run/ddns/myddns_ipv4.err --capath /etc/ssl/certs --noproxy '*' --header 'Authorization: Bearer ***PW***'  --header 'Content-Type: application/json'  --request GET 'https://api.cloudflare.com/client/v4/zones?name=boom.DOMAIN.TLD'

  WARN : Could not detect 'zone id' for domain.tld: 'boom.DOMAIN.TLD'
 ERROR : No update send to DDNS Provider

This is not correct.

try boom@domain.tld in the Domain field.
and boom.domain.tld in the Lookup Hostname field.

There is no need to edit anything, it just works out of the box now.
You have to use Bearer as username, this tells the script to use custom token authentication.

Changed the "Domain" from "boom.DOMAIN.TLD" to "boom@DOMAIN.TLD".

Success.

Detect registered/public IP
#> /usr/bin/nslookup boom.DOMAIN.TLD  >/var/run/ddns/myddns_ipv4.dat 2>/var/run/ddns/myddns_ipv4.err
Registered IP '192.168.1.1' detected

   info : Starting main loop at YYYY-MM-DD HH:MM

Detect local IP on 'interface'
#> ip -o addr show dev eth0.2 scope global >/var/run/ddns/myddns_ipv4.dat 2>/var/run/ddns/myddns_ipv4.err
Local IP '87.NNN.NNN.206' detected on interface 'eth0.2'
Update needed - L: '87.NNN.NNN.206' <> R: '192.168.1.1'
parsing script '/usr/lib/ddns/update_cloudflare_com_v4.sh'
Found Username 'Bearer' using Password as Bearer Authorization Token

#> /usr/bin/curl -RsS -o /var/run/ddns/myddns_ipv4.dat --stderr /var/run/ddns/myddns_ipv4.err --capath /etc/ssl/certs --noproxy '*' --header 'Authorization: Bearer ***PW***'  --header 'Content-Type: application/json'  --request GET 'https://api.cloudflare.com/client/v4/zones?name=DOMAIN.TLD'

#> /usr/bin/curl -RsS -o /var/run/ddns/myddns_ipv4.dat --stderr /var/run/ddns/myddns_ipv4.err --capath /etc/ssl/certs --noproxy '*' --header 'Authorization: Bearer ***PW***'  --header 'Content-Type: application/json'  --request GET 'https://api.cloudflare.com/client/v4/zones/nnnnnnnnnnnnnnnnnnnnnnnnnnnnnnnn/dns_records?name=boom.DOMAIN.TLD&type=A'
IPv4 at CloudFlare.com already up to date

   info : Update successful - IP '87.NNN.NNN.206' send
   info : Forced update successful - IP: '87.NNN.NNN.206' send

The Registered IP on the DDNS page is still "192.168.1.1". Weird.

It should show the correct IP on the next check/reload.
Seems to be a small bug.

Boom still shows 192.168.1.1 on the DDNS summary page. ...and sends update to Cloudflare every time.

When you do an nslookup/ping on the router for boom.domain.tld, does it return 192.168.1.1?

If yes:
Try to set a different DNS Server (e.g. 1.1.1.1) under the advanced setting for this domain.

Changed the DNS setting in the advanced section to "1.1.1.1".

Now the DDNS page says "104.NNN.NNN.10172.NNN.NNN.138", which is probably two IP numbers: "104.NNN.NNN.10" and "172.NNN.NNN.138".

Could those IP addresses refer to Cloudflare's protection somehow?

Do you have Cloudflare's proxy service enabled?

Clicking the link "Pause Cloudflare on Site" opens up a window with the text:

Pause Website

Are you sure you want to pause DOMAIN.TLD?

Pausing Cloudflare stops traffic from passing through our network, making your origin server IP address visible. Also, Cloudflare’s security and protection features become disabled. As an alternative, consider Development Mode to bypass caching while preserving security and protection.

Well...
Maybe there is some script around to query the registered IP via the Cloudflare API... I don't know...
But you can also create a new subdomain, checkip.domain.tld as CNAME for boom.domain.tld and only disable the proxy for checkip.domain.tld.
And use checkip.domain.tld as look up domain in the OpenWRT's dyndns config...
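Two things in this thread lend themselves to a small script: the `record@zone` convention for the Domain field (with `boom.DOMAIN.TLD` the script asked Cloudflare for a zone named `boom.DOMAIN.TLD`, got an empty result and logged "Could not detect 'zone id'"), and the idea just raised of reading the registered IP from the Cloudflare API instead of resolving the name, which is the only way to see the origin address once the record is proxied. The script below is an added example, not ddns-scripts' own `update_cloudflare_com_v4.sh`; it makes the same two GETs the log shows, then reads the record's `content`. The JSON responses embedded in it are constructed samples (including the zone id and the TEST-NET address), and the `CF_TOKEN` / `CF_DOMAIN` variable names are this example's, not the package's.

```sh
#!/bin/sh
# Added example (not part of ddns-scripts). Runs on BusyBox ash: no jq, only
# parameter expansion, so it can be pasted onto an OpenWrt router.

# Split the ddns "Domain" field the way the Cloudflare v4 script expects it:
#   boom@domain.tld -> zone domain.tld, record boom.domain.tld
#   @domain.tld     -> zone domain.tld, record domain.tld (apex)
# A bare "boom.domain.tld" has no '@', so the whole string would be treated as
# the zone name and the zone lookup returns nothing.
split_domain() {
    case "$1" in
        *@*) ;;
        *) echo "domain field must be record@zone, got '$1'" >&2; return 1 ;;
    esac
    zone=${1#*@}
    sub=${1%@*}
    if [ -n "$sub" ]; then record="$sub.$zone"; else record="$zone"; fi
    printf '%s %s\n' "$zone" "$record"
}

# First string value of "key":"..." in a JSON text ($1 = key, $2 = JSON).
# Takes the FIRST match, so for a zones response we get the zone id, not the
# nested account id that follows it. Returns 1 when the key is absent, which is
# exactly the empty-result case ("result":[]) when no zone matched the name.
json_first_value() {
    key="\"$1\":\""
    case "$2" in
        *"$key"*) ;;
        *) return 1 ;;
    esac
    rest=${2#*"$key"}
    printf '%s\n' "${rest%%\"*}"
}

# Authenticated GET against the v4 API with a scoped API token (assumed to be in
# CF_TOKEN). Same headers the ddns log shows for username "Bearer".
cf_get() {
    curl -sS --capath /etc/ssl/certs \
        --header "Authorization: Bearer $CF_TOKEN" \
        --header 'Content-Type: application/json' \
        --request GET "https://api.cloudflare.com/client/v4/$1"
}

# Registered IP as Cloudflare stores it, independent of the orange cloud:
# zones?name=<zone> -> zone id, then dns_records?name=<record>&type=A -> content.
registered_ip() {
    pair=$(split_domain "$1") || return 1
    zone=${pair% *}
    record=${pair#* }
    zone_id=$(json_first_value id "$(cf_get "zones?name=$zone")") \
        || { echo "Could not detect zone id for zone '$zone'" >&2; return 1; }
    json_first_value content "$(cf_get "zones/$zone_id/dns_records?name=$record&type=A")"
}

# Constructed sample responses (shape follows the v4 API, values are made up;
# 203.0.113.0/24 is a documentation range).
SAMPLE_ZONES='{"result":[{"id":"023e105f4ecef8ad9ca31a8372d0c353","name":"domain.tld","status":"active","account":{"id":"01a7362d577a6c3019a474fd6f485823","name":"Example"}}],"success":true,"errors":[],"messages":[]}'
SAMPLE_NO_ZONE='{"result":[],"success":true,"errors":[],"messages":[],"result_info":{"count":0}}'
SAMPLE_RECORDS='{"result":[{"id":"372e67954025e0ba6aaa6d586b9e0b59","type":"A","name":"boom.domain.tld","content":"203.0.113.206","proxied":true,"ttl":1}],"success":true,"errors":[],"messages":[]}'

# Offline walk-through on the samples.
echo "domain field boom@domain.tld -> $(split_domain boom@domain.tld)"
echo "zone id: $(json_first_value id "$SAMPLE_ZONES")"
json_first_value id "$SAMPLE_NO_ZONE" >/dev/null \
    || echo "empty zone result: this is the 'Could not detect zone id' case"
echo "registered IP from record content: $(json_first_value content "$SAMPLE_RECORDS")"

# Live path, only when a token is supplied in the environment.
if [ -n "${CF_TOKEN:-}" ]; then
    registered_ip "${CF_DOMAIN:-boom@domain.tld}"
fi
```

Run it as `CF_TOKEN=... CF_DOMAIN=boom@domain.tld sh cf-registered-ip.sh` to compare the record content with the DDNS page's "Registered IP"; with the record proxied, nslookup returns Cloudflare edge addresses (the two 104.x / 172.x values seen above) while the API returns the origin IP. The lookup needs only Zone:Read plus DNS:Edit on that one zone, which is the token scope already recommended in this thread; a token can be checked before use with `GET https://api.cloudflare.com/client/v4/user/tokens/verify` using the same Authorization header.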

The protection seems to be activated for the entire domain. There is that possibility to pause the Cloudflare protection and if I do that then the correct IP is shown on the DDNS page.

Strange...
I can toggle the proxy/protection for each domain/subdomain in my interface.

Also, when you use the proxy/protection, you can only use http/https ports on your server.

You are right. There is a Proxy status toggle for each host. It just never occurred to me to connect the word "proxy" to the Cloudflare protection.

Added a new CNAME for "vpn.DOMAIN.TLD" that points to "boom.DOMAIN.TLD" and removed the Cloudflare protection of it with the Proxy status toggle.

Reset "IP address source"
...from "Interface" / " eth0.2"
...to "Network" / "wan" (the default setting)

Both options seem to work.

The router LOGIN is set to be available only from the Local network interface. When I have the VPN ready that will allow changing the router settings through the virtual private network encrypted channel.

So I guess I can leave the LOGIN unprotected by Cloudflare.
