DDNS, OpenVPN, and Hurricane Electric

bgvaughan

Occasional Visitor
I've been trying to get OpenVPN working, and I've run into a few issues. One is that there seems to be an interaction between DDNS and OpenVPN, and DDNS doesn't quite work for my configuration. I hope what I describe below is clear, as I'm describing an interaction between different problems.

I've been using Hurricane Electric's free DNS service, which now allows DDNS. The menu for DDNS on the RT-N66U includes a listing for www.tunnelbroker.net, which is the domain name for a different, related service offered by Hurricane Electric. Despite entering the correct information, DDNS fails to update. Note that the log shows that ddns tried to contact ipv4.tunnelbroker.net:
Sep 21 17:57:48 notify_rc : restart_ddns
Sep 21 17:57:48 ddns: clear ddns cache file for server setting change
Sep 21 17:57:48 ddns update: connected to ipv4.tunnelbroker.net (64.62.200.2) on port 80.
Sep 21 17:57:48 ddns update: bad request: Invalid API key or password

However, from Hurricane Electric's instructions, the host for DDNS is dyn.dns.he.net, which resolves to 184.105.242.3 and 2001:470:0:193::3000.

I normally use a script in /etc/cron.daily to update Hurricane Electric's dynamic DNS service, and the domain name I use for my router correctly resolves, as I can confirm with my ISP's DNS, and with public DNS, such as Google's at 8.8.8.8.

Despite failing to connect to Hurricane Electric's service, the Network Map page for the RT-N66U shows my domain name when I have DDNS enabled on the WAN - DDNS page, and a link to that page when it is disabled.

When configuring OpenVPN, I found that, on a client device:
If I entered the domain name for my router, and DDNS was disabled on my router, the client would quickly fail to connect;
If I entered the domain name for my router, and DDNS was enabled on my router, the client would begin negotiations, and fail to connect after about a minute;
If I entered the current IP address for my router, the client would begin negotiations, and fail to connect after about a minute.

This was puzzling because, on the one hand, DDNS on the router was failing to connect to Hurricane Electric's DDNS server; and on the other hand, my router's domain name was resolvable.

The instructions for Hurricane Electric's dynamic DNS can be read at https://dns.he.net/ (but only if you're not logged in to your HE account, confusingly). Here's an excerpt:
Here are a few examples to get you started
http://[your domain name]:[your password]@dyn.dns.he.net/nic/update?hostname=[your domain name]

Autodetect my IPv4/IPv6 address:
% curl -4 "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com"
% curl -6 "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com"

Specify my IPv4/IPv6 address:
% curl "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com&myip=192.168.0.1"
% curl "http://dyn.example.com:password@dyn.dns.he.net/nic/update?hostname=dyn.example.com&myip=2001:db8:beef:cafe::1"


Here are a couple more examples that allow sending the password in the URL

Note: The username is also the hostname. The password is sent using 'password='. This skips HTTP basic auth.

Authentication and Updating using GET
% curl "https://dyn.dns.he.net/nic/update?hostname=dyn.example.com&password=password&myip=192.168.0.1"
% curl "https://dyn.dns.he.net/nic/update?hostname=dyn.example.com&password=password&myip=2001:db8:beef:cafe::1"

Authentication and Updating using a POST
% curl "https://dyn.dns.he.net/nic/update" -d "hostname=dyn.example.com" -d "password=password" -d "myip=192.168.0.1"
% curl "https://dyn.dns.he.net/nic/update" -d "hostname=dyn.example.com" -d "password=password" -d "myip=2001:db8:beef:cafe::1"
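
An HTTPS variant of the kind of cron updater mentioned in the post above, added here as an example (not the poster's script and not Hurricane Electric's code): it sends the POST form shown in the excerpt while keeping the key out of the URL and off curl's command line. The function names, the key-file argument and the dyndns2-style reply words (good, nochg, badauth) are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): update dyn.dns.he.net over HTTPS POST
# without putting the DDNS key in a URL or on curl's command line.
# Assumed names: function names, key-file argument, dyndns2-style reply words.
HE_URL="https://dyn.dns.he.net/nic/update"   # POST endpoint from the excerpt

valid_hostname() {   # letters, digits, dots, hyphens only: nothing that can break the config
    case "$1" in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
}

key_file_private() {   # regular file with no group/other permission bits
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

cfg_escape() {   # escape backslash and double quote for a quoted curl config value
    printf '%s' "$1" | sed 's/\\/\\\\/g; s/"/\\"/g'
}

build_curl_config() {   # $1 = hostname, $2 = key; prints config for `curl -K -`
    printf 'url = "%s"\n' "$HE_URL"
    printf 'data-urlencode = "hostname=%s"\n' "$1"
    printf 'data-urlencode = "password=%s"\n' "$(cfg_escape "$2")"
}

classify_reply() {   # assumed dyndns2-style replies: good/nochg = ok, badauth = bad key
    case "$1" in
        good*|nochg*) return 0 ;;
        badauth*)     return 2 ;;
        *)            return 1 ;;
    esac
}

update_he() {   # $1 = hostname, $2 = path to key file (first line is the key)
    valid_hostname "$1" || { echo "bad hostname" >&2; return 64; }
    key_file_private "$2" || { echo "key file is group/other accessible" >&2; return 77; }
    IFS= read -r key < "$2" || [ -n "$key" ] || return 66
    # The config travels on stdin, so the key never appears in the process list.
    reply=$(build_curl_config "$1" "$key" |
        curl --silent --show-error --fail --proto '=https' --max-time 30 -K -) || return 69
    classify_reply "$reply"
}

# Run only when called with exactly: HOSTNAME KEYFILE
if [ "$#" -eq 2 ]; then update_he "$1" "$2"; fi
```
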
 
Since posting the above, I found that with PPTP, using the domain name on the client fails to connect, but using the IP address succeeds in connecting. This is a change from before I installed 3.0.0.4.220.17.

Also, the same pattern occurs, whether the client is already connected to the LAN, or not.
 
I don't see any relationship here between DDNS failing to update and PPTP/OpenVPN. You will have to resolve the DDNS issues before you can use that host as target for your VPN clients.

The tunnelbroker feature of DDNS is for updating an IPv6 tunnel endpoint, not to use as an actual dyndns from what I see in the code (that feature was implemented by Asus). It connects with ipv4.tunnelbroker.net.
 
It looks like I had some intermittent glitch resolving my domain name, which had nothing really to do with the firmware. It may have had to do with some tweaking I'd done with my zone file, taking time to migrate to other name servers.

It's weird how Asus set up the tunnelbroker.net entry, if it's for a special purpose. I still can't get that to work. However, the script I was already using to dynamically update he.net's DNS works fine, and I was clearly wrong that OpenVPN is dependent upon the router's DDNS config.

Incidentally, so far, I've connected to the OpenVPN server with my Android phone, which is running Cyanogenmod 7.2. I just had to figure out how to export the certs and key as a PKCS12 certificate, and on the router, to set compression to enabled, rather than to automatic.
 
