openvpn dhcp to bind9

Filipes
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 14, 2020 10:20 am

openvpn dhcp to bind9

Post by Filipes » Fri Feb 14, 2020 10:26 am

Hi community,
I can't figure out how to make the DHCP range from OpenVPN clients write to my BIND DNS server (some kind of DDNS). I can ping OpenVPN clients from my internal network only via IP address, not by name.
I allowed the OpenVPN DHCP range in acl internals on my BIND server, but this did not help. Is there any how-to on rewriting the config so that the OpenVPN DHCP addresses of clients are put into my bind9 entries?
Thank you for any help.

TiTex
OpenVPN Super User
Posts: 315
Joined: Tue Apr 12, 2011 6:22 am

Re: openvpn dhcp to bind9

Post by TiTex » Fri Feb 14, 2020 4:37 pm

you can use a client connect script with nsupdate

Filipes
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 14, 2020 10:20 am

Re: openvpn dhcp to bind9

Post by Filipes » Mon Feb 17, 2020 5:53 am

Hello thank you for reply.
Could you tell me more about it, or show some configuration or how-to?
Thank you.

TiTex
OpenVPN Super User
Posts: 315
Joined: Tue Apr 12, 2011 6:22 am

Re: openvpn dhcp to bind9

Post by TiTex » Tue Feb 18, 2020 4:43 pm

Hi, I don't have a configuration example, but it would be basic shell scripting.
Some high-level info... you need to
1. Configure your VPN server with something like


script-security 2
learn-address /path/to/executable-script
Note: not sure here if you should use the learn-address config option, there are other options too ... you'll have to ask somebody else about that.

2. Configure your bind/named server to allow DDNS for the zone you want; here's an excellent guide for Ubuntu/Debian: https://dnns.no/dynamic-dns-with-bind-and-nsupdate.html

When a client connects to your VPN server, three positional parameters are sent to your script:
add client-vpn-ip client-username/client-cert-common-name
This can be parsed with any scripting/programming language, bash probably being the simplest, and then use nsupdate to update your DNS zone.

Some basic starting point


#!/bin/bash
# learn-address passes three positional parameters:
#   $1 = add | update | delete, $2 = client VPN IP, $3 = common name (not passed on delete)

DNS_SERVER="localhost"
DDNS_KEY="/path/to/ddns.key"
DNS_ZONE="domain.tld"
DNS_OP="$1"
DNS_IP="$2"
DNS_NAME="$3"
DNS_TTL="300"

# a delete carries no name, so it would otherwise produce an update for an empty name
[ "${DNS_OP}" = "delete" ] && exit 0

# nsupdate reads its commands from stdin when no file is given;
# the delete first clears a stale A record left from a previous address
nsupdate -k "${DDNS_KEY}" -v <<EOF
server ${DNS_SERVER}
zone ${DNS_ZONE}
update delete ${DNS_NAME}.${DNS_ZONE} A
update add ${DNS_NAME}.${DNS_ZONE} ${DNS_TTL} A ${DNS_IP}
show
send
EOF
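As an added example (not code from the thread), here is a learn-address hook that validates the address and common name before they reach nsupdate and remembers which name belongs to which address, so that the delete operation, which OpenVPN calls without a common name, can remove both the A and the PTR record. The server, key path, zones and state directory are assumed placeholders.

```sh
#!/bin/sh
# Added example, not the thread's code: a learn-address hook that validates its
# arguments before they reach nsupdate and records ip -> name, so that "delete"
# (which OpenVPN calls with no common name) can remove both the A and PTR records.
# Server, key path, zones and state directory below are assumed placeholders.
DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
DDNS_KEY="${DDNS_KEY:-/etc/openvpn/ddns.key}"
FWD_ZONE="${FWD_ZONE:-vpn.example.com}"
REV_ZONE="${REV_ZONE:-8.10.in-addr.arpa}"
STATE_DIR="${STATE_DIR:-/var/lib/openvpn/ddns}"
TTL=300

valid_ipv4() { printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
# one DNS label: letters, digits, hyphen; no dots, so a CN cannot escape the zone
valid_label() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$'; }
reverse_name() { printf '%s' "$1" | awk -F. '{print $4"."$3"."$2"."$1".in-addr.arpa."}'; }

# Print the nsupdate input for one operation (forward batch, then reverse batch).
# Returns 1 and prints nothing if the address or name fails validation.
nsupdate_batch() {
  op="$1"; ip="$2"; name="$3"
  valid_ipv4 "$ip" || return 1
  valid_label "$name" || return 1
  fqdn="$name.$FWD_ZONE."; rev=$(reverse_name "$ip")
  printf 'server %s\nzone %s\nupdate delete %s A\n' "$DNS_SERVER" "$FWD_ZONE" "$fqdn"
  [ "$op" != delete ] && printf 'update add %s %s A %s\n' "$fqdn" "$TTL" "$ip"
  printf 'send\nserver %s\nzone %s\nupdate delete %s PTR\n' "$DNS_SERVER" "$REV_ZONE" "$rev"
  [ "$op" != delete ] && printf 'update add %s %s PTR %s\n' "$rev" "$TTL" "$fqdn"
  printf 'send\n'
}

main() {
  op="$1"; ip="$2"; cn="$3"
  mkdir -p "$STATE_DIR"
  case "$op" in
    add|update)
      # OpenVPN already restricts CN characters; map anything else to '-' anyway
      name=$(printf '%s' "$cn" | tr -c 'A-Za-z0-9-' '-')
      printf '%s' "$name" > "$STATE_DIR/$ip" ;;
    delete)
      name=$(cat "$STATE_DIR/$ip" 2>/dev/null) || exit 0   # nothing registered
      rm -f "$STATE_DIR/$ip" ;;
    *) echo "usage: $0 add|update|delete ip [cn]" >&2; exit 1 ;;
  esac
  nsupdate_batch "$op" "$ip" "$name" | nsupdate -k "$DDNS_KEY"
}

if [ $# -gt 0 ]; then main "$@"; fi
```

On the BIND side, give the TSIG key only what this hook needs (an update-policy limited to A and PTR records in these two zones) rather than an allow-update for the whole zone, so a compromised VPN host cannot rewrite other names.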

Filipes
OpenVpn Newbie
Posts: 3
Joined: Fri Feb 14, 2020 10:20 am

Re: openvpn dhcp to bind9

Post by Filipes » Fri Feb 21, 2020 10:05 am

Hello,
Thank you for pointing me to the how-to. I found this script on GitHub; I think it is similar.


-- openvpn config
# required before OpenVPN will execute any external script
script-security 2
client-connect "/etc/openvpn/update-dns add"
client-disconnect "/etc/openvpn/update-dns remove"


-- /etc/openvpn/update-dns
#!/bin/sh

#Debugging
#echo $* >> /tmp/dnsupd.txt
#env >> /tmp/dnsupd.txt

DNSSERVER="10.0.0.1"            ## your DNS server
FWDZONE="lan.example.com"       ## forward resolution zone (ie. vpn.company.com)
REVZONE="0.0.10.in-addr.arpa" ## reverse resolution zone (ie. "1.0.0.in-addr.arpa")
NSUOPTS=""                        ## extra arguments for nsupdate (ie. "-k /path/to/key")
SUBDOM=".routers"

#DEBUG=y

if [ -n "$DEBUG" ] ; then
  NSUOPTS="$NSUOPTS -d"
  set -x
fi

reverseRecord() {
  echo $1 | sed -re 's/^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$/\4.\3.\2.\1.in-addr.arpa./'
}

addRecord() {
  local ADDRESS="$1"
  local CN="$2"
  local TEMPFILE=$(mktemp /tmp/nsupdate.XXXXXX)
  local REVERSE=$(reverseRecord $ADDRESS)

  cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $FWDZONE
update delete ${CN} A
update delete ${CN} TXT
update add ${CN} 300 A $ADDRESS
update add ${CN} 300 TXT $KEY
send
EOF
  if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
  nsupdate $NSUOPTS $TEMPFILE
  cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $REVZONE
update delete $REVERSE PTR
update delete $REVERSE TXT
update add $REVERSE 300 PTR $CN.
update add $REVERSE 300 TXT $KEY
send
EOF
  if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
  nsupdate $NSUOPTS $TEMPFILE
  rm -f $TEMPFILE
}

removeRecord() {
  local ADDRESS="$1"
  local CN="$2"
  local TEMPFILE=$(mktemp /tmp/nsupdate.XXXXXX)
  local REVERSE=$(reverseRecord $ADDRESS)

  # prereq: only remove the records if the TXT still carries this session's
  # timestamp, so a late disconnect cannot wipe a newer session's record
  cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $FWDZONE
prereq yxrrset ${CN}. TXT $KEY
update delete ${CN}. A
update delete ${CN}. TXT
send
EOF
  if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
  nsupdate $NSUOPTS $TEMPFILE
  cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $REVZONE
prereq yxrrset $REVERSE TXT $KEY
update delete $REVERSE PTR
update delete $REVERSE TXT
send
EOF
  if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
  nsupdate $NSUOPTS $TEMPFILE
  rm -f $TEMPFILE
}

# unused helper: looks up the name currently registered for an address via its PTR record
getCN() {
  local IPADDR=$1
  local FULLNAME=$(dig +noadditional +noqr +noquestion +nocmd +noauthority +nostats +nocomments -x ${IPADDR} | gawk '{print $5}')
  if [ -n "$FULLNAME" ] ; then
    echo $FULLNAME | sed -re 's/\.$//'
    return 0
  else
    return 1
  fi
}

# these variables are exported by OpenVPN into the client-connect/client-disconnect environment
OPERATION=$1
ADDRESS=$ifconfig_pool_remote_ip
CN=$common_name
KEY=$time_unix   # connect timestamp, stored in a TXT record to tie the DNS entry to this session

REVERSE=$(reverseRecord $ADDRESS)

case "$OPERATION" in
  add|update)
    addRecord "$ADDRESS" "$CN$SUBDOM.$FWDZONE"
    ;;
  delete|remove)
    removeRecord "$ADDRESS" "$CN$SUBDOM.$FWDZONE"
    ;;
  *)
    echo "ERROR: don't know operation \"$OPERATION\"."
    exit 1
esac
