Hi community,
I can't figure out how to make the DHCP range from OpenVPN clients write to my BIND DNS server (some kind of DDNS). I can ping OpenVPN clients from my internal network only via IP address, not by name.
I allowed the OpenVPN DHCP range in the internals ACL on my BIND server, but this did not help. Is there any how-to or config rewrite which puts the OpenVPN DHCP addresses of clients into my BIND9 entries?
Thank you for any help.
openvpn dhcp to bind9
-
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: openvpn dhcp to bind9
you can use a client connect script with nsupdate
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Feb 14, 2020 10:20 am
Re: openvpn dhcp to bind9
Hello thank you for reply.
Could you tell me more about it, or show some configuration or how-to?
Thank you.
-
- OpenVPN Super User
- Posts: 310
- Joined: Tue Apr 12, 2011 6:22 am
Re: openvpn dhcp to bind9
Hi , i don't have a configuration example but it would be basic shell scripting.
Some high level info... you need to
1. Configure your vpn server with something like
Code: Select all
script-security 2
learn-address /path/to/executable-script
Note: not sure here if you should use the learn-address config option, there are other options too ... you'll have to ask somebody else about that.
2. Configure your bind/named server to allow ddns for the zone you want , here's an excellent guide for ubuntu/debian https://dnns.no/dynamic-dns-with-bind-and-nsupdate.html
When a client connects to your vpn server , three positional parameters are sent to your script
add client-vpn-ip client-username/client-cert-common-name
this can be parsed with any scripting/programming language , bash probably being the simpler one , and use nsupdate to update your dns zone
Some basic starting point
Code: Select all
#!/bin/bash
# learn-address handler, invoked by OpenVPN as:
#   <script> add|update|delete <client-vpn-ip> [<common-name>]
DNS_SERVER="localhost"
DDNS_KEY="/path/to/ddns.key"
DNS_ZONE="domain.tld"
DNS_OP="$1"
DNS_IP="$2"
DNS_NAME="$3"
DNS_TTL="300"
# Only add/update carry the common name; a "delete" event passes just the address,
# so there is nothing to look up and the record is simply replaced at the next add.
case "${DNS_OP}" in
    add|update) ;;
    *) exit 0 ;;
esac
# nsupdate reads its commands from stdin; -k signs the update with the TSIG key
nsupdate -k "${DDNS_KEY}" -v <<EOF
server ${DNS_SERVER}
zone ${DNS_ZONE}
update add ${DNS_NAME}.${DNS_ZONE} ${DNS_TTL} A ${DNS_IP}
show
send
EOF
-
- OpenVpn Newbie
- Posts: 3
- Joined: Fri Feb 14, 2020 10:20 am
Re: openvpn dhcp to bind9
Hello,
Thank you for pointing me to the how-to. I found this script on GitHub; I think it is similar.
Code: Select all
-- openvpn config
client-connect "/etc/openvpn/update-dns add"
client-disconnect "/etc/openvpn/update-dns remove"
-- /etc/openvpn/update-dns
#!/bin/sh
# Invoked by OpenVPN as "update-dns add" (client-connect) or "update-dns remove"
# (client-disconnect). The client's address and certificate common name are taken
# from the environment OpenVPN exports (ifconfig_pool_remote_ip, common_name,
# time_unix), not from the command line.
#Debugging
#echo $* >> /tmp/dnsupd.txt
#env >> /tmp/dnsupd.txt
DNSSERVER="10.0.0.1" ## your DNS server
FWDZONE="lan.example.com" ## forward resolution zone (ie. vpn.company.com)
REVZONE="0.0.10.in-addr.arpa" ## reverse resolution zone (ie. "1.0.0.in-addr.arpa")
NSUOPTS="" ## extra arguments for nsupdate (ie. "-k /path/to/key")
SUBDOM=".routers" ## client names are written below this label of FWDZONE
#DEBUG=y
if [ -n "$DEBUG" ] ; then
    NSUOPTS="$NSUOPTS -d"
    set -x
fi
# 10.0.0.5 -> 5.0.0.10.in-addr.arpa.
reverseRecord() {
    echo $1 | sed -re 's/^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$/\4.\3.\2.\1.in-addr.arpa./'
}
# Replace the client's A and PTR records and tag each with a TXT record holding
# the session marker ($KEY), so that removal can be made conditional on it.
addRecord() {
    local ADDRESS="$1"
    local CN="$2"
    local TEMPFILE=$(mktemp /tmp/nsupdate.XXXXXX)
    local REVERSE=$(reverseRecord $ADDRESS)
    cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $FWDZONE
update delete ${CN} A
update delete ${CN} TXT
update add ${CN} 300 A $ADDRESS
update add ${CN} 300 TXT $KEY
send
EOF
    if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
    nsupdate $NSUOPTS $TEMPFILE
    cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $REVZONE
update delete $REVERSE PTR
update delete $REVERSE TXT
update add $REVERSE 300 PTR $CN.
update add $REVERSE 300 TXT $KEY
send
EOF
    if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
    nsupdate $NSUOPTS $TEMPFILE
    rm -f $TEMPFILE
}
# Delete only if the TXT marker still equals this session's $KEY (prereq yxrrset);
# a late disconnect from an old session then cannot remove a newer client's record.
removeRecord() {
    local ADDRESS="$1"
    local CN="$2"
    local TEMPFILE=$(mktemp /tmp/nsupdate.XXXXXX)
    local REVERSE=$(reverseRecord $ADDRESS)
    cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $FWDZONE
prereq yxrrset ${CN}. TXT $KEY
update delete ${CN}. A
send
EOF
    if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
    nsupdate $NSUOPTS $TEMPFILE
    cat >$TEMPFILE <<EOF
server $DNSSERVER
zone $REVZONE
prereq yxrrset $REVERSE TXT $KEY
update delete $REVERSE PTR
send
EOF
    if [ -n "$DEBUG" ] ; then cat $TEMPFILE; fi
    nsupdate $NSUOPTS $TEMPFILE
    rm -f $TEMPFILE
}
# Reverse lookup of an address to its name (not used by the main flow below; needs gawk).
getCN() {
    local IPADDR=$1
    local FULLNAME=$(dig +noadditional +noqr +noquestion +nocmd +noauthority +nostats +nocomments -x ${IPADDR} | gawk '{print $5}')
    if [ -n "$FULLNAME" ] ; then
        echo $FULLNAME | sed -re 's/\.$//'
        return 0
    else
        return 1
    fi
}
OPERATION=$1
ADDRESS=$ifconfig_pool_remote_ip
CN=$common_name
KEY=$time_unix ## connection timestamp, used as the per-session marker
REVERSE=$(reverseRecord $ADDRESS)
case "$OPERATION" in
    add|update)
        addRecord "$ADDRESS" "$CN$SUBDOM.$FWDZONE"
        ;;
    delete|remove)
        removeRecord "$ADDRESS" "$CN$SUBDOM.$FWDZONE"
        ;;
    *)
        echo "ERROR: don't know operation \"$OPERATION\"."
        exit 1
esac
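Both scripts in this thread (the learn-address starting point and the client-connect/client-disconnect script from GitHub) pass the certificate common name straight into nsupdate. The following is an added example, not code from this thread or from the GitHub script: a learn-address handler that validates the address and the CN first, remembers which name it wrote so that "delete" events (which carry no CN) can clean up, plus the BIND side that scopes the update key to the VPN subtree. The zone names (example.com with clients under vpn.example.com), the 10.8.0.0/24 pool, the key name vpn-ddns and file /etc/openvpn/ddns.key (as produced by BIND's tsig-keygen), and the state directory /var/lib/openvpn-ddns are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the thread or the GitHub script quoted in it.
# learn-address handler that validates the client address and certificate CN
# before they reach nsupdate, and records the name it wrote so "delete" events
# (which carry no CN) can clean up. Assumed: zone example.com with clients under
# vpn.example.com, pool 10.8.0.0/24 (reverse zone 0.8.10.in-addr.arpa), TSIG key
# "vpn-ddns" from "tsig-keygen vpn-ddns" saved as /etc/openvpn/ddns.key.
#
# openvpn server config:
#   script-security 2
#   learn-address /etc/openvpn/learn-address.sh
#
# named.conf: the key may write only inside the VPN subtree, not the whole zone
#   key "vpn-ddns" { algorithm hmac-sha256; secret "<from tsig-keygen>"; };
#   zone "example.com" { type master; file "example.com.db";
#       update-policy { grant vpn-ddns subdomain vpn.example.com. A; }; };
#   zone "0.8.10.in-addr.arpa" { type master; file "0.8.10.db";
#       update-policy { grant vpn-ddns subdomain 0.8.10.in-addr.arpa. PTR; }; };
set -eu

DNS_SERVER="${DNS_SERVER:-127.0.0.1}"
DDNS_KEY="${DDNS_KEY:-/etc/openvpn/ddns.key}"
STATE_DIR="${STATE_DIR:-/var/lib/openvpn-ddns}"   # assumed location
FWD_ZONE="example.com"
VPN_SUB="vpn"                    # records are written as <cn>.vpn.example.com
REV_ZONE="0.8.10.in-addr.arpa"   # reverse zone of the 10.8.0.0/24 pool
TTL=300

# The CN comes from a client certificate, so treat it as untrusted: accept a single
# RFC 1123 label only, so "www" or "ns1.example.com" cannot name a record elsewhere.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ] || return 1
}

# Accept only a well-formed dotted quad that lies inside the VPN pool.
valid_pool_ip() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    [ $# -eq 4 ] || return 1
    for _o in "$@"; do [ "$_o" -le 255 ] || return 1; done
    case "$1.$2.$3" in 10.8.0) return 0 ;; esac
    return 1
}

# 10.8.0.6 -> 6.0.8.10.in-addr.arpa
reverse_name() {
    _oldifs=$IFS; IFS=.; set -- $1; IFS=$_oldifs
    echo "$4.$3.$2.$1.in-addr.arpa"
}

# Print the nsupdate commands for one event: build_update add|delete <ip> <fqdn>
# A and PTR are replaced (delete, then add) as two signed messages in one run.
build_update() {
    _rev=$(reverse_name "$2")
    printf 'server %s\nzone %s\nupdate delete %s. A\n' "$DNS_SERVER" "$FWD_ZONE" "$3"
    if [ "$1" = add ]; then
        printf 'update add %s. %s A %s\n' "$3" "$TTL" "$2"
    fi
    printf 'send\nserver %s\nzone %s\nupdate delete %s. PTR\n' "$DNS_SERVER" "$REV_ZONE" "$_rev"
    if [ "$1" = add ]; then
        printf 'update add %s. %s PTR %s.\n' "$_rev" "$TTL" "$3"
    fi
    printf 'send\n'
}

# Send the commands on stdin as a TSIG-signed update.
send_update() {
    nsupdate -k "$DDNS_KEY"
}

# handle_event add|update|delete <ip> [<cn>]   (the argument order learn-address uses)
handle_event() {
    _op="$1"; _ip="$2"; _cn="${3:-}"
    valid_pool_ip "$_ip" || { echo "learn-address: rejected address '$_ip'" >&2; return 1; }
    case "$_op" in
        add|update)
            valid_label "$_cn" || { echo "learn-address: rejected common name '$_cn'" >&2; return 1; }
            _fqdn="$(printf '%s' "$_cn" | tr 'A-Z' 'a-z').$VPN_SUB.$FWD_ZONE"
            mkdir -p "$STATE_DIR"
            printf '%s\n' "$_fqdn" > "$STATE_DIR/$_ip"
            build_update add "$_ip" "$_fqdn" | send_update
            ;;
        delete)
            # no CN is passed on delete; use the name recorded at add time
            [ -f "$STATE_DIR/$_ip" ] || return 0
            read -r _fqdn < "$STATE_DIR/$_ip"
            build_update delete "$_ip" "$_fqdn" | send_update
            rm -f "$STATE_DIR/$_ip"
            ;;
        *) echo "learn-address: unknown operation '$_op'" >&2; return 1 ;;
    esac
}

# OpenVPN runs: learn-address.sh add|update|delete <ip> [<cn>]
if [ $# -ge 2 ]; then
    handle_event "$@"
fi
```

Two points behind the design. First, the starting-point script above writes `${DNS_NAME}.${DNS_ZONE}` directly under the zone apex with a key that can update the whole zone, so a client whose certificate CN is `www` would rewrite `www.domain.tld`; the GitHub script's `$CN$SUBDOM.$FWDZONE` pattern confines names to a subtree, and the example follows that and additionally has BIND's `update-policy` confine the key itself, so even a leaked key cannot touch the rest of the zone. Second, an IP-based `allow-update` ACL of the kind the original post tried is not a safe substitute, because the source address of a UDP update can be forged, whereas a TSIG-signed update cannot. After a client connects, `dig @127.0.0.1 laptop-01.vpn.example.com` and `dig @127.0.0.1 -x 10.8.0.6` should return the new records.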