Problem: I'm going to be moving soon, and for a long time I've enjoyed the benefits of my provider giving me a free static IP. Where I'm moving, they don't even offer static IP's to residential customers. I prefer keeping my own domain name, and I see this come up here on occcassion and a fair bit on reddit without much explanation, so I figured I'd give it a go in conquoring this and pass along all the fun. I also really wanted to stick with swag for my certs, since I'm so used to it. This is going to be long as hell, I just want to warn you. It’s not hard just a little tedious.
What you’ll need (other than a basic understanding of OMV):
A Domain (I used namecheap.com in this example, but as long as you can change the nameservers, I think this will work with any registrar). Domains can be either super expensive, or super cheap depending on what you choose (as you’ll see in a second)
A free cloudflare account
Docker set up on OMV. I’m not going to cover setting up docker, but will go over setting up linuxserver/swag to get our cert. There's other options that honestly may be easier, but I'm so used to swag, I wanted to keep using it.
An unprivileged user on OMV. This user will also be used to execute the script to update our IP address on cloudflare.
Some very basic command line skills.
Purchasing a domain
Go to the registrar of your choice and purchase a domain. As mentioned I’m using namecheap.com for this. Just an example of pricing, if I was going to choose the domain “some-test”.. Honestly there are a ton more options, and it would take probably 6-7 pics to show them all, but you get the idea, prices can go up to several thousand dollars, down to just a few bucks. My current domain I got for an introductory price of $1.99, and it now runs me about $12/yr.
When you purchase the domain, you’ll see a myriad of add ons. In our case, we won’t need these and will just get our domain and the domain privacy (which is free.. this basically keeps folks from doing an ICANN lookup on your domain and seeing your name, address, etc.)
Ultimately, I chose the domain km0201-test.xyz. I wanted to mess w/ my personal domain as little as possible to test this before the move, so spending $2 on a domain was a no brainer. Once you’re done, log in to your namecheap account and click Domain lists… and you’ll see your domain there. For a short while it will say it’s “pending” under Status. Generally this shouldn’t take more than an hour or so, but they say it can take up to 24hrs. I’ve personally never had this take longer than 20min. Eventually it will go to Active under status.
Creating a cloudflare account and configuring the name servers with our domain
While we wait for our domain to go active, we will go over to https://www.cloudflare.com and create a free account. Leave your Namecheap panel open in another tab, as we'll be switching back and forth between the two as we set this up.
Once logged in, click on the icon in the upper right and click Home, then click Add a Site. Now at this point your domain will have to be active on Namecheap, so refresh your namecheap dashboard and see if it’s active. Hopefully it is, if it’s not, just give it time. Once it’s active, add your domain from namecheap.
After you add your domain, it will ask you to select a plan. Choose the free plan and choose continue
The next screen it will just ask you to review your DNS. We don't need to do anything here for the time being, , just click Continue
On the next screen it will tell you to replace your domain’s name servers with cloudflares name servers. They will look something like this (maybe not exactly).
Now, switch to your NameCheap Panel, Click Domain List and Select the Manage button next to your Domain
Near the bottom, change the Name Servers to Custom DNS and add the Cloudflare DNS servers and save. Again you'll get a message this may take up to 48hrs, but it rarely takes more than an hour for me.
Now go back to your cloudflare panel and click Continue.
You'll then be given this screen to do a "quick start" guide. We don't need that, just click Finish Later.
quick-start-click-finish-later.png
Finally on the next screen it will just tell you to review your nameservers on your domain (which we should have already changed) and click the check nameservers button.
Once you click that, you can click your Profile and then Home and it will show your domain there as Pending, eventually it will show as Active. Typically it doesn't take to long.
When it shows Active, Click your Domain, and click DNS on the left.
Here, we are going to add two records
1. A ---- yourdomain.url---your.public.ip (if you don’t know it, whatismyip.com, make sure you’re not behind a VPN when you do this). Also uncheck the proxy option (the little cloud should be grey).
Note: Sometimes this A record is already there. If it's there, you can edit as above, or just delete it and create a new one as most of the time the IP is wrong and the proxy is enabled.
2. CNAME--- www --- yourdomain.url and again uncheck the proxy option
When you’re done, it should look something like this
Now, we need to get our API token for our cloudflare setup.
Click your profile icon and click my Profile
Click API tokens on the left
Scroll down and click View Key next to Global API
Enter your password and complete the captcha’s.
Once your key is displayed, save it in a text file. We’ll need it later
Swag setup and deployment
If you’ve set up swag before, this isn’t going to be a big mystery. Assuming you’re using portainer, click on Stacks, and create a new stack. Name the stack (swag) and copy the docker-compose file below into the body (use the little icon in the upper right to make it easy to copy)
---
version: "2.1"
services:
swag:
image: ghcr.io/linuxserver/swag
container_name: swag
cap_add:
- NET_ADMIN
environment:
- PUID=1000 #ADJUST
- PGID=100 #ADJUST
- URL=your-domain.tld #ADJUST
- SUBDOMAINS=wildcard
- VALIDATION=dns
- DNSPLUGIN=cloudflare
- PROPAGATION=30
#- CERTPROVIDER=zerossl
- EMAIL=email@domain.com #ADJUST
volumes:
- /NAS/AppData/swag:/config #ADJUST
ports:
- 444:443
- 81:80
restart: unless-stoppedOnly the lines I’ve marked “#Adjust” need to be adjusted.
– Set the PUID/PGID for the user you created in OMV
– URL= is your domain
– Volume-- Absolute path to your swag config folder on the left of the colon
If you follow exactly what I put in that compose, you’ll need to forward port 81 to 80, and 444 to 443 for your server IP in your router(81/444 are internal, 80/443 are external)
Deploy the stack.
SSH your server and once it deploys you can watch the log at docker logs -f swag . It’s going to error out because we've got a bit more configuring to do.
In the command line, cd to your swag config folder and then the the dns-conf folder that is under it.
Should look something like cd /srv/some-uuid-/swag/dns-conf
Once there, do an ls and you’ll see several .ini files, one of which is called cloudflare.ini. We need to edit that one
nano cloudflare.ini
Once the file is open
dns.. email= that’s your clouudflare email
dns.. api= that’s the Global API key we copied earlier (we’ll need it again, don’t ditch it just yet).
Cntrl X, then Y, then Enter to save.
Back at your prompt, docker restart swag
Now watch your swag log again with docker logs -f swag . You should now get a cert. Most likely if you didn’t, you either messed up your port forwarding, you’ve still got your cloudflare domain behind a proxy (ie, the cloud is orange), your IP is wrong in your A record, or your API key/email is wrong in the cloudflare.ini. Assuming you get a cert, you should be able to navigate to https://www.your-domain.url and you should get the swag park page, and it’s secured with SSL (padlock by the URL) If you don't get a cert, just stop here and figure out the problem or post and ask questions. Proceeding isn't going to fix it.
Configuring a script to auto update our IP on cloudflare
Now, we get to really why I set off on this adventure, updating my IP automatically.
First we’ll need to start off as root in our server… so SSH your server and drop to your root account
cd /
mkdir scripts
cd scripts
touch update.sh
Now if you’re not comfortable with command line text editors (nano) Copy/paste the box below into a text file on your desktop (again use the little icons in the upper right, as this one is big). It may look big and daunting, but we only need to change 4 lines. Once you’ve made the adjustments mentioned below, you can nano update.sh and copy/paste the text file into the terminal window. If you’re comfortable with nano, just nano update.sh
#!/bin/bash
# A bash script to update a Cloudflare DNS A record with the external IP of the source machine
# Used to provide DDNS service for my home
# Needs the DNS record pre-creating on Cloudflare
# Proxy - uncomment and provide details if using a proxy
#export https_proxy=http://<proxyuser>:<proxypassword>@<proxyip>:<proxyport>
# Cloudflare zone is the zone which holds the record
zone=your-domain.url
# dnsrecord is the A record which will be updated
dnsrecord=your-domain.url
## Cloudflare authentication details
## keep these private
cloudflare_auth_email=your_email@domain.com
cloudflare_auth_key=your_global_api
# Get the current external IP address
ip=$(curl -s -X GET https://checkip.amazonaws.com)
echo "Current IP is $ip"
if host $dnsrecord 1.1.1.1 | grep "has address" | grep "$ip"; then
echo "$dnsrecord is currently set to $ip; no changes needed"
exit
fi
# if here, the dns record needs updating
# get the zone id for the requested zone
zoneid=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones?name=$zone&status=active" \
-H "X-Auth-Email: $cloudflare_auth_email" \
-H "X-Auth-Key: $cloudflare_auth_key" \
-H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
echo "Zoneid for $zone is $zoneid"
# get the dns record id
dnsrecordid=$(curl -s -X GET "https://api.cloudflare.com/client/v4/zones/$zoneid/dns_records?type=A&name=$dnsrecord" \
-H "X-Auth-Email: $cloudflare_auth_email" \
-H "X-Auth-Key: $cloudflare_auth_key" \
-H "Content-Type: application/json" | jq -r '{"result"}[] | .[0] | .id')
echo "DNSrecordid for $dnsrecord is $dnsrecordid"
# update the record
curl -s -X PUT "https://api.cloudflare.com/client/v4/zones/$zoneid/dns_records/$dnsrecordid" \
-H "X-Auth-Email: $cloudflare_auth_email" \
-H "X-Auth-Key: $cloudflare_auth_key" \
-H "Content-Type: application/json" \
--data "{\"type\":\"A\",\"name\":\"$dnsrecord\",\"content\":\"$ip\",\"ttl\":1,\"proxied\":false}" | jqNow we need to change 4 lines (lines 11, 13, 17, and 18).
zone=your-domain.url
dnsrecord=your-domain.url
cloudflare_auth_email=your_cloudflare_email
cloudflare_auth_key=your_global_api
Now save the script (Cntrl X, then Y, then Enter to save and drop back to the prompt)
Now we will make the script executable
chmod +x update.sh
Finally, I’ll set my omv-user to own the script so I don’t have to run it as root.
chown your-omv-user:users update.sh
Testing the script and then setting it to run automatically.
Now we’ll proof of concept that this works.
In your cloudflare panel, edit your A record you created with your domain and IP, and change your IP to 0.0.0.0 and save. Now if you go to https://www.your-domain.url you’ll get an error the site could not be reached (when earlier we got a secured swag park page).
Now we just run the script as our user
SSH in to your server as an unprivileged user (the one you gave ownership of the script to above)
cd /scripts
sh update.sh
The script should run and you end up back at your prompt. Now go back to your cloudflare DNS page and refresh, and your IP should be correct in your A record again, and you can now get to your secured swag page again. This shows the script is working. If it's not working, you need to check the lines you edited in the script and make sure they are correct.
Now, we just need to schedule the script to run at a desired interval. Now I’m not sure how often IP’s change.. as it's not a situation I'm currently dealing with. So for this, I'm gonna go w/ 4hrs. Just keep in mind if your IP changes between script runs, your server will be unavailable until the script runs again. So if you want to make your checks more frequent, say every hour.. you can do that. Whatever works for you.
In the OMV web panel, click on Scheduled Tasks, then the + sign
Change the time of execution, to certain date
Change minutes to 0 (don’t use the *)
Change hours to whatever you want it to be, and check the “N” box beside it.
Now scroll down and under user, I’m going to change that to my OMV user that I set to own the script (in my case, ken0201) and the command will be sh /scripts/update.sh. Once you're done, it should look something like the below, then save it.
Now if you want to proof of concept this to make sure it works properly, again just go back to cloudflare, change your IP for your A record to 0.0.0.0 and save. Then go back to the scheduled task, choose the task and click the run button and then start, and you will see the script execute. Once it’s done, go back to your cloudflare dns page and refresh, and it should have your IP there again. The scheduled task is working properly.
Hope that helps anyone facing this issue that doesn't want to pony up the monthly fees for a DNS service or static IP address (or go w/ a free one one like duckdns)
If there's a need, I'll go over setting up CNAME's for services and routing them through swag.
Using the Cloudflare proxy feature
If you want to use the Cloudflare proxy after you set up your subdomains, you can go through and edit them (ie, change the cloud to orange)... This means if someone ping's your domain, they will be returned w/ a cloudflare IP vs your personal IP.
You can set the proxy feature on all your CNAME records address. For some reason in my testing... I couldn't get this to work during initial setup (still haven't figured that out)... but once everything was setup without the proxy and working, I went back and adjusted all of the subdomains and my A record to enable the proxy, and it has worked fine.
This is entirely optional, but I've not noticed a performance hit since I did this and it may be desirable for some to hide their IP.