OPNSense – Dynamic DNS with Cloudflare


In this post, I will show you how to configure Dynamic DNS with Cloudflare using ddclient on OPNSense.

Note: you should back up the system configuration under System ‣ Configuration ‣ Backups in case things go south. You should be able to reverse any actions and restore the system to the known working state.


Step 1: Install the Dynamic DNS (ddclient) plugin
  • Install the plugin via System ‣ Firmware ‣ Plugins.
  • Search for “ddc.”
  • Click + to install “os-ddclient.”
  • Refresh after the installation is completed.
Step 2: Create an A record on Cloudflare
  • From your Domain Overview, select DNS.
  • Select Add record to add a new A record.
  • Type: A
  • Name: DNS (or whatever name you prefer).
  • IPv4: (or any random Private IP address. It will be replaced with your Public IP).
  • Proxy status: Turn it off.
  • TTL: Auto (default).
Step 3: Generate the API token from Cloudflare
  • Go back to Overview.
  • Scroll down to the bottom of the page.
  • Select Get your API token.
  • Select Create Token.
  • Select Use template for Edit Zone DNS.
  • Token name: DDNS for OPNSense (or whatever name you prefer).
  • Zone: DNS with Edit Permission.
  • Zone Resources: Specific zone, and select the correct Zone for your domain.
  • Select Continue to summary.
  • Select Create Token.
  • Select Copy to copy the API Token.
  • Paste it temporarily to a text file or a sticky note. For security reasons, the token will not be shown again.
Step 4: Add an account
  • Go to System ‣ Services ‣ Dynamic DNS Settings.
  • Click + to add a new account.
  • Description: Cloudflare (or whatever name you prefer).
  • Service: Cloudflare.
  • Username: Leave it blank.
  • Password: the API token that you created in Step 3.
  • Zone: FQDN (ex. sysadmin102.org).
  • Hostname: subdomain (ex. ddns.sysadmin102.org).
  • Check IP method: ip4only.me.
  • Interface to monitor: WAN.
  • Save.
  • Apply.

Even though the Current IP and Updated tabs didn’t reflect anything, the public IP address was actually pushed to your A record successfully. You can confirm this by checking the Log File. The A record that held the private IP should now reflect your public IP.
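
To confirm the result independently of the GUI, the record can be read back and checked against the settings from Step 2. The following is an added example, not part of the original post: it audits a DNS record object with the fields type, name, content and proxied, as the Cloudflare API reports them. The function name, the sample records and the addresses 10.10.10.10 and 203.0.113.25 are constructed for illustration.

```python
import ipaddress

# RFC 1918 ranges: the kind of private placeholder Step 2 puts in the record.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed samples (not real data) in the shape of a Cloudflare DNS record.
BEFORE = {"type": "A", "name": "ddns.sysadmin102.org",
          "content": "10.10.10.10", "proxied": False}
AFTER = dict(BEFORE, content="203.0.113.25")


def audit_ddns_record(record, hostname, wan_ip):
    """Return a list of findings; an empty list means the record is as expected."""
    findings = []
    if record.get("type") != "A":
        findings.append("type is not A")
    name = str(record.get("name", "")).rstrip(".").lower()
    if name != hostname.rstrip(".").lower():
        findings.append("name does not match the configured hostname")
    if record.get("proxied"):
        # Proxied records resolve to Cloudflare edge addresses, not to the WAN IP.
        findings.append("proxy status is on")
    try:
        content = ipaddress.ip_address(str(record.get("content", "")))
    except ValueError:
        findings.append("content is not an IP address")
        return findings
    if any(content in net for net in RFC1918):
        # ddclient has not replaced the placeholder from Step 2 yet.
        findings.append("content is still a private placeholder")
    elif content != ipaddress.ip_address(wan_ip):
        # A public address that is not ours means the record is stale.
        findings.append("content differs from the current WAN address")
    return findings


if __name__ == "__main__":
    host, wan = "ddns.sysadmin102.org", "203.0.113.25"
    for label, rec in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_ddns_record(rec, host, wan))
```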
