I know the basics, but I am trying to get a deeper understanding of how they work and how I can improve upon my setup.
So here’s the back-story, which is relevant just so that you know what my current setup is…
It all started with me getting into self-hosting. Next thing I know, I had 19 different URLs (Nextcloud, Bitwarden, Emby, IPMI, etc.) whose IPs and ports I had to remember. So I thought of getting a reverse proxy. Obvious choices: Apache & Nginx. But then I thought, why not get proper SSL certs from Let’s Encrypt along with the reverse proxy, so that it stops the browsers from screaming about it and my wife calling me over whenever she is accessing Bitwarden or Emby etc.
Enter Caddy2, which had easy integration with Let’s Encrypt DNS challenges. I needed the easy button because this was all very new to me. I bought a domain name for myself from Namecheap. Unfortunately, Caddy2 only had the Cloudflare plugin available for DNS challenges during the 2.0 Beta. So, I created a Cloudflare account and then used those nameservers as my “Custom DNS” in the Namecheap account instead of using the Namecheap BasicDNS.
I set up 19 different A records – all pointing to my public WAN address (say XX:XX:XX:252) and using Cloudflare as the proxy. I used the DNS challenge and everything works as expected. I can use the sub-domains I defined in the A records instead of remembering the IPs and ports.
I use Opnsense as my firewall. I also have a road-warrior VPN server that I connect to from the road. I also have a dynamically assigned IP address. If my WAN IP changes, I would still want my certs and my VPN to continue functioning. Enter DDNS. I enabled the DDNS service in Opnsense and used the Namecheap option – put in my domain name (that I had purchased) and my user/password, and it immediately listed my WAN IP (XX:XX:XX:252) as the Cached IP. So here’s where I am confused:
- How did it cache my WAN IP for my domain name instead of the actual public IP of the domain name? In Cloudflare, my base domain points to a completely different IP (I am not hosting anything on that domain though).
Then my WAN IP changed when I rebooted the modem and the Opnsense firewall.
- However, all the A records that I created for the 19 services still point to the old WAN IP address (XX:XX:XX:252). This will be a problem whenever my current LE certs expire, wouldn’t it? Is there a way to auto-update these records whenever my WAN IP changes?
- Is there a way to create a wildcard cert for my domain name so that I can use the same cert for all my LAN services?
- How do I use the DDNS service in Opnsense such that my WAN IP is always tied to a particular domain name that I can use for all my VPN clients – so that I don’t have to manually change the IP address in each client’s VPN config?
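On the second question (the 19 A records going stale when the WAN IP changes), the usual fix is a small DDNS updater that reconciles only the service records against the current WAN address through the Cloudflare DNS API, leaving the bare domain alone. The script below is an added example, not from the post or from Opnsense/Caddy; the token and zone id come from assumed environment variables, and the record list at the bottom is constructed sample data using documentation addresses.

```python
import json
import os
import sys
import urllib.request

# Assumed: a Cloudflare API token scoped to DNS:Edit on one zone, and that
# zone's id, supplied via environment variables (not values from the post).
CF_API = "https://api.cloudflare.com/client/v4"
TOKEN = os.environ.get("CF_API_TOKEN", "")
ZONE_ID = os.environ.get("CF_ZONE_ID", "")


def plan_updates(records, managed_names, wan_ip):
    """Pure reconciliation step (no network). Of the zone's records, return the
    A records whose name is one of the self-hosted service names and whose
    content differs from the current WAN address. Names outside the managed
    set (for example the bare domain, which points elsewhere on purpose) and
    non-A records are never touched."""
    return [r for r in records
            if r["type"] == "A" and r["name"] in managed_names
            and r["content"] != wan_ip]


def cf_request(method, path, body=None):
    """Minimal authenticated call against the Cloudflare v4 API; returns 'result'."""
    data = json.dumps(body).encode() if body is not None else None
    req = urllib.request.Request(
        f"{CF_API}{path}", data=data, method=method,
        headers={"Authorization": f"Bearer {TOKEN}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return json.load(resp)["result"]


def sync_zone(managed_names, wan_ip):
    """Fetch the zone's A records, repoint the stale managed ones at wan_ip
    (keeping each record's TTL and orange-cloud proxied flag), return count."""
    records = cf_request("GET", f"/zones/{ZONE_ID}/dns_records?type=A&per_page=100")
    stale = plan_updates(records, managed_names, wan_ip)
    for r in stale:
        cf_request("PUT", f"/zones/{ZONE_ID}/dns_records/{r['id']}",
                   {"type": "A", "name": r["name"], "content": wan_ip,
                    "ttl": r["ttl"], "proxied": r["proxied"]})
    return len(stale)


# Constructed sample of a dns_records response (trimmed fields), not real data.
SAMPLE_RECORDS = [
    {"id": "rec1", "type": "A", "name": "nextcloud.example.com", "content": "203.0.113.252", "ttl": 1, "proxied": True},
    {"id": "rec2", "type": "A", "name": "emby.example.com", "content": "203.0.113.77", "ttl": 1, "proxied": True},
    {"id": "rec3", "type": "A", "name": "example.com", "content": "198.51.100.9", "ttl": 1, "proxied": True},
    {"id": "rec4", "type": "CNAME", "name": "www.example.com", "content": "example.com", "ttl": 1, "proxied": True},
]

if __name__ == "__main__":
    # Usage: pass the new WAN IP (e.g. from a DDNS hook) and the service names.
    print(sync_zone(set(sys.argv[2:]), sys.argv[1]))
```

Run it from a cron job or an Opnsense DDNS hook with the current WAN IP; because `plan_updates` only touches the names you list, the bare domain's unrelated A record stays as it is.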