Last Updated on September 27, 2020 by Jan Bachelor
Why is is recommended?
Let’s say that you have a security camera that sends recordings to an external service like angelcam.com and you want to open a port for it on your OPNSense firewall (this will be covered in the next step). You will need to provide the service with an external IP address that they will use to pull the live stream from in order to store it off-site. But what if your ISP changes that external IP address? The service would lose connection and if someone broke into your humble estate during that time, you would not have the recordings.
How does it work?
Instead of you providing an external IP address to third party, you will provide a host name that points to it – this is called Dynamic DNS. On your OPNSense, you would run a plugin that periodically checks for what external IP address is assigned on your WAN interface. If it changes it, it will modify where does the hostname lead to. This way, the outage would be short (e.g. a minute) instead of hours or days before you would manually modify the new IP with the existing service provider.
How to set up DynDNS?
OPNSense supports a wide variety of DynDNS providers. In this guide, we will cover Duck DNS, since it is a free and reliable service.
- Register an account with the DynDNS provider. In our case, DuckDNS account is free and can be registered here. The easiest way is to use your Gmail account to sign in.
- Create a subdomain – e.g. mydomain.duckdns.org, as illustrated below:

- Install the dynamic DNS plugin in OPNSense. ‘System’ -> ‘Firmware’ -> ‘Plugins’ and locate he ‘os-dynds’ item – click on the + sign to install it:
- On your OPNSense web GUI, go to ‘Services’ -> ‘Dynamic DNS’ and click on the ‘Add’ button.
- Tick the ‘enabled’ box.
- Choose service type as: DuckDNS
- Interface to monitor – WAN
- Hostname – your subdomain (e.g. bachelor-tech.duckdns.org).
- Username – your generated token (see the screenshot above for where to find it).
- Password – leave blank (some OPNSense versions require it to be filled in, in which case, paste the token again).
Final state is as follows:
- Set up a cron job (scheduled task) that will run the check & sync with DuckDNS every 15 minutes (or however many you need). In OPNSense, go to ‘System’ -> ‘Settings’ -> ‘Cron’ and click on the + icon to add a new job:
- Tick the ‘enabled’ box.
- Minutes – */15 (for every 15 minutes) – see here for a cron calculator.
- All other time indicators as *
- Command – choose ‘Dynamic DNS update’.
- Leave parameters as blank.
- Add something meaningul in the Description field (esp. if you have multiple DynDNS items).
What happens once you create it?
With DuckDNS, the dynamic DNS agent will check every 15 minutes to see what is the external IP and sends it to the AWS-hosted DuckDNS server. In case it changes, the IP address will be modified, accordingly. DuckDNS uses SSL certificates (256bit) and so all communication is encrypted. You can now forward your services to this subdomain instead of the IP address. This means that you could have up to 15 minutes of an outage, so only use DuckDNS for non-critical services.
Sources:
- OPNSense documentation on DynDNS
- Home Network guy’s OPNSense guide with CloudFlare DynDNS
1 comment
Your instructions worked like a charm. Thanks.