Call for #ddclient testers on #OpenBSD: the `net/ddclient` package is currently at 3.9.1, but we've got a patch updating to 4.0.0 in review:

https://marc.info/?t=176774244800001&r=1&w=2

This is a pretty big jump from the old version we currently have, but is necessary for some #DynDNS providers. I'm run-testing this patch with #Gandi, but it supports so many providers that it'd be best to get a better sampling.

Sysadmin journal: setting up wireguard on all of my Linux desktops

I have several mostly interchangeable Linux computers for personal use. All but one are laptops; the mini-tower which isn’t is used as both a desktop and my home network server, e.g., for DNS and for SSHing into the home network from the outside when I’m traveling with one of the laptops.

A pro-democracy activist group that I’m part of has asked everyone in the group to use a VPN whenever accessing group stuff online (including Signal, Matrix, Proton, etc.) and has recommended using a VPN all the time. I am not convinced this is worth the effort, but it probably can’t hurt, and I don’t want to be the Guy Who Wasn’t Following The Rules if something does end up going down, so today I set out to make this happen.

I signed up for a VPN service that uses wireguard (no, I’m not going to tell you which one, that would be giving away information unnecessarily) and set out to figure out how to set up this VPN to be active all the time on my phone and all of my Linux computers. Below are my notes about the bumps in the road I hit while figuring this out and how I got over them.

The VPN service I signed up with has a bespoke Android client so setting it up for Android was trivial.

The service allowed me to add other devices to my account and download a standard-format wireguard configuration file for each, to be imported into wireguard, which I was able to do easily in NetworkManager on Debian after installing the wireguard package (I’m actually not 100% certain that it was necessary to import the wireguard package, I think it may have worked even if I hadn’t done that):

• Open Settings app
• Click on Network
• Click the + symbol next to VPN
• Click Import from file…
• Select the wireguard configuration file I downloaded from the VPN service

I wanted to configure the VPN to connect automatically. You can’t do that from the Settings app but you can do it from nm-connection-editor or nmcli. In the connection editor:

• Open nm-connection-editor, a.k.a., the “Advanced Network Configuration” desktop app
• Double-click on the imported VPN
• Click on the General tab
• Check the “Connect automatically with priority” checkbox
• Save and exit

In nmcli, you can do “nmcli connection modify [connection-name] connection.autoconnect yes“.

I configure all my Linux machines via Ansible, so I wanted to figure out how to do the wireguard VPN configuration automatically using the nmcli Ansible module, i.e., I wanted to do the import as described above manually the first time and then figure out how to replicate in Ansible code what the manual import did so I wouldn’t have to do it manually in the future. Unfortunately, though the documentation claims this should be possible, for some reason I don’t have the ability to specify wireguard.peers to the module, so I can’t do the configuration automatically. Therefore, I set up an Ansible rule that checks if the VPN is configured and fails if it isn’t, so that I am reminded to configure it manually if/when I’m setting up a new computer:

Next, I had to deal with the fact that when I enabled the VPN on my desktop, my ddclient configuration stopped getting my correct public IP address and instead started putting the egress IP of my VPN into my dynamic DNS entry. The reason for this is obvious. I told ddclient to use=web, web=http://checkip.dyndns.com/, and that is obviously going to go through the VPN and get the VPN’s IP rather than mine. I don’t know if the fix I came up with is the best one, but it works: use=cmd, cmd='curl --silent --interface enp2s0 http://checkip.dyndns.com/ | perl -ne \'chomp; if (s/.\b([1-9][0-9]\.[1-9][0-9]\.[1-9][0-9]\.[1-9][0-9])\b./$1/){print;exit}\''

Next problem: I need to be able to log into my home desktop from outside the house. Solution: add routing policy rules on my home desktop so that traffic to/from our family server in the cloud bypasses the VPN, so that I can SSH into the cloud server from anywhere and then SSH into the home desktop from the cloud server. I deployed a script to /etc/NetworkManager/dispatcher.d to add the routing rules when the VPN comes up and remove them when it comes down. The commands the script runs look like this:

It specifies “del” instead of “add” to remove the rules. I figured this out with the help of this Reddit posting. Note that this needs to be a dispatcher script because NetworkManager ignores PostUp and PreDown lines in wireguard configuration files when importing them, and as far as I can tell there is no way to configure directly in NetworkManager commands to be run when an interface goes up or down.

Final challenge: when I am working on one of my laptops and I need to SSH into my desktop, I want to do so directly via the private IP address on the home network when I’m at home, or indirectly through my cloud server when I’m out of the house, and I want this to happen automatically. Fortunately, I already had a NetworkManager dispatcher script which automatically generates ah SSH configuration file that’s included by my main SSH configuration. The old purpose of this script was so that when I’m out of the house with laptop A and I want to SSH into laptop B, which is on my home network but not accessible from the outside, that SSH automatically gets proxied through my desktop, which is accessible from the outside. I was able to augment this script to add the new functionality. Now whenever one of my laptops connects to my home network, the script adds to my SSH config a Host section for the desktop with a HostName line in it specifying the internal domain host name which resolves to its internal IP address, whereas when the laptop connects to a network outside my home, instead of the HostName line it adds a ProxyJump line specifying the host name of my cloud server.

If you’re one of the two people in the world who read this blog posting all the way to the end, drop a comment and let me know. 😉

#Ansible #ddclient #Linux #NetworkManager #sysadmin #VPN #wireguard

Sysadmin journal: setting up wireguard on all of my Linux desktops

I had to hack together a few things to use wireguard transparently on my Android phone and all of my Linux laptops and desktop.
#ddclient #Linux #NetworkManager #VPN #wireguard #Ansible #SysAdmin
https://blog.kamens.us/2025/05/10/sysadmin-journal-setting-up-wireguard-on-all-of-my-linux-desktops/

seriously, wtf @cloudflare

https://github.com/ddclient/ddclient/issues/820

this broke my vpn because the dns was set to 1.0.1.1 instead of the actual ip.

(real ip obfuscated but you can clearly see it's different to 1.0.1.1)

thankfully there is a workaround for now

#ddns #ddclient #cloudflaresucks #networking #vpn