Configuration and script for Cloudflare DDNS on Asuswrt-Merlin
Note: Starting with version 384.7 (circa 2018), Asuswrt-Merlin uses In-a-dyn for DDNS updates. The In-a-dyn client adds support for many DDNS services now including Cloudflare. User @bengalih has reported initial success transitioning to In-a-dyn from this script. New users are encouraged to try that option first as it is likely better supported and includes features lacking from this script. For more information, please see the introduction to In-a-dyn in the asuswrt-merlin project documentation.
The Asuswrt-Merlin custom firmware adds support for custom dynamic DNS providers to various ASUS routers. This is great for Cloudflare users because, although Cloudflare is not one of the built-in providers, we can add support for it. This guide and accompanying script do exactly that. The script is confirmed to work on the following router models:
Features include:
You should have your Merlin-enabled ASUS router configured for your network with Internet access. Since you've found this guide, it's also assumed you have a Cloudflare account managing your own domain, and you've already created a subdomain you will use for dynamic DNS.
Configuration of Cloudflare DDNS involves changes through the router web portal as well as changes made through the router shell.
Directions for disabling dynamic DNS and removal of the script and related files are at bottom.
In the router portal, under Administration -> System,
Save the configuration. Ensure you are able to SSH into your router using your router portal credentials (or via public key crypto, depending on configuration) before continuing.
Note: If SSH will be left enabled after installation, disallow password login, enable brute force protection, and use public keys for login to enhance security.
1. In the router shell, change to the /jffs/scripts directory.
2. Copy the cloudflare_ddns and .cloudflare.example files to that directory.
3. Rename .cloudflare.example to .cloudflare.
4. Update .cloudflare with your Cloudflare API token and zone ID from your Cloudflare portal. The script also supports the legacy "API Key plus account e-mail" method of authentication, but this method is less secure and appears likely to be eliminated in future.
5. Run chmod 700 cloudflare_ddns.
6. Run chmod 600 .cloudflare.
7. Run ./cloudflare_ddns list.
8. Confirm that the script created cloudflare_ddns.log. Open the log file and review the JSON response object, which should be a listing of your Cloudflare DNS records for the zone ID specified in Step 4.
Note: If there is an error in the log file or no log file is present, ensure permissions are correct and that the text of the script is copied accurately. Double-check your Cloudflare credentials. For large Cloudflare configurations, it may be necessary to increase the log file size limit in the script. If the error is from Cloudflare, you can review the text of the error in the JSON response and look for any error code online.
9. Update .cloudflare with the DNS record information (i.e. ID, name and type) obtained from Step 8. Ensure your text matches exactly.
10. Run ./cloudflare_ddns 1.1.1.1.
Note: You may get a throttled response if you have queried too quickly after Step 7. The script rate-limits to one query every 5 seconds. This is configurable in the cloudflare_ddns script or you can simply wait.
11. Run ln -s cloudflare_ddns ddns-start. This creates a symbolic link with the name expected by the router firmware.
In the router portal, under WAN -> DDNS,
the DNS host name you're using in Cloudflare
Save the configuration.
If all is configured correctly, you should see:
Nov 5 6:57 start_ddns: update CUSTOM , wan_unit 0
Nov 5 6:57 custom_script: Running /jffs/scripts/ddns-start (args: x.x.x.x ) - max timeout = 120s
Nov 5 6:57 ddns: Completed custom ddns update
Note: If any errors occur, review the router log file and the script log file for an indication of the error or manually re-run ./cloudflare_ddns list and ./cloudflare_ddns 1.1.1.1 to identify and troubleshoot.
Once everything is configured and working properly, you may delete the cloudflare_ddns.log file from the /jffs/scripts/ directory on the router. If SSH access is no longer needed, disable SSH on the router portal for security (especially if password authentication was used).
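A post-install check for the permissions, symbolic link and leftover log file described in the steps above, as an added example that is not part of the original script or project. It assumes the file names used in this guide and a shell with ls, cut and readlink; mode_of, check_mode and audit_ddns_dir are hypothetical helper names.

```shell
#!/bin/sh
# Added example: audit the files this guide installs in /jffs/scripts.
# mode_of, check_mode and audit_ddns_dir are hypothetical helper names.

# Print the 10-character mode string of a path, as shown by ls -ld.
mode_of() { ls -ld "$1" 2>/dev/null | cut -c1-10; }

# check_mode PATH WANT: succeed only if PATH exists with exactly mode WANT.
check_mode() {
    actual=$(mode_of "$1")
    if [ "$actual" = "$2" ]; then
        echo "OK       $1 ($actual)"
        return 0
    fi
    echo "PROBLEM  $1 is '${actual:-missing}', want $2"
    return 1
}

# audit_ddns_dir [DIR]: print findings, return the number of problems found.
audit_ddns_dir() {
    dir=${1:-/jffs/scripts}
    problems=0

    # The script is owner-only rwx (chmod 700); the credentials file holding
    # the API token is owner-only rw (chmod 600).
    check_mode "$dir/cloudflare_ddns" "-rwx------" || problems=$((problems + 1))
    check_mode "$dir/.cloudflare" "-rw-------" || problems=$((problems + 1))

    # The firmware runs ddns-start, which must be a symlink to the script.
    target=$(readlink "$dir/ddns-start" 2>/dev/null) || target=""
    case $target in
        cloudflare_ddns|"$dir/cloudflare_ddns")
            echo "OK       ddns-start -> $target" ;;
        *)
            echo "PROBLEM  $dir/ddns-start is not a symlink to cloudflare_ddns"
            problems=$((problems + 1)) ;;
    esac

    # The log keeps the JSON responses from Cloudflare; note it if left behind.
    if [ -e "$dir/cloudflare_ddns.log" ]; then
        echo "NOTE     $dir/cloudflare_ddns.log is still present"
    fi
    return "$problems"
}
```

Source the file on the router and run audit_ddns_dir /jffs/scripts; the return value is the number of problems found, so 0 means the permissions and link match the steps above.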
To remove the script, the process is essentially reversed.