Posted inNetwork

Self-Hosted DDNS with Cloudflare and ddclient: A Free Solution for Your Home Server

Network tutorial - IT technology blog
Network tutorial - IT technology blog

The Struggle of Running a Home Server with a Dynamic IP

You just set up a NAS to store family photos or a VPN to access your home network from a coffee shop — and immediately hit a wall called a dynamic IP. ISPs like Viettel, FPT, and VNPT typically reset your public IP address every time the router reboots or on a 24–48 hour cycle.

Imagine you’re at the office urgently needing a file, only to get a Connection timed out error. The reason is simple: your home IP just changed. Back when I managed infrastructure for a 50-person office, I used DDNS as a failover for the primary leased line. Instead of paying an extra 600,000–1,200,000 VND per month for a static IP, this solution saved the company a significant amount while keeping remote access seamless.

The mechanism is straightforward: a tool automatically detects your new IP and updates the DNS record. Cloudflare is the top choice today thanks to its stable, completely free API. Meanwhile, ddclient is an ultra-lightweight Linux client — using less than 10MB of RAM — that handles this synchronization reliably.

Why Cloudflare and ddclient?

Many DDNS services like No-IP require you to confirm your email every month, which gets old fast. If you own a custom domain (like lab.itfromzero.com), combining it with Cloudflare brings a level of professionalism that free subdomains simply can’t match.

ddclient runs as a background daemon, turning an old computer or Raspberry Pi into a server you can reach from anywhere. No more memorizing messy IP strings — just a clean, memorable domain name.

Step 1: Create an API Token on Cloudflare

For security, you should never use the Global API Key. Instead, create an API Token with minimal permissions (Principle of Least Privilege) by following these steps:

  1. Go to the Cloudflare Dashboard and navigate to My Profile > API Tokens.
  2. Click Create Token and use the Edit zone DNS template.
  3. Set Permissions: Zone - DNS - Edit and Zone - Zone - Read.
  4. Under Zone Resources, select your specific domain.
  5. Click Continue to summary and copy the generated Token.

Important: Cloudflare will only display this token once. Store it in your password manager immediately.

Step 2: Install ddclient on Your System

Installation on Ubuntu or Debian is quick via apt. Open a terminal and run:

sudo apt update
sudo apt install ddclient libjson-any-perl libdata-validate-ip-perl -y

A blue ncurses configuration interface may appear. Just press Enter or Cancel to skip it. We’ll write the configuration file manually to ensure full compatibility with Cloudflare’s latest API v4.

Step 3: Configure ddclient

Open the configuration file at /etc/ddclient.conf. Clear all existing content and paste the snippet below. I’ve optimized it to detect your IP via the web, which is especially useful if your server sits behind multiple NAT layers.

# /etc/ddclient.conf
use=web, web=checkip.dyndns.org
protocol=cloudflare
server=api.cloudflare.com/client/v4
login=token
password='YOUR_CLOUDFLARE_API_TOKEN'

# Primary domain (Zone)
itfromzero.com

# Subdomain pointing to your server
home.itfromzero.com

Important notes:

  • use=web: Tells ddclient to fetch your actual public IP instead of the internal 192.168.x.x address.
  • login=token: This is the required syntax when using an API Token — you do not need to enter your personal email here.

Step 4: Set Permissions and Test the Connection

Since the config file contains a sensitive token, restrict access to prevent leaks:

sudo chmod 600 /etc/ddclient.conf
sudo chown root:root /etc/ddclient.conf

To verify everything is working correctly, run the following debug command:

sudo ddclient -daemon=0 -debug -verbose -noquiet

If the output shows SUCCESS: updating home.itfromzero.com, you’re all set. Head back to your Cloudflare dashboard and refresh — the DNS record should now reflect your latest IP.

Step 5: Enable Automatic Startup

Enable the service so ddclient starts automatically with the system and monitors IP changes for you:

sudo systemctl enable ddclient
sudo systemctl start ddclient

Check the service status with sudo systemctl status ddclient. By default, the script checks your IP every 5 minutes. If the IP hasn’t changed, it stays silent to avoid hammering the Cloudflare API unnecessarily.

Practical Tips for Homelab Enthusiasts

After years of running a home setup, here are 3 hard-won tips I want to pass on:

  1. Disable the Proxy (Orange Cloud): If you’re using your domain for SSH or VPN, switch the DNS record to Gray Cloud (DNS Only mode). Cloudflare’s proxy only supports HTTP/HTTPS — leaving it enabled will completely break SSH connections.
  2. Check the Logs: When your IP isn’t updating, run grep ddclient /var/log/syslog. Most issues come down to an expired token or a syntax error in the config file.
  3. Open Ports on Your Router: DDNS only handles the routing. To actually reach your server, you still need to configure Port Forwarding on your router to point to your server’s internal IP address.

Mastering DDNS is the first step toward freely running personal services at home without breaking the bank. Good luck with your homelab build — enjoy the satisfaction of running a professional server setup right from your living room!

Share:
Tags: