AGH, Hetzner Firewall and Dynamic IP

sponch

I use Adguard on a Hetzner Cloudron VPS. To do this, TCP/UDP port 53 (DNS) has to be opened in the Hetzner firewall. To prevent every client in the world from accessing it, I only allow my ISP's dynamic IP. Unfortunately, this keeps changing and I have to enter my new IP in the Hetzner firewall (until then, DNS no longer works). DNS Adguard-Sever IP is stored on my Unifi router.
Is there any easier way to do all this, or is there any way to automate the firewall entry?

Kubernetes

My setup is pretty similar to yours. I decieded to use Adguard with integrated DoT or DoH and ClientIDs. Works very good.

joseph

@Kubernetes does that mean you don't use the Hetzner Firewall?

@sponch https://docs.hetzner.cloud/#firewalls has an API. You can just run it off a cronjob. Cloudron's DNS automation is at https://git.cloudron.io/platform/box/-/blob/master/src/dns/hetzner.js?ref_type=heads#L42 , very easy to use, just pass Auth-API-Token in header.

Kubernetes

@joseph I do use the Hetzner Firewall, but not to block DNS requests. Because of Client IDs any strangers DNS request will be denied by Adguard, IP-Limitter helps to get not flooded with requests. I have whitelistet my ISP IP and update it manually when it changes.

Thanks for the hint with Hetzner Firewall API, could be interesting for some other use cases

joseph

Good workflow!

@Kubernetes said in AGH, Hetzner Firewall and Dynamic IP:

I have whitelistet my ISP IP and update it manually when it changes.

I think this is where the API will help if your IP changes a lot. I don't know if it applies to @sponch but in my home, the VPS only changes IP within a specific subnet. In the firewall, I just whitelist the subnet instead of a specific IP.