mDNS on different subnets via VPN

[Igor]

Two local networks on two routers are connected via OpenVPN.

The routers have files "/jffs/configs/avahi-daemon.conf.add" with the following settings:

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes

[reflector]
enable-reflector=yes

After rebooting (service restart_mdns) I see new parameters in "/tmp/avahi/avahi-daemon.conf"
Then I add network permissions on the routers:

iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I INPUT -i tun+ -p udp --dport 5353 -j ACCEPT

But this didn't help me with mDNS forwarding to another local network.
What needs to be done to make mDNS used in different subnets connected via OpenVPN?

 

[ColinTaylor]

This is just a guess but,

1) I don't think you need any additional iptables rules as there should already be rules that do the same thing. I'm assuming you have a working bidirectional OpenVPN LAN to LAN setup.

2) I think you also need to add the following line to the [Server] section of avahi-daemon.conf :

allow-point-to-point=yes

That way, when either avahi-daemon or openvpn starts up you should see messages similar to the following in the syslog.

Mar 21 16:28:48 avahi-daemon[6624]: Joining mDNS multicast group on interface tun21.IPv4 with address 10.8.100.1.
Mar 21 16:28:48 avahi-daemon[6624]: New relevant interface tun21.IPv4 for mDNS.
Mar 21 16:28:48 avahi-daemon[6624]: Registering new address record for 10.8.100.1 on tun21.IPv4.

and

Mar 21 16:29:11 avahi-daemon[6624]: Joining mDNS multicast group on interface tun11.IPv4 with address 10.100.0.2.
Mar 21 16:29:11 avahi-daemon[6624]: New relevant interface tun11.IPv4 for mDNS.
Mar 21 16:29:11 avahi-daemon[6624]: Registering new address record for 10.100.0.2 on tun11.IPv4.

This could be a security issue though if you have other point to point network interfaces to untrusted networks, e.g. a commercial VPN service. In that case you'd probably have to add either allow-interfaces= or deny-interfaces=.

 

[Igor]

2) I think you also need to add the following line to the [Server] section of avahi-daemon.conf :

Thanks for your reply! Unfortunately, I missed your reply, sorry.

I added to the avahi-daemon.conf

[Server]
allow-point-to-point=yes

I use the command

cat /tmp/syslog.log | grep avahi

to look at the log. I see the entries you specified from avahi-daemon on all interfaces, including tunnels.

Next I started to analyze traffic on one host in the network 192.168.2.0/24

sudo tcpdump -e -vv -n port 5353 and net 192.168.1.0/24

But I didn't find any packages from another network.

Then I added to the config

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes

[reflector]
enable-reflector=yes

But I didn't find any packages from another network.

There is something I am missing or doing wrong.

 

[ColinTaylor]

Next I started to analyze traffic on one host in the network 192.168.2.0/24

sudo tcpdump -e -vv -n port 5353 and net 192.168.1.0/24

But I didn't find any packages from another network.

I would run tcpdump on whatever device is running the VPN on 192.168.2.0/24 and monitor what's coming out of the tunnel interface.

Then I added to the config

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes

[reflector]
enable-reflector=yes

Just to be clear - you added both the allow-point-to-point option and the enable-reflector option?

 

[Igor]

Just to be clear - you added both the allow-point-to-point option and the enable-reflector option?

Yes, I added it. Later I saw that my Home Assistant from one network saw devices in another network. Then I analyzed the traffic again and saw the necessary packets, the format of which was different from what I expected.

192.168.2.1.5353 > 224.0.0.251.5353: <...> (Cache flush) A 192.168.1.183, KD-43XD8305._androidtvremote2._tcp.local. <...>

In the end, two options helped - allow-point-to-point and enable-reflector. Thank you!