mDNS on different subnets via VPN

Igor

Regular Contributor
Two local networks on two routers are connected via OpenVPN.

The routers have files "/jffs/configs/avahi-daemon.conf.add" with the following settings:
Code:
[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes

[reflector]
enable-reflector=yes

After rebooting (service restart_mdns) I see the new parameters in "/tmp/avahi/avahi-daemon.conf".
Then I add network permissions on the routers:
Code:
iptables -I FORWARD -i br0 -o tun+ -j ACCEPT
iptables -I INPUT -i tun+ -p udp --dport 5353 -j ACCEPT

But this didn't help with mDNS forwarding to the other local network.
What needs to be done to make mDNS work across different subnets connected via OpenVPN?
 
This is just a guess but,

1) I don't think you need any additional iptables rules as there should already be rules that do the same thing. I'm assuming you have a working bidirectional OpenVPN LAN to LAN setup.

2) I think you also need to add the following line to the [Server] section of avahi-daemon.conf :
Code:
allow-point-to-point=yes

That way, when either avahi-daemon or openvpn starts up you should see messages similar to the following in the syslog.
Code:
Mar 21 16:28:48 avahi-daemon[6624]: Joining mDNS multicast group on interface tun21.IPv4 with address 10.8.100.1.
Mar 21 16:28:48 avahi-daemon[6624]: New relevant interface tun21.IPv4 for mDNS.
Mar 21 16:28:48 avahi-daemon[6624]: Registering new address record for 10.8.100.1 on tun21.IPv4.
and
Code:
Mar 21 16:29:11 avahi-daemon[6624]: Joining mDNS multicast group on interface tun11.IPv4 with address 10.100.0.2.
Mar 21 16:29:11 avahi-daemon[6624]: New relevant interface tun11.IPv4 for mDNS.
Mar 21 16:29:11 avahi-daemon[6624]: Registering new address record for 10.100.0.2 on tun11.IPv4.

This could be a security issue though if you have other point-to-point network interfaces to untrusted networks, e.g. a commercial VPN service. In that case you'd probably have to add either allow-interfaces= or deny-interfaces=.
 
2) I think you also need to add the following line to the [Server] section of avahi-daemon.conf :
Thanks for your reply! Unfortunately, I missed your reply, sorry.

I added to the avahi-daemon.conf
Code:
[Server]
allow-point-to-point=yes
I use the command
Code:
cat /tmp/syslog.log | grep avahi
to look at the log. I see the entries you specified from avahi-daemon on all interfaces, including tunnels.

Next I started to analyze traffic on one host in the network 192.168.2.0/24
Code:
sudo tcpdump -e -vv -n port 5353 and net 192.168.1.0/24
But I didn't find any packets from the other network.

Then I added to the config
Code:
[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes

[reflector]
enable-reflector=yes
But I didn't find any packets from the other network.

There is something I am missing or doing wrong.
 
Next I started to analyze traffic on one host in the network 192.168.2.0/24
Code:
sudo tcpdump -e -vv -n port 5353 and net 192.168.1.0/24
But I didn't find any packets from the other network.
I would run tcpdump on whatever device is running the VPN on 192.168.2.0/24 and monitor what's coming out of the tunnel interface.

Then I added to the config

Code:
[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes

[reflector]
enable-reflector=yes
Just to be clear - you added both the allow-point-to-point option and the enable-reflector option?
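The two replies above cover three things: the avahi options that make the reflector span the tunnel (allow-point-to-point plus enable-reflector), the warning that a reflector will also bridge mDNS onto any other point-to-point interface such as a commercial VPN client unless allow-interfaces= or deny-interfaces= is set, and the advice to look at what actually reaches the tunnel interface. The script below is an added example written for this thread; it is not code from the posts or from Asuswrt-Merlin. It assumes the usual Asuswrt-Merlin interface names (br0 for the LAN bridge, tun21 for OpenVPN server 1 carrying the trusted LAN-to-LAN link, tun11 for OpenVPN client 1 pointed at an untrusted provider), and the allow list and the syslog excerpt it checks are constructed for the demo.

```sh
#!/bin/sh
# Added example for this thread, not code from the posts or from Asuswrt-Merlin.
# Assumed Asuswrt-Merlin interface naming: br0 = LAN bridge, tun21 = OpenVPN
# server 1 carrying the trusted LAN-to-LAN link, tun11 = OpenVPN client 1 to a
# commercial VPN provider (untrusted). Adjust TRUSTED_IFACES to your own setup.
TRUSTED_IFACES="br0 tun21"

# Contents for /jffs/configs/avahi-daemon.conf.add: the two options that made the
# thread work, plus allow-interfaces= so the reflector only bridges mDNS between
# the LAN and the site-to-site tunnel and never onto tun11.
avahi_conf_add() {
cat <<EOF
[server]
allow-point-to-point=yes
allow-interfaces=$(echo "$TRUSTED_IFACES" | tr ' ' ',')

[publish]
publish-addresses=yes
publish-hinfo=yes
publish-workstation=yes
publish-domain=yes

[reflector]
enable-reflector=yes
EOF
}

# Interfaces avahi actually joined, read from syslog lines on stdin, e.g.
#   grep avahi /tmp/syslog.log | avahi_joined_ifaces
# Matches lines like "avahi-daemon[6624]: New relevant interface tun11.IPv4 for mDNS."
avahi_joined_ifaces() {
    sed -n 's/.*New relevant interface \([^.]*\)\.IPv[46] for mDNS.*/\1/p' | sort -u
}

# Print each joined interface that is missing from the allow list given as $1 and
# return 1 if there were any, so this can gate a script run after "service restart_mdns".
avahi_unexpected_ifaces() {
    allowed=$1
    rc=0
    for i in $(avahi_joined_ifaces); do
        case " $allowed " in
            *" $i "*) ;;
            *) echo "$i"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed syslog excerpt (not captured from the thread's routers), taken from
# before allow-interfaces= was set: avahi has joined the LAN, the site-to-site
# server tunnel and the commercial-VPN client tunnel.
SAMPLE_LOG='Mar 21 16:28:48 avahi-daemon[6624]: New relevant interface br0.IPv4 for mDNS.
Mar 21 16:28:48 avahi-daemon[6624]: New relevant interface tun21.IPv4 for mDNS.
Mar 21 16:29:11 avahi-daemon[6624]: New relevant interface tun11.IPv4 for mDNS.'

# Usage on the router: write the config, restart avahi, then check what it joined.
#   avahi_conf_add > /jffs/configs/avahi-daemon.conf.add && service restart_mdns
#   grep avahi /tmp/syslog.log | avahi_unexpected_ifaces "$TRUSTED_IFACES"
# To see the reflected traffic on the wire: tcpdump -i tun21 -n udp port 5353
# Offline demo on the constructed log: prints "tun11", the interface the reflector
# would otherwise leak the LAN's mDNS records onto.
printf '%s\n' "$SAMPLE_LOG" | avahi_unexpected_ifaces "$TRUSTED_IFACES" ||
    echo "avahi joined an interface outside the allow list"
```

deny-interfaces= would work as well for a single known-bad interface, but an allow list fails closed: a new VPN client instance (tun12, tun13, ...) added later will not silently join the reflector.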
 
Just to be clear - you added both the allow-point-to-point option and the enable-reflector option?
Yes, I added it. Later I saw that my Home Assistant from one network saw devices in another network. Then I analyzed the traffic again and saw the necessary packets, the format of which was different from what I expected.

Code:
192.168.2.1.5353 > 224.0.0.251.5353: <...> (Cache flush) A 192.168.1.183, KD-43XD8305._androidtvremote2._tcp.local. <...>

In the end, two options helped - allow-point-to-point and enable-reflector. Thank you!
 