Avahi with Wireguard
Hi all,
Has anyone had success in getting mDNS to reflect onto a Wireguard interface (wg0) using Avahi? When Avahi starts, it binds to my ethernet adapter but Avahi doesn't bind to the wireguard interface.
In my config, I listed the wireguard interface in the allowed-interfaces. I set the allow_point_to_point flag to "yes."
I'm thinking that maybe it has to do with the check in "if_add_interface":
hw->flags_ok = (flags & IFF_UP) && (!m->server->config.use_iff_running || (flags & IFF_RUNNING)) && !(flags & IFF_LOOPBACK) && (flags & IFF_MULTICAST) && (m->server->config.allow_point_to_point || !(flags & IFF_POINTOPOINT));
Maybe the interface isn't set up with the multicast flag...
I would like Bonjour to work via my VPN so that my Apple Homekit works on my iPhone when I'm remote from my house and connected by Wireguard to my home network. Anyone get something like this to work?
i have the same question
I'd like this too
I got a bit closer. In my case on Ubuntu the interface did not have the multicast flag. Once I added that via `ifconfig wg0 multicast`, avahi did enable that interface. I was unable to get the traffic to work over wireguard however. I even tried setting one client IP to 224.0.0.251/32 to no avail. I believe wireguard is not multicast aware and would only work on one endpoint anyway.
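The flags_ok test quoted in the first post, ported to Python so it reports which sub-condition makes Avahi skip an interface. This is an added example, not part of the thread or of Avahi's source; the function names and the sample flags value are constructed for illustration, and the IFF_* values are the Linux constants.

```python
# Added example: Python port of the flags_ok test quoted from if_add_interface.
# Flag values are the Linux IFF_* constants from <linux/if.h>.
IFF_UP, IFF_LOOPBACK, IFF_POINTOPOINT = 0x1, 0x8, 0x10
IFF_RUNNING, IFF_MULTICAST = 0x40, 0x1000


def avahi_skip_reasons(flags, allow_point_to_point=False, use_iff_running=False):
    """Return the sub-conditions of flags_ok that fail (empty list = usable)."""
    reasons = []
    if not flags & IFF_UP:
        reasons.append("interface is not UP")
    if use_iff_running and not flags & IFF_RUNNING:
        reasons.append("use-iff-running=yes but RUNNING is not set")
    if flags & IFF_LOOPBACK:
        reasons.append("interface is LOOPBACK")
    if not flags & IFF_MULTICAST:
        reasons.append("MULTICAST flag is missing")
    if flags & IFF_POINTOPOINT and not allow_point_to_point:
        reasons.append("POINTOPOINT set but allow-point-to-point is not yes")
    return reasons


def read_flags(ifname):
    """Read the live flags word for an interface from sysfs (Linux only)."""
    with open(f"/sys/class/net/{ifname}/flags") as fh:
        return int(fh.read().strip(), 16)


# Constructed sample: UP | POINTOPOINT | NOARP (0x80), no MULTICAST.
WG_FLAGS_SAMPLE = 0x1 | 0x10 | 0x80

if __name__ == "__main__":
    import sys
    # With an interface name argument, check the live flags; otherwise the sample.
    flags = read_flags(sys.argv[1]) if len(sys.argv) > 1 else WG_FLAGS_SAMPLE
    for reason in avahi_skip_reasons(flags, allow_point_to_point=True) or ["flags_ok"]:
        print(reason)
```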
I was able to make it work by creating vxlans on each network and then added the bridge adapter to avahi and restarted it. I used this gist as a guide https://gist.github.com/pamolloy/f464c2b54af03c436491f42abf0bbff9
Would like to make the AirPrint (and maybe AirPlay) discovery possible through wireguard. Mainly to print on our network printer. I'm on Ubuntu 20.04 on a proxmox VM. Wireguard works as expected, routing is configured. I can reach the status site of the printer via VPN on iOS:

I have set the following flags in the avahi config; other flags are left unchanged.
[server]
allow-interfaces=eth0,wghub
allow-point-to-point=yes
[reflector]
enable-reflector=yes
#reflect-ipv=no
Furthermore I set multicast on the wghub device with `ip link set multicast on dev wghub`. That is probably the same as `ifconfig wghub multicast`.
The services show up with `avahi-browse --all`.
Here are some examples:
+ wghub IPv4 FireTV _googlecast._tcp local
+ eth0 IPv4 FireTV _googlecast._tcp local
+ wghub IPv6 Brother MFC-L3770CDW UNIX Printer local
+ wghub IPv4 Brother MFC-L3770CDW UNIX Printer local
+ eth0 IPv6 Brother MFC-L3770CDW UNIX Printer local
+ eth0 IPv4 Brother MFC-L3770CDW UNIX Printer local
+ wghub IPv6 Brother MFC-L3770CDW Internet Printer local
+ wghub IPv4 Brother MFC-L3770CDW Internet Printer local
+ eth0 IPv6 Brother MFC-L3770CDW Internet Printer local
+ eth0 IPv4 Brother MFC-L3770CDW Internet Printer local
+ wghub IPv6 Brother MFC-L3770CDW _scanner._tcp local
+ wghub IPv4 Brother MFC-L3770CDW _scanner._tcp local
+ eth0 IPv6 Brother MFC-L3770CDW _scanner._tcp local
+ eth0 IPv4 Brother MFC-L3770CDW _scanner._tcp local
+ wghub IPv6 Brother MFC-L3770CDW _privet._tcp local
+ wghub IPv4 Brother MFC-L3770CDW _privet._tcp local
+ eth0 IPv6 Brother MFC-L3770CDW _privet._tcp local
+ eth0 IPv4 Brother MFC-L3770CDW _privet._tcp local
+ wghub IPv6 Brother MFC-L3770CDW _uscan._tcp local
+ wghub IPv4 Brother MFC-L3770CDW _uscan._tcp local
+ eth0 IPv6 Brother MFC-L3770CDW _uscan._tcp local
+ eth0 IPv4 Brother MFC-L3770CDW _uscan._tcp local
+ wghub IPv6 Brother MFC-L3770CDW PDL Printer local
+ wghub IPv4 Brother MFC-L3770CDW PDL Printer local
+ eth0 IPv6 Brother MFC-L3770CDW PDL Printer local
+ eth0 IPv4 Brother MFC-L3770CDW PDL Printer local
+ wghub IPv6 Brother MFC-L3770CDW Web Site local
On an iPhone client no printer shows up while in the VPN. I have the following iptables rules set in wghub.conf.
(Hint: I have a native IPv6 connection but no public IPv4, so don't mind the tun0 device. It is just a tunneled public IPv4 from a provider.)
#eth0
PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
PostUp = iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
#tun0
PostUp = iptables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o tun0 -j TCPMSS --clamp-mss-to-pmtu
PostUp = ip6tables -t mangle -A POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o tun0 -j TCPMSS --clamp-mss-to-pmtu
PostUp = iptables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
PostUp = ip6tables -t nat -A POSTROUTING -o tun0 -j MASQUERADE
#forwarding on
PostUp = iptables -A FORWARD -i %i -j ACCEPT
PostUp = ip6tables -A FORWARD -i %i -j ACCEPT
#forwarding off
PostDown = iptables -D FORWARD -i %i -j ACCEPT
PostDown = ip6tables -D FORWARD -i %i -j ACCEPT
#eth0
PostDown = iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o eth0 -j TCPMSS --clamp-mss-to-pmtu
#tun0
PostDown = iptables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
PostDown = ip6tables -t nat -D POSTROUTING -o tun0 -j MASQUERADE
PostDown = iptables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o tun0 -j TCPMSS --clamp-mss-to-pmtu
PostDown = ip6tables -t mangle -D POSTROUTING -p tcp --tcp-flags SYN,RST SYN -o tun0 -j TCPMSS --clamp-mss-to-pmtu
PostUp = sysctl -q -w net.ipv4.ip_forward=1
PostUp = sysctl -q -w net.ipv6.conf.all.forwarding=1
PostDown = sysctl -q -w net.ipv4.ip_forward=0
PostDown = sysctl -q -w net.ipv6.conf.all.forwarding=0
@all Any hints how to debug?
@jasonehines Thanks for posting about the VXLAN. I can't imagine what you have done to make it work. Can you describe just a little bit more or give us a sample config?
Sorry, the mention was a mistake.
Any news about this? Is there any zeroconf way to make an mDNS query over Wireguard?
So far, following a reddit thread, I came to the same conclusion @elearningdienst did, setting the avahi-daemon.conf with those parameters and enabling MULTICAST in the network interface. However, from the other side of the tunnel, no package is being received.
Using tcpdump I have this info:
root@da5d68a844cd:/# tcpdump -i wg0 -vv
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
17:35:00.049002 IP (tos 0x0, ttl 255, id 15210, offset 0, flags [DF], proto UDP (17), length 74)
10.13.13.1.5353 > 224.0.0.251.5353: [bad udp cksum 0xf850 -> 0xa78d!] 0 PTR (QM)? _services._dns-sd._udp.local. (46)
17:35:01.050693 IP (tos 0x0, ttl 255, id 15392, offset 0, flags [DF], proto UDP (17), length 74)
10.13.13.1.5353 > 224.0.0.251.5353: [bad udp cksum 0xf850 -> 0xa78d!] 0 PTR (QM)? _services._dns-sd._udp.local. (46)
17:35:03.053284 IP (tos 0x0, ttl 255, id 15547, offset 0, flags [DF], proto UDP (17), length 74)
10.13.13.1.5353 > 224.0.0.251.5353: [bad udp cksum 0xf850 -> 0xa78d!] 0 PTR (QM)? _services._dns-sd._udp.local. (46)
17:35:07.058025 IP (tos 0x0, ttl 255, id 15906, offset 0, flags [DF], proto UDP (17), length 74)
10.13.13.1.5353 > 224.0.0.251.5353: [bad udp cksum 0xf850 -> 0xa78d!] 0 PTR (QM)? _services._dns-sd._udp.local. (46)
17:35:15.066559 IP (tos 0x0, ttl 255, id 16719, offset 0, flags [DF], proto UDP (17), length 74)
Should I expect Wireguard to know that the destination 224.0.0.251 must be routed through the tunnel? I'm not sure whether, by tweaking which IPs are allowed in the WG configuration, I can route the package through the appropriate network interface.
Wireguard in general does not support multicast traffic. Or, to be more precise: When a wireguard interface has more than one peer, multicast traffic going into that wireguard interface will be forwarded to at most one peer.
I (now successfully 🙂) set up avahi reflection for a site-to-site vpn connection with wireguard on two OpenWrt 21.02.1 routers:
- At both ends, a wireguard interface with only one peer each.
- Each peer has the mdns multicast addresses added to its `AllowedIps`: `224.0.0.251/32` and `ff02::fb/128` (allowing all IPs with `0.0.0.0/0` and `::0/0` should also work).
- Each peer has the addresses of the interface it connects to in its `AllowedIps`.
- Added the MULTICAST flag to both interfaces (`ip link set dev wg0 multicast on`) (although on OpenWrt this currently does not even seem to be necessary).
- Installed `avahi-dbus-daemon` on both OpenWrt routers.
- In the avahi config files (`/etc/avahi/avahi-daemon.conf`):
  - In the `[server]` section:
    - `allow-interfaces=br-lan,wg0` (optional)
    - `allow-point-to-point=yes`
  - In the `[reflector]` section:
    - `enable-reflector=yes`
After stopping the avahi-daemon with init.d (`/etc/init.d/avahi-daemon stop`) and running it manually, I get the following output:
root@openwrt:~# avahi-daemon --debug
avahi-daemon 0.8 starting up.
WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
No service file found in /etc/avahi/services.
Joining mDNS multicast group on interface wg0.IPv6 with address fd36:[...].
New relevant interface wg0.IPv6 for mDNS.
Joining mDNS multicast group on interface wg0.IPv4 with address 10.[...].
New relevant interface wg0.IPv4 for mDNS.
Joining mDNS multicast group on interface br-lan.IPv6 with address 2003:[...].
New relevant interface br-lan.IPv6 for mDNS.
Joining mDNS multicast group on interface br-lan.IPv4 with address 10.[...].
New relevant interface br-lan.IPv4 for mDNS.
Network interface enumeration completed.
Registering new address record for fd36:[...] on wg0.*.
Registering new address record for 10.[...] on wg0.IPv4.
Registering new address record for 2003:[...] on br-lan.*.
Registering new address record for fd36:[...] on br-lan.*.
Registering new address record for 10.[...] on br-lan.IPv4.
Registering HINFO record with values 'MIPS'/'LINUX'.
Server startup complete. Host name is openwrt-lengsdorf.local. Local service cookie is 1765[...].
~~However, trying to ping a .local address in the remote subnet from my local Windows machine's command-line fails with an error saying the host could not be found.~~
~~So next, I installed rpcapd on both OpenWrt boxes (`opkg install rpcapd`) and started it with `rpcapd -n`. Now with Wireguard I looked at the mdns traffic of the interfaces br-lan and wg0 on the local and the remote OpenWrt box. When repeating the ping from Windows, I see a "MDNS Standard query" packet pass all four interfaces, so it is correctly reflected twice, it does arrive in the remote network and is broadcasted there. The "MDNS Standard query response" follows immediately, and is reflected on the remote box from br-lan to wg0. It also arrives on the local box's wg0 interface, but it is not reflected from wg0 to br-lan on the local box. `avahi-daemon --debug` does not show any error messages or any related messages at all.~~
~~As far as I can tell, the only difference between the mdns packages arriving on br-lan (first reflection) and then wg0 (second reflection) is their source address. I have no idea why the reflection works on both hops for the query, but only on the first hop for the response. Is this maybe a bug related to https://github.com/lathiat/avahi/issues/30 or https://github.com/lathiat/avahi/issues/187?~~
Update: One of the OpenWrt boxes was misconfigured - it had another wireguard interface set up with conflicting routes. After removing that conflicting interface, avahi reflector now works as expected with the settings described above: packets are reflected from the first network to the wireguard link and from the wireguard link to the second network, and vice-versa. Name resolution of .local Domains works across subnets, VLC on Windows finds UPnP media devices across subnets, and Wireshark shows the packages travelling across subnets.
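A check for the AllowedIPs step in the setup above: it parses a WireGuard config and lists which peers carry the two mDNS multicast addresses, so a peer that is missing them, or more than one peer claiming them (the "at most one peer" limit mentioned above), is visible before debugging Avahi. This is an added example, not part of the original post; the sample config, its placeholder keys and the function names are constructed.

```python
import ipaddress

MDNS_GROUPS = ("224.0.0.251", "ff02::fb")  # mDNS multicast addresses from the post

# Constructed sample config; keys are placeholders, not real key material.
SAMPLE_CONF = """
[Interface]
Address = 10.13.13.1/24

[Peer]
PublicKey = PEER_A_PLACEHOLDER
AllowedIPs = 10.13.13.2/32, 224.0.0.251/32, ff02::fb/128

[Peer]
PublicKey = PEER_B_PLACEHOLDER
AllowedIPs = 10.13.13.3/32
"""


def parse_peers(conf_text):
    """Return {public_key: [ip_network, ...]} for every [Peer] section."""
    peers, current = {}, None
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            current = [] if line.lower() == "[peer]" else None
            continue
        if current is None or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() == "publickey":
            peers[value] = current
        elif key.lower() == "allowedips":
            current.extend(ipaddress.ip_network(v.strip(), strict=False)
                           for v in value.split(",") if v.strip())
    return peers


def mdns_coverage(conf_text):
    """Map each mDNS group to the peers whose AllowedIPs contain it."""
    peers = parse_peers(conf_text)
    result = {}
    for group in MDNS_GROUPS:
        addr = ipaddress.ip_address(group)
        result[group] = [k for k, nets in peers.items()
                         if any(addr.version == n.version and addr in n for n in nets)]
    return result
```

An empty list for a group means no peer will receive reflected mDNS for that address family. Listing only the two multicast addresses, rather than `0.0.0.0/0`, keeps the set of source addresses the peer is allowed to send from narrow.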
Just chiming in, I'd like to report that @skleeschulte's solution works perfectly for client-to-site VPN setups as well.
My usecase is for accessing services (web and ssh) on my home's LAN PCs from my laptop and phone (when outside of the LAN), connected through Wireguard VPN server located at that LAN (a raspberry pi, specifically).
Any solutions for when wireguard has more than 2 peers?
I would like to know if it is possible to make it work when you have a middle server like this:
Home1 WG client <-> Cloud WG server <-> Home2 WG client
…to access Home1 services on Home2 or vice versa.
I have it like that, you are going to need the mDNS Reflector in the "Cloud WG server" if you use two interfaces.
> I have it like that, you are going to need the mDNS Reflector in the "Cloud WG server" if you use two interfaces.

Which guide did you follow? You mean Avahi’s built-in reflector?
I use the mdns-repeater, actually: https://github.com/geekman/mdns-repeater
In my case I use the one on EdgeOS (Vyatta) on an EdgeRouter, but it should be easy to configure in any other Linux distro.
> I use the mdns-repeater, actually: https://github.com/geekman/mdns-repeater
> In my case I use the one on EdgeOS (Vyatta) on an EdgeRouter, but it should be easy to configure in any other Linux distro.

Instructions unclear, do you run this alongside avahi-daemon or instead of?