New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

I am hoping someone here will be able to help.

 

I have an L2TP/IPSEC VPN to my EdgeRouter Lite set up to allow me remote access to my network (10.0.0.0/16) from my Mac laptop. The network has a dynamic public IP which is mapped to a domain name.

 

The VPN works, and I can access all the devices on my network by IP address, but not via their hostnames. I am fairly sure this is because the mDNS multicast is not getting through the VPN tunnel to my Mac laptop on the other side.

 

I have tried turning on the mDNS reflector in the EdgeRouter but this doesn't seem to work and causes an ever increasing number to be appended to the hostnames on my Macs and AirPort Extreme wireless access point (which is in bridge mode). See forum post here.

 

Any help would be appreciated.

 

Below is my VPN configuration:

 

vpn {
    ipsec {
        auto-firewall-nat-exclude disable
        ipsec-interfaces {
            interface eth0
        }
        nat-networks {
            allowed-network 0.0.0.0/0 {
            }
        }
        nat-traversal enable
    }
    l2tp {
        remote-access {
            authentication {
                local-users {
                    username not telling {
                        password not telling
                    }
                }
                mode local
            }
            client-ip-pool {
                start 10.1.254.1
                stop 10.1.254.254
            }
            dhcp-interface eth0
            dns-servers {
                server-1 8.8.8.8
                server-2 8.8.4.4
            }
            ipsec-settings {
                authentication {
                    mode pre-shared-secret
                    pre-shared-secret "not telling"
                }
                ike-lifetime 3600
            }
            mtu 1492
        }
    }
}
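
A way to test the suspicion above from the laptop side, added here as an example and not the poster's own code: it builds a standard mDNS service-enumeration query, sends it out of the interface that owns a given source address, and counts who answers. The query is sent from an ephemeral port, so responders reply by unicast (RFC 6762 legacy-unicast behaviour); the 10.1.254.1 default is a placeholder taken from the client pool above, and the packet builder and parser are kept separate from the socket code so they can be exercised offline.

```python
# Added example (not from the thread): minimal mDNS probe to check whether
# multicast DNS answers come back over a given link. Builds a PTR query for
# _services._dns-sd._udp.local, sends it to 224.0.0.251:5353 via the interface
# owning source_ip, and reports responders. Packet code is testable offline.
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
SERVICES_NAME = "_services._dns-sd._udp.local"

def encode_name(name: str) -> bytes:
    """DNS wire-format name: length-prefixed labels, terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"

def build_ptr_query(name: str = SERVICES_NAME) -> bytes:
    # id=0, flags=0 (standard query), 1 question, 0 answer/authority/additional
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", 12, 1)  # QTYPE PTR, QCLASS IN

def answer_count(packet: bytes) -> int:
    """Number of answer RRs in a DNS packet; 0 for queries or truncated input."""
    if len(packet) < 12:
        return 0
    flags, _qdcount, ancount = struct.unpack("!HHH", packet[2:8])
    return ancount if flags & 0x8000 else 0  # QR bit set means response

def probe(source_ip: str, timeout: float = 2.0) -> dict:
    """Send one query out of the interface owning source_ip; map responder IP -> answers."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM, socket.IPPROTO_UDP)
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_IF, socket.inet_aton(source_ip))
    s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 255)  # mDNS uses TTL 255
    s.settimeout(timeout)
    s.sendto(build_ptr_query(), (MDNS_GROUP, MDNS_PORT))
    responders = {}
    try:
        while True:  # collect until the timeout fires
            data, (ip, _port) = s.recvfrom(9000)
            n = answer_count(data)
            if n:
                responders[ip] = responders.get(ip, 0) + n
    except socket.timeout:
        pass
    finally:
        s.close()
    return responders

if __name__ == "__main__":
    import sys
    src = sys.argv[1] if len(sys.argv) > 1 else "10.1.254.1"  # placeholder: your tunnel-side IP
    print(probe(src) or "no mDNS answers: multicast is not crossing this link")
```

Run it once with the LAN address while at home and once with the tunnel address while remote; an empty result on the tunnel while the LAN run lists responders confirms the multicast is being dropped by the link, not by the hosts.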

 

 

 

Member
Posts: 215
Registered: ‎11-26-2014
Kudos: 78
Solutions: 12

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Avahi ignores any point-to-point interfaces, e.g. tun0, by default.

 

You need to manually enable it via CLI:

sudo vi /etc/avahi/avahi-daemon.conf

There you can prevent Avahi from ignoring your interface:

allow-point-to-point=yes

Don't forget to uncomment the line if necessary.

I guess you should then create a list of allowed/denied interfaces to prevent access over other interfaces like PPPoE:

allow-interfaces=eth2,eth3.12
deny-interfaces=pppoe0,eth1

 

I guess this could solve your problem. If not, you can find the manpage for Avahi for further information here.
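To see which interfaces a given avahi-daemon.conf would actually serve before restarting the daemon, here is an added example (not from the thread and not part of Avahi) that models the [server] option semantics from avahi-daemon.conf(5): deny-interfaces wins over allow-interfaces, an empty allow list means every non-loopback, non-point-to-point interface, and point-to-point interfaces are only used with allow-point-to-point=yes. The interface names (eth0, eth1, l2tp0, pppoe0) and their flags are constructed sample data.

```python
# Added example (not from the thread): models avahi-daemon's interface
# selection from the [server] options discussed above, so a tunnel interface
# can be checked against a config before restarting the daemon.
import configparser
from dataclasses import dataclass

@dataclass(frozen=True)
class Iface:
    name: str
    loopback: bool = False
    point_to_point: bool = False  # l2tp/ppp/tun style links

def parse_server_options(conf_text: str) -> dict:
    """Read allow/deny lists and the point-to-point flag from the [server] section."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    opts = dict(cp["server"]) if cp.has_section("server") else {}
    def csv(key):
        return {n.strip() for n in opts.get(key, "").split(",") if n.strip()}
    return {
        "allow": csv("allow-interfaces"),
        "deny": csv("deny-interfaces"),
        "p2p": opts.get("allow-point-to-point", "no").strip().lower() == "yes",
    }

def served(iface: Iface, opts: dict) -> bool:
    """True if avahi would announce/reflect on this interface (per the man page)."""
    if iface.loopback or iface.name in opts["deny"]:   # deny takes precedence
        return False
    if iface.point_to_point and not opts["p2p"]:       # p2p ignored by default
        return False
    return not opts["allow"] or iface.name in opts["allow"]

def served_interfaces(conf_text: str, ifaces) -> list:
    opts = parse_server_options(conf_text)
    return [i.name for i in ifaces if served(i, opts)]

# Constructed samples: a stock config leaves p2p off; the fixed one enables it
# and restricts Avahi to the LAN and the tunnel while excluding PPPoE.
STOCK_CONF = "[server]\nuse-ipv4=yes\n#allow-point-to-point=no\n"
FIXED_CONF = ("[server]\nallow-point-to-point=yes\n"
              "allow-interfaces=eth1,l2tp0\ndeny-interfaces=pppoe0\n")
SAMPLE_IFACES = [Iface("lo", loopback=True), Iface("eth0"), Iface("eth1"),
                 Iface("l2tp0", point_to_point=True),
                 Iface("pppoe0", point_to_point=True)]

if __name__ == "__main__":
    print("stock:", served_interfaces(STOCK_CONF, SAMPLE_IFACES))  # ['eth0', 'eth1']
    print("fixed:", served_interfaces(FIXED_CONF, SAMPLE_IFACES))  # ['eth1', 'l2tp0']
```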

New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Thanks for taking a stab at solving this. Unfortunately this didn't work. mDNS multicasts still don't get to the other end of the VPN tunnel. Although your solution to the hostname change problem on the other thread did solve that issue.

 

Doing some research, I might need to set up the VPN as a bridge. I have a vague idea how to do that with OpenVPN but not with L2TP. Looks like if I want to get this working I will need to do more research.

 

Thanks again for your help so far.

Member
Posts: 215
Registered: ‎11-26-2014
Kudos: 78
Solutions: 12

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Well, does L2TP on the EdgeRouter support multicast? This is the way mDNS/Bonjour information is exchanged, even between Avahi and a client (Avahi then only broadcasts the information on another subnet via multicast).

 

It seems the RFC 4045 extension for L2TP is necessary to make this approach work. I have no idea if the software used supports this, and then if and how it can be activated.

New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Good point. Does anyone know if RFC 4045 extensions are supported?

New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

I am thinking that an OpenVPN tap server might do the trick. But I need to figure out how to set this up. Most of the guides I have found (e.g. here) are for tun devices.

 

Also there is a potential performance issue, since OpenVPN is much slower than L2TP/IPSEC.

 

More investigating.

SuperUser
Posts: 20,402
Registered: ‎09-17-2013
Kudos: 5142
Solutions: 1458

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Yeah, it's a "performance issue" ... but if you're talking a residential environment you probably won't notice the difference.

 

Swapping OpenVPN to tap is pretty easy.

 

Instead of using "dev tun" in the server.conf (and in the relevant remote host config(s)), set it up as "dev tap". You'll need to then create routes (and/or a bridge) between the two networks.

New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Thanks for all the help.

 

I have had some issues getting the bridge up and running (I can't add vtun0 to the br0 bridge) but I'll figure out why eventually.

 

[ interfaces openvpn vtun0 ]
can't add vtun0 to bridge br0: Operation not supported
Error adding interface vtun0 to bridge br0

Commit failed

Member
Posts: 215
Registered: ‎11-26-2014
Kudos: 78
Solutions: 12

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Could you post the relevant parts of your config, so your bridge configuration and OpenVPN configuration? Maybe the subnets don't match or something like that.

New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Hmm, not sure how since I am unable to commit and save the config. I am still new to this router. One of the (eventually) nice things about a router like the EdgeRouter Lite that forces you to manually set everything up is that it forces you to learn a lot. Unfortunately this takes time.

 

 

I am following the instructions here, replacing the subnet of 192.168.1.0/24 with 10.0.0.0/16 (which is my subnet).

 

 

Member
Posts: 215
Registered: ‎11-26-2014
Kudos: 78
Solutions: 12

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Did you set up the bridge before? Sometimes, the configuration CLI is a bit 'stupid' and doesn't get the order of changes right - maybe you just have to create the bridge interface and tunnel first, commit, and then make the tunnel part of the bridge, commit, save.

New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

I ran into that issue. So I created the bridge and added eth1 (my local network) to the bridge. That works fine, but when I then try to add vtun0 to the already existing bridge I run into issues.

Senior Member
Posts: 3,146
Registered: ‎05-19-2013
Kudos: 1345
Solutions: 30

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

This discussion seems to be similar to what I am trying to achieve, though with a slight difference on the VPN tunnel (IPSec site-to-site with VTI).

I am trying to get 'mDNS Reflector' to work across IPSec site-to-site tunnels with VTI interfaces. Has anyone had success using it with VTI?

Senior Member
Posts: 3,146
Registered: ‎05-19-2013
Kudos: 1345
Solutions: 30

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

@UBNT-ancheng

 

Is there a possibility to include in a future roadmap opening up "options" for the mDNS reflector so that we can configure additional parameters such as those below?

 

  • allow-interfaces
  • allow-point-to-point
  • deny-interfaces
  • use-ipv6

 

http://linux.die.net/man/5/avahi-daemon.conf

Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5473
Solutions: 1656
Contributions: 2

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel


chaicka wrote:

Is there a possibility to include in a future roadmap opening up "options" for the mDNS reflector so that we can configure additional parameters such as those below?

 

  • allow-interfaces
  • allow-point-to-point
  • deny-interfaces
  • use-ipv6

Yeah, the interface options for Avahi have been discussed before, and we can look into the other options as well. Thanks for the feedback.

New Member
Posts: 33
Registered: ‎12-23-2014
Kudos: 7

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

This solved the issue.

 

OpenVPN tap seems to be working well and it allows mDNS to work while I am outside my home network.

 

 

New Member
Posts: 14
Registered: ‎05-17-2016

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Did anyone ever find or implement a solution to doing this over L2TP/IPSEC?

Emerging Member
Posts: 65
Registered: ‎09-21-2016
Kudos: 6
Solutions: 1

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

I'm also interested in this, and especially if this can be set in bridge mode, since I believe if we are in the same subnet there will be no problems for mDNS multicast to traverse back and forth.

New Member
Posts: 4
Registered: ‎11-26-2017

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Same situation here. I just bought my first Ubiquiti router (ER-X). I have the dDNS working w/ NoIP and have the L2TP/IPSEC VPN configured and working. I can ping internal LAN IPs, SSH to the router and connect to IP addresses inside my network, but I'm not able to browse devices from my Mac with Bonjour. I'd rather not switch to OpenVPN at this point if possible.

 

Thanks!

New Member
Posts: 2
Registered: ‎09-18-2017

Re: mDNS/Bonjour over L2TP/IPSEC remotes access tunnel

Same here. Pings to static IPs work, but Bonjour discovery won't flow over the VPN.