Enable AirPlay via WireGuard server

Hey there

I have recently been successful in enabling remote WireGuard access to my network with some help here. Now I plan to only use WireGuard via the mobile network to have VPN and home network access from anywhere on my mobile device. I have a nice stereo setup in my living room with an RPi4B that runs Moode Spotify with a DAC and two nice KEF LS50 loudspeakers. I listen to music via Spotify here. I have an Android device, my wife has an iPhone...

I somehow just managed to enable my Android phone to remote control the stereo via Spotify Connect using the WireGuard tunnel after configuring the Avahi daemon in OpenWrt and allowing the ports to be forwarded... Honestly, I can't tell what exactly did the trick, but it works like a charm! Unfortunately, I'm failing to make my wife's iPhone remote control the stereo via AirPlay.
Here is what my system looks like:

ubus call system board
{
"kernel": "5.15.167",
"hostname": "OpenWrt",
"system": "ARMv7 Processor rev 1 (v7l)",
"model": "Linksys WRT3200ACM",
"board_name": "linksys,wrt3200acm",
"rootfs_type": "squashfs",
"release": {
"distribution": "OpenWrt",
"version": "23.05.5",
"revision": "r24106-10cc5fcd00",
"target": "mvebu/cortexa9",
"description": "OpenWrt 23.05.5 r24106-10cc5fcd00"

root@OpenWrt:~# cat /etc/config/network

config interface 'loopback'
	option device 'lo'
	option proto 'static'
	option ipaddr '127.0.0.1'
	option netmask '255.0.0.0'

config globals 'globals'
	option ula_prefix 'fd7f:0959:af62::/48'

config device
	option name 'br-lan'
	option type 'bridge'
	list ports 'lan1'
	list ports 'lan2'
	list ports 'lan3'
	list ports 'lan4'

config interface 'lan'
	option device 'br-lan'
	option proto 'static'
	option ipaddr '192.168.3.1'
	option netmask '255.255.255.0'
	option ip6assign '60'

config device
	option name 'wan'
	option macaddr 'xxxxxxxxxxxxxx'

config interface 'wan'
	option device 'wan'
	option proto 'dhcp'
	option peerdns '0'
	list dns '194.242.2.3'
	list dns '194.242.2.9'
	list dns '103.86.96.100'

config interface 'OPENVPN'
	option proto 'none'
	option device 'tun0'

config interface 'wgserver'
	option proto 'wireguard'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option listen_port '55443'
	list addresses '172.22.22.1/24'

config wireguard_wgserver
	option description 'Husband'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option route_allowed_ips '1'
	option endpoint_port '55443'
	option persistent_keepalive '24'
	list allowed_ips '172.22.22.2/32'

config wireguard_wgserver
	option description 'Wife'
	option public_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	option private_key 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
	list allowed_ips '172.22.22.3/32'
	option route_allowed_ips '1'
	option endpoint_port '55443'

root@OpenWrt:~# cat /etc/config/firewall

config defaults
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option synflood_protect '1'

config zone
	option name 'lan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'lan'

config zone
	option name 'wan'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list network 'wan'

config rule
	option name 'Allow-DHCP-Renew'
	option src 'wan'
	option proto 'udp'
	option dest_port '68'
	option target 'ACCEPT'
	option family 'ipv4'

config rule
	option name 'Allow-Ping'
	option src 'wan'
	option proto 'icmp'
	option icmp_type 'echo-request'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-IGMP'
	option src 'wan'
	option proto 'igmp'
	option family 'ipv4'
	option target 'ACCEPT'

config rule
	option name 'Allow-DHCPv6'
	option src 'wan'
	option proto 'udp'
	option dest_port '546'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-MLD'
	option src 'wan'
	option proto 'icmp'
	option src_ip 'fe80::/10'
	list icmp_type '130/0'
	list icmp_type '131/0'
	list icmp_type '132/0'
	list icmp_type '143/0'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Input'
	option src 'wan'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	list icmp_type 'router-solicitation'
	list icmp_type 'neighbour-solicitation'
	list icmp_type 'router-advertisement'
	list icmp_type 'neighbour-advertisement'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-ICMPv6-Forward'
	option src 'wan'
	option dest '*'
	option proto 'icmp'
	list icmp_type 'echo-request'
	list icmp_type 'echo-reply'
	list icmp_type 'destination-unreachable'
	list icmp_type 'packet-too-big'
	list icmp_type 'time-exceeded'
	list icmp_type 'bad-header'
	list icmp_type 'unknown-header-type'
	option limit '1000/sec'
	option family 'ipv6'
	option target 'ACCEPT'

config rule
	option name 'Allow-IPSec-ESP'
	option src 'wan'
	option dest 'lan'
	option proto 'esp'
	option target 'ACCEPT'

config rule
	option name 'Allow-ISAKMP'
	option src 'wan'
	option dest 'lan'
	option dest_port '500'
	option proto 'udp'
	option target 'ACCEPT'

config zone
	option name 'OpenVPN'
	option input 'REJECT'
	option output 'ACCEPT'
	option forward 'REJECT'
	option masq '1'
	option mtu_fix '1'
	list device 'tun+'

config forwarding
	option src 'lan'
	option dest 'OpenVPN'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Force DNS'
	option src 'wan'
	option src_dport '53'
	option dest_port '53'

config rule
	option name 'Allow-55443'
	list proto 'udp'
	option src 'wan'
	option dest_port '55443'
	option target 'ACCEPT'

config nat
	option name 'SNAT-WGserver'
	list proto 'all'
	option src 'lan'
	option src_ip '172.22.22.0/24'
	option target 'MASQUERADE'

config include 'pbr'
	option fw4_compatible '1'
	option type 'script'
	option path '/usr/share/pbr/firewall.include'

config zone
	option name 'wgserver'
	option input 'ACCEPT'
	option output 'ACCEPT'
	option forward 'ACCEPT'
	list network 'wgserver'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config forwarding
	option src 'lan'
	option dest 'wgserver'

config forwarding
	option src 'wgserver'
	option dest 'wan'

config forwarding
	option src 'wgserver'
	option dest 'OpenVPN'

config forwarding
	option src 'wgserver'
	option dest 'lan'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'Spotify Connect'
	option src 'wan'
	option src_dport '4070'
	option dest_ip '192.168.3.141' ---- IP of RBP with Moode Audio
	option dest_port '4070'

config rule
	option name 'Allow-mDNS-AirPlay'
	option src 'wgserver'
	option dest 'lan'
	option proto 'udp'
	option dest_port '5353'
	option target 'ACCEPT'

config rule
	option name 'Allow-AirPlay-UDP'
	option src 'wgserver'
	option dest 'lan'
	option proto 'udp'
	option dest_port '7000-7100'
	option target 'ACCEPT'

config rule
	option name 'Allow-AirPlay-TCP'
	option src 'wgserver'
	option dest 'lan'
	option proto 'tcp'
	option dest_port '3689 5005'
	option target 'ACCEPT'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option src 'wan'
	option src_dport '3689'
	option dest_ip '192.168.3.141'
	option dest_port '3689'
	option name 'Airplay'
	list proto 'tcp'

config redirect
	option dest 'lan'
	option target 'DNAT'
	option name 'AP'
	list proto 'udp'
	option src 'wan'
	option src_dport '5353'
	option dest_ip '192.168.3.141'
	option dest_port '5353'

root@OpenWrt:~# cat /etc/avahi/avahi-daemon.conf
[server]
allow-interfaces=br-lan,wgserver
use-ipv4=yes
use-ipv6=no
check-response-ttl=no
enable-dbus=no

[publish]
publish-addresses=yes
publish-hinfo=no
publish-workstation=no
publish-domain=yes
publish-aaaa-on-ipv4=no

[reflector]
enable-reflector=yes
reflect-ipv=yes
reflect-filters=_spotify-connect._tcp

[rlimits]
#rlimit-as=
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=30
rlimit-stack=4194304
rlimit-nproc=3

Any idea how I can make AirPlay remote control Spotify on the stereo?

Thanks in advance for your help :stuck_out_tongue:

You will need to enable multicast support on the tunnel and LAN interfaces and relay discovery packets using Avahi reflector mode. tcpdump and Google help.

... or just switch over to OpenVPN Ethernet bridge mode.

TAP mode OpenVPN tunnels are not supported on iOS or Android. And, I seem to remember seeing something about it being deprecated in OpenVPN in general, but I could be wrong. But I am certain about the lack of mobile support for TAP.

Edit: OpenVPN 3 dropped support for TAP. But 2.x still works (24.10.0 uses OpenVPN 2.6.12-r1). The problem is on the phone OSes, though, as TAP is not supported there.

True, they never supported it. I wasn't reading carefully enough to notice that the OP is planning to use it from his phone.


I tried, but I'm not a coder. I know basic commands on OpenWrt and Linux.

I tried this:

config interface 'lan'
    option device 'br-lan'
    option proto 'static'
    option ipaddr '192.168.3.1'
    option netmask '255.255.255.0'
    option ip6assign '60'
    option igmp_snooping '1'
    option multicast '1'

and to add this firewall rule 

config rule
    option name 'Allow-Multicast'
    option src 'wgserver'
    option dest 'lan'
    option proto 'igmp'
    option target 'ACCEPT'

In an attempt to enable multicast support on the tunnel and LAN interfaces and relay discovery packets using Avahi reflector mode.

But the iPhone won't discover the stereo.

Disable IGMP snooping. Nobody ever told you to set it.
It reduces multicast reach. Also, you can tcpdump UDP port 5353 to see what's on the wire.

I did now... But it still won't work, and I also realized that it breaks the internet connectivity of the devices that are connected by Ethernet and Wi-Fi. The devices connected by WireGuard have internet, but with my ISP IP, not via the VPN.

Maybe AirPlay uses DLNA/SSDP for discovery?

In which case you need something like SMCRoute?

I checked... It apparently uses Bonjour and needs multicast DNS :confused:
And it somehow breaks the network connection of my Ethernet and WLAN devices if I start it as described above.

Bonjour is mDNS/Avahi, so that should work in theory.

Does nobody have an idea of how I can fix this?

Start by providing more detailed diagnostics. Kind of my internet is fine.

Indeed, avahi-dbus-daemon should work. In the config file, select the right interfaces and set the reflector to true.


Oh, you may need to allow access to the router for the various interfaces, e.g.


If you don't, then there is no way for the router to "reflect" the packets.

root@OpenWrt:~# timeout 60s tcpdump -i any -n -vv -s 0 port 5353
-ash: timeout: not found
root@OpenWrt:~# nano ~/.bashrc
root@OpenWrt:~# nano ~/.bashrc
root@OpenWrt:~# nano ~/.profile
root@OpenWrt:~# source ~/.profile
root@OpenWrt:~# timeout 60 tcpdump -i any -n -vv -s 0 port 5353
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

0 packets captured
6 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~# 
[1]+  Done                       "${@}"
root@OpenWrt:~# timeout 60 tcpdump -i any -n -vv -s 0 port 3689
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

0 packets captured
3 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~# 
[1]+  Done                       "${@}"
root@OpenWrt:~# timeout 60 tcpdump -i any -n -vv -s 0 portrange 7000-7100
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes

0 packets captured
4 packets received by filter
0 packets dropped by kernel
root@OpenWrt:~# 
[1]+  Done                       "${@}"

Did I mention that it works when she exits the WireGuard tunnel and uses Wi-Fi instead?

I did all this:

Unless the AirPlay device actually runs on the router, you need to adjust your firewall rules: it needs to be a forward rule (the Avahi rule is an accept rule, though). You can also check with an Avahi tools app whether the multicast gets reflected.

You can store pcap files

tcpdump -c 1000 -w /tmp/some.pcap port 5353

then look into them with Wireshark.

root@OpenWrt:~# tcpdump -c 1000 -w /tmp/some.pcap port 5353
tcpdump: Marvell EDSA link-layer type filtering not implemented

Then I tried from my Android phone using the WireGuard connection and searched repeatedly for AirPlay devices with the iPhone:

root@OpenWrt:~# timeout 60 tcpdump -i any -n -vv -s 0 -w /tmp/all.pcap port 5353
tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
15 packets captured
18 packets received by filter
0 packets dropped by kernel

Not sure why you won't follow my advice, so one last try: check the system log for Avahi info messages etc., and try running avahi-browse -a -r from a device on the tunnel.