SSDP multicast routing over VPN connection

Hello,
I am a very new user of OpenWrt and I need a helping hand here. I hope that someone can have a look at what I am trying to achieve: routing SSDP multicast packets over a VPN connection to a client that is connected. The VPN is established using WireGuard, as it is simple to configure. My setup is as follows:

|-------------|	192.168.1.114       192.168.1.1|-----------------| Public IP    |------------|
|DLNA Device  |--------------------------------|OpenWrt Router	 |--------------|VPN Client  |
|-------------|                         br-lan |-----------------| wg0          |------------|

The DLNA device has the IP 192.168.1.114. It sends SSDP Notify packets at regular intervals.
The router runs OpenWrt 18.06. Interface br-lan has 192.168.1.1 and is connected to the network of the DLNA device.
The Road Warrior client connects to the Public IP of the OpenWrt router over interface wg0. It has an internal IP of 192.168.50.11, and wg0 has address 192.168.50.10. Unicast routing works without problems.

What I am trying to achieve is for SSDP Notify packets that originate from the DLNA device to also be received on the Road Warrior client when it is connected.

For this purpose, after a lot of reading, I came to the conclusion that I should use some kind of multicast routing. I searched for possibilities and found smcroute. Below is the configuration of /etc/smcroute.conf:

mgroup from br-lan group 239.255.255.250
mroute from br-lan group 239.255.255.250 source 192.168.1.114 to wg0

mgroup from wg0 group 239.255.255.250
mroute from wg0 group 239.255.255.250 to br-lan

Upon launching smcroute I can see that the mroute table gets entries:

root@LEDEF4:~# ip -s mroute
(192.168.50.11, 239.255.255.250) Iif: wg0        Oifs: br-lan  State: resolved
  294 packets, 79896 bytes, Age 2753.47
(192.168.1.114, 239.255.255.250) Iif: br-lan     Oifs: wg0  State: resolved
  1728 packets, 644352 bytes, Age   14.24

I can also see with tcpdump that the packets arrive on the wg0 interface, but they are not routed, because I do not see them on the other side of the tunnel on the client machine.

root@LEDEF4:~# tcpdump -i wg0 -v -n port 1900
tcpdump: listening on wg0, link-type RAW (Raw IP), capture size 262144 bytes
16:25:00.524352 IP (tos 0x0, ttl 3, id 42891, offset 0, flags [DF], proto UDP (17), length 345)
    192.168.1.114.1900 > 239.255.255.250.1900: UDP, length 317
16:25:00.580875 IP (tos 0x0, ttl 3, id 42892, offset 0, flags [DF], proto UDP (17), length 336)

Just for reference, here is my ifconfig:

root@LEDEF4:~# ifconfig
br-lan    Link encap:Ethernet  HWaddr A4:2B:B0:DE:77:D7
          inet addr:192.168.1.1  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::a62b:b0ff:fede:77d7/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:491890 errors:0 dropped:0 overruns:0 frame:0
          TX packets:384645 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:371136583 (353.9 MiB)  TX bytes:51713146 (49.3 MiB)

eth0      Link encap:Ethernet  HWaddr 00:1C:F0:48:99:69
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:48929695 errors:0 dropped:10 overruns:0 frame:0
          TX packets:67302376 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2815880506 (2.6 GiB)  TX bytes:2962106946 (2.7 GiB)
          Interrupt:4

eth1      Link encap:Ethernet  HWaddr A4:2B:B0:DE:77:D7
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:83968656 errors:0 dropped:0 overruns:0 frame:0
          TX packets:43463802 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1989421149 (1.8 GiB)  TX bytes:201089548 (191.7 MiB)
          Interrupt:5

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:10485 errors:0 dropped:0 overruns:0 frame:0
          TX packets:10485 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:1138547 (1.0 MiB)  TX bytes:1138547 (1.0 MiB)

pppoe-wan Link encap:Point-to-Point Protocol
          inet addr:94.236.128.87  P-t-P:91.193.156.96  Mask:255.255.255.255
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1492  Metric:1
          RX packets:378014 errors:0 dropped:0 overruns:0 frame:0
          TX packets:483517 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:3
          RX bytes:47533006 (45.3 MiB)  TX bytes:372008891 (354.7 MiB)

tun0      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:10.8.0.1  P-t-P:10.8.0.1  Mask:255.255.255.0
          inet6 addr: fe80::335a:61b:a4e5:600e/64 Scope:Link
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:14 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:100
          RX bytes:0 (0.0 B)  TX bytes:704 (704.0 B)

wg0       Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          inet addr:192.168.50.10  P-t-P:192.168.50.10  Mask:255.255.255.0
          UP POINTOPOINT RUNNING NOARP MULTICAST  MTU:1420  Metric:1
          RX packets:351 errors:0 dropped:0 overruns:0 frame:0
          TX packets:605 errors:1046 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1
          RX bytes:72592 (70.8 KiB)  TX bytes:105888 (103.4 KiB)

wlan0     Link encap:Ethernet  HWaddr A4:2B:B0:DE:77:D5
          inet6 addr: fe80::a62b:b0ff:fede:77d5/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:18507 errors:0 dropped:0 overruns:0 frame:0
          TX packets:26295 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:2991145 (2.8 MiB)  TX bytes:13487988 (12.8 MiB)

wlan1     Link encap:Ethernet  HWaddr A4:2B:B0:DE:77:D6
          inet6 addr: fe80::a62b:b0ff:fede:77d6/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:4566 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:0 (0.0 B)  TX bytes:1208493 (1.1 MiB)

And here is my /etc/config/firewall:

root@LEDEF4:~# cat /etc/config/firewall

config defaults
        option syn_flood '1'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'

config zone
        option name 'lan'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option network 'lan'

config zone
        option name 'wan'
        option input 'REJECT'
        option output 'ACCEPT'
        option forward 'REJECT'
        option masq '1'
        option mtu_fix '1'
        option network 'wan wan6'

config rule
        option name 'Allow-DHCP-Renew'
        option proto 'udp'
        option dest_port '68'
        option target 'ACCEPT'
        option family 'ipv4'
        option src 'lan'

config rule
        option name 'Allow-Ping'
        option src 'wan'
        option proto 'icmp'
        option icmp_type 'echo-request'
        option family 'ipv4'
        option target 'ACCEPT'

config rule
        option name 'Allow-IGMP'
        option src 'wan'
        option proto 'igmp'
        option family 'ipv4'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-DHCPv6'
        option src 'wan'
        option proto 'udp'
        option src_ip 'fc00::/6'
        option dest_ip 'fc00::/6'
        option dest_port '546'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-MLD'
        option src 'wan'
        option proto 'icmp'
        option src_ip 'fe80::/10'
        list icmp_type '130/0'
        list icmp_type '131/0'
        list icmp_type '132/0'
        list icmp_type '143/0'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Input'
        option src 'wan'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        list icmp_type 'router-solicitation'
        list icmp_type 'neighbour-solicitation'
        list icmp_type 'router-advertisement'
        list icmp_type 'neighbour-advertisement'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ICMPv6-Forward'
        option src 'wan'
        option dest '*'
        option proto 'icmp'
        list icmp_type 'echo-request'
        list icmp_type 'echo-reply'
        list icmp_type 'destination-unreachable'
        list icmp_type 'packet-too-big'
        list icmp_type 'time-exceeded'
        list icmp_type 'bad-header'
        list icmp_type 'unknown-header-type'
        option limit '1000/sec'
        option family 'ipv6'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-IPSec-ESP'
        option src 'wan'
        option dest 'lan'
        option proto 'esp'
        option target 'ACCEPT'
        option enabled '0'

config rule
        option name 'Allow-ISAKMP'
        option src 'wan'
        option dest 'lan'
        option dest_port '500'
        option proto 'udp'
        option target 'ACCEPT'
        option enabled '0'

config include
        option path '/etc/firewall.user'

config forwarding
        option dest 'wan'
        option src 'lan'

config rule
        option target 'ACCEPT'
        option src 'wan'
        option proto 'udp'
        option dest_port '4500'
        option name 'WG_VPN'
        option family 'ipv4'

config zone
        option name 'WireGuard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wg0'
        option family 'ipv4'
        option forward 'REJECT'

config forwarding
        option dest 'lan'
        option src 'WireGuard'

config forwarding
        option dest 'WireGuard'
        option src 'lan'

I think what you want may not actually be possible, as it is likely DLNA is using a TTL of 1, which AIUI makes it link-local unless you had some sort of reflector (kind of like what is required for mDNS for similar reasons).

Thanks for the answer. I understand what you mean. The TTL in the packet is 3, as can be seen from tcpdump.

Ah, sorry, missed the TTL in tcpdump.

Have you assigned a firewall zone to wg0 and allowed the necessary things there? It doesn't look like it from the snippets you show. Since you seem to be using WireGuard, you can probably add the WireGuard 'interface' section's name to the lan zone.

I have assigned a firewall zone:

config zone
        option name 'WireGuard'
        option input 'ACCEPT'
        option output 'ACCEPT'
        option network 'wg0'
        option family 'ipv4'
        option forward 'REJECT'

config forwarding
        option dest 'lan'
        option src 'WireGuard'

config forwarding
        option dest 'WireGuard'
        option src 'lan'

I am wondering if something like relayd could help me, but I am not sure how to configure it in my case. Or maybe use L2TP?

I think

option network `wg0`

is probably wrong unless you named

config interface wg0
  ...

for your WireGuard interface. If not, the network should be the name of the interface section, OR you should have:

option device `wg0`

It seems that the configuration actually works. The problem, however, is how the software performs the DLNA device discovery. It is discussed in more detail here: KODI UPNP.
Finally I gave up on DLNA and started using WebDAV.
@cshoredaniel Thanks a lot for your help.

Ah, yeah, I thought it was a tap interface, not a tun interface.

Here's my working smcroute.conf used to send SSDP through OpenVPN/IPsec:

mroute from tun0 group 239.255.255.250 to br-lan
mroute from tun1 group 239.255.255.250 to br-lan
mroute from eth0.2 group 239.255.255.250 to br-lan

SSDP packets need to have a TTL of at least 2 in order for multicast routing to work, which is achieved like this:

iptables -t mangle -A PREROUTING -d 239.255.255.250 -j TTL --ttl-inc 1

With this I am able to see Plex and Kodi UPnP/DLNA services on my iOS devices connected with either OpenVPN or strongSwan.
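As an added check that is not part of this thread: a small Python script that parses `tcpdump -v -n port 1900` output (the two header lines quoted earlier in the thread, plus a constructed TTL-1 NOTIFY) and reports which SSDP packets a multicast router such as smcroute can forward at all, with an optional model of the `--ttl-inc` mangle rule above. The sample capture and the 192.168.1.50 sender are constructed.

```python
import re

# Constructed sample in `tcpdump -v -n port 1900` format: the first two packets
# mirror the ones quoted in the thread (TTL 3); the third is a made-up TTL-1 NOTIFY.
SAMPLE = """\
16:25:00.524352 IP (tos 0x0, ttl 3, id 42891, offset 0, flags [DF], proto UDP (17), length 345)
    192.168.1.114.1900 > 239.255.255.250.1900: UDP, length 317
16:25:00.580875 IP (tos 0x0, ttl 3, id 42892, offset 0, flags [DF], proto UDP (17), length 336)
    192.168.1.114.1900 > 239.255.255.250.1900: UDP, length 308
16:25:01.102233 IP (tos 0x0, ttl 1, id 42893, offset 0, flags [DF], proto UDP (17), length 345)
    192.168.1.50.1900 > 239.255.255.250.1900: UDP, length 317
"""

HDR = re.compile(r"^(?P<ts>\S+) IP \(tos \S+, ttl (?P<ttl>\d+), id \d+, .*\)$")
FLOW = re.compile(r"^\s+(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): UDP")


def is_multicast(addr):
    """224.0.0.0/4 is the IPv4 multicast range."""
    return 224 <= int(addr.split(".")[0]) <= 239


def parse_tcpdump(text):
    """Pair each 'IP (...)' header line with the flow line that follows it."""
    lines = text.splitlines()
    pkts = []
    for i in range(len(lines) - 1):
        h, f = HDR.match(lines[i]), FLOW.match(lines[i + 1])
        if h and f:
            pkts.append({"ts": h["ts"], "ttl": int(h["ttl"]), "src": f["src"],
                         "dst": f["dst"], "dport": int(f["dport"])})
    return pkts


def routable_ssdp(pkts, ttl_inc=0):
    """For every SSDP packet sent to a multicast group, decide whether a multicast
    router may forward it: it must arrive with TTL > 1, since the router decrements
    the TTL before re-sending. ttl_inc models the 'iptables -t mangle ... -j TTL
    --ttl-inc N' rule, which runs in PREROUTING, i.e. before the forwarding decision."""
    out = []
    for p in pkts:
        if p["dport"] != 1900 or not is_multicast(p["dst"]):
            continue
        ttl = min(p["ttl"] + ttl_inc, 255)
        out.append({"src": p["src"], "ttl_seen": p["ttl"],
                    "ttl_after_mangle": ttl, "forwarded": ttl > 1})
    return out


if __name__ == "__main__":
    for row in routable_ssdp(parse_tcpdump(SAMPLE)):
        print(row)
    # With the TTL-increment rule, the TTL-1 packet becomes forwardable as well.
    print(routable_ssdp(parse_tcpdump(SAMPLE), ttl_inc=1)[-1]["forwarded"])
```

Running it against a capture taken on the ingress interface (br-lan or wg0) tells you whether the packets a router never forwards were dropped by the TTL check rather than by the firewall or a missing mroute.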

That makes sense; it was the TTL. The TTL of 3 is the VPN packet, not the SSDP packet, in the tcpdump above, hence the confusion (I think; I probably should look more closely to be sure).

Thanks for the configuration @escalade. Could you please clarify... I suppose tun0 and tun1 are OpenVPN interfaces, but what is eth0.2?

Yes, those are my OpenVPN interfaces, and eth0.2 is my WAN interface where IPsec packets come in.

Hi @escalade,
I've been using your builds for my older wndr3700v2 for ages with great joy.
Now I bought a wrt3200 acm with DavidC builds. They work fine, and I'd like to be able to use my home's DLNA resources and my home's Nvidia Shield Chromecast implementation through OpenVPN. Can your SSDP configuration be useful to do that (Chromecast part)?
Also, considering I already have IGMPProxy installed, can I simply install SMCRoute with your configuration and add the iptables rule, and it works without conflicts (unfortunately I'm a newbie with multicast, so I ask for your help)?

Thanks.
Puppinoo.

I'm actually not sure about Chromecast, let me know if you get it working somehow :slight_smile:

Hi @escalade,

I am currently trying to implement miniDLNA over WireGuard using your example (with the appropriate changes), but unfortunately I cannot make it happen. Maybe you could lead the way somehow. Thanks in advance.