WireGuard site-to-site VPN and mDNS

I have set up a site-to-site VPN using WireGuard on two OpenWrt boxes. Each site has an interface dedicated to the site-to-site tunneling with only a single peer. Both sites use different subnets; routed IP traffic is working flawlessly. Now I would like to have mDNS work between those subnets.

I enabled multicast for the WireGuard interfaces on both boxes with:

ip link set dev wg0 multicast on

As far as I understand, although WireGuard does not support multicast traffic, it will simply send multicast packets to the first peer that has the destination IP in its allowed IPs. So for a single peer per WireGuard interface, this should work. Consequently, I also added 224.0.0.251 and ff02::fb to the allowed IPs of both site-to-site peers.

I installed the package avahi-utils on both boxes and did the following configuration changes:

In /etc/dbus-1/system.d/avahi-dbus.conf, commented out the netdev policy to solve dbus, Error: dbus[5175]: Unknown group "netdev" in message bus configuration file #11514:

  <!--<policy group="netdev">
    <allow send_destination="org.freedesktop.Avahi"/>
    <allow receive_sender="org.freedesktop.Avahi"/>
  </policy>-->

Changed the following entries in /etc/avahi/avahi-daemon.conf:

[server]
allow-interfaces=br-lan,wg0
allow-point-to-point=yes

[reflector]
enable-reflector=yes

Rebooted the boxes. Afterwards, I find this in OpenWrt's system log (similar on both boxes):

daemon.info avahi-daemon[7939]: Found user 'nobody' (UID 65534) and group 'nogroup' (GID 65534).
daemon.info avahi-daemon[7939]: Successfully dropped root privileges.
daemon.info avahi-daemon[7939]: avahi-daemon 0.8 starting up.
daemon.warn avahi-daemon[7939]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns!
daemon.info avahi-daemon[7939]: No service file found in /etc/avahi/services.
daemon.info avahi-daemon[7939]: Joining mDNS multicast group on interface wg0.IPv6 with address fd36:xxxx:xxxx:2240::226.
daemon.info avahi-daemon[7939]: New relevant interface wg0.IPv6 for mDNS.
daemon.info avahi-daemon[7939]: Joining mDNS multicast group on interface wg0.IPv4 with address 10.111.224.226.
daemon.info avahi-daemon[7939]: New relevant interface wg0.IPv4 for mDNS.
daemon.info avahi-daemon[7939]: Joining mDNS multicast group on interface br-lan.IPv6 with address 2a02:xxxx:xxxx:xxxx:5e49:xxxx:fecd:84a1.
daemon.info avahi-daemon[7939]: New relevant interface br-lan.IPv6 for mDNS.
daemon.info avahi-daemon[7939]: Joining mDNS multicast group on interface br-lan.IPv4 with address 10.111.228.2.
daemon.info avahi-daemon[7939]: New relevant interface br-lan.IPv4 for mDNS.
daemon.info avahi-daemon[7939]: Network interface enumeration completed.
daemon.info avahi-daemon[7939]: Registering new address record for fd36:xxxx:xxxx:2240::226 on wg0.*.
daemon.info avahi-daemon[7939]: Registering new address record for 10.111.224.226 on wg0.IPv4.
daemon.info avahi-daemon[7939]: Registering new address record for 2a02:xxxx:xxxx:xxxx:5e49:xxxx:fecd:84a1 on br-lan.*.
daemon.info avahi-daemon[7939]: Registering new address record for fd36:xxxx:xxxx:2280:5e49:xxxx:fecd:84a1 on br-lan.*.
daemon.info avahi-daemon[7939]: Registering new address record for 10.111.228.2 on br-lan.IPv4.
daemon.info avahi-daemon[7939]: Registering HINFO record with values 'MIPS'/'LINUX'.
daemon.info avahi-daemon[7939]: Server startup complete. Host name is openwrt-ac.local. Local service cookie is 3682660911.

Running avahi-browse -a on the OpenWrt boxes, I find the services on each local subnet, but not on the remote subnet. With Wireshark (tcpdump over SSH), I can see the local mDNS traffic reaching the local br-lan and wg0 interfaces, but not the remote wg0 interfaces. The TTL of the packets does not seem to be the problem, as all mDNS packets that I sniffed had an IP TTL >= 4.

I wonder if the line daemon.warn avahi-daemon[7939]: WARNING: No NSS support for mDNS detected, consider installing nss-mdns! points me to the problem, but I do not find nss-mdns in the OpenWrt packages.

I also started avahi-daemon manually with avahi-daemon --debug (after /etc/init.d/avahi-daemon stop) and looked at the debug output. It is just the same as in the system log. No information about packet handling is logged, but I'm not sure if it should be.

Any idea how to get this working?

Thanks!
Stefan

1 Like

After re-reading about cryptokey routing, I noticed that this is wrong, as it is the source IP that has to be in the allowed IPs. The avahi reflector sends packets directly on the WireGuard interface. After adding the IPs of the WireGuard interfaces to the allowed IPs of the peers, the packets of the mDNS reflectors now reach the other sites.

1 Like
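To make the cryptokey-routing point above concrete, here is an added example (not code from the thread or from WireGuard itself) that simulates both directions of WireGuard's allowed-IPs check over a constructed `wg show wg0 allowed-ips` dump. It assumes a placeholder peer key, subnets modelled on the first post, and 10.111.224.225 as the remote box's wg0 address; it reports which entries the peer still lacks for the Avahi reflectors' packets to be sent and accepted.

```python
import ipaddress

# Constructed sample in the layout of `wg show wg0 allowed-ips` (one peer per
# line: public key, a tab, then space-separated allowed IPs). The key is a
# placeholder; the entries mirror the first post, which added only the remote
# LAN and the two mDNS groups, not the remote wg0 address.
WG_SHOW_ALLOWED_IPS = (
    "PLACEHOLDER_PEER_PUBKEY=\t"
    "10.111.228.0/24 fd36:0:0:2280::/64 224.0.0.251/32 ff02::fb/128\n"
)

def parse_allowed_ips(dump):
    """Return {peer_pubkey: [ip_network, ...]} from `wg show <if> allowed-ips` text."""
    table = {}
    for line in dump.splitlines():
        if not line.strip() or line.endswith("(none)"):
            continue
        pubkey, nets = line.split("\t", 1)
        table[pubkey] = [ipaddress.ip_network(n) for n in nets.split()]
    return table

def egress_peer(table, dst):
    """Send side of cryptokey routing: the peer whose allowed IPs hold the
    longest prefix matching the destination, or None (packet is dropped)."""
    dst = ipaddress.ip_address(dst)
    best = None
    for peer, nets in table.items():
        for net in nets:
            if dst in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (peer, net)
    return best[0] if best else None

def ingress_accepted(table, peer, src):
    """Receive side of cryptokey routing: a decrypted packet from `peer` is kept
    only if its source address is inside that peer's allowed IPs."""
    src = ipaddress.ip_address(src)
    return any(src in net for net in table.get(peer, []))

def missing_for_mdns(table, peer, remote_wg_addr, groups=("224.0.0.251", "ff02::fb")):
    """What this peer entry still lacks for Avahi reflection over the tunnel:
    each mDNS group our reflector must be able to send to, and the remote wg0
    address the remote reflector uses as source, which must pass ingress."""
    missing = [g for g in groups if egress_peer(table, g) != peer]
    if not ingress_accepted(table, peer, remote_wg_addr):
        missing.append(remote_wg_addr)
    return missing
```

Running `missing_for_mdns` on the sample reports only the remote wg0 address, which is exactly the entry the post above found necessary.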

Hey, did you ever get this to work? I am trying to accomplish the same thing, and I am not having any luck.

Unfortunately not. Although I managed to get the multicast packets routed to the other site, they were not properly reflected to the remote network by the second Avahi daemon. Sniffing the traffic in the remote network with WireGuard, I saw some local packets coming through, but not all. Neither Windows 10 nor VLC nor some UPnP browser would detect any services from the remote network. I finally gave up, but I'm still interested if someone gets this to work.

1 Like

Have a look in this thread, maybe it can be of assistance.

1 Like

I remember having tried to route mDNS packets with smcroute before trying Avahi, and failed. I think I also found an explanation why it was not possible to do with smcroute, but I do not remember exactly. However, it looks like I'm not alone with not being able to make it work with smcroute: Possible to do mDNS across VLANS without AVAHI, and using smcroute?