
    How to use mDNS (via Avahi) with VPN interface

    DHCP and DNS
    16 Posts 4 Posters 6.6k Views
    • fw

      I haven't figured out how to get mDNS working yet, but I found this:
      https://www.reddit.com/r/PFSENSE/comments/awmd5r/openvpn_avahi/

      A guy says he got it working using tap instead of tun. So far tap has not worked for me.

      • JKnott @fw

        @fw

        mDNS uses multicasts and would not normally be passed by a router. I have no experience with TAP.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • fw @JKnott

          @JKnott Well that's the whole point of Avahi though. It's supposed to rebroadcast mDNS across subnets. The VPN tunnel is just another subnet.

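          What "Avahi is supposed to rebroadcast mDNS across subnets" refers to is the reflector section of avahi-daemon.conf. The fragment below is an added illustration, not configuration posted in this thread; the pfSense Avahi package sets the equivalent options from its GUI, and the interface names em0 (LAN) and ovpns1 (the OpenVPN server interface) are assumptions. Left unscoped, the reflector copies every announcement between every interface the daemon is bound to; restricting it with allow-interfaces keeps a guest or IoT segment from announcing, or impersonating, services into the rest.

```ini
# Unscoped: reflects between every interface avahi-daemon is bound to.
# mDNS carries no authentication, so any host on any of those segments
# can announce (or impersonate) a service into all of the others.
[server]
use-ipv4=yes
use-ipv6=no

[reflector]
enable-reflector=yes

# Scoped: only the LAN and the OpenVPN server interface (names assumed)
# exchange announcements; every other interface is left alone.
[server]
use-ipv4=yes
use-ipv6=no
allow-interfaces=em0,ovpns1

[reflector]
enable-reflector=yes
```

          Avahi can only reflect what it receives, so the firewall rules on the OpenVPN interface also have to pass UDP 5353 destined to 224.0.0.251 from the tunnel subnet. The thread reports the reflector not taking effect over the TUN interface in this setup; the fragment above does not change that.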
          • fw

            Looks like I need to set up a network bridge to get tap to work with mDNS. I have not done that yet. I'll give that a try later tonight. Unfortunately, it looks like tap is not supported on iOS or Android though.

            • JKnott @fw

              @fw

              Why do you need to use mDNS?

              • johnpoz LAYER 8 Global Moderator

                I could see zero use for mDNS for some roadwarrior. What exactly are you trying to access while you're remote?

                Please explain the use case where mDNS would be needed by some phone while they are out and about from your network? AirPrint?

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • fw

                  All of my IoT devices are set up to work on my local network only, so that I can only access them on the local network (or VPN). Most of them rely on mDNS for certain functionality. As an example, I use an iOS/macOS app to access my security cameras that uses mDNS for auto-discovery. I have some wifi relays for automated lighting. For some settings, I need to log into the wifi relays directly, which I normally use mDNS for (http to hostname.local). Otherwise I need to access Home Assistant, which I also use an mDNS hostname for.

                  There is no way to fix auto-discovery without mDNS; for example, needing to reinstall my camera app would force me to manually enter all of the camera IP addresses, or if the cameras change, or the subnet changes, etc. I've already had multiple times where stuff like that has happened to my wife, where she has gotten upset at me because I have "made things too complicated" and she has to enter these manual IP addresses just to access the baby cams because mDNS is not working.

                  There are other ways to solve this, such as using a cloud-based solution or enabling P2P; however, after paying a 1.7 BTC ransom due to Heartbleed a while back, I do not take any chances. No open ports other than VPN, no port forwarding, and no IoT cloud access. I've gotten around some of these other mDNS issues by using static IPs and hardcoding hostnames in the DNS Resolver, but my home automation stuff is always in flux, so mDNS would be very convenient.

                  • JKnott @fw

                    @fw

                    So, you're trying to get around using a "home assistant" by forcing mDNS to do something it wasn't intended to?

                    • JKnott @fw

                      @fw

                      Here's something you could try. The pfSense DHCP server supports hard mapping a MAC address to an IP address and then automatically adding its host name to the DNS. You can still use mDNS on the local LAN, but use the regular DNS when elsewhere.

                      • Gertjan @fw

                        @fw said in How to use mDNS (via Avahi) with VPN interface:

                        All of my IoT devices are setup to work on my local network only

                        which means that the device you use should be on the same LAN segment or network or, say, /24 (IPv4-wise).

                        True, calling in using VPN and TAP, if set up correctly, gives you an IP that could be situated "in your LAN" and thus you could visit your cams.

                        @fw said in How to use mDNS (via Avahi) with VPN interface:

                        in these manual IP addresses just to access the baby cams because mDNS is not working

                        Nah, that's just you not locking down the DHCP client of your camera with a Static-MAC-IPv4 in your DHCP server. And while you're at it, give it a host name defined by YOU (rather than by the cam, which will probably propose something like KLHG6545ARd).
                        Now you can use a URL like CAM1 in your web browser - Windows and/or pfSense will add local.net (if that is your network name) so your browser will hit cam1.local.net, which will resolve just fine in the classic DNS to the LAN - or other network - IP of your device.

                        @JKnott said the same thing .....

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        • JKnott @Gertjan

                          @Gertjan

                          This sort of reminds me of when I set up a bunch of security cameras a few years ago. There was software that would find the cameras, so that they could be configured and then the cameras were added to a digital recorder. The individual cameras could then be accessed via the recorder. While it was possible to do all that manually, it was a lot more work that involved using static ARP to initially provide an IP address, just so a browser could be used to configure the camera. Once it had an address, then the camera could be accessed via IP address. It would have been necessary to provide a DNS entry to use a host name. Seems to me it was a lot easier to just use the proper tools. One other thing, the recorder had 2 NICs, one for the LAN where the cameras were and one for remote access, without exposing the cameras to the world.

                          • fw @JKnott

                            @JKnott said in How to use mDNS (via Avahi) with VPN interface:

                            So, you're trying to get around using a "home assistant" by forcing mDNS to do something it wasn't intended to?

                            I am not trying to get around using a "home assistant". I am using home assistant, which also makes use of mDNS for various purposes.

                            • johnpoz LAYER 8 Global Moderator

                              @fw said in How to use mDNS (via Avahi) with VPN interface:

                              makes use of mDNS for various purposes.

                              No offense, then it's crap!! You should be able to point direct to an IP/FQDN.. You shouldn't have to rely on discovery that only works on the local L2..

                              Good luck... I have no desire to help with such nonsense at all..

                              • fw @JKnott

                                @JKnott said in How to use mDNS (via Avahi) with VPN interface:

                                Here's something you could try. The pfSense DHCP server supports hard mapping a MAC address to an IP address and then automatically adding its host name to the DNS. You can still use mDNS on the local LAN, but use the regular DNS when elsewhere.

                                @JKnott Currently I am doing this essentially by reserving IP addresses with DHCP and then adding hostname overrides in DNS Resolver settings as a workaround for some issues. I wasn't aware of the ability to do all of that in DHCP settings by itself. Either way it's not ideal though, as it's basically a large list of hardcoded IP addresses that have to be manually maintained. My network setup is still WIP, so my subnets are not finalized, plus I keep adding new IoT devices that constantly require manually updating my DHCP / DNS Resolver override list. Plus it doesn't solve the auto-discovery issue.

                                • fw @Gertjan

                                  @Gertjan said in How to use mDNS (via Avahi) with VPN interface:

                                  Nah, that's just you not locking down the DHCP client of your camera with a Static-MAC-IPv4 in your DHCP server. And while you're at it, give it a host name defined by YOU (rather than by the cam, which will probably propose something like KLHG6545ARd).
                                  Now you can use a URL like CAM1 in your web browser - Windows and/or pfSense will add local.net (if that is your network name) so your browser will hit cam1.local.net, which will resolve just fine in the classic DNS to the LAN - or other network - IP of your device.

                                  No, actually I do have reserved IPs and hostnames for those cameras. That is not enough to make the app auto-discover them. mDNS does more than that. It has a service discovery mechanism.

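                                  The "service discovery mechanism" that a static hostname override cannot replace is DNS-SD (RFC 6763) carried over mDNS (RFC 6762). The following is an added, offline example written for this page, not code from the thread, pfSense or Avahi: it builds the browse query an app sends, builds the announcement a device answers with, and walks PTR -> SRV/TXT -> A the way a DNS-SD client does. The service type _http._tcp, the instance name cam1, the host cam1.local and the address 192.168.1.50 are constructed sample data.

```python
"""
DNS-SD (RFC 6763) over mDNS (RFC 6762): an added, offline example, not code
from the thread, pfSense or Avahi. The service type _http._tcp, the instance
cam1 and the address 192.168.1.50 are constructed sample data.
"""
import struct

MDNS_GROUP = ("224.0.0.251", 5353)  # link-local multicast group; routers do not forward it
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
CLASS_IN = 1

def encode_name(name):
    """DNS wire format: length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(msg, off):
    """Decode the name at off, following RFC 1035 compression pointers.
    Returns (name, offset just past the name as written at off)."""
    labels, jumped, end = [], False, None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off = True, ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode())
        off += length
    return ".".join(labels), (end if jumped else off)

def build_query(service_type):
    """A DNS-SD browse: one PTR question for the service type (id 0, QR=0)."""
    header = struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0)
    return header + encode_name(service_type) + struct.pack("!HH", TYPE_PTR, CLASS_IN)

def _rr(name, rtype, rdata, ttl=120, cache_flush=False):
    rclass = CLASS_IN | (0x8000 if cache_flush else 0)  # mDNS cache-flush bit
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def build_response(service_type, instance, host, port, ip, txt):
    """What a responder announces: PTR -> instance, SRV/TXT for the instance, A for the host."""
    inst = f"{instance}.{service_type}"
    ptr = _rr(service_type, TYPE_PTR, encode_name(inst))
    srv = _rr(inst, TYPE_SRV, struct.pack("!HHH", 0, 0, port) + encode_name(host), cache_flush=True)
    txtrr = _rr(inst, TYPE_TXT, b"".join(bytes([len(kv)]) + kv.encode() for kv in txt), cache_flush=True)
    a = _rr(host, TYPE_A, bytes(int(o) for o in ip.split(".")), cache_flush=True)
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 1, 0, 3)  # QR=1 AA=1; 1 answer, 3 additional
    return header + ptr + srv + txtrr + a

def parse_records(msg):
    """Return [(name, type, value)] for every answer/authority/additional record."""
    qd, an, ns, ar = struct.unpack("!HHHH", msg[4:12])
    off = 12
    for _ in range(qd):  # skip the question section
        _, off = decode_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = decode_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rd = off + 10
        if rtype == TYPE_PTR:
            value = decode_name(msg, rd)[0]
        elif rtype == TYPE_SRV:
            value = (decode_name(msg, rd + 6)[0], struct.unpack("!HHH", msg[rd:rd + 6])[2])
        elif rtype == TYPE_TXT:
            value, p = [], rd
            while p < rd + rdlen:
                value.append(msg[p + 1:p + 1 + msg[p]].decode())
                p += 1 + msg[p]
        elif rtype == TYPE_A:
            value = ".".join(str(b) for b in msg[rd:rd + 4])
        else:
            value = msg[rd:rd + rdlen]
        records.append((name, rtype, value))
        off = rd + rdlen
    return records

def discover(service_type, response):
    """Walk PTR -> SRV/TXT -> A the way a DNS-SD client does. Returns {instance: info}."""
    recs = parse_records(response)
    found = {v: {} for n, t, v in recs if t == TYPE_PTR and n == service_type}
    for name, rtype, value in recs:
        if name in found and rtype == TYPE_SRV:
            found[name]["host"], found[name]["port"] = value
        elif name in found and rtype == TYPE_TXT:
            found[name]["txt"] = value
    for info in found.values():
        for name, rtype, value in recs:
            if rtype == TYPE_A and name == info.get("host"):
                info["ip"] = value
    return found

if __name__ == "__main__":
    wire = build_response("_http._tcp.local", "cam1", "cam1.local", 80, "192.168.1.50", ["path=/live"])
    print(discover("_http._tcp.local", wire))
```

                                  The app never asks for cam1.local; it asks for _http._tcp.local and only learns that cam1 exists from the PTR answer, which is why a DNS Resolver host override (hostname to IP) satisfies the browser but not the auto-discovery. Sent for real, build_query() goes to 224.0.0.251:5353; a router does not forward that group, which is JKnott's point, and nothing in the exchange authenticates the answer, which is the trade-off of reflecting it into a VPN segment.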
                                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.