7

I have a server running Debian 8. Recently I installed OpenVPN on it using this tutorial. Everything is working nicely. I tested on my MacBook using the Tunnelblick client. I used Google to check my IP, connected to the VPN, checked again, and it changed to the same IP as my server's LAN. So I know that's all good.

My problem is that the file shares on all the computers (all OSX's AFP protocol) on that LAN do not show up in my Finder's sidebar while I'm connected through the VPN. I am able to connect to them manually using Finder's "Connect to Server" tool by connecting to afp://192.168.0.100, and that works nicely. So I'm assuming it's a problem with Bonjour.

From my research I've found out that Bonjour (mDNS) does not broadcast to different subnets. So I ran ifconfig on my MacBook while connected through the VPN. It was 192.168.43.206. All of the computers on the network I'm connecting to are 192.168.0.10 to 192.168.0.200. So I'm guessing that's the source of my problem?

I think my solution might be to switch my OpenVPN config to "bridge" mode? I read some forums and articles which pointed to this as the solution, but I'm not even sure if I've diagnosed my problem correctly. And I haven't really grasped the bridge mode setting.

Hoping someone can give me some clarity.

tyler mackenzie
  • I had a similar issue with my RDP protocol. What I ended up doing was resubnetting my network so that everything was on the same network. That fixed my issue. I used the connection type that forwarded all Ethernet frames, not just the IP protocol. Hope this helps! – Elliot Huffman Jan 16 '18 at 08:13

2 Answers

2

IIUC, the problem with mDNS/Bonjour is that it's implemented using so-called multicasting, and multicast packets do not automatically cross network boundaries (due to both the protocol's design and the design of Linux).

You might want to use something like smcroute to tunnel multicast traffic between all the networks your OpenVPN instance connects.

See this for more info, and this in general.

Another possibility is to switch OpenVPN from tun mode to tap. Unfortunately, this has its repercussions which must be considered thoroughly before implementing.

kostix
  • Thanks, it looks like smcroute can do what I want, as I've read up on VPN bridging and don't think I want that. But I don't think I have enough knowledge on networking to make it work. I think I want to connect my eth0 interface to the tun0. But the IP groups and whatnot have me lost. – tyler mackenzie Jan 17 '18 at 14:56
  • Alright, looks like it's even worse (or better): the last message in [this thread](https://forum.openwrt.org/viewtopic.php?id=66912) says that 1) it's apparently still impossible to route mdns's packets using a multicast router, but 2) `avahi`, the stock Linux mdns server, can work as a "repeater" for mdns packets. – kostix Jan 17 '18 at 20:45
  • 1
    Looks like it's the "reflector" mode — see [this](https://manpages.debian.org/stretch/avahi-daemon/avahi-daemon.conf.5.en.html#SECTION_%5BREFLECTOR%5D). – kostix Jan 18 '18 at 09:00
  • 1
    Ah cool! That might work well, I'm already running avahi on the same server that's hosting the VPN. I'm gonna read up on that and see if it works! – tyler mackenzie Jan 18 '18 at 12:44
  • @tylermackenzie Did you ever figure this out? – slhck Mar 11 '21 at 14:18
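
A check for the avahi reflector setup discussed in the comments above, as an added example that is not part of any post on this page: it reads an avahi-daemon.conf and reports whether mDNS reflection is limited to the interfaces you intend. The interface names eth0 (LAN) and tun0 (VPN), both sample configs and the function name are assumptions.

```python
import configparser

# Constructed sample configs, not from the page; eth0 (LAN) and tun0 (VPN) are assumed names.
REFLECT_UNSCOPED = """\
[server]
use-ipv4=yes

[reflector]
enable-reflector=yes
reflect-ipv=yes
"""

REFLECT_SCOPED = """\
[server]
use-ipv4=yes
allow-interfaces=eth0,tun0
# Assumption: the tun device carries the POINTOPOINT flag, which avahi skips by default.
allow-point-to-point=yes

[reflector]
enable-reflector=yes
reflect-ipv=no
"""


def audit_reflector(conf_text, expected=("eth0", "tun0")):
    """Return findings about mDNS reflection scope in avahi-daemon.conf text."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    if not cp.getboolean("reflector", "enable-reflector", fallback=False):
        return ["reflector-off"]
    findings = []
    raw = cp.get("server", "allow-interfaces", fallback="")
    allowed = {name.strip() for name in raw.split(",") if name.strip()}
    if not allowed:
        # No allow-list: avahi picks the interfaces itself, so reflection is unscoped.
        findings.append("no-allow-interfaces")
    else:
        for name in sorted(allowed - set(expected)):
            findings.append(f"unexpected-interface:{name}")
        for name in sorted(set(expected) - allowed):
            findings.append(f"missing-interface:{name}")
    if cp.getboolean("reflector", "reflect-ipv", fallback=False):
        # reflect-ipv=yes also repeats records between IPv4 and IPv6.
        findings.append("reflect-ipv-on")
    return findings


if __name__ == "__main__":
    for label, text in (("unscoped", REFLECT_UNSCOPED), ("scoped", REFLECT_SCOPED)):
        print(label, audit_reflector(text))
```

An empty result means reflection is on and confined to the expected interfaces; it does not show that reflected packets actually reach VPN clients over a tun link.
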
0

Sucks that TAP is no longer an option for macOS since Apple deprecated it, ugh. So now you're forced to use avahi (if using pfSense or others) to replicate mDNS records across zones. Struggling to get it to work myself.

  • This does not provide an answer to the question. Once you have sufficient [reputation](https://serverfault.com/help/whats-reputation) you will be able to [comment on any post](https://serverfault.com/help/privileges/comment); instead, [provide answers that don't require clarification from the asker](https://meta.stackexchange.com/questions/214173/why-do-i-need-50-reputation-to-comment-what-can-i-do-instead). - [From Review](/review/late-answers/500055) – Dave M Oct 16 '21 at 17:56