WireGuard Client & WireGuard Server/InstantGuard at the same time?

Nope, multicast doesn't work across different subnets. No fix for that, that I know of.
It's not possible to somehow tunnel into the router using WireGuard Server and be on the same subnet?

EDIT: answer from the internet (I think) for anybody interested: "WireGuard is a Layer 3 VPN and doesn’t transport multicast."
 
Seems like there could be a lot more to this, and it's well over my head. Perhaps someone more well versed can chime in.

Post here saying it mightn't work on Android, which is what I wanted https://www.snbforums.com/threads/mdns-repeater-need-help-to-compile-for-arm-ac68u.19568/ but this might be worth a look?

 
Set up avahi as a repeater using reflector option: https://www.snbforums.com/threads/a...c-device-on-private-network.69671/post-655807
 
More info here: https://www.snbforums.com/threads/help-with-avahi-mdns-redirector-please.86537/post-861156

Not sure if adding the reflector option is just going to work or if more stuff is needed.
I have a feeling it's going to be "more stuff" unfortunately.

I see a list of iptables rules that the other guy suggests ... I seem to have a whole host of networks in my ifconfig though, which do I need to be adding to my script?

archer Link encap:Ethernet HWaddr 00:00:00:00:00:00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1962427 errors:0 dropped:0 overruns:0 frame:0
TX packets:1962647 errors:0 dropped:8 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:308282608 (294.0 MiB) TX bytes:308297128 (294.0 MiB)

br0 Link encap:Ethernet HWaddr 7C:10:C9:62:54:68
inet addr:192.168.50.1 Bcast:192.168.50.255 Mask:255.255.255.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:1987560 errors:0 dropped:20859 overruns:0 frame:0
TX packets:8113940 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:157285539 (149.9 MiB) TX bytes:11347393032 (10.5 GiB)

eth0 Link encap:Ethernet HWaddr 7C:10:C9:62:54:68
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:8198 errors:0 dropped:0 overruns:0 frame:0
TX packets:106496 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:859459 (839.3 KiB) TX bytes:30312004 (28.9 MiB)

eth1 Link encap:Ethernet HWaddr 7C:10:C9:62:54:68
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth2 Link encap:Ethernet HWaddr 7C:10:C9:62:54:68
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth3 Link encap:Ethernet HWaddr 7C:10:C9:62:54:68
UP BROADCAST ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)

eth4 Link encap:Ethernet HWaddr 7C:10:C9:62:54:68
inet addr:80.2.60.52 Bcast:80.2.63.255 Mask:255.255.240.0
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:8238695 errors:0 dropped:0 overruns:0 frame:0
TX packets:1856151 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:11981000934 (11.1 GiB) TX bytes:285835712 (272.5 MiB)

eth5 Link encap:Ethernet HWaddr 7C:10:C9:62:54:68
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:111584 errors:0 dropped:0 overruns:0 frame:102423
TX packets:146204 errors:355 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:35334954 (33.6 MiB) TX bytes:56485313 (53.8 MiB)
Interrupt:38

eth6 Link encap:Ethernet HWaddr 7C:10:C9:62:54:6C
UP BROADCAST RUNNING ALLMULTI MULTICAST MTU:1500 Metric:1
RX packets:1856580 errors:0 dropped:21 overruns:0 frame:0
TX packets:8318425 errors:0 dropped:373 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:148943398 (142.0 MiB) TX bytes:11352920101 (10.5 GiB)

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1
RX packets:102886 errors:0 dropped:0 overruns:0 frame:0
TX packets:102886 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:20167104 (19.2 MiB) TX bytes:20167104 (19.2 MiB)

lo:0 Link encap:Local Loopback
inet addr:127.0.1.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MULTICAST MTU:65536 Metric:1

wgc1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.2.0.2 P-t-P:10.2.0.2 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:8192859 errors:0 dropped:0 overruns:0 frame:0
TX packets:1830959 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:11579400264 (10.7 GiB) TX bytes:194480904 (185.4 MiB)

wgs1 Link encap:UNSPEC HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
inet addr:10.6.0.1 P-t-P:10.6.0.1 Mask:255.255.255.255
UP POINTOPOINT RUNNING NOARP MTU:1420 Metric:1
RX packets:4194 errors:6 dropped:0 overruns:0 frame:6
TX packets:4677 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:590704 (576.8 KiB) TX bytes:4472052 (4.2 MiB)
 
I have a feeling it's going to be "more stuff" unfortunately.

I see a list of iptables rules that the other guy suggests ... I seem to have a whole host of networks in my ifconfig though, which do I need to be adding to my script?
I don't think any iptables rules are needed.

Check your current avahi config:
Code:
cat /tmp/avahi/avahi-daemon.conf

You would need to create /jffs/configs/avahi-daemon.conf.add

And if I get @eibgrad correctly, you need to add under [server]
Code:
allow-interfaces=br0,wgs1

You could also experiment with skipping the allow-interfaces line completely and adding wgc1 to:
Code:
deny-interfaces=eth0,wgc1
although @eibgrad didn't seem to make this work.

And add reflector option:
Code:
[reflector] 
enable-reflector=yes

You would need to figure out how to use the "pc_append" and "pc_replace" to make this happen.
 
That part's easy enough

cat /tmp/avahi/avahi-daemon.conf
[Server]
host-name=RT-AX58U-5468
aliases=RT-AX58U
aliases_llmnr=RT-AX58U
use-ipv4=yes
use-ipv6=no
allow-interfaces=br0,wgs1
#deny-interfaces=eth4
ratelimit-interval-usec=1000000
ratelimit-burst=1000

[publish]
publish-a-on-ipv6=no
publish-aaaa-on-ipv4=no

[wide-area]
enable-wide-area=yes

[rlimits]
rlimit-core=0
rlimit-data=4194304
rlimit-fsize=0
rlimit-nofile=768
rlimit-stack=4194304
rlimit-nproc=3

[reflector]
enable-reflector=yes

I notice though that my Ras Pi (running avahi-daemon @ dietpi.local) is unpingable from my router console even, which is definitely an issue
 
I notice though that my Ras Pi (running avahi-daemon @ dietpi.local) is unpingable from my router console even, which is definitely an issue
What if you ping using its ip instead?

Is there anything you could ping on your LAN using its IP? Any device would suffice as proof that the communication path br0 to wgs1 is OK.

Are your wg server clients using the same DNS as your LAN? Is DNS lookup from wgs1 clients working?

I'm not an expert on mDNS, Avahi, Bonjour; I typically don't use it and never have. So I don't know how much help I'm going to be debugging this further.
 
Contacting via direct IP is fine ... but that's not how these remote apps communicate, it's definitely via multicast. Googling around shows extremely complicated write-ups, almost off-putting trying to get it to work to be honest.

Yes same DNS across the board.

I noticed installing avahi-utils and running avahi-browse returns that the daemon isn't running at all ... yet I see in the logs I have a .local address.
 
I noticed installing avahi-utils and running avahi-browse returns that the daemon isn't running at all ... yet I see in the logs I have a .local address.
You can check it with:
Code:
admin@RT-AX86U_Pro:/tmp/home/root# ps | grep avahi
 8881 nobody    3200 S    avahi-daemon: running [RT-AX86U]
Perhaps your config update made it refuse to start, check syslog. Maybe it could be started with service restart_avahi
 
RT-AX58U-5468:/tmp/mnt/USB/entware/bin# ps | grep avahi
2225 admin 4896 S grep avahi
3615 nobody 3096 S avahi-daemon: running [RT-AX58U-5468.local]
RT-AX58U-5468:/tmp/mnt/USB/entware/bin# avahi-browse -a
Failed to create client object: Daemon not running
 
Again, I'm not an mDNS type of guy so I have no idea how this is supposed to work.

Since WireGuard is a p-t-p perhaps you also need in avahi-daemon.conf:
Code:
[server]
allow-point-to-point=yes

I'm also noticing when listing the interfaces my WAN if has tags:
Code:
UP BROADCAST RUNNING ALLMULTI MULTICAST
Whilst my wg server has:
Code:
UP POINTOPOINT RUNNING NOARP

Maybe the prevention of multicasts to p-t-p goes deeper than just avahi???
 
They are using a daemon called SmcRoute to route multicast packages and iptables rules to increase TTL. However SmcRoute does not exist on our router. I got the impression that Avahi would act more as a repeater (hence reflector), rendering all other configs obsolete. If it could repeat multicast on adjacent networks that would be it.

An interesting thing that may be necessary though:
Code:
ip link set wgs1 multicast on
If this is not enabled on the interface it's not going to work. On the router side you could just execute the above to enable it (until next reboot / restart of wgs). But what about the other end? You have far less control over, say Android, WireGuard interface settings. After all this trouble, how to make Android send multicast over VPN?
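
The two interface conditions raised in the posts above (the MULTICAST flag on wgs1, and allow-point-to-point for a POINTOPOINT link) can be checked together with the reflector settings. This is an added example, not part of any post in this thread; the function name check_reflector, the temporary file names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Usage: check_reflector CONF IFCONFIG_TXT
# Prints one finding per line; prints nothing when every check passes.
check_reflector() {
    awk '
    FILENAME == ARGV[1] {                 # first file: avahi-daemon.conf (INI)
        sub(/[ \t\r]+$/, "")              # tolerate trailing blanks: "[reflector] "
        if ($0 == "" || $0 ~ /^[#;]/) next
        if ($0 ~ /^\[.*\]$/) { sec = tolower(substr($0, 2, length($0) - 2)); next }
        eq = index($0, "=")
        if (eq) conf[sec "." substr($0, 1, eq - 1)] = substr($0, eq + 1)
        next
    }
    /Link encap:/ { ifname = $1; next }           # second file: interface header
    /MTU:/        { flags[ifname] = " " $0 " " }  # flags line of that interface
    END {
        if (conf["reflector.enable-reflector"] != "yes")
            print "reflector: enable-reflector is not yes"
        n = split(conf["server.allow-interfaces"], want, ",")
        if (n == 0) print "server: allow-interfaces is not set"
        for (i = 1; i <= n; i++) {
            f = flags[want[i]]
            if (f == "") { print want[i] ": not in ifconfig output"; continue }
            if (f !~ / MULTICAST /)
                print want[i] ": MULTICAST flag missing"
            if (f ~ / POINTOPOINT / && conf["server.allow-point-to-point"] != "yes")
                print want[i] ": point-to-point link, allow-point-to-point is not yes"
        }
    }' "$1" "$2"
}

sample_conf() {      # constructed: the settings proposed in the thread
    printf '%s\n' '[Server]' 'allow-interfaces=br0,wgs1' '' '[reflector] ' 'enable-reflector=yes'
}
sample_ifconfig() {  # constructed: trimmed to the lines the check reads
    cat <<'EOF'
br0       Link encap:Ethernet  HWaddr 02:00:00:00:00:01
          UP BROADCAST RUNNING ALLMULTI MULTICAST  MTU:1500  Metric:1
wgs1      Link encap:UNSPEC  HWaddr 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00
          UP POINTOPOINT RUNNING NOARP  MTU:1420  Metric:1
EOF
}

tmp=$(mktemp -d)
sample_conf > "$tmp/avahi-daemon.conf"
sample_ifconfig > "$tmp/ifconfig.txt"
check_reflector "$tmp/avahi-daemon.conf" "$tmp/ifconfig.txt"
rm -rf "$tmp"
```

On the router the two inputs would be /tmp/avahi/avahi-daemon.conf and the saved output of ifconfig.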
 
SmcRoute is on opkg ... I just don't know how to use it

I've got
ip link set wgs1 multicast on
on server and client, still broken. I'm unable to ping any of my .local addresses from the router at all ... almost feels like an issue somewhere else first.
 
SmcRoute is on opkg ... I just don't know how to use it
Well, if you are feeling adventurous, have a stab at installing it; most info about usage would be available online. But manipulating mcast routes in the kernel seems to have endless possibilities to break things on our routers. Much around the kernel has been heavily customized to fit around Broadcom's proprietary hw. But as long as it installs on USB you could always remove it and reboot.
 
Honestly it feels a lot like the current installation of avahi on my router is totally broken or the implementation of it in Merlin doesn't work properly

Surely this is in a non working state? This is default conf, without the ".add" stuff etc. Yet it shows running in ps a

RT-AX58U-5468:/tmp/home/root# avahi-daemon --debug
Failed to find group 'nogroup'.
RT-AX58U-5468:/tmp/home/root# ps | grep avahi
3955 nobody 3144 S avahi-daemon: running [RT-AX58U-5468.local]
4544 admin 4896 D grep avahi
Are there 2 copies of it in the router or something? That's the only way I can explain this.
 
I'm unable to ping any of my .local addresses from the router at all ... almost feels like an issue somewhere else first.
Neither can I, but my router (Avahi) still announces Alexa (which I haven't enabled) when I use "Service Browser". Perhaps the router itself is not set up to resolve mDNS itself; I mean, it wouldn't have to, right?

I have 2 rpi and they could ping each other on their .local address but on my router I can't.

Edit: oops, the router can ping its own .local address, but no others. Interesting:
Code:
admin@RT-AX86U_Pro:/tmp/home/root# ping rt-ax86u_pro.local
PING rt-ax86u_pro.local (192.168.128.1): 56 data bytes
64 bytes from 192.168.128.1: seq=0 ttl=64 time=0.153 ms
64 bytes from 192.168.128.1: seq=1 ttl=64 time=0.095 ms
64 bytes from 192.168.128.1: seq=2 ttl=64 time=0.098 ms
 
Neither can I, but my router (Avahi) still announces Alexa (which I haven't enabled) when I use "Service Browser". Perhaps the router itself is not set up to resolve mDNS itself; I mean, it wouldn't have to, right?

I have 2 rpi and they could ping each other on their .local address but on my router I can't.
So this, as it stands, is broken.

Seems like a firmware deep issue that I would have no control over fixing even if I knew how. Why is avahi implemented in this firmware in a broken state? How can I turn it on fully?
 
