mdns over vxlan over wireguard

which you will never have to do in your life probably

written
2024-12-21T11:58:37Z
last modified
2024-12-21T11:58:37Z

mdns over vxlan over wireguard

/etc/avahi/avahi-daemon.conf, needed on the node(s) that act as mDNS reflectors (the hub WireGuard peer — the "server" below — is the natural choice, since every client already has a VXLAN path to it):

# Relay mDNS queries and answers between the interfaces avahi is bound to, so
# hosts behind the-vxlan and hosts on this node's LAN can see each other.
[reflector]
enable-reflector=yes
# NOTE(review): the reflector relays between *every* interface avahi listens
# on, not just the-vxlan and the LAN; if the node also has a public-facing
# interface, pin the set with a [server] section such as
#   allow-interfaces=the-vxlan,<lan-interface>
# so that only the intended segments are joined at the mDNS level.

server wg conf (hub peer; only the hook lines relevant to the VXLAN are shown, they go in the existing [Interface] section):

[Interface]
# Create a VXLAN whose underlay is the WireGuard tunnel itself: `local` is
# this peer's tunnel address and `dev the-tunnel` binds the encapsulated UDP
# to the wg interface, so the VXLAN frames — which carry no authentication or
# encryption of their own — only ever travel inside the tunnel.
# `dstport 0` lets the kernel use its default VXLAN port instead of a custom
# one; the client side passes the same value so the two ends agree.
PostUp = ip link add the-vxlan type vxlan id 41 group 239.1.1.1 local 10.11.0.1 dev the-tunnel dstport 0
# `bridge fdb append` is needed for multicast traffic: one all-zero-MAC entry
# per peer makes the kernel replicate broadcast/multicast frames (mDNS, ARP,
# DHCP) to each listed tunnel address, presumably because the wg underlay
# cannot deliver the 239.1.1.1 group itself.
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.1.1 dev the-vxlan
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.2.1 dev the-vxlan
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.3.1 dev the-vxlan
# add any other wg peers you want to access mdns
# (each address must be one the peer is actually allowed to use, i.e. inside
# that peer's AllowedIPs, or wg will drop the encapsulated packets)
PostUp = ip link set the-vxlan up
PreDown = ip link del the-vxlan

client wg conf:

[Interface]
# Point-to-point VXLAN back to the server, again bound to the wg interface so
# it never leaves the encrypted tunnel. `id` and `dstport` must match the
# server's values.
PostUp = ip link add the-vxlan type vxlan id 41 local 10.11.1.1 remote 10.11.0.1 dev the-tunnel dstport 0
# needed to be resolvable by them, but not to resolve
# if the server's a reflector node, you only need *it* to resolve you
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.0.1 dev the-vxlan
# add more peers you want to be resolvable by
# NOTE(review): the fdb entries only control where *you* send; any wg peer
# that can reach this tunnel address can put arbitrary L2 frames on the-vxlan
# (ARP, DHCP offers, ...), not just mDNS. Firewall the interface on the
# client too, the way the server's nftables rules do.
PostUp = ip link set the-vxlan up
PreDown = ip link del the-vxlan

server /etc/systemd/network/the-vxlan.network:

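[Match]
Name=the-vxlan

[Network]
# Description= is a [Network] key; systemd ignores it inside [Match].
Description=VXLAN for WireGuard peers, required for multicast DNS (mDNS)
# Give it a chonky address range. Addresses don't matter, we just need
# multicast. (systemd's config parser does not support trailing comments on a
# key line — "yes # ..." is read as the value — so comments live on their own
# lines here.)
Address=10.12.0.1/16
# Hand out addresses to peers. The host firewall must let DHCP requests
# (udp dport 67) in on the-vxlan or the server never sees them.
DHCPServer=yes

[DHCPServer]
# needed or else it advertises local dns servers
EmitDNS=no
# needed or else peers will set it as their default route
EmitRouter=no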

client /etc/systemd/network/the-vxlan.network (may not be needed, depending on what already manages interfaces on the client):

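[Match]
Name=the-vxlan

[Network]
# enable dhcp just in case the OS doesn't do it
# (comment kept on its own line: systemd does not strip trailing comments and
# would otherwise try to parse "yes # ..." as the boolean)
DHCP=yes

[DHCPv4]
# Any peer on the-vxlan can answer a DHCP request, not only the server, and the
# server's EmitDNS=no / EmitRouter=no only cover the honest case. Take an
# address from the lease and nothing else: no resolver, no NTP, no routes or
# gateway, no hostname. mDNS only needs link-scope reachability anyway.
UseDNS=no
UseNTP=no
UseRoutes=no
UseGateway=no
UseHostname=no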

server nftables rules (only the rules that concern the-vxlan are shown; merge them into your existing ruleset rather than replacing it):

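table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;

		# accept mdns traffic in the-vxlan. Anything else a peer puts on the
		# segment (any peer can inject frames, not only the server) is dropped.
		iifname the-vxlan udp dport mdns accept
		# the DHCP server on the-vxlan never sees a DISCOVER/REQUEST unless
		# udp dport 67 is let in as well; drop this rule if you do not run
		# DHCPServer=yes on the interface
		iifname the-vxlan udp dport 67 accept
	}

	chain forward {
		type filter hook forward priority filter; policy drop;

		# allow peers to do mdns with each other
		# (peer-to-peer delivery is presumably L2 replication via the fdb
		# entries; this rule only matters if the host ends up routing between
		# vxlan addresses)
		iifname the-vxlan oifname the-vxlan udp dport mdns accept
	}
	chain output {
		type filter hook output priority filter;

		# if your output chain is set to drop, you'll have to allow outgoing mdns
		# here, plus the DHCP replies (udp sport 67) if DHCPServer=yes
		#oifname the-vxlan udp dport mdns accept
		#oifname the-vxlan udp sport 67 accept
	}
}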