---
title: mdns over vxlan over wireguard
description: which you will never have to do in your life probably
author: slonkazoid
written_at: 2024-12-19T14:46:00+03:00
tags:
- hellish
- networking
- tutorial
- draft
---

# mdns over vxlan over wireguard

`/etc/avahi/avahi-daemon.conf`, needed on mdns reflector nodes (recommended to have the main wg peer be one):

```ini
[reflector]
enable-reflector=yes
```

server wg conf:

```ini
[Interface]
PostUp = ip link add the-vxlan type vxlan id 41 group 239.1.1.1 local 10.11.0.1 dev the-tunnel dstport 0
# `bridge fdb append` is needed for multicast traffic
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.1.1 dev the-vxlan
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.2.1 dev the-vxlan
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.3.1 dev the-vxlan
# add any other wg peers you want to access mdns
PostUp = ip link set the-vxlan up
PreDown = ip link del the-vxlan
```

client wg conf:

```ini
[Interface]
PostUp = ip link add the-vxlan type vxlan id 41 local 10.11.1.1 remote 10.11.0.1 dev the-tunnel dstport 0
# needed to be resolvable by them, but not to resolve
# if the server's a reflector node, you only need *it* to resolve you
PostUp = bridge fdb append to 00:00:00:00:00:00 dst 10.11.0.1 dev the-vxlan
# add more peers you want to be resolvable by
PostUp = ip link set the-vxlan up
PreDown = ip link del the-vxlan
```

server `/etc/systemd/network/the-vxlan.network` (systemd only treats `#` at the start of a line as a comment, so the comments sit on their own lines, and `Description=` is a `[Network]` key, not a `[Match]` one):

```ini
[Match]
Name=the-vxlan

[Network]
Description=VXLAN for WireGuard peers, required for multicast DNS (mDNS)
# give it a chonky address range
Address=10.12.0.1/16
# addresses don't matter, we just need multicast
DHCPServer=yes

[DHCPServer]
# needed or else it advertises local dns servers
EmitDNS=no
# needed or else peers will set it as their default route
EmitRouter=no
```

client `/etc/systemd/network/the-vxlan.network` (might not be needed depending on setup):

```ini
[Match]
Name=the-vxlan

[Network]
# enable dhcp just in case the OS doesn't do it
DHCP=yes
```

server nftables rules:

```nftables
table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
		iifname the-vxlan udp dport mdns accept # accept mdns traffic in the-vxlan
	}
	chain forward {
		type filter hook forward priority filter; policy drop;
		iifname the-vxlan oifname the-vxlan udp dport mdns accept # allow peers to do mdns with each other
	}
	chain output {
		type filter hook output priority filter;
		# if your output chain is set to drop, you'll have to allow outgoing mdns here
		#oifname the-vxlan udp dport mdns accept
	}
}
```
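The `bridge fdb append` lines in the server and client wg confs above have to point at each peer's WireGuard address (10.11.x.x), not at the address the peer later gets on the-vxlan (10.12.x.x), and that mix-up is easy to make once the peer list grows. This added example (not from the original post) generates those PostUp lines for a peer list and refuses any address outside the assumed 10.11.0.0/16 underlay; the function names and the peer list are mine.

```shell
#!/bin/sh
# Added example, not part of the original post. Prefixes match the configs
# above: 10.11.0.0/16 is the WireGuard tunnel (the VXLAN underlay) and
# 10.12.0.0/16 is what the-vxlan hands out over DHCP (the overlay).

# is_underlay ADDR: succeeds only for a dotted-quad address inside 10.11.0.0/16.
# An overlay (10.12.x.x) address here is a silent misconfiguration: `bridge`
# accepts the fdb entry, but the encapsulated packets get routed back into
# the overlay instead of across the tunnel, so that peer never sees multicast.
is_underlay() {
    case $1 in 10.11.*.*) ;; *) return 1 ;; esac
    rest=${1#10.11.}
    a=${rest%%.*}; b=${rest#*.}
    for octet in "$a" "$b"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac   # empty, extra dots, letters
        [ "$octet" -le 255 ] || return 1
    done
}

# gen_fdb_entries DEV PEER...: print one wg-quick PostUp line per valid peer,
# in the same shape as the server conf above. Invalid peers are reported on
# stderr and skipped, and the function returns 1 so a generator script can
# stop before installing a conf with holes in it.
gen_fdb_entries() {
    dev=$1; shift
    rc=0
    for peer in "$@"; do
        if is_underlay "$peer"; then
            printf 'PostUp = bridge fdb append to 00:00:00:00:00:00 dst %s dev %s\n' "$peer" "$dev"
        else
            printf 'skipping %s: not an address in the WireGuard underlay 10.11.0.0/16\n' "$peer" >&2
            rc=1
        fi
    done
    return "$rc"
}

# Constructed peer list for demonstration: the three peers from the server conf
# plus one overlay address that must be rejected.
gen_fdb_entries the-vxlan 10.11.1.1 10.11.2.1 10.11.3.1 10.12.0.5 \
    || echo 'fix the peer list before installing this conf' >&2
```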