Yunohost only local and VPN (.local)

My YunoHost server

Hardware: Mini-Desktop-PC (i5,6GB Ram…)
YunoHost version: current - installed this week
I have access to my server : Through SSH | through the webadmin | direct access via keyboard / screen | …
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Hey!

I am trying to update my setup and want my YunoHost server to be reachable only over the local network. The only port I want to forward is the WireGuard port. So, I hope, it is a secure way to have a YunoHost server that no one else can access.
At the moment I have some problems with WireGuard, but I have addressed them in the WireGuard topic.

I have two questions - because I am a noob :slight_smile:

  1. Does this setup sound like a good idea? Is it secure? Do I miss something?
  2. I tried it for one whole week and tried to read a lot in the forum (even translated some French), but somehow I am not getting mDNS to work. I cannot access yunohost.local or test.local (I added the domain). I am using a Fritzbox as router. What can I do?

Thanks in advance!

Yes, yes, and apparently no. Except…

Sorry about that. mDNS does not go through WireGuard tunnels by default because they do not allow multicast. I am loosely investigating it whenever I have some time. My rough trials brought me to:

  1. CLI: ip link set dev wg0 multicast on
  2. Add 224.0.0.251/32, ff02::fb/128 to the AllowedIPs of your WireGuard peers. These are the multicast addresses.
  3. Reinstall avahi (sudo apt install avahi-utils and systemctl enable --now avahi-daemon)
  4. Tweak avahi configuration (/etc/avahi/avahi-daemon.conf) to allow point-to-point and reflector, and list wg0 in the enabled interfaces.
  5. Restart yunomdns and avahi-daemon services.

I would love a guinea pig to test it, since I am unsure how tweaked my setup is. :slight_smile:
So far I can get .local domains published by the server, but not ones published by other peers.

Edit: oops, I overlooked the “because I am a noob” part. :sweat: I would totally be fine if you cannot try these out yourself. It’s good for me to have finally written it out so that others can investigate too.
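The five steps above, collected into one script, as an added example that is not part of the original post and not YunoHost's or WireGuard's own tooling. It assumes the server's LAN interface is eth0, the tunnel interface is wg0, and the configuration lives at /etc/avahi/avahi-daemon.conf and /etc/wireguard/wg0.conf (all four are assumptions, overridable through the environment variables at the top). Run without arguments it only defines the helper functions, so it can be sourced and tried on copies of the files; run as root with --apply it edits the live configuration and restarts the services.

```shell
#!/bin/sh
# Added example (not from the original post, not YunoHost code): apply the
# five-step mDNS-over-WireGuard recipe from the reply above.
# Assumed names/paths, override via environment if yours differ:
set -u
AVAHI_CONF="${AVAHI_CONF:-/etc/avahi/avahi-daemon.conf}"
WG_CONF="${WG_CONF:-/etc/wireguard/wg0.conf}"
LAN_IF="${LAN_IF:-eth0}"
WG_IF="${WG_IF:-wg0}"

# set_ini_key FILE SECTION KEY VALUE
# Set (or uncomment) KEY inside [SECTION] of an INI-style file such as
# avahi-daemon.conf; the section or key is appended if it is missing.
set_ini_key() {
    file=$1; sec=$2; key=$3; val=$4
    awk -v sec="$sec" -v key="$key" -v val="$val" '
        BEGIN { insec = 0; done = 0; seen = 0 }
        /^\[.*\]$/ {
            # leaving the target section without having seen the key: add it
            if (insec && !done) { print key "=" val; done = 1 }
            insec = ($0 == "[" sec "]")
            if (insec) seen = 1
            print; next
        }
        insec && !done && $0 ~ ("^#?[ \t]*" key "[ \t]*=") {
            print key "=" val; done = 1; next
        }
        { print }
        END {
            if (!done) { if (!seen) print "[" sec "]"; print key "=" val }
        }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# patch_avahi_conf FILE INTERFACES
# Step 4: wg0 has no broadcast flag, so point-to-point must be allowed;
# turn on the reflector; and restrict avahi to exactly the listed
# interfaces so nothing is ever reflected towards a WAN-facing one.
patch_avahi_conf() {
    set_ini_key "$1" server allow-interfaces "$2"
    set_ini_key "$1" server allow-point-to-point yes
    set_ini_key "$1" reflector enable-reflector yes
}

# add_mdns_allowed_ips FILE
# Step 2: append the mDNS multicast group (IPv4 and IPv6) to every peer's
# AllowedIPs, since WireGuard only passes packets whose address is listed
# there. Idempotent: addresses already present are not added twice.
add_mdns_allowed_ips() {
    awk '
        /^[ \t]*AllowedIPs[ \t]*=/ {
            if ($0 !~ /224\.0\.0\.251\/32/) $0 = $0 ", 224.0.0.251/32"
            if ($0 !~ /ff02::fb\/128/)     $0 = $0 ", ff02::fb/128"
        }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# apply_mdns_over_wireguard: steps 1-5 on the live system (needs root).
apply_mdns_over_wireguard() {
    ip link set dev "$WG_IF" multicast on                    # step 1
    add_mdns_allowed_ips "$WG_CONF"                          # step 2
    stripped=$(mktemp) \
        && wg-quick strip "$WG_IF" > "$stripped" \
        && wg syncconf "$WG_IF" "$stripped"                  # reload peers, keep tunnel up
    rm -f "$stripped"
    apt-get install -y avahi-utils                           # step 3
    systemctl enable --now avahi-daemon
    patch_avahi_conf "$AVAHI_CONF" "$LAN_IF,$WG_IF"          # step 4
    systemctl restart yunomdns avahi-daemon                  # step 5
    # quick check with the name YunoHost publishes by default
    avahi-resolve -n yunohost.local || echo "yunohost.local not resolvable yet" >&2
}

case "${1:-}" in
    --apply) apply_mdns_over_wireguard ;;
    *) ;;   # no argument: only define the functions (safe to source)
esac
```

Two things to keep in mind when using it. The avahi reflector relays between every interface in allow-interfaces, so that list should contain only the LAN and the tunnel, never the interface that faces the router's WAN side, or the "only WireGuard is exposed" property of the setup is lost. And WireGuard's AllowedIPs is a routing table: a prefix such as 224.0.0.251/32 can belong to only one peer at a time, so on a server with several clients the script's per-peer edit leaves the multicast prefixes owned by the last peer in the file, which limits what the server can push to the other tunnels.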


Hey Thanks for your answer!

I have a freshly installed Yunohost instance, be my guest and use it as a guinea pig.

Just one thing, I don't get the .local addresses working even without VPN.

Edit: I am not a total noob, I use Linux as my main OS and I am a developer, just not very familiar with server and network stuff :slight_smile:

Edit2: I will try it out as soon as I have fixed my WireGuard connection :slight_smile:

So Wireguard is now working :slight_smile:

But before I can test mDNS/Bonjour over VPN, I should get it working without VPN first.

So whats the problem?
No matter what I do, whatever.local and yunohost.local (yunohost-2.local) are not working. I added multiple .local domains in the WebUI, but they cannot be found by browser or by ping (and on multiple devices).
Yunomdns is running: hastebin (at the moment the second yunohost is not running, but I had the same problem with it)

Also, mdns.yml looks like this:

domains:
    - yunohost.local
    - bauerbyter.local

I added the addresses into the Fritzbox “DNS-Rebind-Schutz” to whitelist them.

What else can I do?

Tried it again several times, but still no luck. Can someone please point me in the right direction?

Let’s assess the situation:

  1. Your server is on address 192.168.178.50. Can you make sure it has a fixed address?
  2. Which device are you using to test the mDNS domains? (OS, version, if it is on the same network subnet)
  3. What is Fritzbox “DNS-Rebind-Schutz”? Are you sure your modem is not interfering with mDNS broadcast? (not sure how though)
  1. Yes it has a fixed address.
  2. I am using a Laptop with EndeavourOS ( Arch Linux) and my Android Smartphone
  3. I tried to translate it: Some devices come with DNS rebind protection. This is intended to prevent a DNS query in the browser from being assigned to an IP address in the network of the requesting client. Because this is how DNS rebind attacks can be carried o

On your laptop, can you make sure avahi-utils is installed and that the service avahi-daemon is running? If so, check if your server is listed with the command avahi-browse --all.

Is your phone running an Android version >= 12?

Okay, you were right, it was an avahi problem (Windows is working fine with *.local addresses).
So now I will test mDNS over VPN!