Date: 2024-04-15

I have a Sonos setup in my dorm connected to an EdgeRouter via Ethernet. The EdgeRouter is connected to the rest of the school network via Ethernet. Devices on the wireless network cannot send any broadcast packets, because the school's wireless APs drop them to cut down on unwanted traffic, so controlling the Sonos setup over the wireless network is not possible. I tried traditional VPNs to reach my local Sonos network through the EdgeRouter, but still no discovery of the system.

VPN technologies like L2TP (Layer 2 Tunneling Protocol) can be quite deceiving: despite the name, when used on end devices like mobile phones and computers they do not carry layer 2 broadcast frames. So Bonjour and other discovery protocols that rely on such broadcasts do not work over these traditional VPNs as is.

The solution is to create a virtual TAP interface on the end device (Android in this case) that tunnels whole Ethernet frames, broadcasts included, through the VPN. The VPN of choice here is OpenVPN. On the other end is an EdgeRouter PoE with a vtun0 interface bridged to the local network. I’ll be showing the steps I took to achieve such a setup.

These instructions are based on information from the Ubiquiti (ubnt) community forum; this post draws heavily on one forum post on creating the keys and another on creating the TAP setup.

We begin by installing easy-rsa on the EdgeRouter:

curl -O http://ftp.us.debian.org/debian/pool/main/e/easy-rsa/easy-rsa_2.2.2-1~bpo70+1_all.deb
sudo dpkg -i easy-rsa_2.2.2-1~bpo70+1_all.deb

This installs easy-rsa to “/usr/share/easy-rsa”.

Switch to a root shell with sudo:

sudo -i

Change to /config/auth/ and create an empty directory openvpn/keys. This way any generated keys and certificates are also part of backups and archives.

cd /config/auth/
mkdir openvpn
mkdir openvpn/keys

Change to the directory /config/auth/openvpn/keys and create the text files index.txt and serial:

cd /config/auth/openvpn/keys

touch index.txt

echo 00 > serial

Change to the directory /config and create a directory openvpn. Then copy in the easy-rsa vars file, the prerequisite for generating OpenVPN keys and certificates:

cd /config
mkdir openvpn

cd /config/openvpn

cp -p /usr/share/easy-rsa/vars ./

Edit the file /config/openvpn/vars with vi.

cd /config/openvpn

vi ./vars

Modify the following lines and save it:

...
export EASY_RSA="/usr/share/easy-rsa"
...
export KEY_DIR="/config/auth/openvpn/keys"
...
# export PKCS11_MODULE_PATH="dummy"   # commented out
# export PKCS11_PIN="dummy"           # commented out
...
export KEY_COUNTRY="MyCountryCode"    # e.g. "US"
export KEY_PROVINCE="MyProvince"
export KEY_CITY="MyCity"
export KEY_ORG="MyOrganisationName"
export KEY_EMAIL="admin@MyDomain.com"
export KEY_EMAIL=admin@MyDomain.com
export KEY_CN=gateway.MyDomain.com    # can be some other gateway domain
export KEY_NAME=MyOrganisation_MyGatewayName    # can be some other name
export KEY_ALTNAMES="something"
export KEY_OU=Operation
# export PKCS11_MODULE_PATH=changeme  # commented out
# export PKCS11_PIN=1234              # commented out

Change to the directory /usr/share/easy-rsa and create the certificates and keys:

cd /usr/share/easy-rsa

# note the dot and the space: this sources the vars file into the current shell
. /config/openvpn/vars

# removes all previously generated keys and certificates from /config/auth/openvpn/keys
./clean-all         # takes some time

./build-dh          # confirm all questions with Return or yes; leave the password empty

# use the same value as set in vars for KEY_CN (gateway.MyDomain.com);
# confirm all questions with Return or yes; leave the password empty
./build-ca

./build-key-server gateway.MyDomain.com

The directory /config/auth/openvpn/keys should now contain the following files:

01.pem ca.crt ca.key dh1024.pem gateway.MyDomain.com.crt gateway.MyDomain.com.csr gateway.MyDomain.com.key index.txt index.txt.attr index.txt.old serial serial.old server.key
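The easy-rsa 2 scripts used above are thin wrappers around openssl. As an added example that is not part of the original post or the forum posts it draws on, here is the same sequence written directly against openssl, so each step is visible and checkable. It goes one step beyond the page: the server certificate gets the extendedKeyUsage=serverAuth extension that a client checks with "remote-cert-tls server", as well as the nsCertType=server extension that "ns-cert-type server" checks. It assumes openssl is on the PATH; the directory, the common name, the 2048-bit key size (the page's files are 1024-bit) and the file names server.key/server.crt are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the original post: the files the easy-rsa steps
# produce (ca.crt, ca.key, a server certificate and key, DH parameters) built
# directly with openssl. Assumes openssl is on the PATH; directory, common name
# and the file names server.key/server.crt are this example's own choices.

# make_pki DIR CN  -- create a CA and a server certificate for CN under DIR
make_pki() {
    dir="$1"; cn="$2"
    mkdir -p "$dir" && chmod 700 "$dir"

    # Minimal req config: no prompts, plus the CA extensions build-ca would set.
    printf '[req]\ndistinguished_name = dn\n[dn]\n[v3_ca]\nbasicConstraints = critical,CA:TRUE\nkeyUsage = critical,keyCertSign,cRLSign\nsubjectKeyIdentifier = hash\n' \
        > "$dir/req.cnf"

    # 1. CA key and self-signed CA certificate (easy-rsa: build-ca)
    openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -sha256 -days 3650 \
        -config "$dir/req.cnf" -extensions v3_ca \
        -subj "/CN=$cn CA" -out "$dir/ca.crt"

    # 2. Server key and certificate request (easy-rsa: build-key-server)
    openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
    openssl req -new -key "$dir/server.key" -sha256 \
        -config "$dir/req.cnf" -subj "/CN=$cn" -out "$dir/server.csr"

    # 3. Sign the request, marking the result as a *server* certificate:
    #    extendedKeyUsage=serverAuth is what a client checks with
    #    "remote-cert-tls server"; nsCertType=server is the older extension
    #    checked by "ns-cert-type server". Both are set so either client works.
    printf 'basicConstraints = CA:FALSE\nkeyUsage = digitalSignature,keyEncipherment\nextendedKeyUsage = serverAuth\nnsCertType = server\n' \
        > "$dir/server.ext"
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 3650 -extfile "$dir/server.ext" \
        -out "$dir/server.crt" 2>/dev/null

    # Private keys must not be readable by other users on the router.
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

# make_dh DIR BITS  -- Diffie-Hellman parameters (easy-rsa: build-dh); the slow step
make_dh() {
    openssl dhparam -out "$1/dh$2.pem" "$2" 2>/dev/null
}

# verify_server_cert DIR  -- the check worth running before pointing the tls { }
# block at these files: does server.crt chain to ca.crt, and is it marked for
# server use?
verify_server_cert() {
    openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null || return 1
    openssl x509 -in "$1/server.crt" -noout -text \
        | grep -q 'TLS Web Server Authentication'
}

# Stand-alone use: PKI_DIR=/config/auth/openvpn/keys PKI_CN=gateway.MyDomain.com sh make-pki.sh
if [ -n "${PKI_DIR:-}" ] && [ -n "${PKI_CN:-}" ]; then
    make_pki "$PKI_DIR" "$PKI_CN"
    make_dh "$PKI_DIR" 2048
    verify_server_cert "$PKI_DIR" && echo "server certificate OK"
fi
```

The DH generation is split into its own function because it is the slow step and only needs to be run once; the resulting file names are then what the tls { } block of the server configuration points at. verify_server_cert is the part easy-rsa does not do for you: it confirms the certificate actually chains to the CA you are about to hand out to clients and carries the server extension a client will insist on.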

Now create your OpenVPN client users in the EdgeRouter GUI or CLI. Select the user level “operator” and set an appropriate password for each. You can create and delete users and change passwords as you wish at any time.

Now leave the root shell with exit and enter the CLI configure mode:

exit
configure

Now create the OpenVPN server configuration. First the bridge that the LAN port and the TAP interface will share:

bridge br0 {
    address 192.168.10.1/24    # Internal IP
}

Associate the bridge with one of the Ethernet interfaces:

ethernet eth1 {
    bridge-group {
        bridge br0
    }
}

The OpenVPN part:

openvpn vtun0 {
    bridge-group {
        bridge br0
    }
    device-type tap
    encryption aes128
    mode server
    openvpn-option --tls-server
    openvpn-option "--proto udp"
    openvpn-option "--port 1194"
    openvpn-option "--user nobody --group nogroup"
    openvpn-option "--plugin /usr/lib/openvpn/openvpn-auth-pam.so login"
    openvpn-option "--client-cert-not-required --username-as-common-name"
    openvpn-option --duplicate-cn
    openvpn-option --comp-lzo
    server {
        subnet 192.168.10.0/24
    }
    # REMEMBER TO CHANGE THESE!
    tls {
        ca-cert-file /config/auth/openvpn/keys/ca.crt
        cert-file /config/auth/openvpn/keys/gateway.DOMAIN.com.crt
        dh-file /config/auth/openvpn/keys/dh1024.pem
        key-file /config/auth/openvpn/keys/gateway.DOMAIN.com.key
    }
}

Print the CA certificate from /config/auth/openvpn/keys:

cat /config/auth/openvpn/keys/ca.crt

Create a file on your local computer with the extension .ovpn and paste the contents of the CA certificate where shown:

dev tap
auth-nocache
<connection>
remote YOUR EXTERNAL IP
tun-mtu 1400
</connection>
comp-lzo
keysize 128
key-method 2
resolv-retry infinite
ns-cert-type server
verb 3
cipher AES-128-CBC
auth SHA1
auth-user-pass
client
<ca>
##################### PASTE CA HERE #####
</ca>
# this is a random certificate used by the OpenVPN iOS client; it can be copied as is
<cert>
-----BEGIN CERTIFICATE-----
MIIB1jCCAT+gAwIBAgIEAmLSTjANBgkqhkiG9w0BAQUFADAVMRMwEQYDVQQDEwpP
cGVuVlBOIENBMB4XDTEzMDExNzAyMTExMloXDTIzMDEyMjAyMTExMlowKDEmMCQG
A1UEAxQdZnJyaWN0aW9uQGdtYWlsLmNvbV9BVVRPTE9HSU4wgZ8wDQYJKoZIhvcN
AQEBBQADgY0AMIGJAoGBALVEXIZYYu1Inmejuo4Si6Eo5AguTX5sg1pGbLkJSTR4
BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlUtWnVCwCYtewYfEc/+azH7+7eU6ue
T2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCedptgWyiL50N7FMcUUMjjXYh/hftB
AgMBAAGjIDAeMAkGA1UdEwQCMAAwEQYJYIZIAYb4QgEBBAQDAgeAMA0GCSqGSIb3
DQEBBQUAA4GBABhVzSYXHlQEPNaKGmx9hMwwnNKcHgD9cCmC9lX/KR2Y+vT/QGxK
7sYlJInb/xmpa5TUQYc1nzDs9JBps1mCtZbYNNDpYnKINAKSDsM+KOQaSYQ2FhHk
bmBZk/K96P7VntzYI5S02+hOWnvjq5Wk4gOt1+L18+R/XujuxGbwnHW2
-----END CERTIFICATE-----
</cert>
# this is a random key used by the OpenVPN iOS client; it can be copied as is
<key>
-----BEGIN PRIVATE KEY-----
MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALVEXIZYYu1Inmej
uo4Si6Eo5AguTX5sg1pGbLkJSTR4BXQsy6ocUnZ9py8htYkipkUUhjY7zDu+wJlU
tWnVCwCYtewYfEc/+azH7+7eU6ueT2K2IKdik1KWhdtNbaNphVvSlgdyKiuZDTCe
dptgWyiL50N7FMcUUMjjXYh/hftBAgMBAAECgYEAsNjgOEYVRhEaUlzfzmpzhakC
SKT8AALYaAPbYO+ZVzJdh8mIbg+xuF7A9G+7z+5ZL35lrpXKnONuvmlxkK5ESwvV
Q7EOQYCZCqa8xf3li3GUBLwcwXKtOUr3AYXhdbOh2viQdisD4Ky7H6/Nd3yMc3bu
R4pErmWeHei+l6dIwAECQQDqljNxi9babmHiei6lHaznCMg5+jfAyDXgHvO/afFr
1bDQVDTDK+64kax4E9pvDZC6B/HGse9hOUGWXTjb0WZBAkEAxdAw/14iJIUcE5sz
HDy2R0RmbUQYFjrNgBCi5tnmr1Ay1zHAs1VEF+Rg5IOtCBO50I9jm4WCSwCtN6zF
FoFVAQJAUGfBJDcZIm9ZL6ZPXJrqS5oP/wdLmtFE3hfd1gr7C8oHu7BREWB6h1qu
8c1kPlI4+/qDHWaZtQpJ977mIToJwQJAMcgUHKAm/YPWLgT31tpckRDgqgzh9u4z
e1A0ft5FlMcdFFT8BuWlblHWJIwSxp6YO6lqSuBNiuyPqxw6uVAxAQJAWGxOgn2I
fGkWLLw4WMpkFHmwDVTQVwhTpmMP8rWGYEdYX+k9HeOJyVMrJKg2ZPXOPtybrw8T
PUZE7FgzVNxypQ==
-----END PRIVATE KEY-----
</key>
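Two things about this profile and the matching server configuration are worth seeing side by side. Because the server runs with --client-cert-not-required, the certificate and key pasted above are never checked, so the pasted key (a copy from a public post) adds nothing and every client authenticates with a PAM username and password alone. And several of the directives (comp-lzo, ns-cert-type, keysize, key-method, client-cert-not-required) have since been deprecated or removed by OpenVPN. The following added example, which is not part of the original post, puts the posted profile beside a hardened version of the same bridged-TAP profile and includes a small check that flags those directives; it works on a server's openvpn-option list as well. The hardened profile assumes OpenVPN 2.5 or newer on both ends, and the address 203.0.113.10, the host name gateway.example.com and the text inside the <ca>/<cert>/<key> blocks are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: the client profile above beside a
# hardened version of the same bridged-TAP profile, plus a check that flags
# directives OpenVPN has deprecated or removed. The address, host name and the
# text inside the <ca>/<cert>/<key> blocks are constructed placeholders.

# Profile as posted above, reduced to the directives that matter here.
WEAK_PROFILE='client
dev tap
remote 203.0.113.10 1194 udp
comp-lzo
keysize 128
key-method 2
ns-cert-type server
cipher AES-128-CBC
auth SHA1
auth-user-pass
<ca>
PASTE CA HERE
</ca>
<cert>
certificate copied from a forum post
</cert>
<key>
private key copied from a forum post
</key>'

# Same setup with the weak parts replaced (OpenVPN 2.5 or newer on both ends).
HARDENED_PROFILE='client
dev tap
remote 203.0.113.10 1194 udp
remote-cert-tls server
verify-x509-name gateway.example.com name
data-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
auth-user-pass
<ca>
PASTE CA HERE
</ca>
<cert>
per-user certificate issued by the router CA
</cert>
<key>
per-user private key generated on the device and never shared
</key>'

# write_profiles DIR  -- materialise both profiles as DIR/weak.ovpn and DIR/hardened.ovpn
write_profiles() {
    printf '%s\n' "$WEAK_PROFILE" > "$1/weak.ovpn"
    printf '%s\n' "$HARDENED_PROFILE" > "$1/hardened.ovpn"
}

# check_profile FILE  -- print one line per weak directive found; exit status 0
# only when the profile is clean. Works on a server's openvpn-option list too.
check_profile() {
    found=0
    for rule in \
        'comp-lzo|compression is a plaintext oracle (VORACLE); remove it' \
        'ns-cert-type|removed in OpenVPN 2.5; use remote-cert-tls server' \
        'keysize|deprecated since 2.4; AES-128/256 have a fixed key size' \
        'key-method|obsolete; key-method 1 was removed in 2.5' \
        'cipher AES-128-CBC|CBC mode; prefer an AEAD cipher via data-ciphers' \
        'auth SHA1|prefer auth SHA256' \
        'client-cert-not-required|removed in 2.5; use verify-client-cert none, and prefer real client certificates'
    do
        pat=${rule%%|*}
        why=${rule#*|}
        if grep -q -w -- "$pat" "$1"; then
            echo "$1: $pat: $why"
            found=$((found + 1))
        fi
    done
    [ "$found" -eq 0 ]
}

# Stand-alone demo: OVPN_DEMO=1 sh check-ovpn.sh
if [ -n "${OVPN_DEMO:-}" ]; then
    d=$(mktemp -d)
    write_profiles "$d"
    check_profile "$d/weak.ovpn"       # six findings, exit status 1
    check_profile "$d/hardened.ovpn"   # no output, exit status 0
fi
```

data-ciphers is negotiated with a 2.5+ server; on an older EdgeOS build the server still dictates the data cipher through its encryption setting, so check the router's openvpn --version before changing the client side. remote-cert-tls server only passes if the server certificate carries the serverAuth extended key usage, which is worth confirming with openssl x509 -text on the router before rolling the new profile out.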

Copy the file to your mobile device and install the following app (paid):

https://play.google.com/store/apps/details?id=it.colucciweb.openvpn&hl=en

Load the profile and you should be good to go.