I have a wireless printer/scanner on a remote network that is accessible via an OpenVPN server in eth-bridge mode running on an Ubuntu 20.04 host (in the same remote network as the scanner, of course). IP printing is fine and working; it's the scanner service I need using tools on the client machine(s), in this case OSX 10.15.7 via Tunnelblick, which is why I have set up an ethernet bridge on the server.
Despite following the OpenVPN documentation and other helpful guides, and what appears to be a working ovpn layer 2 server that is accepting clients, I am still not seeing the expected mDNS broadcast from any server-side devices. As I understand it, this is what is needed to use the scanner via most imaging software (Image Capture and VueScan for my use case).
UPDATE:
I have not resolved this specific issue; however, for anyone that cares, an adequate workaround has been following this guide using TUN instead of TAP, the only modification being that I'm using the _uscan._tcp protocol in my DNS record, and not ipp of course.
A few points in my troubleshooting process:
• Client connects, TAP sets up and is assigned an IP according to the server-bridge directive, placing the client in the server-side LAN
• Remote router visibly registers my client as a 'connected device'
• While connected, all remote hosts (including the scanner) are ping-able from client
• While connected, dns-sd -Z on OSX confirms I'm not seeing any new service; I do continue to see local services, however
• Client side firewall is off
• Remote scanner service is broadcasting as expected, confirmed by running avahi-browse on remote server
Maybe this specific traffic is being blocked from the TAP interface (client or server) in some other way? I have found only a handful of references to partially similar issues, none of which have seemed to provide resolution - I am hopeful for some guidance on further troubleshooting.
The following workarounds are not preferred and have been inadequate:
• Accessing the scanner's web server
• VNC to remote host to do image capturing locally relative to scanner
I am of course open to alternative methods of accomplishing the intended purpose, though OpenVPN TAP seems to be the more ubiquitous solution for this kind of thing, so what am I missing here?
Server side config, iptables and interface details below for reference:
Server Config
local 192.168.1.113
port ****
proto udp
dev tap0
ca server/ca.crt
cert server/server.crt
key server/server.key
dh server/dh.pem
auth SHA512
tls-crypt server/tc.key
server-bridge 192.168.1.1 255.255.255.0 192.168.1.201 192.168.1.240
push "redirect-gateway def1"
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 192.168.1.1"
push "route 192.168.1.0 255.255.255.0"
push "route-delay 10"
keepalive 10 120
cipher AES-256-CBC
user nobody
group nogroup
persist-key
persist-tun
verb 3
crl-verify server/crl.pem
explicit-exit-notify
Iptables
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
-A INPUT -i tap0 -j ACCEPT
-A INPUT -i br0 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 10.8.0.0/24 -j ACCEPT #former TUN config
-A FORWARD -i br0 -j ACCEPT
Netplan config
network:
  version: 2
  renderer: NetworkManager
  ethernets:
    enp2s0:
      dhcp4: false
      dhcp6: false
  bridges:
    br0:
      interfaces: [enp2s0]
      addresses: [192.168.1.113/24]
      gateway4: 192.168.1.1
      mtu: 1500
      nameservers:
        addresses: [8.8.8.8]
      parameters:
        stp: true
        forward-delay: 0
      dhcp4: no
      dhcp6: no