Configuring Bonjour/mDNS over VPN in Mac OS X Mountain Lion Server: A Technical Guide for Seamless Network Discovery


When you turn on the VPN service in Mountain Lion Server (10.8), remote clients reach the LAN by IP address, but their Bonjour browse lists stay empty: the file shares, printers and screen-sharing hosts that local users find automatically do not show up over the tunnel.

The reason is not the VPN flavour but how Bonjour works. Service discovery uses multicast DNS (mDNS): queries and answers go to 224.0.0.251 (ff02::fb for IPv6) on UDP port 5353 with link-local scope, so they are only delivered on the link they were sent on. The server's L2TP/PPTP service gives each client a point-to-point link (ppp0, ppp1, ...) and routes unicast between it and the LAN; link-local multicast is never routed, on OS X or anywhere else. Anything that makes Bonjour work over the VPN therefore has to either relay mDNS between the LAN interface and the ppp links or publish the services in unicast DNS.

A recipe that circulates for this edits an mDNSResponder configuration file:

# Edit the mDNSResponder configuration
sudo nano /etc/mDNSResponder.conf

# Add these parameters:
BonjourForwardingEnabled
MulticastForwarding

It has no effect. Apple's mDNSResponder does not read /etc/mDNSResponder.conf and has no forwarding mode; its documented preference on 10.8 is the NoMulticastAdvertisements key in /Library/Preferences/com.apple.mDNSResponder.plist, which switches advertising off, not on. mDNS reflection has to be done by a separate relay process that joins the multicast group on both sides and re-sends the packets, and OS X Server does not ship one.

If you run OpenVPN alongside the built-in VPN, you can bring mDNS across at Layer 2 instead, but only with a tap device that is bridged to the LAN. A tap server that uses the `server` directive gives clients a virtual Ethernet segment of their own, routed to the LAN like any other subnet, and LAN multicast still does not reach it:

# OpenVPN server configuration additions
port 1194
proto udp
dev tap
topology subnet                  # only meaningful for dev tun; tap always uses a subnet topology
server 10.8.0.0 255.255.255.0    # routed tap segment: clients see each other's mDNS, not the LAN's
push "dhcp-option DNS 10.8.0.1"
push "route 192.168.1.0 255.255.255.0"

To actually put clients on the LAN link, replace `server` with `server-bridge` and bridge the tap interface with the LAN interface on the server; the clients must use `dev tap` as well. Bridging makes every VPN client a full member of the LAN segment, so it also exposes them to all LAN broadcast and multicast traffic, and the LAN to theirs.

If pf is enabled on the server, it must let mDNS through on the interfaces the relay uses. These rules do that, but they do not by themselves move multicast between interfaces:

# Add to /etc/pf.conf
pass in proto udp from any to 224.0.0.251 port 5353
pass out proto udp from any to 224.0.0.251 port 5353

Add matching rules for ff02::fb if IPv6 is in use, reload with `sudo pfctl -f /etc/pf.conf`, and confirm the rules are in the active set with `sudo pfctl -sr`.

After making changes, restart mDNSResponder and check what a client can browse. On 10.8 mDNSResponder is also the system's unicast DNS resolver, so unloading it interrupts all name resolution on the server for the moment it is down:

# Restart services
sudo launchctl unload /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist
sudo launchctl load /System/Library/LaunchDaemons/com.apple.mDNSResponder.plist

# Test discovery (lists the service types visible on the local links)
dns-sd -B _services._dns-sd._udp

Run the browse on a connected VPN client, not on the server: the server always sees its own LAN, so a full list there proves nothing about the tunnel.

Relaying mDNS over the tunnel is convenient, but weigh these points:

  • Every query and answer on the LAN is copied onto each client's ppp link, which is noticeable on slow links
  • Discovery waits on multicast answers that now cross the relay, so browse lists fill in more slowly
  • The relay carries the LAN's mDNS to the VPN and the clients' mDNS onto the LAN; that exposes host names, the service inventory and TXT record contents (often share paths and device models) to every VPN user, so relay only the service types remote users need

Where multicast relaying is not wanted, the supported alternative is unicast DNS-SD, also called Wide-Area Bonjour: publish the PTR/SRV/TXT records for each service in a zone served by the server's DNS service (BIND, managed from Server.app), and have the VPN hand clients that DNS server and the zone as a search domain. Clients then browse the domain instead of .local, for example `dns-sd -B _afpovertcp._tcp example.com`. The dns-sd proxy form is sometimes quoted as "unicast DNS", but it is not:

# Proxy registration: advertises on behalf of another host, over mDNS on this link
# (the IP argument is required; 192.168.1.10 stands in for server.local's address)
dns-sd -P "Service Name" _http._tcp local 80 server.local 192.168.1.10

It registers the service with the local mDNSResponder, which announces it by multicast on the links the server is on, so it does not cross the tunnel either.

The other option is a dedicated gateway on the LAN that terminates the VPN and runs an mDNS reflector, which keeps the relay and its filtering in one place.


When implementing VPN connectivity in Mac OS X Mountain Lion Server environments, administrators run into the same limitation from the user's side: Bonjour (mDNS) services do not propagate across the VPN tunnel, which disrupts remote team members who expect Bento databases, printers or file shares to appear in their sidebars as they do in the office.

Bonjour relies on multicast DNS, which by design only works within a single link (broadcast domain). A VPN connection is a separate, routed link, and the server does not forward link-local multicast between it and the LAN. Making the services visible means either relaying mDNS between the two sides or publishing the services in unicast DNS, and in both cases making sure clients receive the right DNS settings from the VPN.

On the server, a second version of the recipe edits the same nonexistent file, this time with keys borrowed from avahi-daemon.conf:

# Create or modify the mDNS responder configuration
sudo nano /etc/mDNSResponder.conf

# Add these critical parameters:
port=5353
allow-interfaces=ppp0,tun0
enable-wide-area=yes

allow-interfaces and enable-wide-area are Avahi (Linux) settings, and Apple's mDNSResponder ignores this file entirely. Avahi matters only if the relay is a Linux box: there, enable-reflector=yes in the [reflector] section of avahi-daemon.conf turns on an mDNS reflector, and allow-interfaces restricts it to the interfaces you name.

For the built-in L2TP VPN, the server already routes unicast between the ppp links and the LAN; the VPN service turns on IP forwarding when it starts. There is no sysctl that forwards link-local multicast, so the steps below only confirm unicast forwarding and let pf pass mDNS to whatever relay you run:

# Unicast forwarding between ppp links and the LAN (normally already set by the VPN service;
# check with: sysctl -n net.inet.ip.forwarding)
sudo sysctl -w net.inet.ip.forwarding=1

# Let pf pass mDNS; append the rule to the ruleset rather than replacing it
# (the often-quoted `pfctl -ef -` would load this single rule as the entire ruleset)
echo "pass in proto udp from any to 224.0.0.251 port 5353" | sudo tee -a /etc/pf.conf
sudo pfctl -e -f /etc/pf.conf

On the client side there is nothing to switch on in mDNSResponder. What a VPN client needs is either to be on a link where relayed mDNS arrives (its ppp link, once the server reflects traffic onto it) or, for the unicast approach, to receive the server's DNS address and search domain from the VPN. The defaults keys that circulate for this do not help:

# On client Macs (circulated online; not documented by Apple and with no observable effect)
defaults write com.apple.mDNSResponder ForceMulticastDNSOnVPN -bool YES
defaults write com.apple.mDNSResponder UseUnicastDotLocal -bool YES

Note also that without sudo these commands write to the user's own preference domain, which a system daemon never reads; mDNSResponder's actual preferences live in /Library/Preferences/com.apple.mDNSResponder.plist.

After implementation, verify the setup from a connected VPN client and on the server:

# Check active Bonjour services (run on the VPN client)
dns-sd -B _services._dns-sd._udp

# Monitor mDNS on a client's ppp link (run on the server; each L2TP client gets its own pppN)
sudo tcpdump -i ppp0 -n port 5353

If tcpdump on the ppp link shows the client's queries but no answers coming back, nothing is relaying the LAN side onto that link.

When implementing this solution, be aware that:

  • Multicast traffic copied onto every ppp link increases VPN bandwidth usage
  • Service discovery takes longer over VPN, since answers cross the relay and cached records age out on their TTLs
  • Filter the relay by service type if you have many Bonjour services; a reflector that forwards everything also publishes the whole LAN's device inventory to every VPN user
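The filtering step from the last bullet, and the reflection a dedicated gateway would perform, come down to one operation: parse an mDNS response from the LAN, keep only records that belong to an allowed service type, and re-serialise the packet (without compression pointers) before sending it toward the ppp links. The following is an added example, not code from the original page or from Apple; the sample packet, service names, hosts and addresses are constructed, and instance labels are assumed not to contain dots.

```python
"""Service-type filter for an mDNS reflector (added example, constructed data)."""
import struct

MDNS_GROUP = ("224.0.0.251", 5353)          # mDNS IPv4 group and port
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
ENUM = "_services._dns-sd._udp.local"       # service-type enumeration name


def encode_name(name):
    """Encode a dotted name as uncompressed labels."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"


def decode_name(pkt, off):
    """Decode a possibly compressed name at pkt[off]; return (name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", pkt[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if length == 0:
            return ".".join(labels), (end if jumped else off)
        labels.append(pkt[off:off + length].decode())
        off += length


def parse_records(pkt):
    """Return (flags, records); a record is (section, name, type, class, ttl, rdata_off, rdlen)."""
    _, flags, qd, an, ns, ar = struct.unpack("!6H", pkt[:12])
    off, records = 12, []
    for _ in range(qd):                                # skip the question section
        _, off = decode_name(pkt, off)
        off += 4
    for section, count in (("an", an), ("ns", ns), ("ar", ar)):
        for _ in range(count):
            name, off = decode_name(pkt, off)
            rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
            off += 10
            records.append((section, name, rtype, rclass, ttl, off, rdlen))
            off += rdlen
    return flags, records


def service_of(name):
    """'Shared._afpovertcp._tcp.local' -> '_afpovertcp._tcp.local' (labels assumed dot-free)."""
    return name.split(".", 1)[1] if "." in name else ""


def reflect_filter(pkt, allowed):
    """Rebuild pkt with only records of service types in `allowed`; None if nothing is left."""
    flags, records = parse_records(pkt)
    kept, hosts = [], set()
    for sec, name, rtype, rclass, ttl, rd_off, rdlen in records:
        if rtype == TYPE_PTR:
            target, _ = decode_name(pkt, rd_off)       # rdata may point back into pkt
            if name in allowed or (name == ENUM and target in allowed):
                kept.append((sec, name, rtype, rclass, ttl, encode_name(target)))
        elif rtype == TYPE_SRV and service_of(name) in allowed:
            target, _ = decode_name(pkt, rd_off + 6)   # after priority, weight, port
            hosts.add(target)
            kept.append((sec, name, rtype, rclass, ttl, pkt[rd_off:rd_off + 6] + encode_name(target)))
        elif rtype == TYPE_TXT and service_of(name) in allowed:
            kept.append((sec, name, rtype, rclass, ttl, pkt[rd_off:rd_off + rdlen]))
    for sec, name, rtype, rclass, ttl, rd_off, rdlen in records:   # addresses only for kept SRV targets
        if rtype == TYPE_A and name in hosts:
            kept.append((sec, name, rtype, rclass, ttl, pkt[rd_off:rd_off + rdlen]))
    if not kept:
        return None
    counts, body = {"an": 0, "ns": 0, "ar": 0}, b""
    for sec in ("an", "ns", "ar"):
        for s, name, rtype, rclass, ttl, rdata in kept:
            if s == sec:
                counts[sec] += 1
                body += encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata
    return struct.pack("!6H", 0, flags, 0, counts["an"], counts["ns"], counts["ar"]) + body


def rr(name, rtype, rdata, rclass=1, ttl=4500):
    """Build one uncompressed resource record (class 0x8001 sets the mDNS cache-flush bit)."""
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


# Constructed LAN response: an AFP share and an AirPlay receiver; 0xC00C points at offset 12.
SAMPLE = (
    struct.pack("!6H", 0, 0x8400, 0, 5, 0, 3)
    + rr("_afpovertcp._tcp.local", TYPE_PTR, encode_name("Shared._afpovertcp._tcp.local"))
    + rr("_airplay._tcp.local", TYPE_PTR, encode_name("Apple TV._airplay._tcp.local"))
    + rr(ENUM, TYPE_PTR, b"\xc0\x0c")
    + rr("Shared._afpovertcp._tcp.local", TYPE_SRV,
         struct.pack("!HHH", 0, 0, 548) + encode_name("fileserver.local"), 0x8001, 120)
    + rr("Apple TV._airplay._tcp.local", TYPE_SRV,
         struct.pack("!HHH", 0, 0, 7000) + encode_name("appletv.local"), 0x8001, 120)
    + rr("Shared._afpovertcp._tcp.local", TYPE_TXT, b"\x00", 0x8001)
    + rr("fileserver.local", TYPE_A, bytes([192, 168, 1, 10]), 0x8001, 120)
    + rr("appletv.local", TYPE_A, bytes([192, 168, 1, 20]), 0x8001, 120)
)

if __name__ == "__main__":
    out = reflect_filter(SAMPLE, {"_afpovertcp._tcp.local"})
    for sec, name, rtype, *_ in parse_records(out)[1]:
        print(sec, rtype, name)
```

With only `_afpovertcp._tcp.local` allowed, the AirPlay PTR, its SRV and the appletv.local address are dropped while the AFP records and fileserver.local survive; a relay would send the rebuilt packet to the group on each ppp link and drop the packet entirely when the function returns None. Questions are deliberately not relayed by this function, which is the usual choice for a one-way LAN-to-VPN reflector.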

For environments with many remote users, Apple's supported large-deployment option is Wide-Area Bonjour, which is unicast DNS-SD: the records live in the DNS zone, the VPN pushes that domain as a search domain, and no client preference is involved. The command often quoted for it

# There is no WideAreaBonjour preference key; this writes a key that nothing reads
sudo defaults write /Library/Preferences/com.apple.mDNSResponder \
    WideAreaBonjour -bool YES

does nothing. Publish b._dns-sd._udp and lb._dns-sd._udp PTR records for the domain and the per-service PTR/SRV/TXT records in the zone instead.
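The unicast DNS-SD alternative mentioned in both halves of this article needs a specific set of records in the zone, and the instance names need zone-file escaping that is easy to get wrong by hand. The generator below is an added example, not code from the original page or from Apple; example.com, the host names, services and TXT values are constructed.

```python
"""Zone records for Wide-Area Bonjour / unicast DNS-SD (added example, constructed data)."""


def escape_label(label):
    """Escape one DNS-SD instance label for zone-file syntax: dots and backslashes
    get a backslash, spaces and non-printable bytes become \\DDD (RFC 1035 master format)."""
    out = []
    for ch in label:
        if ch in ".\\":
            out.append("\\" + ch)
        elif ch == " " or not 0x21 <= ord(ch) <= 0x7E:
            out.extend("\\%03d" % b for b in ch.encode("utf-8"))
        else:
            out.append(ch)
    return "".join(out)


def txt_rdata(txt):
    """Render key=value pairs as quoted TXT strings; DNS-SD requires at least one
    string, so an empty dict becomes a single empty string."""
    if not txt:
        return '""'
    pairs = ("%s=%s" % kv for kv in txt.items())
    return " ".join('"%s"' % p.replace("\\", "\\\\").replace('"', '\\"') for p in pairs)


def dns_sd_records(domain, service, instance, host, port, txt=None, ttl=3600):
    """PTR, SRV and TXT for one service instance plus its entry in the
    service-type enumeration (RFC 6763 sections 4 to 9)."""
    svc = "%s.%s." % (service, domain)
    inst = "%s.%s" % (escape_label(instance), svc)
    return [
        "%s %d IN PTR %s" % (svc, ttl, inst),
        "%s %d IN SRV 0 0 %d %s." % (inst, ttl, port, host.rstrip(".")),
        "%s %d IN TXT %s" % (inst, ttl, txt_rdata(txt or {})),
        "_services._dns-sd._udp.%s. %d IN PTR %s" % (domain, ttl, svc),
    ]


def browse_domain_records(domain, ttl=3600):
    """Point clients that have `domain` as a search domain at it as their browse
    domain (RFC 6763 section 11); 'lb' is the legacy/default browse-domain entry."""
    d = domain + "."
    return ["b._dns-sd._udp.%s %d IN PTR %s" % (d, ttl, d),
            "lb._dns-sd._udp.%s %d IN PTR %s" % (d, ttl, d)]


def zone_fragment(domain, services):
    """All records for the domain, with duplicate enumeration PTRs removed."""
    lines = browse_domain_records(domain)
    for spec in services:
        for line in dns_sd_records(domain, **spec):
            if line not in lines:
                lines.append(line)
    return lines


# Constructed inventory: an AFP share and an IPP printer on the office LAN.
SERVICES = [
    {"service": "_afpovertcp._tcp", "instance": "Shared Files",
     "host": "fileserver.example.com", "port": 548, "txt": {"path": "/Shared"}},
    {"service": "_ipp._tcp", "instance": "Lab Printer 2.0",
     "host": "printer.example.com", "port": 631,
     "txt": {"txtvers": "1", "rp": "printers/lab"}},
]

if __name__ == "__main__":
    print("\n".join(zone_fragment("example.com", SERVICES)))
```

Paste the output into the example.com zone on the server's DNS service, push that server and the search domain example.com to VPN clients, and a client can then run `dns-sd -B _afpovertcp._tcp example.com` (or, once the b._dns-sd._udp record is in place, simply browse in the Finder) without any multicast crossing the tunnel. Because the zone is ordinary DNS, it also answers only for the services you choose to publish, which avoids the inventory leakage that an unfiltered reflector brings.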