VPN IPSec and Apple HomeKit

Hi all, I am a happy user of IPFire for a bit more than a year now, IPFire running on an IBM SFF ThinkCentre. Also for quite some time I have had a well-working IPSec VPN road warrior setup.

Now, I started to use Apple HomeKit and would also like to be able to control devices while not at home (without the need to buy an Apple HomeKit Controller - currently I use HomeAssistant with HomeKit Bridge). With my current setup, this is not working yet. I read I need to use mDNS-Repeater, so I installed the respective package via Pakfire.

But now I am struggling to set it up properly. In a setup with "normal" interfaces (e.g. BLUE and GREEN) it seems rather straightforward. But in my setup with GREEN and VPN I don't get how to do it. What is the second interface to put in? Looking at ifconfig I do not see an interface for the VPN.

Is here anyone who could help?

Thanks in advance and best wishes
Hendrik

Apple. Which heavily relies on subnet access to function.
I know, they won’t.

:smiley: I meant more in the direction of telling me where to look for the VPN interface I can pass to mDNS-repeater…

If you only have IPSec VPN running then when you look at the interfaces with ip or ifconfig you will see one labelled tun0. This is the VPN interface.

If you have IPSec and OpenVPN running then you will have tun0 & tun1 and you will need to figure out from the IP address which is related to IPSec.

Then use the tun0 or tun1 as appropriate in your mdns-repeater configuration.

EDIT:

Sorry, above is wrong. I was looking at my VM system that had both OpenVPN and IPSec enabled. However in my case the tun0 and tun1 were for my OpenVPN RW and N2N connections respectively.

Will need to investigate further how IPSec connects.

Have found that IPSec does not use tun connections at all. I have not yet figured out how it connects or if that will work with mdns-repeater or not.

IPSec does not use interfaces for its RW connections. If you have a net2net IPSec connection then you can choose to have the default no interface connection or you can use GRE or VTI.

I just did a test N2N IPSec connection and then I got an interface gre3.

So it looks like IPSec can’t be used with mdns-repeater as it does not use interfaces.

If you were using OpenVPN for your RW connection then you could use it with mdns-repeater.

Just to note, all above is my interpretation as I don’t use mdns-repeater myself and don’t yet have a working IPSec connection.


Hi Adolf, thanks for your support. I am shying away from OpenVPN as I want to keep my setup as simple as possible.

And exactly what you have seen is the issue I faced: no interface for IPSec. I will also continue to dig a little further. Let's see if we find a way.

You might need this if you have a GREEN zone and a BLUE zone and you want HomeKit commands to go between those two zones. Do you have two zones?

So I know HomeKit loves to stay in its own zone and hates to cross zones.

I can control my HomeKit devices just fine from my iPhone using cell service (not my wifi). But I know nothing about the HomeAssistant with HomeKit Bridge.

I think the thing that will prevent you from doing this is not having an AppleTV (or maybe an Apple iPad) to use as the HomeKit hub.

I believe mdns-repeater only works with BLUE and GREEN as it currently is configured in the IPFire code.

One other thought to ask the HomeAssistant group: Can mDNS-Repeater (or something like it) help with IPsec?

Yes, the initscript for mdns-repeater starts it with the blue0 and green0 interfaces by default in the code.

However you might be able to run mdns-repeater manually, specifying the interfaces you want to use, so you might be able to run it with green0 and tun0 but it would have to be tried out to find out if it works or not.

Hmmm… I don’t think tun0 is correct. And I do not know what is right.

On my iPhone I see an IP that looks familiar 192.168.68.1 and that is part of the subnet I set-up for IPsec at 192.168.68.0/24.

But I do not see anything like that with ifconfig for tun0:

And it looks like tun0 points to OpenVPN from my Home page.

So this looks correct:

After some more searching and reading I tend to conclude that apparently using mDNS-Forwarder with IPSec indeed is not possible. This is a pity. So I will need to switch to OpenVPN then to get a proper interface I can push multicast traffic to.

From what I've read this would be the only possible solution. Don't know how this is implemented. I would guess mdns-repeater would travel over the GRE tunnel.

The IPFire code for an IPSec RW tunnel does not have the option to use GRE. That is only available in the code for an IPSec N2N connection.

Not sure of the differences of road warrior vs N2N.

@hendrik hi, I have a grudge against Apple products and protocols (which CUPS now is). Unfortunately... they publish the product but it usually works the way Apple decides, not the way that users would love it to.

I can understand how adding more VPN services might be perceived as "not efficient", however IPSec and L2TP can be deactivated by the source (client) or destination (server) ISP in the blink of an eye, killing UDP access to 500, 1701, 4500.

OpenVPN, like WireGuard (the latter currently not part of IPFire), can have customized ports if any kind of ISP tries to sawzall VPN access once and for all. Last but not least: I'm not willing to say "buy a HomeKit hub", but for several reasons it might be a versatile way of allowing more network ideas.

Please, if you find any solution, report it here.