Bonjour and VPN or How I Learned To Stop Googling And Love Simplicity

Recently I have been using Quickbooks 2012 to manage my business, and while I can’t say I’m in love with the software by any means, it is what I would consider “good enough” for what I’m doing currently. I have the multi-user edition and run the database using the Quickbooks Server application. I frequently travel or work off site, so I wanted access to this database from outside the office. Since I use the standard OS X Server L2TP VPN server, Bonjour services don’t “just work”. This is because L2TP (among others) doesn’t carry multicast traffic, which is what Bonjour relies on to announce services within a local subnet. After doing some research, I learned that WAB (Wide-Area Bonjour) does not support private namespaces, so that was out. The other option was to use a VPN server that supports multicast, like OpenVPN. I liked using the built-in Apple VPN client and I didn’t want to go through the hassle of compiling and configuring OpenVPN when my current VPN was working just fine otherwise.

You might ask, “why are you writing about Quickbooks on a video and storage blog?”. Simple: the tools in use very well may be useful for other Bonjour-enabled applications that don’t give you a way to connect via a direct IP address.

What this will work well with:

  • Any Bonjour-only server application (e.g. MYOB, Quickbooks, Apache, etc.)
  • Any client application that is on a fixed host (iTunes on a desktop with a static IP, etc)

What this won’t work well with:

  • Dynamic applications with high likelihood of IP change (Bonjour iChat on a laptop)
  • High bandwidth applications (Compressor Cluster Node, Qmaster, etc)

First, you are going to want to download a few tools:

  • Bonjour Browser – Used to discover services on the network
  • Network Beacon – Used to build a remote proxy for bonjour
  • A working IPSEC/L2TP VPN connection

You can download these tools onto your client system; as long as it is on your Bonjour network you can gather the info you need from there.

First things first, we want to fire up Bonjour Browser to get a look at what bonjour services are running on our network. In my network, it looks like this:

[Screenshot: Bonjour Browser]

You will notice a lot of the “known” services are highlighted in bold as they are published protocols. What you will also notice are a lot of non-bold services in there as well. While it isn’t necessarily easy to know what does what immediately, we can just read the names and figure most of them out. In this case, my PresSTORE Bonjour services are _awcln._tcp (for the client) and _awsrv._tcp (for the server). I also see a few other noticeable broadcasts in there too – _attocfgd._tcp (ATTO config tool), _touch-able._tcp (Mobile Mouse), and what I was actually looking for, _qbmu._tcp (Quickbooks server).

Flipping down the toggles for this broadcast gives me all the info I need to build a proxy on a remote connection:

So first it is important to know what it is we are looking at here. At the top you can see _qbmu._tcp. This is the PTR record name for the service type. Under each of these is the host entry itself (qbmac://server.local/PVT.qb2012-3B01AF67-9E67-4944-813C-AD551AE) and beneath that are the TXT record entries (appVersionStageNumber, displayName). We can also see that our QB server is advertised on port 57219. We are now going to use this information to build a Bonjour proxy using Network Beacon so our systems on remote networks can access Bonjour-only entries across a VPN link.

Fire up Network Beacon and you should have the option to make a new Beacon. We are going to fill in all the information we learned from Bonjour Browser to create a local representation of that Bonjour broadcast (even though we can’t see it) so that our local application can connect to the server.

You’ll notice that I put a “�01” in between the two individual text records. This is actually the separator Network Beacon expects, and you can get more info on modifying TXT records by hovering over the text box in the application. In this case I have called my database “Example” just so we can see both addresses.

What Network Beacon is actually doing is firing up a local mDNS responder for that PTR service on your client system connected over VPN. Since you aren’t receiving the multicast announcement of this info over the VPN link, you are manually recreating it for any services you would like to be able to access remotely. What you end up with is a link back through the VPN to a service that doesn’t have any option for manual entry of a DNS name or IP address to connect to. When I fire up Quickbooks now on my client system (while still on the local LAN), I see both entries and selecting either will connect me to the same database.
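As an added example (not from the post or from Network Beacon itself), here is a small Python model of the DNS-SD records the Bonjour Browser tree above corresponds to: the PTR service type, the instance under it, the SRV port and the TXT entries. It encodes the TXT record the way mDNS carries it on the wire, which is the boundary Network Beacon’s separator character stands in for, and emits the equivalent macOS `dns-sd -P` proxy command that does the same job from a terminal. The QuickBooks names and port come from the post; the TXT values and the 10.0.1.20 server address are constructed.

```python
# Added example: DNS-SD records behind one Bonjour advertisement, plus the
# `dns-sd -P` proxy command that recreates them on a VPN client. Service
# type, instance, host and port come from the post; TXT values are made up.
from dataclasses import dataclass, field

@dataclass
class ServiceAdvert:
    instance: str              # instance name shown under the PTR entry
    service_type: str          # PTR name, e.g. _qbmu._tcp
    host: str                  # SRV target: the machine running the server
    port: int                  # SRV port the service advertises
    txt: dict = field(default_factory=dict)   # TXT entries as key=value
    domain: str = "local"

    def ptr_name(self) -> str:
        # The name Bonjour Browser lists at the top level.
        return f"{self.service_type}.{self.domain}."

    def txt_rdata(self) -> bytes:
        # TXT RDATA is a run of length-prefixed strings, one per entry. That
        # length byte is the boundary Network Beacon's one-character separator
        # stands in for when you type entries into its text box.
        out = b""
        for key, value in self.txt.items():
            item = f"{key}={value}".encode()
            if len(item) > 255:
                raise ValueError(f"TXT entry too long: {key}")
            out += bytes([len(item)]) + item
        return out

    def dns_sd_proxy_cmd(self, ip: str) -> list:
        # macOS `dns-sd -P Name Type Domain Port Host IP [TXT...]` publishes a
        # proxy advertisement for a host that is not on the local link.
        txt = [f"{k}={v}" for k, v in self.txt.items()]
        return ["dns-sd", "-P", self.instance, self.service_type, self.domain,
                str(self.port), self.host, ip, *txt]

def parse_txt_rdata(data: bytes) -> dict:
    # Inverse of txt_rdata: walk the length-prefixed strings back to a dict.
    entries, i = {}, 0
    while i < len(data):
        n = data[i]
        key, _, value = data[i + 1:i + 1 + n].decode().partition("=")
        entries[key] = value
        i += 1 + n
    return entries

# The QuickBooks advertisement from the post (TXT values constructed here).
QB_ADVERT = ServiceAdvert("PVT.qb2012-3B01AF67-9E67-4944-813C-AD551AE",
                          "_qbmu._tcp", "server.local", 57219,
                          {"appVersionStageNumber": "1", "displayName": "Example"})
```

Running the printed command on the VPN client (with the server’s VPN-reachable address in place of 10.0.1.20) produces the same local advertisement Network Beacon builds, so it can be scripted into a connect-time hook instead of exported and imported by hand.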

If all works properly when connecting locally through your new beacon, simply export that beacon and import it onto your remote/VPN system, connect via VPN, and test. You should be able to get access to all sorts of Bonjour services over a VPN link using this method, including iTunes sharing, iPhoto sharing, remote screen sharing, and even AFP registration in the Finder if you want to go that deep.