Playing Red Alert 3 on OS X with OpenVPN

So I wanted to play Red Alert 3 with a friend in Germany. We wanted to use the LAN play option, so I decided to install OpenVPN on our FreeBSD server so we both could SSL-VPN into it and presto be on the same LAN (fyi, we are both in different countries and the server is in a third country).

Everything seemed to work fine. I’d set up username/password authentication (using the SSHD PAM module) on top of the digital certificate validation for OpenVPN. There are a number of guides on the Internet if you need to know how to do it.

Because we were going with IP-only, routed connections, we decided to go for TUN interfaces instead of TAP interfaces. So we both logged in, did some network tests, were able to ping each other (because I set client-to-client in openvpn.conf on the server), we could use each other’s network shares etc, so we decided to start a game. Unfortunately any game either of us would start wasn’t detected by the other. The game list stayed empty. The player list showed only our respective usernames twice, but not the username of the other person.

Then we switched to TAP interfaces to allow Ethernet broadcasts to pass the VPN (we thought that might help) and suddenly the game would show up in the games list, but if we tried to start it the game would time out. Then we thought we would force traffic to the limited broadcast address (LAN broadcast) to be routed/sent over the SSL-VPN by adding a local route on our Macs:

sudo route add -host 255.255.255.255 tap0 

and… it worked!

Now to push this route automatically to the clients you can add it to openvpn.conf on the server. However you can’t specify the TAP or TUN interface there, so instead you should use the IP-address of the TAP/TUN interface on the OpenVPN server, basically your next hop into the VPN network. By default this is 10.8.0.1 in OpenVPN world ;) Luckily this IP-address is automatically used if you use the following config line in openvpn.conf:

push "route 255.255.255.255 0.0.0.0"

See update 3 below for an alternate way of doing this.

Basically that is the equivalent of locally adding sudo route add -host 255.255.255.255 10.8.0.1 (10.8.0.1 should then be replaced with your server’s TUN/TAP interface).

Update: After some quick Wiresharking, it does look like Red Alert 3 uses subnet broadcasts (for instance 10.255.255.255 for 10.0.0.0/8) to discover other Red Alert daemons, but then switches to LAN/Limited broadcasts (255.255.255.255) for playing the actual game. This is consistent with the behaviour I described above. FYI I’ve tested with TUN interfaces and this doesn’t seem to work. I’m going to do some tests and update this post this weekend.

Update 2: Ok, it looks like Red Alert 3 uses the NetBIOS name service, which uses subnet broadcasts like 10.8.255.255/16 to find other Red Alert servers. Then for connecting to an actual game it uses Limited/LAN broadcasts to 255.255.255.255 using UDP from source port 8087:

 
MyMac:~ littlebighuman$ netstat -an | grep 8087
udp4       0      0  *.8087                 *.*

Look up the process listening on 8087:

MyMac:~ littlebighuman $ lsof -i:8087
COMMAND    PID       USER   FD   TYPE    DEVICE SIZE/OFF NODE NAME
cider     4637 littlebighuman  346u  IPv4 0xec5d798      0t0  UDP *:8087
wineserve 4642 littlebighuman  316u  IPv4 0xec5d798      0t0  UDP *:8087

Ah what do you know Red Alert 3 runs in Cider and uses wineserver, but we knew that ;)

I still don’t know why limited/LAN broadcasts aren’t sent over the TAP or TUN interfaces. I’ll research that for a bit.

Update 3: Pushing a host route from the OpenVPN server as I have described above doesn’t work; as far as I can tell it turns every pushed route into a net route and this route doesn’t work (you can test by pinging 255.255.255.255 and seeing if it gets sent out of the TAP interface). So you get 255.255.255.255/32 via 10.8.0.1 instead of 255.255.255.255 via 10.8.0.1. A workaround for this workaround is to add the route via your client’s OpenVPN up-script and a delete route statement for your down-script. For Tunnelblick these scripts are in ../Tunnelblick.app/Contents/Resources, client.up.osx.sh and client.down.osx.sh respectively. Quick and dirty fix:

In client.up.osx.sh, probably best to put it right after the export PATH statement at the top:

/sbin/route add -host 255.255.255.255 -interface tap0

In client.down.osx.sh, also probably best to put it right after the export PATH statement at the top:

/sbin/route delete -host 255.255.255.255
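
As an added example (not from the original post and not Tunnelblick's own code), the two one-liners above can be folded into a single hook that takes the interface name from OpenVPN instead of hard-coding tap0 and refuses to touch the route for non-TAP devices. It assumes the script is run by OpenVPN as its --up/--down hook, which exports `dev` and `script_type`; `ROUTE_BIN`, `bcast_route_cmds` and `apply_bcast_route` are names introduced here.

```shell
#!/bin/sh
# Added example: limited-broadcast host route tied to the VPN's TAP device.
# Assumption: OpenVPN exports $dev and $script_type to --up/--down scripts.

ROUTE_BIN="${ROUTE_BIN:-/sbin/route}"   # hypothetical override, e.g. for dry runs
BCAST="255.255.255.255"

# Print the route command(s) for a script type and device, one per line.
# Returns 1 and prints nothing for non-TAP devices or unknown script types.
bcast_route_cmds() {
    kind="$1"; ifname="$2"
    case "$ifname" in
        tap[0-9]*) ;;
        *) return 1 ;;
    esac
    case "$kind" in
        up)
            # Delete first so a reconnect does not trip over a stale route.
            echo "$ROUTE_BIN delete -host $BCAST"
            echo "$ROUTE_BIN add -host $BCAST -interface $ifname"
            ;;
        down)
            echo "$ROUTE_BIN delete -host $BCAST"
            ;;
        *) return 1 ;;
    esac
}

# Run the commands; a failure (e.g. no route to delete) is logged, not fatal.
apply_bcast_route() {
    bcast_route_cmds "$1" "$2" | while read -r cmd; do
        $cmd >/dev/null 2>&1 || echo "ignored failure: $cmd" >&2
    done
}

# Only act when invoked by OpenVPN (both variables set).
if [ -n "${script_type:-}" ] && [ -n "${dev:-}" ]; then
    apply_bcast_route "$script_type" "$dev"
fi
```

The same file can be sourced from both the up and the down script, since the action is chosen from `script_type`.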

One Response to Playing Red Alert 3 on OS X with OpenVPN

  1. Robin Landström says:

    Thanks a lot for the tip, I’ve had the same problem with gaming over openvpn on osx
