this is one of those things that seems like black magic even after I get it working. I installed (with apt-get) pimd, added a couple lines in pimd.conf to keep it from working on my public-facing interface, then added a line to my shorewall rules file like this:
ACCEPT all vpnserver:188.8.131.52 udp 5353
Restart Shorewall, and BAM, i’m set. Thanks, but this could really do with a lot more documentation.