How to Setup The Tailscale VPN and Routing on pfsense

Views: 92,336

Lawrence Systems

A day ago

Comments: 110
@LAWRENCESYSTEMS 2 years ago
How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN kzbin.info/www/bejne/q521mJiZr5WIqbM
How Tailscale Makes Managing Wireguard Easy kzbin.info/www/bejne/mJS1h56lmriBZqc
Tailscale VS ZeroTier kzbin.info/www/bejne/onLLdWWAebt6Zpo
Netgate tailscale Blog post www.netgate.com/blog/tailscale-on-pfsense-software
Tailscale NAT write up tailscale.com/blog/how-nat-traversal-works/
Headscale GitHub github.com/juanfont/headscale/tree/main/docs
Tailscale userspace kernel tailscale.com/kb/1177/kernel-vs-userspace-routers/
⏱ Timestamps ⏱
00:00 pfsense tailscale package
03:31 Headscale server
04:19 Tailscale Web Management
05:26 Tailscale Access Control Security
06:10 Managing Tailscale in pfsense
09:36 pfsense routes and exit node
10:48 Tailscale Connectivity and Firewall Security
@John-vk1ij A year ago
Another suggestion, when operating on two different pfSense instances, it's easier for the audience to tell which pfSense is currently being configured if they use different color schemes.
@krenkotv3240 2 years ago
Headscale videos are non-existent! Maybe you could do a quick "How To - Setup" guide for the people :)
@MrChris79 2 years ago
Agreed! I was able to set up and get basic headscale working with my pfbox but struggle to get ACLs so I can see my pf LAN devices from remote tailscale clients! I have learned lots from Tom's videos.
@prashanthb6521 A year ago
I hope so.
@ColeBlack2 2 years ago
Been using Tailscale for a while now and been having to use Raspberry Pis at a couple sites as Tailscale subnet routing bridges. This is awesome. Very welcomed plug-in.
@havok4103 A year ago
Tailscale is such an incredible tunnel resource! I have Starlink (which has carrier NAT), so making a tunnel home has been troublesome... not with Tailscale! It works great! And I can access everything behind pfsense, thank you for this video!!!
@clarkmakoni905 2 years ago
Thank you so much Tom for another great tutorial. If you could do a video on Headscale it would be most appreciated.
@GrishTech 2 years ago
Time for ZeroTier. It needs to be added to pfsense.
@parl-88 2 years ago
I second that motion!! Nice 👍
@kc0eks 2 years ago
Love ZeroTier, really wish it was an option built into pf.
@occamsrazor000 2 years ago
There was a request thread on the Netgate forum for like 4 years… that never went anywhere. A shame, I like ZT…
@GrishTech 2 years ago
@occamsrazor000 Yeah, I read it. Maybe it doesn't adhere to some standard? Do packages have to support pfsense HA to be properly supported/implemented by Netgate?
@tornadotj2059 2 years ago
Thanks Tom, this is perfect timing for me. I recently started moving off of my local WISP to T-Mobile and AT&T, and was working through some solutions to get around CGNAT. Although I've been successful so far, I'm not an "all my eggs in one basket" person, so I like options. I'm going through now and setting up a Tailscale configuration. I'd also like to see a Headscale video.
@tornadotj2059 2 years ago
And, I'm already finished. Fully tested from phone on CGNAT into my network on CGNAT, and everything is perfect. This is simply awesome.
@ws2940 2 years ago
Thank you for the video. Will definitely take a look at the NAT article.
@irtibatkisileri222 2 years ago
Coming behind the actual tech improvement. Maybe it is already done. Here is my upvote for a Headscale tutorial. Thanks for this one.
@amosgiture 2 years ago
Tailscale exit node and route advertising make it so much more appealing than Nebula & ZeroTier. Will definitely try out headscale to scale beyond the Tailscale 20 free limit. Tailscale on pfsense just blows my mind!!!
@laov6843 6 months ago
Thanks. Great section for the firewall rule. I was wondering why I had no access to my pfSense web UI from Tailscale. The rule solved my issue, as I needed a quick way to get to the management UI from anywhere.
@xellaz A year ago
My network is something similar but using two firewalla devices in router mode in different locations for site-to-site VPN access between both using Wireguard protocol. I mapped my NAS located on another site using its local IP through the VPN on a PC. It works pretty well.
@sobesjm A year ago
Thanks for the video. Clear and concise. I notice on your Tailscale Machines page you have the local subnets listed in the addresses column along with the Tailscale address. While my setup is working just fine between 2 subnets, my Machines page is only showing me the Tailscale addresses and not the local subnet addresses. Did I miss how this is enabled? Thanks
@LAWRENCESYSTEMS A year ago
You can have Tailscale push other routes if needed.
@speedup070605 2 years ago
Thanks for sharing, love the work you do sharing knowledge about pfsense.
@troyBORG 2 months ago
At 9:30 how do you get the Tailscale Address for the Translation address?
@bsem68 2 years ago
This example only allows one direction, from all the other sites to tom-home-pfsense. In order for a 2-way site-to-site VPN using Tailscale, it seems that you need to enable subnet routes for the machine in Tailscale, advertise subnet routes on the pfsense, e.g. lts-tailscale, and put the correct outbound NAT on each other pfsense you want to access from. The free version of Tailscale only allows 1 free subnet router... they have a soft limit, so you could probably add another one like I did to test for a while.
@ALAINCABANDO 2 years ago
Followed your guide... it's really simple and easy.
@JohnFilion 4 months ago
Thanks for making this video. I tried to use Christian's video to set up a site-to-site, and I can't get it to work as he described. It looks like the software in the pfSense router has changed, and now things aren't exactly as he described. In his video, he mentions a Tailscale interface that can be ignored, but in my configuration there is no Tailscale interface, only an interface group. When I try to create the outbound NAT rule, I can't specify the interface because it doesn't exist. I can't find any videos on Tailscale site to site that are newer than two years old. Do you know if this feature is still being supported in pfSense? If so, would you consider doing an updated video on how to set this up?
@reijin999 2 years ago
I would like a headscale video (and a pfsense package lol). I basically already have this setup with pure wireguard as a site to point to pfsense installed on a VPS, I then connect other VPS servers to that pfsense install and can access them as if they are a part of my lan but I would really like a UI for scalability. Will have to try tailscale for now.
@remkm1715 A year ago
I'd love to see someone going through the process of setting up ACLs on a virgin Tailscale network... for the less network-minded folks, so to say :)
@universo5network540 2 years ago
Thanks for the video; one question: how did you set up a subnet router in PfSense?
@LAWRENCESYSTEMS 2 years ago
kzbin.info/www/bejne/nKTHnmirmMR_qbc
@scottc2211 2 years ago
Greatly appreciate the videos you create. Curious though how much of a performance difference is there between Tailscale and Wireguard? Would love to see the comparison. If it’s drastically different I would consider switching over.
@neosmith80 A year ago
The open-source software acts in combination with the management service to establish peer-to-peer or relayed VPN communication with other clients using the Wireguard protocol. I would imagine that since tailscale is using the wireguard protocol that there wouldn't be much of a difference between them. Tailscale could be a bit easier to get up and going though, vs wireguard having to get the config to each client.
@JanDemore A year ago
@neosmith80 @scottc2211 For me Wireguard is 2x faster than Tailscale, both running in pfSense.
@georgiostsitouridis 2 years ago
Great video! Nice way you put everything in order and made them clear. I would like to see though a video regarding different setups and how to manage pfsense with the tailscale package. For example, is it possible to access a device in tailscale network from behind the pfsense, without having the tailscale client installed?
@LAWRENCESYSTEMS A year ago
Yes, that is a use case I talked about in the video.
@georgiostsitouridis A year ago
@LAWRENCESYSTEMS Indeed you talk about it, but with one difference (I think, if I understood correctly)... that is, you do have the Tailscale client installed on the local client and then you add the Tailscale rule, which enables pinging directly to 100.x.x.x. What about a case where there is no Tailscale software installed on the local client and pfsense is used as a gateway to the management plane as well?
@ClanLawrence A year ago
Awesome video, thanks for creating it. Is there an easy way to get Tailscale traffic bound for the WAN to use a non-default Gateway?
@LAWRENCESYSTEMS A year ago
Not something I've had a need for or tested
@ClanLawrence A year ago
@LAWRENCESYSTEMS The use case is that I'd like to have access to my home LAN, but also route internet traffic via my NordVPN gateway. I have an alias list in pfSense for clients that I want to route via Nord and that works nicely. When I used Wireguard it was just a case of creating a firewall rule on the Wireguard interface with Nord set as the gateway. This doesn't appear to work the same way with Tailscale, however. Love your videos btw, keep up the good work :)
@charlescc1000 2 years ago
Pretty cool to see there is now a Tailscale pfsense package. I could see this being pretty useful if I were behind a CGNAT ISP, but the Tailscale-managed connection interface definitely worries me. I essentially view this as opening my local private LAN to an external company. Not worth the risk in my view. Thus headscale is a pretty appealing offering. I'm not behind a CGNAT so I don't really have much of a use case for either. I use Wireguard to access my LAN remotely and use OpenVPN for a site-to-site VPN. The only VPN troubles I have is that when traveling I sometimes find hotels block my Wireguard remote access VPN. I don't think Tailscale would behave any differently but I haven't tried it myself. I believe it would use similar ports to any Wireguard VPN. Maybe either can be set up to run on 443? Not sure.
@Darkk6969 2 years ago
There is a discussion on Reddit about free wifi blocking access to Wireguard. Fortinet firewalls are known to do this. No issues with OpenVPN as long as the default port of 1190 is not blocked. I have two OpenVPN server sessions with custom ports for this reason. I share the same security concerns about using Tailscale for my network. Headscale is a good open source option but takes a bit more work to get it going on the server side and managing it. I am happy to see pfsense now supports it via the package.
@fuseteam A year ago
Doesn't headscale offer the same challenge as openvpn? To use your own headscale server you need a public ip
@break1146 A year ago
@fuseteam You could rent a VPS to run Headscale. The advantage being it can broker a peer-to-peer connection between clients. Using a traditional VPN, you would need to actually route traffic through that VPS, which obviously hurts performance and latency, and you might have to deal with data caps depending on where the VPS is rented from.
@z1haze 7 months ago
If I have tailscale installed on my pfsense router like you do in your video, how can I configure things so that mobile devices connected to tailscale can take advantage of the pihole dns that I use on my network? My pihole service runs on the same network as the pfsense router.
@LAWRENCESYSTEMS 7 months ago
It might work if you specify your pi-hole DNS in your Tailscale DNS settings
@f1aziz 27 days ago
Damn, this was so easy. Thanks.
@DanielWillen 2 years ago
I have an IPsec established from the pfsense to a remote subnet. From the LAN it works fine, but when I try to advertise the subnet, clients cannot find it. I tried advertising the LAN like you did, and it worked just fine. Thinking there needs to be some NAT rule or something.
@mikescott4008 8 months ago
Playing around with it, but can't see a use case for me above having Wireguard / OpenVPN on the pfsense. Lack of opening ports is good. Will delve deeper. I'm not behind CGNAT and such.
@ryanroberts210 2 years ago
I've got two networks on two different pfSense boxes talking to each other, accessible, etc... Great, thanks! What I'd like to do though is have one pfSense be the Exit Node for the other, i.e. all the traffic in and out of one pfSense is going through the other. I see how to use Exit Node with a phone or laptop, but not how to tell the pfSense subnet router to use the other one... Any ideas? Thx
@LAWRENCESYSTEMS 2 years ago
I am not aware of a way to currently do that, but they may add the option in the future.
@ryanroberts210 2 years ago
@LAWRENCESYSTEMS Appreciate the quick response. I left the comment on Christian McDonald's video as well... :)
@RafedwinAbreu A year ago
I really wish this tutorial showed each step, including the firewall rules. I cannot get my subnet routes to work.
@LAWRENCESYSTEMS A year ago
I do cover the firewall rules.
@kc0eks 2 years ago
What happens if I link multiple networks that use the same subnets? Guess I will find out when I add another...
@occamsrazor000 2 years ago
What did you find?
@rudypieplenbosch6752 2 years ago
I can use this as an alternative to ZeroTier, which works great but I need a VM to keep it up.
@qcnsllcqcnsupport7616 2 years ago
Great video Tom, and thank you for all the great work 👍🏼
@MrChris79 2 years ago
Thanks Tom for the video. Can you please do a basic tutorial on setting up pfsense with headscale, including basic ACLs that allow accessing pfsense VLANs or LAN devices?
@LAWRENCESYSTEMS 2 years ago
Tailscale pushes networks, not VLANs.
@ierosgr 2 years ago
12.59 I noticed the option interface has the value Tailscale for the dropdown menu. Does this mean you need to assign Tailscale to a Pfsense interface? Thought that it was mandatory only for geolocation VPN solution
@taranagnew436 2 years ago
Can you include/exclude apps to use Tailscale, and how do you have 1 main tunnel and connect other devices to the tunnel?
@bmp6361 A year ago
Great tutorial, wondering why you differed from Christian McDonald's outbound NAT. You set the destination and he set the source. I guess it makes no difference. Thanks Tom, again great tutorial.
@mithubopensourcelab482 2 years ago
Excellent tutorial as usual. Many thanks.
@kimlindberg5815 2 years ago
Is it possible to show a scenario where you have 2 pfsense firewalls where Tailscale connects two sites, each site has a few VLANs on their LAN side, and only some VLANs are allowed to talk to some VLANs at the other site?
@DanielWillen 2 years ago
A bit of a stupid question perhaps, but can you run an exit node that exposes routes on anything other than the pfsense (for example, a machine running Linux in the LAN)? Or an Azure VM in the same subnet as other VMs?
@LAWRENCESYSTEMS 2 years ago
Tailscale allows you to choose what endpoints can be exit nodes
@dannymaasland3966 2 years ago
I have existing IPsec tunnels from different locations connected to 1 pfsense box as a site-to-site connection. How would I go about advertising those subnets with Tailscale as well? I have simply added them to advertised routes but that doesn't seem to be enough.
@gjkrisa 2 years ago
Somehow I kept missing the part where Tailscale (genx) was talking about adding a firewall rule for Tailscale, and it was not working, not passing traffic or pingable, although it would try connecting till timeout. I'll have to do that when I get home.
@gjkrisa 2 years ago
Yeah, added a pass-all on the Tailscale tab and it all works great.
@TradersTradingEdge 2 years ago
Hi Tom. Great explanation, thanks. Is it possible to route TS to HA-Proxy to access my services behind HA-Proxy? Any hint for me? TNX
@LAWRENCESYSTEMS 2 years ago
They should work together.
@TradersTradingEdge 2 years ago
@LAWRENCESYSTEMS TNX Tom. I totally struggle here and can't get it to work. Do you know any website/resource explaining how to set up TS & HA-Proxy in pfsense? tnx Mate.
@Rookie23095 A year ago
Tailscale could be just what we need. Can you limit access to just a couple of ports on a Windows device in your network, e.g. a camera DVR? I have other apps on this server that I do not want to open up, particularly with limited or no access logging available. As the DVR needs a username and password, I am OK with that level of risk. If this is doable, how could you do it securely?
@LAWRENCESYSTEMS A year ago
Yes, you can create limiting rules in Tailscale.
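The "limiting rules" in this reply are Tailscale ACLs, which are written as a policy file with an "acls" list of accept rules (src user/group to dst host:ports). The following is an added example, not code from the video, Lawrence Systems, or Tailscale: a small evaluator for that shape of policy, used to show the DVR case from the question above, where one group may reach only two ports on one LAN host and every other flow into that subnet is denied by default. The users, the DVR address 192.168.10.50, the port numbers and the tailnet addresses are constructed sample values, not anything from the page.

```python
"""Tailscale-style ACL evaluation (added example; not Tailscale's code).

Models the "acls" section of a Tailscale policy file: every flow is denied
unless some "accept" rule matches its source (user, group, IP) and its
destination host:port. Only IPv4 host specs are handled here.
"""
import ipaddress

# Constructed sample policy in the shape of a Tailscale policy file.
POLICY = {
    "groups": {"group:cctv-viewers": ["alice@example.com"]},
    "hosts": {"dvr": "192.168.10.50"},  # assumed LAN address of the DVR
    "acls": [
        # Viewers reach only the DVR web UI (443) and RTSP stream (554).
        {"action": "accept", "src": ["group:cctv-viewers"], "dst": ["dvr:443,554"]},
        # One admin reaches the whole management LAN on any port.
        {"action": "accept", "src": ["admin@example.com"], "dst": ["192.168.10.0/24:*"]},
    ],
}


def _port_matches(spec, port):
    """spec is '*', a single port, a range 'lo-hi', or a comma list of those."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if hi:
            if int(lo) <= port <= int(hi):
                return True
        elif int(lo) == port:
            return True
    return False


def _host_matches(spec, ip, policy):
    """Resolve a host alias, IP or CIDR and test whether ip falls inside it."""
    spec = policy.get("hosts", {}).get(spec, spec)
    if spec == "*":
        return True
    try:
        return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)
    except ValueError:  # not an address or network (e.g. a user name)
        return False


def _src_matches(src_list, user, src_ip, policy):
    """A src entry may be '*', a group, a user, or a host alias/IP/CIDR."""
    for entry in src_list:
        if entry == "*" or entry == user:
            return True
        if entry.startswith("group:"):
            if user in policy.get("groups", {}).get(entry, []):
                return True
        elif _host_matches(entry, src_ip, policy):
            return True
    return False


def is_allowed(policy, user, src_ip, dst_ip, dst_port):
    """Default deny: a flow passes only if some 'accept' rule matches it."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not _src_matches(rule["src"], user, src_ip, policy):
            continue
        for dst in rule["dst"]:
            host_spec, port_spec = dst.rsplit(":", 1)
            if _host_matches(host_spec, dst_ip, policy) and _port_matches(port_spec, dst_port):
                return True
    return False


# Constructed sample flows: (user, tailnet source IP, LAN destination IP, port)
SAMPLE_FLOWS = {
    "viewer_dvr_https": ("alice@example.com", "100.101.1.2", "192.168.10.50", 443),
    "viewer_dvr_rtsp": ("alice@example.com", "100.101.1.2", "192.168.10.50", 554),
    "viewer_dvr_ssh": ("alice@example.com", "100.101.1.2", "192.168.10.50", 22),
    "viewer_other_host": ("alice@example.com", "100.101.1.2", "192.168.10.51", 443),
    "admin_other_host": ("admin@example.com", "100.101.1.3", "192.168.10.51", 22),
    "stranger_dvr_https": ("bob@example.com", "100.101.1.4", "192.168.10.50", 443),
}


def evaluate_sample_flows(policy=POLICY):
    """Return {flow name: allowed?} for every constructed sample flow."""
    return {name: is_allowed(policy, *flow) for name, flow in SAMPLE_FLOWS.items()}


if __name__ == "__main__":
    for name, allowed in evaluate_sample_flows().items():
        print(f"{name:20s} {'accept' if allowed else 'deny'}")
```

The point of the sample flows is the default-deny shape: the viewer group gets exactly two ports on one host, the same user is refused SSH on that host and HTTPS on the neighbouring host, and a user in no rule at all gets nothing. On a real tailnet the subnet router still needs a pfSense firewall rule that passes the traffic, as the video covers, so the ACL and the firewall rule together decide what is reachable.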
@lolololowbx280 2 years ago
Would to see selfhosted zerotier network via zero-ui
@sebastianpulver3604 2 years ago
Is it possible to use OSPF over Tailscale to advertise the routes instead of Tailscale itself?
@LAWRENCESYSTEMS 2 years ago
Don't think Tailscale has OSPF support
@patrickFREE. 11 months ago
Does it even work on OPNsense?
@yuriw777 A year ago
Assuming I don't plan to access my firewall pfsense directly from the open internet and want only to access some boxes where I have TS clients installed, why do I even need TS on my router? Happy New Year all!
@LAWRENCESYSTEMS A year ago
Having it on the router allows easy access to all devices across all networks, even the devices that do not have Tailscale.
@NyarUhc 7 months ago
Hi brother... Is there a NAT punch hole in Tailscale? I want to redirect ports from our Huawei router to my computer to be able to utilize it. The port forwarding in our router is not working cuz something is blocking it. Please acknowledge my comment. Thank you very much.
@LAWRENCESYSTEMS 7 months ago
Yes, you can use Tailscale behind NAT.
@NyarUhc 7 months ago
@LAWRENCESYSTEMS How to do it? Sorry, I really have no idea since I'm not that techie..
@Th3H4cK3r 2 years ago
A headscale video would be great.
@Saturn2888 A year ago
Man, none of that automated Tailscale routing happened for me. All my stuff looks like yours, but I don't have any firewall NAT or outbound rules. I can't even ping the box from the Tailscale network even though everything looks good. Something's gotta be messed up here.
@Saturn2888 A year ago
Third time's the charm! Now it's showing up some stuff. Still can't ping the box, but now I finally have routes! Still no Outbound mappings though.
@JPEaglesandKatz 2 years ago
Great video again... One thing I'm worried about is the fact that there is no login on the Android Tailscale app... it authenticates without any login/credentials, TOTP... if someone gets their hands on your phone and unlocks it they are free to do whatever they want... Unless ofc I'm missing something, which is very possible :)
@LAWRENCESYSTEMS 2 years ago
It relies on the security of your phone so use a good phone lock password.
@JPEaglesandKatz 2 years ago
@LAWRENCESYSTEMS Yup!!! Still would love to see something like OTP or YubiKey support added for logging in to the app!
@LAWRENCESYSTEMS 2 years ago
@JPEaglesandKatz Tailscale does not handle logins, that is why they use third parties.
@mithubopensourcelab482 2 years ago
Tailscale is based on Wireguard. What secret sauce did Tailscale add to publish routes so that non-Tailscale hosts (without the client installed) can be easily reached via the overlay network? Can someone explain this?
@KhatabAhmed 2 years ago
Many Thanks....
@crites57 2 years ago
Tailscale won't let me generate a key, I think because my role is an Owner. Can anyone tell me how to change my role to Admin or Network Admin?
@chromerims A year ago
Tailscale is backed by CRV, Insight Partners, Accel, Heavybit, Uncork Capital, and individual investors. Its May 2022 Series B added $100 million in funding.
@falazarte 2 years ago
This might be an answer to my prayers.. LOL. Do you think it's possible to have, for example, Unifi software to control Hotspots in different offices with different IPs, but have the same WiFi mesh?
@LAWRENCESYSTEMS 2 years ago
I don't understand the goal.
@falazarte 2 years ago
The goal is to have one mesh across multiple offices in different towns. Offices have different DHCPs, connected via IPsec at the present time.
@DrDingus A year ago
@falazarte But why?
@falazarte A year ago
@DrDingus When you connect to the AA (Aerolineas Argentinas) WiFi, no matter which city airport in Argentina, you are part of the same WiFi and you do not have to enter credentials in each city. I'd like to build something like that for this company's different offices in different cities so roaming employees don't have to be entering credentials at each office.
@DrDingus A year ago
@falazarte RADIUS
@ikkuranus 2 years ago
Don't bother trying to install this with 2.5.x. It shows up but will just error trying to install a dependency.
@denix0 2 years ago
Why wouldn't this be prevented in the Package Manager?? Bad packager, bad packager!
@VillSid 2 years ago
I have set Tailscale up on OpenWRT, but be very mindful that it will om nom nom your CPU if yours is not ARM64 or x86, even if it has crypto accelerators.
@ssspop85 A year ago
Tailscale and Ubiquiti USG firewall rules, can you help me?
@LAWRENCESYSTEMS A year ago
Tailscale does not work on a Ubiquiti USG.
@AgentLokVokun 2 years ago
I never knew this existed. NOICE.
@zyghom 10 months ago
the settings are not easy and the video is so convoluted... ehhhh
@TechySpeaking 2 years ago
First