How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN: kzbin.info/www/bejne/q521mJiZr5WIqbM
How Tailscale Makes Managing Wireguard Easy: kzbin.info/www/bejne/mJS1h56lmriBZqc
Tailscale VS ZeroTier: kzbin.info/www/bejne/onLLdWWAebt6Zpo
Netgate Tailscale blog post: www.netgate.com/blog/tailscale-on-pfsense-software
Tailscale NAT write-up: tailscale.com/blog/how-nat-traversal-works/
Headscale GitHub: github.com/juanfont/headscale/tree/main/docs
Tailscale userspace vs. kernel: tailscale.com/kb/1177/kernel-vs-userspace-routers/

⏱ Timestamps ⏱
00:00 pfSense Tailscale package
03:31 Headscale server
04:19 Tailscale Web Management
05:26 Tailscale Access Control Security
06:10 Managing Tailscale in pfSense
09:36 pfSense routes and exit node
10:48 Tailscale Connectivity and Firewall Security
@John-vk1ij 1 year ago
Another suggestion: when operating on two different pfSense instances, it's easier for the audience to tell which pfSense is currently being configured if they use different color schemes.
@krenkotv3240 2 years ago
Headscale videos are non-existent! Maybe you could do a quick "How To - Setup" guide for the people :)
@MrChris79 2 years ago
Agreed! I was able to set up and get basic Headscale working with my pf box but struggle to get ACLs so I can see my pf LAN devices from remote Tailscale clients! I have learned lots from Tom's videos.
@prashanthb6521 1 year ago
I hope so.
@ColeBlack2 2 years ago
Been using Tailscale for a while now and have been having to use Raspberry Pis at a couple of sites as Tailscale subnet routing bridges. This is awesome. Very welcome plug-in.
@havok4103 1 year ago
Tailscale is such an incredible tunnel resource! I have Starlink (which has carrier NAT), so making a tunnel home has been troublesome... not with Tailscale! It works great! And I can access everything behind pfSense. Thank you for this video!!!
@clarkmakoni905 2 years ago
Thank you so much Tom for another great tutorial. If you could do a video on Headscale it would be most appreciated.
@GrishTech 2 years ago
Time for ZeroTier. It needs to be added to pfSense.
@parl-88 2 years ago
I second that motion!! Nice 👍
@kc0eks 2 years ago
Love ZeroTier, really wish it was an option built into pf.
@occamsrazor000 2 years ago
There was a request thread on the Netgate forum for like 4 years… that never went anywhere. A shame, I like ZT…
@GrishTech 2 years ago
@occamsrazor000 Yeah, I read it. Maybe it doesn't adhere to some standard? Do packages have to support pfSense HA to be properly supported/implemented by Netgate?
@tornadotj2059 2 years ago
Thanks Tom, this is perfect timing for me. I recently started moving off of my local WISP to T-Mobile and AT&T, and was working through some solutions to get around CGNAT. Although I've been successful so far, I'm not an "all my eggs in one basket" person, so I like options. I'm going through now and setting up a Tailscale configuration. I'd also like to see a Headscale video.
@tornadotj2059 2 years ago
And I'm already finished. Fully tested from a phone on CGNAT into my network on CGNAT, and everything is perfect. This is simply awesome.
@ws2940 2 years ago
Thank you for the video. Will definitely take a look at the NAT article.
@irtibatkisileri222 2 years ago
Coming in behind the actual tech improvement. Maybe it is already done. Here's my upvote for a Headscale tutorial. Thanks for this one.
@amosgiture 2 years ago
Tailscale exit node and route advertising make it so much more appealing than Nebula & ZeroTier. Will definitely try out Headscale to scale beyond the Tailscale 20 free limit. Tailscale on pfSense just blows my mind!!!
@laov6843 6 months ago
Thanks. Great section for the firewall rule. I was wondering why I have no access to my pfSense web UI from Tailscale. The rule solved my issue as I needed a quick way to get to the management UI from anywhere.
@xellaz 1 year ago
My network is something similar but using two Firewalla devices in router mode in different locations for site-to-site VPN access between both using the WireGuard protocol. I mapped my NAS located on another site using its local IP through the VPN on a PC. It works pretty well.
@sobesjm 1 year ago
Thanks for the video. Clear and concise. I notice on your Tailscale Machines page you have the local subnets listed in the addresses column along with the Tailscale address. While my setup is working just fine between 2 subnets, my Machines page is only showing me the Tailscale addresses and not the local subnet addresses. Did I miss how this is enabled? Thanks.
@LAWRENCESYSTEMS 1 year ago
You can have Tailscale push other routes if needed.
@speedup070605 2 years ago
Thanks for sharing, love the work you put into sharing knowledge about pfSense.
@troyBORG 2 months ago
At 9:30 how do you get the Tailscale Address for the Translation address?
@bsem68 2 years ago
This example only allows one direction from all the other sites to tom-home-pfsense. In order to have a 2-way site-to-site VPN using Tailscale, it seems that you need to enable subnet routes for the machine in Tailscale, advertise subnet routes on the pfSense (e.g. lts-tailscale) and put the correct outbound NAT on each other pfSense you want to access from. The free version of Tailscale only allows 1 free subnet router... they have a soft limit so you could probably add another one like I did to test for a while.
@ALAINCABANDO 2 years ago
Followed your guide. It's really simple and easy.
@JohnFilion 4 months ago
Thanks for making this video. I tried to use Christian's video to set up a site-to-site, and I can't get it to work as he described. It looks like the software in the pfSense router has changed, and now things aren't exactly as he described. In his video, he mentions a Tailscale interface that can be ignored, but in my configuration there is no Tailscale interface, only an interface group. When I try to create the outbound NAT rule, I can't specify the interface because it doesn't exist. I can't find any videos on Tailscale site-to-site that are newer than two years old. Do you know if this feature is still being supported in pfSense? If so, would you consider doing an updated video on how to set this up?
@reijin999 2 years ago
I would like a Headscale video (and a pfSense package lol). I basically already have this setup with pure WireGuard as a site-to-point to pfSense installed on a VPS. I then connect other VPS servers to that pfSense install and can access them as if they are a part of my LAN, but I would really like a UI for scalability. Will have to try Tailscale for now.
@remkm1715 1 year ago
I'd love to see someone going through the process of setting up ACLs on a virgin Tailscale network... for the less network-minded folks, so to say :)
@universo5network540 2 years ago
Thanks for the video; one question: how did you set up a subnet router in pfSense?
@LAWRENCESYSTEMS 2 years ago
kzbin.info/www/bejne/nKTHnmirmMR_qbc
@scottc2211 2 years ago
Greatly appreciate the videos you create. Curious though, how much of a performance difference is there between Tailscale and WireGuard? Would love to see the comparison. If it's drastically different I would consider switching over.
@neosmith80 1 year ago
The open-source software acts in combination with the management service to establish peer-to-peer or relayed VPN communication with other clients using the WireGuard protocol. I would imagine that since Tailscale is using the WireGuard protocol there wouldn't be much of a difference between them. Tailscale could be a bit easier to get up and going though, vs. WireGuard having to get the config to each client.
@JanDemore 1 year ago
@neosmith80 @scottc2211 For me WireGuard is 2x faster than Tailscale, both running in pfSense.
@georgiostsitouridis 2 years ago
Great video! Nice way you put everything in order and made it clear. I would like to see, though, a video regarding different setups and how to manage pfSense with the Tailscale package. For example, is it possible to access a device in the Tailscale network from behind the pfSense without having the Tailscale client installed?
@LAWRENCESYSTEMS 1 year ago
Yes, that is a use case I talked about in the video.
@georgiostsitouridis 1 year ago
@LAWRENCESYSTEMS Indeed you talk about it, but with one difference (I think, if I understood correctly)... that is, you do have the Tailscale client installed on the local client and then you add the Tailscale rule, which enables pinging directly to 100.x.x.x. What about a case where there is no Tailscale SW installed on the local client and pfSense is used as a gateway to the management plane as well?
@ClanLawrence 1 year ago
Awesome video, thanks for creating it. Is there an easy way to get Tailscale traffic bound for the WAN to use a non-default gateway?
@LAWRENCESYSTEMS 1 year ago
Not something I've had a need for or tested.
@ClanLawrence 1 year ago
@LAWRENCESYSTEMS The use case is that I'd like to have access to my home LAN, but also route internet traffic via my NordVPN gateway. I have an alias list in pfSense for clients that I want to route via Nord and that works nicely. When I used WireGuard it was just a case of creating a firewall rule on the WireGuard interface with Nord set as the gateway. This doesn't appear to work the same way with Tailscale, however. Love your videos btw, keep up the good work :)
@charlescc1000 2 years ago
Pretty cool to see there is now a Tailscale pfSense package. I could see this being pretty useful if I were behind a CGNAT ISP, but the Tailscale managed connection interface definitely worries me. I essentially view this as opening my local private LAN to an external company. Not worth the risk in my view. Thus Headscale is a pretty appealing offering. I'm not behind a CGNAT so I don't really have much of a use case for either. I use WireGuard to access my LAN remotely and use OpenVPN for a site-to-site VPN. The only VPN troubles I have is that when traveling I sometimes find hotels block my WireGuard remote access VPN. I don't think Tailscale would behave any differently but I haven't tried it myself. I believe it would use similar ports to any WireGuard VPN. Maybe either can be set up to run on 443? Not sure.
@Darkk6969 2 years ago
There is a discussion on Reddit about free Wi-Fi blocking access to WireGuard. Fortinet firewalls are known to do this. No issues with OpenVPN as long as the default port of 1190 is not blocked. I have two OpenVPN server sessions with custom ports for this reason. I share the same security concerns about using Tailscale for my network. Headscale is a good open source option but takes a bit more work to get it going on the server side and managing it. I am happy to see pfSense now supports it via the package.
@fuseteam 1 year ago
Doesn't Headscale offer the same challenge as OpenVPN? To use your own Headscale server you need a public IP.
@break1146 1 year ago
@fuseteam You could rent a VPS to run Headscale. The advantage being it can broker a peer-to-peer connection between clients. Using a traditional VPN, you would need to actually route traffic through that VPS, which obviously hurts performance and latency, and you might have to deal with data caps depending on where the VPS is rented from.
@z1haze 7 months ago
If I have Tailscale installed on my pfSense router like you do in your video, how can I configure things so that mobile devices connected to Tailscale can take advantage of the Pi-hole DNS that I use on my network? My Pi-hole service runs on the same network as the pfSense router.
@LAWRENCESYSTEMS 7 months ago
It might work if you specify your Pi-hole DNS in your Tailscale DNS settings.
@f1aziz 27 days ago
Damn, this was so easy. Thanks.
@DanielWillen 2 years ago
I have an IPsec established from the pfSense to a remote subnet. From the LAN it works fine, but when I try to advertise the subnet, clients cannot find it. I tried advertising the LAN like you did, and it worked just fine. Thinking there needs to be some NAT rule or something.
@mikescott4008 8 months ago
Playing around with it, but can't see a use case for me above having WireGuard / OpenVPN on the pfSense. Lack of opening ports is good. Will delve deeper. I'm not behind CGNAT and such.
@ryanroberts210 2 years ago
I've got two networks on two different pfSense boxes talking to each other, accessible, etc... Great, thanks! What I'd like to do though is have one pfSense be the Exit Node for the other, i.e. all the traffic in and out of one pfSense is going through the other. I see how to use Exit Node with a phone or laptop, but not how to tell the pfSense subnet router to use the other one... Any ideas? Thx
@LAWRENCESYSTEMS 2 years ago
I am not aware of a way to currently do that, but they may add the option in the future.
@ryanroberts210 2 years ago
@LAWRENCESYSTEMS Appreciate the quick response. I left the comment on Christian McDonald's video as well... :)
@RafedwinAbreu 1 year ago
I really wish this tutorial showed each step including the firewall rules. I cannot get my subnet routes to work.
@LAWRENCESYSTEMS 1 year ago
I do cover the firewall rules.
@kc0eks 2 years ago
What happens if I link multiple networks that use the same subnets? Guess I will find out when I add another...
@occamsrazor000 2 years ago
What did you find?
@rudypieplenbosch6752 2 years ago
I can use this as an alternative to ZeroTier, which works great but I need a VM to keep it up.
@qcnsllcqcnsupport7616 2 years ago
Great video Tom, and thank you for all the great work 👍🏼
@MrChris79 2 years ago
Thanks Tom for the video. Can you please do a basic tutorial on setting up pfSense with Headscale including a basic ACL that allows accessing pfSense VLANs or LAN devices?
@LAWRENCESYSTEMS 2 years ago
Tailscale pushes networks, not VLANs.
@ierosgr 2 years ago
12:59 I noticed the option interface has the value Tailscale in the dropdown menu. Does this mean you need to assign Tailscale to a pfSense interface? Thought that it was mandatory only for geolocation VPN solutions.
@taranagnew436 2 years ago
Can you include/exclude apps to use Tailscale, and how do you have 1 main tunnel and connect other devices to the tunnel?
@bmp6361 1 year ago
Great tutorial, wondering why you differed from Christian McDonald's outbound NAT. You set the destination and he set the source. I guess it makes no difference. Thanks Tom, again great tutorial.
@mithubopensourcelab482 2 years ago
Excellent tutorial as usual. Many thanks.
@kimlindberg5815 2 years ago
Is it possible to show a scenario where you have 2 pfSense firewalls where Tailscale connects two sites and each site has a few VLANs on their LAN side and only some VLANs are allowed to talk to some VLANs at the other site?
@DanielWillen 2 years ago
A bit of a stupid question perhaps, but can you run an exit node that exposes routes on anything other than the pfSense (for example, a machine running Linux in the LAN)? Or an Azure VM in the same subnet as other VMs?
@LAWRENCESYSTEMS 2 years ago
Tailscale allows you to choose what endpoints can be exit nodes.
@dannymaasland3966 2 years ago
I have existing IPsec tunnels from different locations connected to 1 pfSense box as a site-to-site connection. How would I go about advertising those subnets with Tailscale as well? I have simply added them to advertised routes but that doesn't seem to be enough.
@gjkrisa 2 years ago
Somehow I kept missing the part where Tailscale (genx) was talking about adding a firewall rule for Tailscale, and it was not working: not passing traffic or pingable, although it would try the connection till timeout. I'll have to do that when I get home.
@gjkrisa 2 years ago
Yeah, added a pass all on the Tailscale tab and it all works great.
@TradersTradingEdge 2 years ago
Hi Tom. Great explanation, thanks. Is it possible to route TS to HA-Proxy to access my services behind HA-Proxy? Any hint for me? TNX
@LAWRENCESYSTEMS 2 years ago
They should work together.
@TradersTradingEdge 2 years ago
@LAWRENCESYSTEMS TNX Tom. I totally struggle here and can't get it to work. Do you know any website/resource explaining how to set up TS & HA-P. in pfSense? Thanks mate.
@Rookie23095 1 year ago
Tailscale could be just what we need. Can you limit access to just a couple of ports on a Windows device in your network, e.g. a camera DVR? I have other apps on this server that I don't want to open up, particularly with limited or no access logging available. As the DVR needs a username and password, I am OK with that level of risk. If this is doable, how could you do it securely?
@LAWRENCESYSTEMS 1 year ago
Yes, you can create limiting rules in Tailscale.
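As an added illustration (constructed for this page, not from the video or from Tailscale's own documentation) of the limiting rules mentioned in the reply above, and of the VLAN-to-VLAN restriction @kimlindberg5815 asks about, here is a Tailscale ACL policy that exposes only two DVR ports on one Windows host behind pfSense and lets just one VLAN at site A reach one VLAN at site B; the LAN addresses, ports and tag names are assumptions. Tailscale's policy file is HuJSON, so the `//` comments are accepted as written.

```json
{
  // Tags let the policy refer to the two pfSense subnet routers by role
  // instead of by machine name; admins are allowed to apply them.
  "tagOwners": {
    "tag:site-a-router": ["autogroup:admin"],
    "tag:site-b-router": ["autogroup:admin"]
  },

  "acls": [
    // Any tailnet member may reach only the DVR web UI (80) and RTSP (554)
    // on the Windows host 192.168.10.50 (constructed address) behind the
    // site A pfSense. Every other port on that host, and every other host
    // on 192.168.10.0/24, stays unreachable from the tailnet.
    {
      "action": "accept",
      "proto":  "tcp",
      "src":    ["autogroup:member"],
      "dst":    ["192.168.10.50:80,554"]
    },

    // Site-to-site: the 192.168.20.0/24 VLAN at site A may talk to the
    // 192.168.30.0/24 VLAN at site B on any port. No rule exists for the
    // reverse direction or for the other VLANs, so they are blocked.
    {
      "action": "accept",
      "src":    ["192.168.20.0/24"],
      "dst":    ["192.168.30.0/24:*"]
    }
  ],

  // Routes advertised by the tagged routers are approved automatically;
  // a route advertised by any other node still needs manual approval.
  "autoApprovers": {
    "routes": {
      "192.168.10.0/24": ["tag:site-a-router"],
      "192.168.20.0/24": ["tag:site-a-router"],
      "192.168.30.0/24": ["tag:site-b-router"]
    }
  }
}
```

Tailscale ACLs are default-deny, so the stock allow-all rule (`"src": ["*"], "dst": ["*:*"]`) must be removed for these to take effect. The site-to-site rule matches the LAN source address as it enters the tunnel; if pfSense outbound NAT rewrites it to the router's Tailscale address first, as in the NAT discussion above, the `src` would have to be `tag:site-a-router` instead.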
@lolololowbx280 2 years ago
Would like to see a self-hosted ZeroTier network via zero-ui.
@sebastianpulver3604 2 years ago
Is it possible to use OSPF over Tailscale to advertise the routes instead of Tailscale itself?
@LAWRENCESYSTEMS 2 years ago
Don't think Tailscale has OSPF support.
@patrickFREE. 11 months ago
Does it even work on OPNsense?
@yuriw777 1 year ago
Assuming I don't plan to access my pfSense firewall directly from the open internet and only want to access some boxes where I have TS clients installed, why do I even need TS on my router? Happy New Year all!
@LAWRENCESYSTEMS 1 year ago
Having it on the router allows easy access to all devices across all networks, even the devices that do not have Tailscale.
@NyarUhc 7 months ago
Hi brother... Is there a NAT hole punch in Tailscale? I want to redirect ports from our Huawei router to my computer to be able to utilize it. The port forwarding in our router is not working because something is blocking it. Please acknowledge my comment. Thank you very much.
@LAWRENCESYSTEMS 7 months ago
Yes, you can use Tailscale behind NAT.
@NyarUhc 7 months ago
@LAWRENCESYSTEMS How do I do it? Sorry, I really have no idea since I'm not that techie...
@Th3H4cK3r 2 years ago
A Headscale video would be great.
@Saturn2888 1 year ago
Man, none of that automated Tailscale routing happened for me. All my stuff looks like yours, but I don't have any firewall NAT or outbound rules. I can't even ping the box from the Tailscale network even though everything looks good. Something's gotta be messed up here.
@Saturn2888 1 year ago
Third time's the charm! Now it's showing up some stuff. Still can't ping the box, but now I finally have routes! Still no outbound mappings though.
@JPEaglesandKatz 2 years ago
Great video again. One thing I'm worried about is the fact that there is no login on the Android Tailscale app... it authenticates without any login/credentials, TOTP... if someone gets their hands on your phone and unlocks it they are free to do whatever they want... Unless ofc I'm missing something, which is very possible :)
@LAWRENCESYSTEMS 2 years ago
It relies on the security of your phone, so use a good phone lock password.
@JPEaglesandKatz 2 years ago
@LAWRENCESYSTEMS Yup!!! Still would love to see something like OTP or YubiKey support added for logging in to the app!
@LAWRENCESYSTEMS 2 years ago
@JPEaglesandKatz Tailscale does not handle logins, that is why they use third parties.
@mithubopensourcelab482 2 years ago
Tailscale is based on WireGuard. What secret sauce did Tailscale add to publish routes so that non-Tailscale hosts (client install) can be easily reached via the overlay network? Can someone explain this?
@KhatabAhmed 2 years ago
Many thanks....
@crites57 2 years ago
Tailscale won't let me generate a key, I think because my role is an Owner. Can anyone tell me how to change my role to Admin or Network Admin?
@chromerims 1 year ago
Tailscale is backed by CRV, Insight Partners, Accel, Heavybit, Uncork Capital, and individual investors. Its May 2022 Series B added $100 million in funding.
@falazarte 2 years ago
This might be an answer to my prayers... LOL. Do you think it's possible to have, for example, UniFi software control hotspots in different offices with different IPs, but have the same WiFi mesh?
@LAWRENCESYSTEMS 2 years ago
I don't understand the goal.
@falazarte 2 years ago
The goal is to have one mesh across multiple offices in different towns. Offices have different DHCPs connected via IPsec at the present time.
@DrDingus 1 year ago
@falazarte but why?
@falazarte 1 year ago
@DrDingus When you connect to the AA (Aerolineas Argentina) WiFi, no matter which city airport in Argentina, you are part of the same WiFi and you do not have to enter credentials in each city. I'd like to build something like that for this company's different offices in different cities so roaming employees don't have to be entering credentials at each office.
@DrDingus 1 year ago
@falazarte RADIUS
@ikkuranus 2 years ago
Don't bother trying to install this with 2.5.x. It shows up but will just error trying to install a dependency.
@denix0 2 years ago
Why wouldn't this be prevented in the Package Manager?? Bad packager, bad packager!
@VillSid 2 years ago
I have set Tailscale up on OpenWRT, but be very mindful that it will om nom nom your CPU if yours is not ARM64 or x86, even if it has crypto accelerators.
@ssspop85 1 year ago
Tailscale and Ubiquiti USG firewall rules, can you help me?
@LAWRENCESYSTEMS 1 year ago
Tailscale does not work on a Ubiquiti USG.
@AgentLokVokun 2 years ago
I never knew this existed. NOICE.
@zyghom 10 months ago
The settings are not easy and the video is so convoluted... ehhhh