Tailscale installer (in OPNSense)

Tailscale is a VPN like software that allows you to create virtual network between your devices.
It also allows for simple in Browser SSH and Exit Node creation if you want to use your server as a VPN aswell.
It also has a lot of other usefull features like file sharing and much more.

Note

This step is optional.
However, I recommend this step because it allows secure and private access to your services or servers without opening any ports.
You can also use it to access your devices from anywhere in the world for debugging purposes.

Installing Tailscale

Tailscale is sadly not directly available as a plugin.
But its still rather simple to install. I mainly followed the official Tailscale guide which isn’t 100% correct at the moment.

Official Tailscale-Guide

First of all, we should download more ports for OPNSense.

• Go to your OPNSense Console
• Choose Option 8 for open shell
• Wirte opnsense-code ports (the download may take some time now)

Now we have to go to our tailscale folder to start the installation there

• Open your Tailscale-Folder with cd /usr/ports/security/tailscale
• Write make install (This will take a few minutes depending on the CPU performance)

Now everything should be installed and we can now start a tailscale demon as well as execute tailscale.

• service tailscaled enable
• service tailscaled start

To test whether Tailscale has actually started, we can enter tailscale version.
If everything has now worked, we can now connect to our Tailscale account.

Connect Tailscale

Now select how you want to connect Tailscale to your OPNsense. There are four different options.

1. tailscale up > Execute this command to establish the simple connection.
2. tailscale up --ssh > This will allow you to establish an SSH connection via tailscale
3. tailscale up --advertise-exit-node > Run this command to use OPNsense as VPN or Exit Node
4. tailscale up --ssh --advertise-exit-node > Establish tailscale with SSH connection and exit node (my choice)

After you have entered your name, a link like “https://login.tailscale.com/a/RANDOMNUMBER” will appear.

Enter this into the browser to log in to Tailscale. Your OPNsense will now automatically be added to your tailscale, as soon as you have confirmed everything you will automatically be taken to your machines

Activating Exit Node

Even tho because of firewall rules Tailscale will not have internet access on the exit node for now you also need to make sure to allow the device to be used as an access node in the Tailscale Admin Console. There you can click the option buttons next to your device and go to Edit route settings.
There you need to enable Use as exit node. This should be everything you need to do.
Now it should be an available option as an exit node on for exampel your desktop or mobile device in the Tailscale app.

Adding the tailscale-interface

• Go to Interfaces > Assignments
• Select your tailscale-interface in “Assign a new interface”
• Provide a description (Use the same description as above - Example: TAILSCALE)
• Click the Add-button

Enable the tailscale-interface

• Go to Interfaces > [Your Interface] (example docker: TAILSCALE)
• Enable the Interface
• Hit Safe and Apply changes

Update RFC1918-Rules

• Go to Firewall > Aliases
• Edit the RFC1918-rule by clicking the pen
• Add content __opt1_network (In future all those beginning with __, but the number can be different)
• Hit Safe and Apply

Add Rule RFC1918 to Interface

We will use RFC1918 to configure firewall rules for internet access.
If you want to give internet access to the tailscale-interface but still restrict access to all other internal IPs
you can do that with the help of a firewall rule that accepts all connections except if they target RFC1918.

• Go to “Firewall > Rules”
• Select the tailscale-interface you want to grant internet access
• Create a new rule if it doesnt already exist by hitting the plus.

We want to allow everything except if the destination is RFC1918.

• Enable Destination / Invert.
• Select RFC1918 as a destination
• Select the Category (optional)
• Safe and Apply Changes

Create NAT-Rule

We now also forward the default port from my Tailscale here.

• Go to Firewall > NAT > Port Forward
• Add Rule by clicking the plus-button
• Enter the following values
• Hit ‘safe’ and then ‘apply’

NATrule-Settings

Port 80 / http

Interface - TAILSCALE
Destination / Invert - false
Destination - TAILSCALE_ADDRESS
Destination port from - http (80)
Destination port to - http (80)
Redirect Target IP - Proxy-Alias (IP: 10.1.2.2)
Redirect Target Port - http (80)

Port 443 / https

Interface - TAILSCALE
Destination / Invert - false
Destination - TAILSCALE_ADDRESS
Destination port from - https (443)
Destination port to - https (443)
Redirect Target IP - Proxy-Alias (IP: 10.1.2.2)
Redirect Target Port - https (443)