A Homelabbers Networking Playground with Opnsense, Proxmox, VLANs and Tailscale

Captions
So when I think back to when I was first learning networking a few years ago, one of the things I found the most challenging is that when you want to break something with your network, you break the network, which means the internet doesn't work, it means your YouTube doesn't work and you can't really learn when your primary sources of information are offline. I've definitely been in a situation where I've broken the internet so badly that I've had to then tether my phone to my laptop to Google how to fix it and then switch back to my old network. Well in today's video I wanted to take you through how you can learn networking in a completely isolated environment that doesn't require any special hardware using Proxmox, OPNsense and Tailscale. Alright let's make a start by installing OPNsense. There are a few steps we're going to need to follow here, specifically around the networking adapters to make sure that OPNsense has one leg in my real network so that you can get to the internet and one leg in this virtual network that we're going to create for all of our testing. So we need to add two network adapters to this virtual machine. So let's jump over to Proxmox, and I'll just show you what I do over here. So I'm going to give this a VM ID of 2,000, and I'm going to call this OPNsense demo. Actually, I'm going to call this OPNsense 101, and you'll see why in just a second. If I go to the OS here, I'm going to select my ISOs, and they are genuinely Linux ISOs here. So, well, OPNsense is BSD, isn't it? But there you go. So I'm gonna select the latest version of OPNsense, which is 23.7 at the time of recording. Nothing else here needs to change. I mean, I guess, we'll leave those things alone over there. Under the system here, again, nothing needs to change. We could add the QEMU agent if we wanted to for a test system, not super important in my opinion. I'm gonna tick the discard box under storage and make sure that my storage location is all set correctly.
For me, this is exactly what I'm looking for. I'm just gonna drop this down to a 20 gigabyte disk. I mean, OPNsense doesn't really need much space at all. Next, I'm gonna give it four CPU cores, which is hilarious overkill for a firewall, but why not? Two gigs of RAM is plenty. Now, in the network section, I'm gonna leave this page untouched and I'll add the other device in just a second. So I'm gonna make sure this start after created box here is not checked. Once the Proxmox engine has created the virtual machine instance, I'm going to jump straight over to hardware and then add a new network device under here. So I'm still going to use the VM bridge zero, which is what the host uses to do all of the networking stuff in there. But I'm going to add this second network adapter with the VLAN tag of 101, as we alluded to earlier. Now what this will do is it will create a second network adapter. You can see down here you've got net zero and net one. Net zero has that leg in my existing LAN so that will get an IP address from my existing DHCP server. Net one is effectively the LAN port inside that virtual network that we're creating. It's a bit inception but I promise it will make sense soon. Alright so now we've got the networking side of things taken care of. I'm going to just jump now into the console here and if you've ever installed OPNsense before this should look entirely familiar. It's booting from the DVD ISO. Doing a bunch of stuff here so we'll just give this a second. Now it's about to prompt us for the manual interface assignment so I'm going to press any key and interrupt that briefly here. So you see it says do you want to configure LAGGs now? No. Do you want to configure VLANs now? Also no. Might sound confusing but we're doing the VLAN configuration on the physical NIC even though it's a virtual NIC, we're doing that at the hardware level, the hardware emulation level.
We're not going to do that in software which is what OPNsense is asking that question for just here. So I'm going to say do you want to configure VLANs now? No. And for interface name, I'm going to go back and look at my MAC addresses over here. So I've got A1348F as the first interface. And remember that one doesn't have a VLAN tag. So that's effectively our WAN address. So here, let me leave this down here. So for our WAN address I want to select A1348F so that's vtnet0 and then for our LAN address I want to do the other one which is vtnet1 and that's the one with the VLAN tag of 101. So once I've done that I'm gonna press enter to say I finished. Do you want to proceed? Yes please. And it's going to go ahead and configure a bunch of stuff for us. So once it's done that we're ready to go ahead and install OPNsense. We need to log in with the username installer and the password opnsense. Then we can go ahead just with the install like we normally would. I'm going to fast forward through this in post. Okay, and the installation is complete. I'm going to go ahead and set a root password. Obviously, you should set this to whatever you want. There we are, complete install. Alright, we're ready to go. We can press exit and reboot at this point and the virtual machine is now going to reboot. Back in a sec. Okay, and there we have it. Proxmox has booted the virtual machine for OPNsense with the two network adapters and you can see that we've got two what look like local IP addresses. We've got 192.168.1.1. That's our virtual LAN, our VLAN tagged 101 subnet at this point, the default IP address range that it's picked. Then under the WAN option here, we have 10.42.7.221. That would effectively be what your ISP would give you as a public IP address if you were to install OPNsense on some real hardware and connect it to an Internet-facing modem.
This 7.221 is just a DHCP address from my other OPNsense, like real instance, that's in the basement downstairs running the rest of my network over here. We can't access the web UI of OPNsense through this WAN IP. We can try. So if I remember this browser is in my local area network. So I mean, I could go to 0.254, which is where my existing OPNsense box lives. That works obviously because I'm in this network. But if I wanted to go to, what was it, 7.221, it's not going to let me because that's effectively like trying to access your firewall through the public internet on the WAN IP address. It's a really bad idea to do that. So by default, OPNsense doesn't permit that kind of access. So we have a couple of options at this point and my preferred option to access the web UI of OPNsense is to create a virtual machine that lives inside that VLAN. So we're gonna go ahead and create an Ubuntu virtual machine at this point. There's nothing terribly special about what I'm about to do here. I'm just going to call this Ubuntu 101 and then go ahead again and just pick through my ISOs, find the correct one, Ubuntu 22.04 desktop, go through here, system, yeah, that all looks fine. QEMU agent, 64 gig of disk, 'cause it's a desktop operating system and I might want a little bit more space if I'm creating a development VM. Going to give it six cores of CPU. I'm going to give it 16, is it 384, I think, megabytes of RAM for 16 gigs or so. Now, for starters, I'm not going to give it the VLAN tag. And you'll see why in just a second. When we're installing the Ubuntu operating system, it wants to download a bunch of stuff over the internet, sometimes updates and things like that. And I haven't configured OPNsense yet. So I probably want to go ahead and actually just install a virtual machine on my existing network. So it can pull all the updates and all the rest of it in an environment I'm familiar with and understand and know just fine.
And then we can go ahead and add that VLAN tag once it's installed at the virtual hardware level. And at that point, it will get a DHCP address from our virtual OPNsense instance. Now, installing Ubuntu here isn't anything special. So I'm just going to fast forward through this in the edit. Okay, we are at our Ubuntu desktop. Hooray! Let's go ahead and just inspect what our networking situation is for a second, shall we? Under ip a, thanks Ubuntu, ip a, we can see that our IP address right now is 10.42.7.236. Now I know that this is using the firewall in my house for real. Remember what we wanted to do was create a virtual playground in which we can do a bunch of cool stuff. So let's power off the virtual machine. And we're gonna add this to our OPNsense 101 VLAN. Nice and easy. Go ahead over to your Proxmox system over here, click on the hardware, find the virtual network adapter. And all we wanna do is just add this VLAN tag here of 101. When we click okay, we can see that's been added. We'll go back to press start up here. Okay, and then when we type ip a again, we can see, oh look, we have a different IP address this time of 1.100. So what this means is that now this virtual machine lives inside that virtual network we created with OPNsense. What this also means is we can now go ahead and start administering our virtual firewall and start playing around and doing some of the networking stuff that we wanted to figure out in the first place. So by default, OPNsense's IP address is 192.168.1.1. So let's go ahead and accept the default certificate here and then log in with our root username and password. First thing OPNsense is gonna do is prompt us through this initial wizard to do general setup. So I'm just gonna do OPNsense and I'm just gonna call this 101.mysite. So WD is what I call my house, dot my domain name so that it gets a real domain. Gonna click next, next, next through most of this stuff just to make the tutorial a bit easier.
Now, I like to match the third octet of this IP address to the VLAN tag that I've given it. Just, this helps my brain remember what I'm doing in six months' time. So, this firewall will now have the IP address of 192.168.101.254. I like to put my firewalls on the last IP address in a subnet range. Some people put it on the first. I've been called an animal for doing this. I don't know. This is what I do. So you can give this whatever IP address you want to, but for this demo, we're gonna do 101.254. Root password currently is fine. Now, one thing I wanna show you that's gonna happen as we do this is it's gonna reload the DHCP range. So if we look right now, we've got the IP address here of 192.168.1.100. You can see that right here. When we click reload, it's gonna apply the changes. It's also gonna change the DHCP range to be, what did we pick? 101. So let's just see what happens. Reload is now in progress. And of course this URL isn't gonna work anymore. So let's go ahead and do 101.254. And well, we don't have the correct IP address on this host, do we? Because we've just pulled the rug out from under its feet. So if we go over here and check, yeah, we've still got 1.100. So if we just toggle this off and then on again, got IT Crowd in my head, I hope you do too. We can see we've got 192.168.101.10. So that means we've picked up the new IP address range, which also means that if we go over here, we might need to give Firefox a minute just to figure out what's going on in life. And there we go. There's OPNsense in a VLAN dedicated to this purpose. Now what's interesting is, remember I'm in my Ubuntu virtual machine here. I can still access things on my main LAN from inside this test LAN. I mean, you could create a firewall rule in OPNsense to prevent that if you wanted to.
But what this does, it gives us a totally isolated playground to make networking changes and play around with subnets and port forwarding if we want to, or even install something like Tailscale. So let's go ahead and do that. I'm gonna show you how to install Tailscale on OPNsense so that you can access this VLAN from anywhere that your Tailscale account is enabled, your tailnet can reach, and allow you to do some testing of things remotely that way. Now we are working on some improvements for the installation process of Tailscale on OPNsense but for today we're going to have to drop to the command line so we can't do this through the UI interface. Now the first thing I'm going to do is just go ahead and make sure that my OPNsense instance is up to date. It's a completely fresh install, we haven't touched it so it's likely there's going to be a few package upgrades to do. So whilst I go through that process, I'm just gonna speed this up in post, but you want to make sure that all of your firmware packages on your OPNsense box are up to date. All right, so as OPNsense is rebooting, I'm just gonna jump back into my Proxmox instance over here and bring up the console so I can see what that virtual machine is actually doing. We're gonna need the console in just a second anyway. So let's go back to Ubuntu on one side and OPNsense on the other. You can see OPNsense is still booting over here. Shouldn't take very much longer at all. And there we go. So we have OPNsense fully up to date. We can go ahead and just verify that real quick. Log in again with our username and password. Please don't save that. And then click check for updates one more time. Fantastic. No updates are available. That's what we want to see, is this green firmware status just here. Once we have that, we're good to proceed with the next step. So hop over to your OPNsense shell window or whatever you're using to run OPNsense in the VLAN and then log in.
Now you'll be given the set of, what is it? 13, 14 different options here. We're gonna pick option eight, which is the option for the shell. Now, Tailscale isn't available as a package in OPNsense quite yet, but it is available as part of the FreeBSD ports project. So we have an article on our Tailscale knowledge base, our KB, just here. And these are the steps I'm going to be following throughout the next few minutes. I'll put a link to this down in the description, but for now, let's go ahead and just do this in real time. So I'm just going to do opnsense-code ports. Now this is going to download some information from the FreeBSD ports project and make sure that all of your ports are up to date. Once we've done that, we can go ahead and actually install Tailscale by building it from source. Right, once the code ports have downloaded, that took maybe a minute and a half, two minutes on my machine, and we wanna go to this directory. So cd /usr/ports/security/tailscale. And once we're in the Tailscale directory, we'll type make install. This will download a bunch of dependencies and compile Tailscale from source for us. All right, now that's finished building. We want to go ahead and do service tailscaled enable. So that's going to enable the Tailscale daemon. And the same thing, tailscaled start, which is going to start the Tailscale daemon running right away. Next thing you're going to want to do is do tailscale up. Going to ask us to log in in a web browser. So I have gone ahead and logged in. Now this is on my local laptop. You could just as easily do this in the Ubuntu VM. Doesn't really matter. Login.tailscale.com/F74. Oh my goodness. CB CBC64B0. That would be nice if I had copy and paste from the Proxmox terminal, but I don't unfortunately. So I'm gonna go ahead and authenticate this with the tailnet that I want to use. And we'll see, I now have OPNsense in my tailnet.
All right, now that Tailscale is built, started, logged in, we need to go and just assign an interface in the OPNsense UI. So let's go ahead and look in interfaces and click on assignments here. We currently have an unassigned interface, which is Tailscale. So I'm gonna go ahead and just assign that to, I'm gonna call this one Tailscale. And we see on the left-hand side just here, we now have a Tailscale interface. I'm going to go ahead and enable that interface. And this will enable us to use this interface in things like firewall rules and do a whole bunch of other cool stuff. I'm going to click apply. And now that's done. We can go back to our overview and see that we have a LAN interface on 101.254. We have a Tailscale interface with our Tailscale private IP address here. And then also the WAN interface here is connected with 7.221, which remember is not really a WAN address. It's just in my local area network outside of this sandbox that we created. So remember the entire purpose of doing this and creating this OPNsense instance, this networking playground, was to be able to break stuff. And so what I wanted to show you is that on my local Mac here, so this terminal window right here is running on my local MacBook. I can't connect to any of these devices. So if we have a look at the Ubuntu virtual machine and see what the IP address of this guy is, 192.168.10.10. If I try and ping that address, not an awful lot happens as we would expect. We created this isolated area so that we can break stuff and have an isolated instance of a whole set of virtual machines, a dedicated Kubernetes cluster that lives somewhere else so we can test ingress and egress, or maybe we wanted to run a database but pretend it's offsite so we could do some testing of our CI pipeline. I don't know, whatever you wanna do with this, you can, and we've created this environment.
So let's go ahead and try and figure out how we can actually connect into it now we've got Tailscale running on OPNsense. Now, we always recommend wherever possible that you install the Tailscale client on any operating system or device that supports it. Ubuntu does support it, but for the purposes of our demo today, I just wanted to show you how you can use OPNsense as a subnet router. This means that any traffic that goes through OPNsense can now reach any client in the network behind OPNsense. And this is particularly powerful in the real world when you want to install OPNsense, say, at a parent's house and access any device behind that firewall using the local IP address, so the 192.168 address, rather than having to walk them through installing Tailscale or whatever remotely. We've all been in that situation, I think, as tech guys, tech people, that have to install those things remotely, and it can be a bit tricky. So the subnet router just removes all of that pain. You know, maybe there's a printer or something behind the firewall you want to access that you genuinely can't install Tailscale on yet. That's where the subnet router comes in. So let's hop back over to our OPNsense command line and do tailscale up again. And this time we're going to do advertise routes 192.168.101.0/24. And this basically means that every device now that lives in that 101 subnet behind OPNsense is reachable from a device outside, as long as it's on the tailnet. So my laptop here that I'm recording this demo on, for example, I can now connect to this Ubuntu VM through OPNsense using the subnet router functionality. Now, of course, remember whenever you share a subnet like that using a subnet router, there are two steps involved. The first of which is to advertise the route on the remote client.
So in this case, OPNsense, we're advertising the route there but when you go back to your Tailscale admin console, your dashboard over here, you'll see that this machine has unapproved routes. So we need to click over here and go to edit route settings and make sure that we have the route shared. And this way we're able to actually, let me bring this terminal window in over here. Remember this one's on my local Mac. So this is in the .7 IP range. And if I do the ping 101.10, I'm able to access that Ubuntu virtual machine through OPNsense using the subnet router functionality without having Tailscale installed directly on the Ubuntu client. So I hope this demo gave you a good overview of just what's possible using some simple VLAN tags in Proxmox. So let's just recap what we did. We created an OPNsense virtual machine that had two network interfaces. One of those network interfaces lives on my current local area network, on my current LAN, and uses the DHCP that all of the other devices in this house use. That's the 10.42.7 range. We then added a second NIC, virtual NIC, to that OPNsense virtual machine that had a VLAN tag of 101. That meant that it didn't have a DHCP server. So it went ahead and thought, right, well, I'm gonna go and be the default. I'm gonna go and create one for myself. We then also created an Ubuntu virtual machine with a virtual NIC with the tag of 101, so that it got an IP address from that virtualized OPNsense instance. And from there, you can extrapolate that, you know, you could create a bunch of virtual machines, do whatever you want and treat that OPNsense instance just as if it is your real firewall. You can break stuff without the Netflix going down or getting texts from friends and family asking you why Plex is off this week or whatever it might be.
And I think those of us who are in this space where we're learning and trying to be practitioners and IT people in general, we don't often have the space available to us to learn networking techniques without breaking some eggs. And this gives us the opportunity to do just that. And then the final icing on the cake is that using Tailscale, we're able to use a subnet routing functionality to reach inside that remote network and pretend and context switch using our Tailscale accounts. And context switch to different VLANs, if you like, for want of a better word. And so I hope you found this video useful. Remember, there'll be links in the description to all the materials I used throughout this video down below. And until next time, I've been Alex from Tailscale.
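
An added example, not part of the video or of Tailscale's documentation: a pre-flight check of the lab addressing plan described in the captions, run before advertising the route, so that only the sandbox subnet is exposed to the tailnet. The /24 mask on the 10.42.7 home range, the function name and the client name are assumptions.

```python
import ipaddress


def plan_subnet_router(vlan_tag, lan_cidr, firewall_ip, home_cidr, clients):
    """Check a lab addressing plan and build the route advertisement.

    Returns {'command', 'errors', 'warnings'}; 'command' is None when
    any blocking error was found.
    """
    errors, warnings = [], []
    try:
        # strict=True rejects host bits such as 192.168.101.254/24
        lan = ipaddress.ip_network(lan_cidr, strict=True)
        home = ipaddress.ip_network(home_cidr, strict=True)
    except ValueError as exc:
        return {"command": None, "errors": [f"bad CIDR: {exc}"], "warnings": []}

    # An advertised range that overlaps the real LAN would expose (or
    # capture traffic for) devices outside the sandbox.
    if lan.overlaps(home):
        errors.append(f"{lan} overlaps home network {home}")

    if ipaddress.ip_address(firewall_ip) not in lan:
        errors.append(f"firewall {firewall_ip} is not inside {lan}")

    # Convention used in the video: third octet matches the VLAN tag.
    if lan.version == 4 and lan.network_address.packed[2] != vlan_tag:
        warnings.append(f"third octet of {lan} does not match VLAN {vlan_tag}")

    # Clients still holding an old lease are not covered by the route.
    for name, addr in sorted(clients.items()):
        if ipaddress.ip_address(addr) not in lan:
            warnings.append(f"{name} ({addr}) is outside {lan}; renew its lease")

    command = None if errors else f"tailscale up --advertise-routes={lan}"
    return {"command": command, "errors": errors, "warnings": warnings}


if __name__ == "__main__":
    # Values from the captions; the /24 on 10.42.7 and the client name are assumed.
    result = plan_subnet_router(
        vlan_tag=101,
        lan_cidr="192.168.101.0/24",
        firewall_ip="192.168.101.254",
        home_cidr="10.42.7.0/24",
        clients={"ubuntu-101": "192.168.1.100"},  # stale lease before renewal
    )
    for key, value in result.items():
        print(key, value)
```

The advertised route still has to be approved in the Tailscale admin console before tailnet devices can use it.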
Info
Channel: Tailscale
Views: 10,478
Id: XXx7NDgDaRU
Length: 23min 38sec (1418 seconds)
Published: Wed Oct 25 2023