How to Setup The Tailscale VPN and Routing on pfsense

Reddit Comments

Thank you again for sharing this great video.

4 points, u/Adelaide-Guy, Jul 27 2022

Thanks for the tutorial! Just finished listening to this podcast episode. Love the homelab show!

2 points, u/tiny_blair420, Jul 27 2022

Tailscale is hilariously easy, and in my use-case, a lifesaver. My remote cabin has Starlink, which means it's behind a CGNAT. Tailscale makes connecting my home site and cabin site simple and effective.

2 points, u/burnafterreading91, Jul 27 2022

Anyone know if this can be done on 2.5.2?

1 point, u/aathsopaach, Jul 27 2022

@u/lawrencesystems can this be set up as an always-on VPN? Offsite workstation that connects through pfSense, auths the user against AD. Is it possible to auth the workstation against AD instead, that way the multiple users at the offsite can just log on? Currently using IPsec and it is just too problematic, and I can't figure out the always-on VPN portion.

1 point, u/DirectAttitude, Jul 27 2022
Captions
Tom here from Lawrence Systems, and as of July 2022 Tailscale has been added as a package for pfSense Plus and pfSense CE. I'll leave a link down below to the Netgate announcement that also has an embedded video from Christian McDonald where he breaks down Tailscale, how it works, and a lot of the details that went into writing it, because, well, he's the one that wrote it. Great video, lots of information.

Now, what problem does Tailscale solve? Well, Tailscale's an overlay network, and I have a few videos I've done on Tailscale and other overlay networks, also linked down below, if you'd like to dive into that topic. The problem I see this really solving for a lot of people is this: with Tailscale you load the Tailscale client on Mac, Linux, Windows devices, but obviously there are some devices that may not be accessible to you to load Tailscale on, you know, IoT devices or camera systems, etc. By having it on pfSense, this allows your Tailscale namespace that you set up to have a pfSense in the mix that can advertise routes, and this gives you the ability then to have access to all those non-Tailscale devices that are on the network behind pfSense. It also offers the opportunity for people who have been stuck with carrier-grade NAT and can't just put a VPN on pfSense because, well, no public IP address is available for them; Tailscale will facilitate routing through the CGNAT space and still allow these devices. Let's say you have a laptop and you want to leave home but be able to still get to all your devices at home: no problem, have Tailscale on the laptop, Tailscale on pfSense, and that will bridge that access to all the devices behind there.

Now, Tailscale has a lot of features, but one of them is not going to be absolutely the best performance speed, even though it's based on WireGuard, and Christian McDonald addresses this in a video: it's based on the wireguard-go implementation, so there are some speed limitations. Second, it's not the same as using a privacy VPN. This is a discussion where people may go, "Well, can I just use it for all my VPN needs?" Not necessarily. I have a link down below for setting up OpenVPN as a privacy VPN with policy routing. It's not as much a policy-routing type of VPN; it is more a connectivity solution with the overlay network. So we're going to dive into how simple it is to set up, what you need to get going with it, just a couple of parameters, and a few security thoughts about it.

Before we dive into the details of this video, let's first: are you an individual or company looking for support on a network engineering, storage or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your system's security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consult on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration, or IT teams in need of additional support. With our expert install team we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways you want to support this channel, there are affiliate links down below to get your deals and discounts on products and services we talk about on this channel. And now back to our content.

The first place I want to start is the Netgate blog post, because the video that's embedded in here by Christian McDonald, the developer at Netgate who put this plugin together, covers how to set up two pfSenses that do not have publicly routable WAN addresses but allows for the connection of these devices as a site-to-site VPN. So that's well covered and well documented, along with a lot of other details, so I do encourage you to watch Christian's video if that's the setup. Today we're going to focus on a setup that is just for connectivity.

Now, before we go any further, I will mention: yes, I'm aware, and yes, I've tested Headscale. Headscale is an open-source alternative to Tailscale. So Tailscale has an open-source client; the protocol they use is WireGuard, so everything about them is open source except for the coordination server and the back end. Headscale is an implementation of Tailscale that's basically open source. It does lack a proper UI; it doesn't have a nice web interface on there to make it easy to manage. They have documentation on how to get it set up. I did go through and set it up and make sure it works fine with pfSense and all the other devices, but I am not using it for the demo because, well, it would add a little bit of extra complexity, but I'll possibly do a separate video on this if people have trouble getting it set up. Their documentation is kind of basic, but they do have commands you can go through and figure out how it works, along with some example configs.

Now, the obvious prerequisite for this video is going to be that you have a Tailscale account set up. You can sign up for free; as of July of 2022 they allow you up to 20 devices for free, and I mention it like that because, one, I want to save the date in case they change any of the policies on there. But of note, the devices: this is Tom's pfSense LTS, Tailscale pfSense lab, and a few other things I have in there. My Tom Home pfSense is the one we're going to be focusing on, but this counts as a device, and I have it advertising the subnets behind it. This allows connectivity to the devices behind it. So if we look at the diagram here, we can see, like, Tom's phone, this other lab server; we have them across the internet, and they want to connect to Tom's pfSense. Each of these is a single device; these are not devices, these are just extra routes that are advertised by my pfSense that allow, like, my phone, whether it's connected to the 5G LTE network, wherever it is, or this extra lab server I have at the office that I'll demo, to talk to my pfSense, and therefore pfSense then handles the routing between all the devices.

Something worth noting as well when it comes to access controls: the access controls are how you control all the devices here and their ability to talk to each other. The default routing rules are yes, they can all talk, and yes, when you advertise routes, any of these devices can talk to these particular devices that are set up behind there. The rules have to be done inside of Tailscale, so you don't control any of the rules inside of pfSense for very specific routing information, with the limited exception that we'll get to when we talk about the firewall rules a bit later in the video. But for the most part it's relatively easy to set up. It's easy to add these devices, and we'll start by deleting a device because we already have this one configured, but we're going to delete my pfSense lab and show you how to add a pfSense to it. That part's really simple and pretty easy to get started with.

Now, this is the pfSense lab, and I want to start by actually doing "log out and clean". This will forcibly disconnect this particular pfSense, so now Tailscale is not running, and don't worry, these keys aren't reusable, but this is all a demo account anyways. So we've gone into Tailscale, and we leave this the same; this is what you would change if you were using something other than Tailscale, such as Headscale, as a coordination server. So you leave the login server the same and you just put in the pre-authorization key. So right now status is "not running". So we look at the settings: even though it's enabled, Tailscale is not working because we forced a log out and clean. Now if we go back over to Tailscale and look at the machines, you can see that it's offline, so we'll go ahead and just delete it. So this is pfsenselab and we're going to go ahead and remove it so we can add it again. So we've deleted it here. Then we go over to Settings and we want to go to Keys, and we want to generate an auth key. We don't want this key to be reusable; you could if there's some use case you have for it, but it's easy enough to create a key, so we don't want a reusable one. Ephemeral (machines authenticated with this key will automatically be removed after going offline), as in, do you want it to be temporary? Probably not. Tags: well, you can create tags to automatically put and apply different things to this particular key. But we'll go with Generate Key. Then we're going to hit copy, and we know the key is copied; go back over here, paste, then we just hit save. See it's enabled, and then hit save again here on Tailscale, then refresh and check the status page. We go over to the status page; here it's online and ready to go. It's pretty much instant, in real time. I did not have to edit any of that; matter of fact, the key already went away because it's been used. The pfSense lab is already showing up and showing connected. It's pretty much instant when you add a device inside of here for it to show up, not just for pfSense but for any other ones; there's not much of really a delay.

And down here, if we scroll down a little further on the status, I've blurred out the bottom where it has my public IP address, but it's giving you all the information about what is connected, and it can see all the other devices that are within this namespace of Tailscale that it can talk to. So these are all the other devices that are online. Of course, "talk to" by default is all these rules are open; you can talk to any of these devices, but if you change the ACL rules they will still just show up here, but, you know, you'd have control over the inner routings between these.

Now, in terms of settings over here, this is where you choose whether you want to accept subnets that other routes advertise. This is where you can get a little more advanced, and this is covered in Christian's video, and it's pretty simple: you just accept the route and then go over here to the routes, and for example in my system it's the 192.168.1 network, and if we go to this lab pfSense, the main screen here, that network does not exist over here, so it has a 3-dot network, 40, 22 and a 10-dot network. But we go over here to Diagnostics, then Routes; because we're accepting advertised routes, there's my Tailscale 192.168.1.0/24 tailscale0 route. Combine that with Firewall, NAT, Outbound, and then we say we would like anything heading to that destination to go out Tailscale. This is covered, as I said, in Christian's video. This lets devices behind here talk to that other system. It's probably the easiest I've ever set up a site-to-site VPN; using Tailscale just makes it really, really simple, and if they do have public IP addresses, Tailscale will have these devices talking directly to each other.

Now back over to my server. Now my system is already online. Keep configuration. Advertise this exit node: this is an extra feature that's pretty cool. If you say, "I want to offer to be an exit node," drop on internet traffic, you can take, and there are options in different Tailscale clients to say, "Hey, route things through an advertised exit node." What that means is, for example, with my phone I can actually have my phone routing all the traffic as if it's coming from my home. This is also very handy if you are traveling with your laptop and you would like a VPN to wrap everything in; Tailscale does have an option for that as long as you have an exit node among the nodes, and pfSense can act as an exit node by simply checking the box. Now, this does not need to accept any routes, because this is where the routes are coming from, not going to. So by doing this we don't have to put in any special outbound NAT rules. I only had to put in this route that already belongs to this network and say, "Hey, advertise this route." If I wanted more, you can advertise several different routes. The only thing I really want access to is things on the 192.168.1.0 network. It's called NSFW LAN; I have a video about setting up pfSense and I've covered why I call it that, but essentially it's my untrusted network of devices where things like, well, as I mentioned here, we have the SMB server, or the TrueNAS server.

Now let's talk about pinging that server, and this is the 192.168.72.110. So this is my little Ubuntu lab server; it's actually remote, it is not local to me. You can see it's not a 10-dot network, and this network exists actually over at my office, and Tailscale is facilitating this individual device connecting through the Tailscale coordination server and then getting connected to my pfSense and then having access to the routes. So we can do things like ping 192.168.1.8, easy enough to ping it, or .30, which is the SMB server.

Now this is where things get a little tricky, and I want to talk about the security concerns of this. If we go under Firewall, then Rules, please note there are no rules here under Tailscale. Let me explain the reason we're able to, and we'll go ahead and open up pftop and we'll filter for host 192.168.1, and then we're going to go and ping it again. If we ping 192.168.1.8 you'll see the ICMP packets coming from 192.168.1.1, and the reason why is because the way FreeBSD is going to handle the routing is it's going to send a packet from the subnet by which there is the most direct path, which is going to be 192.168.1.1. The routing is being handled internally by pfSense, so by me pinging, even though my origination IP address is this one here, the 192.168.72.110, that IP address isn't going to show up inside of here. So if we go back to pinging, it is not the source, because it's coming from the pfSense IP address that is attached to Tailscale. Might be a little confusing, but it's something to think about: that the firewall rules do not apply to this traffic because it's handled inside of pfSense in this way. This is where you would need those ACL rules.

That being said, what traffic is handled that way? That traffic is going to be my pfSense's Tailscale IP, which is 192 61. If I try to ping it, there's no response. If I were to try to get to the web interface, there's no response. So let's go ahead and add a rule under Tailscale here: going to add pass, pass any, so you just let it all go through; this is a wide-open rule here. We're going to hit apply, go back over here, and now we can ping. It's as simple as that. The control it does have is over whether or not you're able to do something with Tailscale within that IP address, like, for example, the web admin interface is technically now accessible. So if we change this, and we don't have a browser on this system, but if we did this on 104 3, well, I have access to it now. So now I'm actually able to, from all the other Tailscale nodes, get into the web interface of pfSense. That may be not ideal because they don't need access to that, so we're going to go ahead and shut that down. So it doesn't need any rules for this scenario, but I can still get to 192.168.1.8, so, as I said, it's coming out and routing as the pfSense.

Now from an ease-of-use standpoint, hands down Tailscale is just simple. It's probably the easiest: if you follow Christian's video on setting up site-to-site, which is just adding those couple of outbound NAT rules, dropping in Tailscale, I've never set up a site-to-site VPN so fast. It just makes it really easy to do, especially because if you want to add things like a phone in the middle of it to also communicate with the devices, well, advertise the routes on both sides and add your phone, and now the phone can actually talk to both sides of those pfSenses, provided none of the routes conflicted with each other; that would be a different problem. To start out, as long as you have completely separate subnets on all the pfSenses, as in, yes, it's not just site-to-site but site-to-site-to-site-to-site, a hub-and-spoke setup if you'd like, there's a lot of opportunity and a lot of options here, so I'm really happy they integrated Tailscale in here.

I will work on, if there are enough comments down below about doing a Headscale video, I kind of want to dive into it. I really like the way Headscale works; it's quite simple because it doesn't need to join in, and neither does Tailscale, by the way. The routing that's being done is between the devices. It only goes into relay mode, where the traffic, albeit encrypted with a WireGuard tunnel, would pass through the external server, under the circumstance where no way could it negotiate any of the UDP hole punching. Essentially it is used in order to get the devices talking to each other, but even without opening any ports all this works extremely smoothly. And I've talked before, and I dove into it with the other videos, as I mentioned, how UDP hole punching works, and I highly, highly recommend you read the entire NAT section of Tailscale because it explains all the different varied versions of NAT networking, not as it relates to Tailscale but just how NAT works in general. It's actually a great lesson, I think, in network engineering, and just a wonderful read for those who go, "I wonder how NAT works, and I wonder about all the little different facets, or how do you deal with something when it's double or triple NATed and behind CGNAT, or what if two devices were behind CGNAT, could it work?" Tailscale is a solution for even devices that are on CGNAT, where it can see the coordination server and still talk, and this is still functional inside of pfSense, and it's basically the full-featured Tailscale client on there, and whether you use Headscale or Tailscale it does work.

So leave your comments down below or head over to the forums for a more in-depth discussion, and thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a Join button here for YouTube and a Patreon page, where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store, where we have a wide variety of shirts that we sell, and designs come out, well, randomly, so check back frequently. And finally, our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.
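The video makes the point that reachability between Tailscale nodes and into the advertised subnet is governed by Tailscale's ACL policy, which is open by default, while a pass-any rule on the pfSense Tailscale interface additionally exposes the pfSense web UI to every node. The Python below is an added example (not from the video, Netgate or Tailscale) that evaluates a simplified subset of Tailscale ACL syntax, comparing the default allow-all policy with a tightened one for the devices discussed. The node names and the 100.64.0.0/10 addresses are constructed assumptions; only 192.168.1.0/24 and hosts .8 and .30 come from the video.

```python
"""Added example: a small evaluator for a subset of Tailscale ACL policy syntax.
It checks whether a node may reach an IP:port, including addresses reached
through pfSense's advertised subnet route (192.168.1.0/24 in the video)."""
import ipaddress

# Constructed Tailscale node addresses (100.64.0.0/10 is the range Tailscale
# assigns from); the names and exact values are assumptions for this example.
HOSTS = {
    "laptop": "100.64.0.10",      # roaming laptop
    "lab-server": "100.64.0.20",  # remote Ubuntu lab server
    "pfsense": "100.64.0.1",      # pfSense node advertising 192.168.1.0/24
}

# Tailscale's default policy: every node may reach every destination and port.
DEFAULT_POLICY = {"acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]}]}

# Tightened policy. Tailscale ACLs are default-deny, so pfSense's own Tailscale
# address (and therefore its web UI) is reachable by nobody, the laptop may reach
# anything on the advertised LAN, and the lab server only two services.
RESTRICTED_POLICY = {
    "acls": [
        {"action": "accept", "src": ["laptop"], "dst": ["192.168.1.0/24:*"]},
        {"action": "accept", "src": ["lab-server"],
         "dst": ["192.168.1.8:22", "192.168.1.30:445"]},
    ]
}


def _ip_matches(pattern, ip):
    """'*', a host alias from HOSTS, a single IP, or a CIDR."""
    if pattern == "*":
        return True
    pattern = HOSTS.get(pattern, pattern)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(pattern, strict=False)


def _port_matches(pattern, port):
    """'*', a single port, or a 'lo-hi' range."""
    if pattern == "*":
        return True
    lo, _, hi = pattern.partition("-")
    return int(lo) <= port <= int(hi or lo)


def _dst_matches(pattern, ip, port):
    """Destination entries look like 'host:port' with comma-separated ports."""
    host, _, ports = pattern.rpartition(":")
    return _ip_matches(host, ip) and any(_port_matches(p, port) for p in ports.split(","))


def allowed(policy, src_ip, dst_ip, dst_port):
    """True if any accept rule matches; Tailscale ACLs have no explicit deny."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if (any(_ip_matches(s, src_ip) for s in rule["src"])
                and any(_dst_matches(d, dst_ip, dst_port) for d in rule["dst"])):
            return True
    return False


if __name__ == "__main__":
    # Default policy exposes the pfSense web UI (port 443) to every node.
    print(allowed(DEFAULT_POLICY, HOSTS["laptop"], HOSTS["pfsense"], 443))     # True
    print(allowed(RESTRICTED_POLICY, HOSTS["laptop"], HOSTS["pfsense"], 443))  # False
    print(allowed(RESTRICTED_POLICY, HOSTS["laptop"], "192.168.1.30", 445))    # True
```

The evaluator ignores Tailscale features such as groups, tags and autogroups; it is only meant to make the default-open versus default-deny contrast concrete.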
Info
Channel: Lawrence Systems
Views: 47,400
Keywords: LawrenceSystems, tailscale setup, tailscale pfsense, how to setup tailscale, tailscale wireguard, tailscale tutorial, virtual private network in computer network, virtual private network explained, tailscale vpn server, tailscale vpn review, pfsense vpn, pfsense vpn site to site, pfsense vpn client, pfsense vpn server setup, pfsense vpn server, pfsense vpn remote access, pfsense vpn tunnel
Id: P-q-8R67OPY
Length: 17min 9sec (1029 seconds)
Published: Tue Jul 19 2022