Hey guys, so I’ve been self hosting for 2 years, making small upgrades until I reached this point where I replaced my router with one of those Chinese fanless firewalls running Intel n150 and running a proxmox homelab.
I am self hosting headscale with many of my buddies connected, including ny own services. Everything was working great until I setup OPNsense.
The firewall was not easy to setup, but after I set it up, I discovered odd behaviors from tailscale.
The firewall was blocking all connections from the ip 100.60.0.0/24, I had to explicitly allow it and change the forewall state to hybrid
What happens is that my LXC containers running tailscale would receive requests from tailscale0 interface but respond via LAN.
Apparently as I understood, consumer routers have assymetric NAT so that works fine, but not with opnsense.
Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.
For now temporarily I set an ip route to tailscale0 and resolved it that way temporarily, but I still cannot get a solution that can help without compromising the firewall.
It’s also very cumbersome to do this for 50+ LXC containers over and over, even with running systemd scripts a problem might happen in the future
If you guys have any experience with this it would help a lot.
You must log in or register to comment.
Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.
Opnsense is not my forte, but I do run it’s counterpart pFsense. I use Tailscale as an overlay VPN on both the server and on my standalone pfsense firewall as a pFsense package. Is there a reason you don’t want Opnsense firewall via tailscale? My set up is as follows:
modem —>wireless router —> managed switch —> pFsense with Tailscale overlay —> server (separate VLAN) with Tailscale overlay
It doesn’t make sense to me to expose it to the tailnet even with ACL, on opnsense there is a bug where it would request re-authentication on each restart so that’s an added negative for me when it comes to adding it.
But what exactly do I benefit from adding the firewall directly part of the tailnet? It’s kinda weird when you think about it, this bad boy is the highest tier device where internet comes from and having it to connect to my homelab that depends on it for internet and having the firewall depend on the homelab for tailscale
But what exactly do I benefit from adding the firewall directly part of the tailnet?
Protection of the firewall via it’s overlay VPN characteristics, and communication to the server behind the firewall via an encrypted tunnel.
Have you considered using Cloudflare Tunnels/Zero Trust? With Cloudflare Tunnels/Zero trust, you don’t need to open or close ports, fiddle with NAT, or any of that. You install it on your server, connect to Cloudflare, it punches a hole for the encrypted tunnel. I personally use Cloudflare Tunnels/Zero Trust. Their free tier is quite generous and has many options like Anti-AI scrapers, etc. The caveat to using Cloudflare Tunnels/Zero Trust is that you have to have a domain name that you can edit the nameservers thereof to Cloudflare’s assigned nameservers for obvious reasons. Cloudflare will sell you a domain name, but a lot of people just get a cheapy from NamesCheap or Pork Bun. I got one for less than $5 USD that renews at $15 USD annually.
So, in the scenario that I described in my first response:
modem —>wireless router —> managed switch —> pFsense with Tailscale overlay —> server (separate VLAN) with Tailscale overlay
…is all done through Cloudflare Tunnels/Zero Trust with Tailscale on the server and Tailscale on the standalone pFsense firewall as an overlay VPN protection. Additionally, Tailscale makes for a very secure, emergency ‘backdoor’ to your server should you ever screw up and lock yourself out.
on opnsense there is a bug where it would request re-authentication on each restart so that’s an added negative for me when it comes to adding it.
I’ll have to defer to someone more experienced with Opnsense.
No experience with tailscale, but I have opnSense on a firewall appliance like yours and run two wireguard networks one from the opn itself and one from my home server, which is in the DMZ. They all work just fine…
They have different scope and remote peers, but both use my VPS as enter gateway since I am CGNATted.
