How to Setup The Tailscale VPN and Routing on pfsense

How To Setup pfsense OpenVPN Policy Routing With Kill Switch Using A Privacy VPN
th-cam.com/video/ulRgecz0UsQ/w-d-xo.html
How Tailscale Makes Managing Wireguard Easy
th-cam.com/video/bcRVkoeSN0E/w-d-xo.html
Tailscale VS ZeroTier
th-cam.com/video/lAhD2JDVG08/w-d-xo.html
Netgate tailscale Blog post
www.netgate.com/blog/tailscale-on-pfsense-software
tailsacle NAT write up
tailscale.com/blog/how-nat-traversal-works/
Headscale GitHub
github.com/juanfont/headscale/tree/main/docs
tailsacle userspace kernel
tailscale.com/kb/1177/kernel-vs-userspace-routers/
⏱ Timestamps ⏱
00:00 pfsense tailscale package
03:31 Headscale server
04:19 Tailscale Web Management
05:26 Tailscale Access Control Security
06:10 Managing Tailscale in pfsense
09:36 pfsense routes and exit node
10:48 Tailscale Connectivity and Firewall Security

Another suggestion, when operating on two different pfSense instances, it's easier for the audience to tell which pfSense is currently being configured if they uses different color scheme.

Headscale videos are non existent! Maybe you could do a quick "How TO - Setup" guide for the people :)

Been using Tailscale for a while now and been having to use raspberry pi pas at a couple sites at Tailscale subnet routing bridges. This is awesome. Very welcomed plug-in.

Thank you for the video. Will definitely take a look at the NAT article.

Thanks for sharing, love your work you give sharing knowledge about pfsense

Great video Tom, and thankyou for all the great work 👍🏼

tailscale is such an incredible tunnel resource! I have starlink (which has carrier NAT), so making a tunnel home has been troublesome... not with tailscale! it works great! and i can access everything behind pfsense, thank you for this video!!!

Excellent tutorial as usual. Many thanks.

Thank you so much Tom for another great tutorial. If you could do a video on Headscale it would be most appreciated.

Thanks Tom, this is perfect timing for me. I recently started moving off of my local WISP to T-Mobile and AT&T, and was working through some solutions to get around CGNAT. Although I've been successful so far, I'm not an "all my eggs in one basket" person, so I like options. I'm going through now and setting up a Tailscale configuration. I'd also like to see a Headscale video.

followed your guide.. its realy simple and easy..

Coming behind the actual tech improvement. May be it is already done. here my upvote for headscale tutorial. Thanks for this one

My network is something similar but using two firewalla devices in router mode in different locations for site-to-site VPN access between both using Wireguard protocol. I mapped my NAS located on another site using its local IP through the VPN on a PC. It works pretty well.

Thanks. Great section for the firewall rule. I was wondering why I have no access to my PFsense web UI from tailscale. The rule solved my issue as I needed a quick way to get to the managment UI from anywhere.

Tailscale exit node and route advertising make is so much more appealing than nebula & zerotier. Will definitely try out headscale to scale beyond the tailscale 20 free limit. Tailscale on pfsense just blows my mind!!!

12.59 I noticed the option interface has the value Tailscale for the dropdown menu. Does this mean you need to assign Tailscale to a Pfsense interface? Thought that it was mandatory only for geolocation VPN solution

I would like a headscale video (and a pfsense package lol). I basically already have this setup with pure wireguard as a site to point to pfsense installed on a VPS, I then connect other VPS servers to that pfsense install and can access them as if they are a part of my lan but I would really like a UI for scalability. Will have to try tailscale for now.

I have existing ipsec tunnels from different locations connected to 1 pfsense box as a site 2 site connection, how would I go about advertising those subnets with tail scale aswell? I have simply added them to advertised routes but that doesn't seem to be enough.

This example only allows one direction from all the other sites to tom-home-pfsense. In order for a 2-way site to site vpn using tailscale, it seems that you need to enable subnet routes for the machine in tailscale, and advertise subnet routes on the pfsense eg. lts-tailscale and put the correct outbound NAT on each other pfsense you want to access from. The free version of tailscale only allows 1 free subnet router... they have a soft limit so you could probably add another one like I did to test for a while.

can you include/exclude apps to use tailscale and how do you have 1 main tunnel and conect other devices to the tunnel?

I have an IPsec established from the pfsense, to a remote subnet. From the LAN it works fine, but when I try to advertise the subnet , clients cannot find it. I tried advertising the LAN like you did, and it worked just fine. Thinking there needs to be some NAT rule or something

Many Thanks....

Is is possible to show a senario where you have 2 pfsense firewalls where tailscale connects to sites and each site has a few vlans on their lan side and only some vlans is allowed to talk to some vlans at the other site ?

Thanks for the video. Clear and concise. I notice on your Tailscale Machines page you have the local subnets listed in the addresses column along with the Tailscale address. While my setup is working just find between 2 subnets, my Machines page is only showing me the Tailscale addresses and not the local subnet addresses. Did I miss how this is enabled? Thanks

Greatly appreciate the videos you create. Curious though how much of a performance difference is there between Tailscale and Wireguard? Would love to see the comparison. If it’s drastically different I would consider switching over.

Some how I kept missing the part where Tailscale (genx)was talking about adding a firewall rule for Tailscale and was not working not passing traffic or pingable although would try connection till timeout.
I’ll have to do that when I get home.

Playing round with it, but can't see a use case for me above having Wireguard / OpenVPN on the pfsense. Lack of opening ports is good. Will delve deeper. I'm not behind CGNAT and such.

id love to see someone going trough the process of setting up ACL on a virgin tailscale network.. for the less network minded folks so to say :)

A bit of a stupid question perhaps, but can you run an exit node that that exposes routes on anything other than the pfsense (for example, a machine running Linux in the LAN). Or an Azure VM in the same subnet as other VMs.

Great video! Nice way you put everything in order and made them clear. I would like to see though a video regarding different setups and how to manage pfsense with the tailscale package. For example, is it possible to access a device in tailscale network from behind the pfsense, without having the tailscale client installed?

I can use this as ab alternative to zerotier, which works great but I need a VM to keep it up.

A headscale video would be greate

Time for ZeroTier. It needs to be added to pfsense.

If I have tailscale installed on my pfsense router like you do in your video, how can I configure things so that mobile devices connected to tailscale can take advantage of the pihole dns that I use on my network? My pihole service runs on the same network as the pfsense router.

Thanks Tom for the video. Can you please do a basic tutorial on setting up pfsense with headscale including basic acl that allow accessing pfsense vlans or lan devices?

Pretty cool to see there is now a tailscale pfsense package. I could see this being pretty useful if I were behind a CGNAT ISP, but the tailscale managed connection interface definitely worries me. I essentially view this as opening my local private LAN to an external company. Not worth the risk in my view.
Thus headscale is a pretty appealing offering.
I’m not behind a CGNAT so I don’t really have much of a usecase for either. I use wireguard to access my LAN remotely and use OpenVPN for a site to site VPN.
The only VPN troubles I have is that when traveling I sometimes find hotels block my wireguard remote access VPN. I don’t think tailscale would behave any differently but I haven’t tried it myself. I believe it would use similar ports to any wireguard VPN. Maybe either can be setup to run on 443? Not sure

Great tutorial, wondering why you differed from Christian McDonald's outbound NAT. You set the destination and he set the source. I guess it makes no difference. Thanks Tom, again great tutorial.

Thanks for the video; one question: how did you set up a subnet router in PfSense?

Tailscale is based on Wireguard. What secret sauce Tailscale added publish routes so that non-tailscale (client install ) can be easily reached via overlay network ? Can some one explain this.

I've got two networks on two different pfSense boxes talking to each other, accessible, etc... Great, thanks! What I'd like to do though is have one pfSense be the Exit Node for the other, i.e. all the traffic in and out of one pfSense is going through the other. I see how to use Exit Node with a phone or laptop, but not how to tell the pfSense subnet router to use the other one... Any ideas? Thx

Awesome video, thanks for creating it. Is there an easy way to get Tailscale traffic bound for the WAN to use a non-default Gateway?

Hi Tom. Great explanation, thanks.
Is it possible to route TS to HA-Proxy to access my services behind HA-Proxy? Any hint for me? TNX

Tailscale won't let me generate a key, I think because my role is an Owner. Can anyone tell me how to change my role to Admin or Network Admin?

Would to see selfhosted zerotier network via zero-ui

What happens if I link multiple networks that use the same subnets? Guess I will find out when I add another...

is it possible to use ospf over tailscale to advertise the routes instead of tailscale itself?

Does it even works on opnsense?

Tailscale could be just what we need, can you limit access to just a couple of ports on a windows device in your network eg. camera DVR? I have other apps on this server that I don't not want to open up particularly with limited or no access logging available. As the DVR needs a username and password, I am ok with that level of risk. If this is doable, how could you do it securely?

Hi brother .. Is there a NAT punch hole in a Tailscale? I want to redirect ports from our Huawei router to my computer to be able to utilize it. The Port Forwarding in our router is not working cuz something is blocking it. Please acknowledge my comment.Thank you very much

Assuming I don't plan to access my firewall pfsense directly from the open internet and want only to access some boxes where I have TS clients installed, why do I even need TS on my router?
Happy New Year all!

Man, none of that automated Tailscale routing happened for me. All my stuff looks like yours, but I don't have any firewall NAT or outbound rules. I can't even ping the box from the Tailscale network even though everything looks good. Something's gotta be messed up here.

I really wish this tutorial show each step including the firewall rules. I cannot get my subnet routes to work

great video again.. One thing I'm worried about is the fact that there is no login on the android tailscale app... it authenticates without any login/credentials, totp... if someone gets their hands on your phone and unlock it they are free to do whatever they want... Unless ofc I'm missing something, which is very possible :)

I never knew this existed. NOICE.

This might be an answer to my prayers.. LOL. Do you think it's possible to have, for example, Unifi software to control Hotspots in different offices with different IPs, but have the same WiFi mesh?

I have set tailscale up on OpenWRT but be very mindful that it will om nom nom your CPU if your's is not ARM 64 or x86 even if it has crypto accelerators.

Tailscale is backed by CRV, Insight Partners, Accel, Heavybit, Uncork Capital, and individual investors. Its May 2022 Series B added $100 million in funding.

Tailscale and Ubiquti USG firewall rules , can you hellp me ?

Don't bother trying to install this with 2.5.x It shows up but will just error trying to install a dependency.

the settings are not easy and the video is so convoluted... ehhhh

First