How to Set Up Tailscale on OPNsense

  • Post author:WunderTech
  • Post published:March 17, 2023
  • Post last modified:May 10, 2024
  • Post category:OPNsense
  • Reading time:10 mins read

Share what you're reading!

In this article, we will look at how to set up Tailscale on OPNsense.

Tailscale is a zero-configuration VPN, which means that without any port forwarding, you’ll be able to access all the devices on your local network. If you’re using OPNsense, it’s a great location to run Tailscale.

Please keep in mind that if you’d like to utilize a more traditional VPN, you can still set up OpenVPN or WireGuard. However, both of these options require port forwarding, whereas Tailscale doesn’t. From a pure configuration standpoint, Tailscale is incredibly easy to set up and we’ll look at how to set up Tailscale on OPNsense below.

Before we proceed, I want to be clear that there is no package or plugin for Tailscale on OPNsense. Therefore, we will be utilizing SSH.

How to Set Up Tailscale on OPNsense

We will look at how to set up Tailscale on OPNsense below.

1. As mentioned above, there is no package for Tailscale on OPNsense. In order to get it running, we must SSH into our OPNsense device. Select System, then Settings, then Administration.

opnsense administration section. how to set up Tailscale on OPNsense.

2. Under Secure Shell, enable the three options below:

  • Enable Secure Shell
  • Permit Root User Login
  • Permit Password Login

When you are finished setting up Tailscale, DISABLE ALL THREE OPTIONS ABOVE!

enabling ssh support in OPNsense.

3. SSH into OPNsense using your favorite SSH client or by running the command below in Windows PowerShell or the MacOS Terminal.

ssh root@[OPNSENSE_IP]

4. Enter 8 to access the Shell.

accessing the shell in OPNsense.

5. Run the commands below, step by step, in order (one line at a time).

opnsense-code ports
cd /usr/ports/security/tailscale
make install

6. After Tailscale is fully installed (it will take a few minutes), run the commands below to enable, start, and bring up the Tailscale tunnel.

NOTE: If you would like to advertise a local subnet (so that you can access it from outside of your local network), add the advertise routes section below with the subnet that you’d like to use.

If you’d like to advertise an exit node (explained in a later step for a full-tunnel VPN), you must use the exit node section below.

service tailscaled enable
service tailscaled start
tailscale up --advertise-routes=[SUBNET] --advertise-exit-node
bringing up the tailscale server.

Example using a Local Subnet

advertising a route in tailscale.

7. At the bottom of the screen above, a URL will be listed. Navigate to that URL.

accessing the webpage to connect tailscale.

8. After navigating to the webpage and logging in, select Connect to connect OPNsense to your Tailscale account.

connecting tailscale to opnsense.

9. Head back to OPNsense, select Interfaces, then Assignments, and add the Tailscale interface.

adding the interface in opnsense.

10. After adding the interface, select the name, then enable the interface and prevent interface removal. Give it a description, then save and apply.

enabling the interface in opnsense.

Exit Node/Subnet Routes – How to Set Up Tailscale on OPNsense

If you set up Tailscale as an Exit Node, the Exit Node can be used as a full-tunnel VPN. The image below shows what a full-tunnel vs split-tunnel VPN is, but the important point is that all traffic will be routed through Tailscale if you use an exit node.

Therefore, if you’re on public Wi-Fi, it’s probably a good idea to use this feature as you’ll be tunneling all traffic through Tailscale (thus, securing the connection).

showing how a split-tunnel vpn routes only local traffic to the network while a full tunnel routes everything.

A few things must be configured to set this an exit node in Tailscale:

1. On the Tailscale website, select Machines, then the three ellipses next to your OPNsense system, then Edit Route Settings.

editing route settings in tailscale.

3. If you want to use a full-tunnel VPN, enable the subnet route and use as exit node. This will configure a full-tunnel VPN.

If you only want to use a split-tunnel VPN (meaning only being able to access the 192.168.100.0/24 subnet in the screenshot below), select that option, but do not select the “use as exit node” option.

subnet/exit node settings in tailscale.

4. If you want to use an exit node, select Use Exit Node (on whatever application you’re using) and change the exit node to the Docker machine.

If you do not want to use the exit node, select None, but ensure that Allow LAN Access is enabled so that you’re able to connect to your local devices.

NOTE: The screenshot below uses pfSense, but it’ll be the same for your OPNsense configuration.

forcing the android tailscale app to use the exit node of pfsense.

5. Tailscale is now configured! You can now add other devices or simply connect to Tailscale from an external network to access all of your local devices.

Make sure you go back into OPNsense and disable SSH.

Conclusion: How to Set Up Tailscale on OPNsense

This tutorial looked at how to set up Tailscale on OPNsense. Tailscale is slightly more confusing to set up on OPNsense than other operating systems (due to the fact that there’s no package/plugin on OPNsense), but it’s still one of the easiest and fastest ways of setting up a VPN server on OPNsense.

It is important to note that this isn’t a traditional VPN the way that OpenVPN or WireGuard is, but it’s the fastest way to access your local network and doesn’t require any port forwarding.

Thanks for checking out the tutorial on how to set up Tailscale on OPNsense. If you have any questions on how to set up Tailscale on OPNsense, please leave them in the comments!