Erik Thorsell

DevOps Transformation Leader trying to automate the world.

3 minute read

Ever since I got my own place I have been hosting my own VPN. The purpose has been both to (1) ensure I can reach my stuff when I’m out and about, and (2) have a way to tunnel traffic when connecting to networks I’m not in control of1. I started my VPN-journey with my good ‘ol Asus RT-N66U which had a rudimentary PPTP VPN built in, but I quickly replaced the default firmware with Tomato and IIRC I ran an OpenVPN Server for a while. I say “for a while”, because I soon upgraded(?) my setup significantly, by building my own Debian-based router where I – again – ran OpenVPN.

pfSense + OpenVPN & Wireguard

Since a couple of years back, I’m running pfSense2 and when I setup my first pfSense box I naturally deployed an OpenVPN Server to go with it. Certificate based auth was just a couple of clicks away and the service has been serving my household very well for several years. I did dabble a little bit with Wireguard too, but truth be told I never really got it to work the way I wanted it to.

Tailscale as a mesh network

A couple of years ago, I first heard about Tailscale. I figured it seemed like a nice product, but I didn’t really have a need for such a solution at the time. This all changed when I wanted to have a NAS at my mother’s place to act as an off-site backup. Her crappy, ISP-provided, little router/firewall/switch combo-box did not have the possibility to run a VPN Server. I also doubt her ISP would provide a public IP for her. Lastly, even if both of these assumptions proved to be incorrect, I would not want to setup port forwarding in her firewall.

Well….

I started to look into Tailscale a little bit more and found that it was perfectly suited for this use case. I sat down to install Tailscale on the NAS and on my laptop, deployed a simple Allow all ACL configuration, and they could talk within minutes. I joined my phone and all three devices were now able to talk to each other as if they were on the same LAN.

Sweet.

Tailscale as a regular VPN

Tailscale solved the problem:

How should I be able to communicate with a device which is not really accessible over the public Internet?

but I still ran my OpenVPN Server in parallel for a long time (years), simply because I wasn’t sure whether Tailscale would be able to satisfy my other VPN-needs.

Until this past weekend.

I did some more reading and learned about two critical features for me:

  1. Subnet routers
  2. Exit nodes

The former let you extend your Tailscale network (known as a tailnet) to include devices that don’t or can’t run the Tailscale client, and the latter can be used to tell your device to route all traffic through your tailnet – not only the traffic that is going between Tailscale-adopted devices.

My Tailscale configuration

In pfSense, I have installed the Tailscale package and configured it s.t. it offers to be an exit node and advertises routes. More specifically, I have advertised the subnet corresponding to the VLAN where I have the things I want to be able to connect to as well as /32-CIDR which points at the IP of my reverse proxy. I have also enabled both Accept DNS and Accept Subnet Routes.

On the Tailscale side I have the following grants:

{
 "grants": [
    // Allow admin-devices to reach everything
    {
      "src": ["tag:admin-devices"],
      "dst": ["*"],
      "ip": ["*"]
    },

    // Allow family-devices to reach HA Proxy VIP
    {
      "src": ["tag:family-devices"],
      "dst": ["10.10.11.1/32"],
      "ip": ["*:80", "*:443"]
    },

    // Allow admins and family members to use Tailscale as an exit node
    {
      "src": ["tag:admin-devices", "tag:family-devices"],
      "dst": ["autogroup:internet"],
      "ip": ["*"]
    },

    // Grant access to Synology NAS @ mom's
    {
      "src": ["tag:admin-devices", "tag:pfsense"],
      "dst": ["tag:synology-mom"],
      "ip": ["*"]
    }
  ]
}

NOTE: The last grant, paired with a NAT rule in pfSense, allows devices on specific IP:s to communicate directly with the off-site NAS even though they do not have Tailscale installed on them. Very convenient.

All in all, my configuration has proven itself over the past week and I have disabled my OpenVPN Server. My only complaint thusfar is that the Tailscale iOS client is quite the battery drainer, so the VPN On Demand feature isn’t really useful.

  1. More recent use cases also includes (3) being able to stream content only available from Sweden, when going abroad. 

  2. This is not a post about Netgate politics and controversies, maybe another post… 

Updated:

You May Also Enjoy

Automate everything and document why

7 minute read

Almost 2 000 comics (and over 12 years) ago1, Randall Munroe created the XKCD Comic Is it worth the time? (seen below). At the time of commit...

Writeup for Cert.se’s CTF 2024

15 minute read

I made an attempt to get as many flags I could in one day because that’s the amount of time I could set aside for this. I got five flags out of nine. I think...