OPNsense Forum

English Forums => General Discussion => Topic started by: mdedetrich on March 13, 2025, 05:29:46 PM

Title: Tailscale with subnet routing not working
Post by: mdedetrich on March 13, 2025, 05:29:46 PM
I am trying to use Tailscale as a VPN for my home network so that I can connect to my home network from other networks. The setup for my home network is quite trivial; the only thing that is non-standard is that my LAN is set up as a bridge, since I have multiple NICs on the router where OPNsense is installed and hence each of these NICs is connected to its own switch.

The bridge is set up like so:

https://imgur.com/WgzLDE7

And here is the NIC/interface setup

https://imgur.com/2i5g8DI

What I am trying to get working is subnet routes (https://tailscale.com/kb/1019/subnets): basically, rather than having to have a Tailscale client installed on every machine on my home network, I would like to connect to those machines using their LAN IPs (in my case specifically 192.168.1.0/24).

These are the settings for my Tailscale:

https://imgur.com/gDA8rGs

And here are the advertised routes:

https://imgur.com/hfH2xCD

I followed the guide at https://tailscale.com/kb/1097/install-opnsense, which means that aside from having "randomizeClientPort": true in my Tailscale ACL, I also have the following Tailscale settings added:

https://imgur.com/Z522uW0

That last "Tailscale outbound NAT rule" setting is a result of https://forum.opnsense.org/index.php?topic=35464.msg177360#msg177360

https://imgur.com/uBq4tww

https://imgur.com/IiVaZcP

The issue is that even with all of these settings enabled and everything looking okay from Tailscale's side, if I use a network other than my home one (i.e. the phone hotspot that I use for testing) and then connect to Tailscale, I cannot reach the machines on my LAN.

Even standard pings don't work, i.e. if I am directly connected to my home network and want to ping my NAS, which is on 192.168.1.100, that will obviously work, but when connected via Tailscale, pinging 192.168.1.100 fails. Interestingly, pings to my OPNsense router (192.168.1.1) also fail, and even more interestingly, pinging the Tailscale-assigned IP of my OPNsense router (the ones that start with 100) also fails.

Does anyone have any idea what the issue could be?
Title: Re: Tailscale with subnet routing not working
Post by: bartjsmit on March 14, 2025, 07:31:23 AM
Did you approve the subnet route in your tailnet admin console? It's under edit route settings for the firewall node.
Title: Re: Tailscale with subnet routing not working
Post by: mdedetrich on March 14, 2025, 10:37:23 AM
Quote from: bartjsmit on March 14, 2025, 07:31:23 AM
> Did you approve the subnet route in your tailnet admin console? It's under edit route settings for the firewall node.

Yes I did, and it's approved:

https://imgur.com/FeGogO3

https://imgur.com/FdeWJHF

https://imgur.com/nhDJZKt

Here are also the settings of the machine:

https://imgur.com/RR5gZ4L

Title: Re: Tailscale with subnet routing not working
Post by: Sage_viper on March 14, 2025, 10:10:38 PM
I'm having a similar problem, except that I can reach my OPNsense router and the switch everything else is connected to, but I cannot reach what is on the other side of the switch.

That said, from my research I believe you need to advertise an exit node and then connect to your exit node on the client side.
Title: Re: Tailscale with subnet routing not working
Post by: mdedetrich on March 14, 2025, 11:43:36 PM
Quote from: Sage_viper on March 14, 2025, 10:10:38 PM
> That said, from my research I believe you need to advertise exit node and then connect to your exit node on the client side.

You mean that I need to enable the exit node on the Tailscale instance running on OPNsense via this setting: https://imgur.com/SQro32E ? I tried doing that before and it didn't help, but I can re-enable it to try it again.

Also, does the client connecting to Tailscale need to enable any of these settings? https://imgur.com/K1StxPd
Title: Re: Tailscale with subnet routing not working
Post by: Sage_viper on March 14, 2025, 11:51:16 PM
You'll advertise the exit node from OPNsense, approve it on Tailscale, then from your client outside of the network, connect to Tailscale and use the OPNsense exit node.

I believe the two settings shown are asking if you want to run the client as an exit node and subnet router, which is not necessary or wanted.
Title: Re: Tailscale with subnet routing not working
Post by: mdedetrich on March 15, 2025, 12:15:48 AM
Quote from: Sage_viper on March 14, 2025, 11:51:16 PM
> You'll advertise exit node from Opnsense, approve on tailscale, then from your client outside of the network, connect to tailscale and use the Opnsense exit node.
>
> I believe the two settings shown are asking if you want to run the client as an exit node and subnet router, which is not necessary or wanted.

Thanks so much! I figured it out and now it's working as expected. Turns out you need to use it as an exit node as well and explicitly connect to the machine as an exit node.

The only issue right now is that mDNS doesn't work. I tried using the mDNS-repeater plugin with the LAN and TLSCL interfaces, but it doesn't seem to be working. Looks like a fundamental issue behind Tailscale: https://github.com/tailscale/tailscale/issues/1013 ?
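The thread's two checks, whether the advertised subnet route is actually approved and whether the exit node the OP ended up needing is approved too, can be verified from the OPNsense shell instead of the admin console. The script below is an added example, not code from the thread or from Tailscale; it assumes that `tailscale status --json` exposes the node's approved routes under `Self.AllowedIPs` and that `tailscale debug prefs` exposes `AdvertiseRoutes`, and it runs on constructed sample output so it works offline.

```python
import json
import ipaddress

# Constructed sample of `tailscale status --json` on the OPNsense node (shape assumed,
# addresses made up). AllowedIPs is assumed to carry the routes the control plane approved.
STATUS_JSON = """{
  "Self": {
    "HostName": "opnsense",
    "TailscaleIPs": ["100.101.102.103"],
    "AllowedIPs": ["100.101.102.103/32", "192.168.1.0/24"]
  }
}"""

# Constructed sample of `tailscale debug prefs` (shape assumed): what the node advertises.
PREFS_JSON = """{
  "AdvertiseRoutes": ["192.168.1.0/24", "0.0.0.0/0", "::/0"]
}"""

# Advertising these two routes is what makes a node an exit node.
EXIT_ROUTES = {ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("::/0")}


def diagnose_routes(status_json: str, prefs_json: str) -> dict:
    """Compare advertised routes against approved ones and report what is still pending."""
    status = json.loads(status_json)
    prefs = json.loads(prefs_json)
    advertised = {ipaddress.ip_network(r) for r in prefs.get("AdvertiseRoutes", [])}
    allowed = {ipaddress.ip_network(r) for r in status["Self"].get("AllowedIPs", [])}
    # The node's own /32 and /128 addresses are in AllowedIPs but were never advertised,
    # so intersecting with `advertised` leaves only subnet and exit routes.
    approved = allowed & advertised
    pending = advertised - allowed
    return {
        "subnet_approved": sorted(str(r) for r in approved - EXIT_ROUTES),
        "subnet_pending": sorted(str(r) for r in pending - EXIT_ROUTES),
        "exit_node_advertised": bool(advertised & EXIT_ROUTES),
        "exit_node_approved": EXIT_ROUTES <= allowed,
    }


def covered_by_approved_route(status_json: str, target: str) -> bool:
    """True if a LAN address such as the NAS at 192.168.1.100 lies inside an approved route."""
    status = json.loads(status_json)
    ip = ipaddress.ip_address(target)
    return any(ip in ipaddress.ip_network(r) for r in status["Self"].get("AllowedIPs", []))


if __name__ == "__main__":
    print(json.dumps(diagnose_routes(STATUS_JSON, PREFS_JSON), indent=2))
    print("192.168.1.100 reachable via approved route:",
          covered_by_approved_route(STATUS_JSON, "192.168.1.100"))
```

On a live node, replace the two constants with the real command output; an advertised route that shows up as pending is the "approve it in the admin console" step from the thread, and an approved subnet route with `exit_node_approved` false reproduces the state the OP was in before enabling the exit node.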