Messages - RaymondFFX

#1
Hi,

Background: I have a home battery that needs connection to my utility meter that monitors my current energy usage from/to the grid.
The battery searches for the utility meter in the same subnet via the broadcast address.
However, the battery and utility meter are not in the same subnet.
The app for the battery does not allow manually inputting an IP.

Therefor I am using socat to relay that broadcast package to the utility meter which allows them to find each other:
socat UDP4-RECVFROM:1010,fork UDP4-SENDTO:10.10.10.111:1010 &
Problem: I want to run socat, in the background, on startup.

So far I have tried 2 things:

1. Creating an rc service as /usr/local/etc/rc.d/socat_discovery
Contents:

#!/bin/sh

# PROVIDE: socat_discovery
# REQUIRE: LOGIN DAEMON
# KEYWORD: shutdown

. /etc/rc.subr

name="socat_discovery"
rcvar="socat_discovery_enable"
pidfile="/var/run/${name}.pid"

# socat does not daemonize itself, so start it under daemon(8), which
# detaches it from the rc script and records its PID in ${pidfile} so
# that "status" and "stop" work. procname tells rc.subr which binary
# the PID in the pidfile belongs to.
socat_args="UDP4-RECVFROM:1010,reuseaddr,fork UDP4-SENDTO:10.10.10.111:1010"
procname="/usr/local/bin/socat"
command="/usr/sbin/daemon"
command_args="-p ${pidfile} ${procname} ${socat_args}"

load_rc_config ${name}
run_rc_command "$@"

I also added socat_discovery_enable="YES" into /etc/rc.conf.local
This works when running ./socat_discovery start but even though the service is mentioned in the startup log of OPNsense as "Starting socat_discovery", once I login to the terminal, socat is not actually running.
Indicated by ps -awx | grep socat and pgrep socat not returning anything and the battery not being able to find the utility meter.

I checked the permissions and no errors are printed.
I tried adding $> /var/log/socat_discovery.log to the command but even though the file was created, nothing was written in the log file.

2. Adding rc.syshook
According to this page, I can also create a syshook to autorun a script.
I added a file named "90-socat" in the start directory with the following contents:

#!/bin/sh
/usr/local/bin/socat UDP4-RECVFROM:1010,reuseaddr,fork UDP4-SENDTO:10.10.10.111:1010 &

And here as well, the script is mentioned in the start-up log of OPNsense but once I get into the terminal, it is not actually running.
No further errors here as well. I made sure to add execution permissions to the file.

When both the service and syshook are defined, a message that the port is in use is displayed in the start-up log of OPNsense.
This indicates that the scripts are run, but somehow they are being stopped.

How can I debug this?
Thanks in advance! :)
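As an added example, not from the post above and not socat's own code, the following Python program does what the socat relay line in this post does (receive a datagram on the listening port, pass it to the meter from a fresh socket, hand the meter's reply back to the sender), with one check the socat one-liner lacks: it only forwards datagrams whose source address lies in the battery's own subnet, so a listener that happens to be reachable from other networks cannot be used to poke the meter from there. The meter address 10.10.10.111:1010 is the one from the post; the subnet 192.168.1.0/24, the loopback demo and its "METER-HELLO" reply are constructed for illustration.

```python
import ipaddress
import socket
import threading

# Constructed values: the battery is assumed to live in 192.168.1.0/24;
# the meter is the 10.10.10.111:1010 target from the socat line.
BATTERY_SUBNET = ipaddress.ip_network("192.168.1.0/24")
METER = ("10.10.10.111", 1010)


def should_forward(src_ip, allowed=BATTERY_SUBNET):
    """The socat one-liner relays whatever arrives on UDP/1010 to the meter.
    Restricting the source to the battery's subnet keeps the relay from being
    used to reach the meter from any other network the listener is exposed on."""
    return ipaddress.ip_address(src_ip) in allowed


def relay_once(listen_sock, dest, allowed=BATTERY_SUBNET, reply_timeout=1.0):
    """What UDP4-RECVFROM,fork + UDP4-SENDTO does for one datagram: receive it,
    send it to dest from a fresh socket, and pass one reply back to the sender.
    Returns (forwarded, reply); reply is None if the meter stayed silent."""
    data, src = listen_sock.recvfrom(65535)
    if not should_forward(src[0], allowed):
        return False, None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as out:
        out.settimeout(reply_timeout)
        out.sendto(data, dest)
        try:
            reply, _ = out.recvfrom(65535)
        except socket.timeout:
            return True, None
    # Like socat, answer from the listening port so the battery sees the
    # reply come from the address it sent its discovery datagram to.
    listen_sock.sendto(reply, src)
    return True, reply


def serve(listen_sock, dest, allowed=BATTERY_SUBNET, count=None):
    """Keep relaying; count=None runs forever, like socat's fork loop."""
    handled = 0
    while count is None or handled < count:
        relay_once(listen_sock, dest, allowed)
        handled += 1


def run_loopback_demo():
    """Constructed end-to-end run on 127.0.0.1: a fake meter that answers
    'METER-HELLO:' + request, the relay, and a 'battery' sending DISCOVER.
    Returns the reply the battery receives through the relay."""
    loopback = ipaddress.ip_network("127.0.0.0/8")
    meter = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    meter.bind(("127.0.0.1", 0))
    meter.settimeout(5)
    relay_sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    relay_sock.bind(("127.0.0.1", 0))
    relay_sock.settimeout(5)

    def fake_meter():
        data, src = meter.recvfrom(65535)
        meter.sendto(b"METER-HELLO:" + data, src)

    threads = [threading.Thread(target=fake_meter),
               threading.Thread(target=serve,
                                args=(relay_sock, meter.getsockname(), loopback, 1))]
    for t in threads:
        t.start()

    battery = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    battery.settimeout(5)
    battery.sendto(b"DISCOVER", relay_sock.getsockname())
    reply, _ = battery.recvfrom(65535)
    for t in threads:
        t.join()
    for s in (meter, relay_sock, battery):
        s.close()
    return reply


if __name__ == "__main__":
    print(run_loopback_demo())
```

socat has the same kind of filter built in: adding range=192.168.1.0/24 to the UDP4-RECVFROM address makes it drop datagrams from other sources, and bind=<LAN address> keeps the listener off the other interfaces; check socat(1) on the installed version for both options. Running the relay under daemon(8) with -o pointing at a log file is also the simplest way to see why it exits at boot, since socat's stderr is otherwise lost.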
#2
I spent quite a while getting this to work as well and wrote a guide here.
For anyone still struggling to get it to work, they could check it out.
#3
Because the request is coming from the open internet, the traffic is not coming through Tailscale correctly.
I spent quite a while getting this to work as well and made a guide here.
You could try it and see if it helps you. :)
#4
I spent quite a bit of time getting this to work so I figured I would share it here in case others have also struggled with this.

I have an OPNsense install working as my main firewall/router. In my home network I have a bunch of self hosted services. They are all accessed through a public domain name so I can use Let's Encrypt for TLS certificates. Some of them though, I want to only be accessible through Tailscale. This is where the problem comes in.

If you use a public domain name and are not at home, the traffic will, by default, be routed through your public IP-address. The reverse proxy or service will think it is just a random outside IP and drop the connection. To access the services through Tailscale, you need to set up split DNS.

I'm going to list the steps I took. I can't think of a reason this wouldn't work with the old tailscale ports install but I did it with the new Tailscale plug-in so I will list those steps too.

Optional - if Tailscale was already installed
  • Uninstall the Tailscale ports install with the following steps in the OPNsense shell:
    • service tailscaled stop
    • service tailscaled disable
    • opnsense-code ports
    • cd /usr/ports/security/tailscale
    • make deinstall
    • make clean

Installing and configuring Tailscale
  • Install the Tailscale plug-in from the OPNsense GUI - System > Firmware > Plugins
  • Add and enable the Tailscale interface
  • Create an allow rule on the Tailscale interface with Source and Destination as Any
    • Access is already authenticated through Tailscale so this should be fine
  • Add the subnet the webserver is in as an advertised route in the Tailscale plugin settings
  • Make sure DNS is enabled on the Tailscale interface
    • I'm using UnboundDNS so I go to Services > UnboundDNS > General and check the Tailscale interface under the Network Interfaces setting
  • Create overrides for your services
    • For UnboundDNS I go to Services > UnboundDNS > Overrides
    • In the Hosts section I create an entry for my Nginx Proxy Manager reverse proxy that I use with its local IP. For example 192.168.1.10
      • If you do not use a reverse proxy, enter the local IP of the service you are trying to make accessible and skip the Aliases part below
    • In the Aliases section, create an entry per site that is proxied through NPM.
      • For Host Override choose the Proxy host created in the previous step
      • For website.example.com enter website in the Host field and example.com in the Domain field

The OPNsense part should now be done.
Now for the Tailscale portion:
The OPNsense machine should now be visible in the Tailscale admin dashboard.

  • Accept the shared subnet(s) under the machine menu > Edit route settings
  • Go to the DNS tab and click on Add nameserver > Custom...
  • Enter the Tailscale IP of your OPNsense machine
  • Check Restrict to domain and enter your domain name and save

You should now be able to access your hosted services through Tailscale, whether you are connected to Tailscale or not and whether you have enabled the Exit Node or not.

As far as the webserver or proxy is concerned, the traffic is originating from the OPNsense IP so you can base access restrictions around that. In the firewall logs DNS requests are shown correctly with the Tailscale IP of the requester. Routing of traffic itself I believe is handled by Tailscale internally and only shows up as outgoing traffic from the firewall IP to the service on the interface the service is connected to.

Hope this helps anyone running into this problem in the future! :)
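An added verification step, not part of the guide above and not OPNsense or Tailscale tooling: once the Unbound override and the Tailscale nameserver entry are in place, a client on the tailnet should get the private address when it asks the OPNsense Tailscale IP for the name, and the public address when it asks any public resolver. The script below sends a raw DNS A query to one chosen resolver (so the OS resolver configuration does not get in the way) and classifies the answer. The Tailscale address 100.64.0.1, the public resolver 9.9.9.9 and the name website.example.com are placeholders to replace with your own; a "public" verdict from the OPNsense address means the override is not being served on the Tailscale interface and the client would hairpin over the WAN.

```python
import ipaddress
import socket
import struct

# Placeholders (constructed): the OPNsense Tailscale address, a public
# resolver for comparison, and a name that has an Unbound host/alias override.
OPNSENSE_TAILSCALE_IP = "100.64.0.1"
PUBLIC_RESOLVER = "9.9.9.9"
SERVICE_NAME = "website.example.com"


def build_a_query(name, txid=0x1234):
    """Minimal DNS query in wire format: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a possibly compressed name and return the next offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(msg):
    """Return the IPv4 addresses carried in the answer section of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4   # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs


def resolve_via(name, nameserver, timeout=3.0):
    """Ask one specific resolver over UDP/53, bypassing the OS resolver config."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (nameserver, 53))
        data, _ = s.recvfrom(4096)
    return parse_a_answers(data)


def split_dns_verdict(addrs):
    """'override' when every answer is a private (LAN) address, i.e. the Unbound
    override was served; 'public' when the public record came back, which means
    the client would hairpin over the WAN instead of using Tailscale."""
    if not addrs:
        return "no-answer"
    if all(ipaddress.ip_address(a).is_private for a in addrs):
        return "override"
    return "public"


def check_split_dns(name=SERVICE_NAME, tailscale_ns=OPNSENSE_TAILSCALE_IP,
                    public_ns=PUBLIC_RESOLVER):
    """Run from a Tailscale client: the OPNsense resolver should answer with the
    override and the public resolver with the public record."""
    return {ns: split_dns_verdict(resolve_via(name, ns))
            for ns in (tailscale_ns, public_ns)}


if __name__ == "__main__":
    for ns, verdict in check_split_dns().items():
        print(f"{ns}: {verdict}")
```

If the OPNsense address times out instead of answering, Unbound is not listening on the Tailscale interface or the allow rule on that interface is missing; if it answers with the public record, the host or alias override does not match the name being asked for.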
#5
I am having the same issue. My setup is also virtualized, though through Proxmox, and just like you I followed the install instructions of Tailscale on their knowledge base that you linked to.
I had made some other configuration changes as well when I experienced this the first time, but as I then changed all the settings I made since, one by one with a reboot in between, I can definitely confirm that the Tailscale interface is the cause.

I noticed the interface has a MAC-address of 00:00:00:00:00:00 and thought this might be the issue but manually setting a MAC-address does not solve the issue.

OPNsense and Tailscale are both fully up to date, running version 24.1.6 and 1.64.1 respectively. Don't really know where to go from here since I'm rather new to Tailscale.

That being said, Tailscale does still work regardless of the interface being enabled or not. So I have now resorted to managing my access to the subnets through Tailscale's ACL rather than OPNsense's firewall rules, but I would still like to have it as an interface in OPNsense so I can manage it and firewall it like any other interface.