Messages - d82k

#1
Hello,

I have an issue with Tailscale.
I have configured Tailscale on two OPNSense to establish a site-to-site connection, and this was working great. Plus, from my mobile phone I could access both subnets published by the OPNSense and use either of the two as an exit node.

I suddenly realized this was not working properly anymore; not sure if it was an upgrade of Tailscale or of OPNSense.

I realized that in the OPN Dashboard Tailscale reports the agent green but Online "No":


Looking at the details in VPN: Tailscale: Status > General I see the agent running.


Under VPN: Tailscale: Status > Peers I see the other connected peers.

On the Tailscale website the OPNSense nodes show as offline.

If I reboot OPNSense, it stays online and shows as online on the Tailscale website for only 10 seconds.

The other weird thing is that with a previous version of the app/agent, although the OPNSense was clearly offline on the mobile app and the website console, while being on a public network I was able to reach the OPNSense from my mobile (via Tailscale). Now that is no longer the case.

Any idea or test I can run please?

Kind regards,
dk

OPNSense version: 25.1.10
Tailscale version: 1.84.2

#2
I have partially solved this with the following:

- Configured Tailscale as above, including advertised subnets
- Added the Tailscale interface and enabled it (OPT1)
- Added two firewall rules on the OPT1 interface accepting in/out any any traffic
- Set Firewall: NAT: Outbound as Hybrid and added the following rules:

OPNSense_A
Interface    Source    Source Port    Destination      Destination Port    NAT Address          NAT Port    Static Port
OPT1         LAN net   *              192.168.3.0/24   *                   Interface address    *           YES

OPNSense_B
Interface    Source    Source Port    Destination      Destination Port    NAT Address          NAT Port    Static Port
OPT1         LAN net   *              192.168.2.0/24   *                   Interface address    *           YES


I did not activate "Allow PCP/NAT-PMP Port Mapping" nor the "Disable SNAT" option.

So far, from the few tests performed, it looks like it's working properly.

#3
I have simplified the environment, hopefully to make it work. Here is the design:

[Lan A .2.0/24 ]---[192.168.2.1 OPNSense_A 192.168.1.2]---|
                                                          | 192.168.1.1 ISP router (public_ip) ---
[Lan B .3.0/24 ]---[192.168.3.1 OPNSense_B 192.168.1.3]---|

I have done the following:
- Installed the Tailscale plugin, defined subnets and approved them in the admin console
- Created a new interface OPT1 for Tailscale and enabled it
- Installed the UPnP plugin and enabled it with a check on "Allow PCP/NAT-PMP Port Mapping"
- Routes show the correct paths, as in the table below
- Both WAN interfaces have "Block private networks" disabled
- Both OPNSense are able to connect to the internet and resolve DNS
- Firewall rules are the standard ones automatically created.

Routes
OPNSense_A
ipv4    192.168.3.0/24    link#9    US    NaN    1280    tailscale0    OPT1
ipv4    192.168.2.0/24    link#1    U     NaN    1500    igc0        LAN

OPNSense_B
ipv4    192.168.2.0/24    link#8    US    NaN    1280    tailscale0    OPT1
ipv4    192.168.3.0/24    link#1    U     NaN    1500    igc0        LAN

What works:
- from OPNSense_A/B I can ping and reach any device on subnet B/A
- from a device outside of Lan A/B, via the Tailscale client, I can access any device on Lan A/B

What does not work:
- from Lan A/B devices I cannot reach any device on Lan B/A nor the OPNSense_B/A.

I tried adding an any/any firewall rule on OPT1 and setting NAT outbound to hybrid with the following rule:
Interface    Source    Source Port    Destination    Destination Port    NAT Address    NAT Port    Static Port
OPT1         LAN net   *              *              *                   OPT1 address   *           NO

Any suggestion or further tests I can perform to troubleshoot this please?
Kind regards.
dk
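The checks asked for in the post above, as an added example that is not part of this thread: a small Python script that reads the output of `tailscale status --json` from a subnet router and reports the conditions that break site-to-site traffic (node reported offline, health warnings, advertised subnets not approved or not active, peers offline or only reachable over a DERP relay). The sample status embedded below is constructed to mirror OPNSense_A in this thread, and the JSON field names are assumed to match tailscale's ipnstate.Status; check them against your installed version.

```python
import json

# Constructed sample in the shape of `tailscale status --json` for OPNSense_A from
# the thread: Online "No", 192.168.2.0/24 advertised, peer OPNSense_B relayed.
# Field names follow tailscale's ipnstate.Status; verify them against your version.
SAMPLE_STATUS = json.dumps({
    "BackendState": "Running",
    "Health": ["not in map poll"],
    "Self": {"HostName": "OPNSense_A", "TailscaleIPs": ["100.64.0.1"],
             "AllowedIPs": ["100.64.0.1/32", "192.168.2.0/24"],
             "PrimaryRoutes": ["192.168.2.0/24"], "Online": False},
    "Peer": {"nodekey:b": {"HostName": "OPNSense_B", "TailscaleIPs": ["100.64.0.2"],
                           "AllowedIPs": ["100.64.0.2/32", "192.168.3.0/24"],
                           "PrimaryRoutes": ["192.168.3.0/24"], "Online": True,
                           "Relay": "fra", "CurAddr": ""}},
})

def check_subnet_router(status_json, expected_routes):
    """Report what would stop site-to-site traffic through this subnet router:
    node offline, health warnings, advertised routes not approved or not
    active, peers offline or stuck on a DERP relay. Pure function: feed it the
    text of `tailscale status --json`."""
    st = json.loads(status_json)
    me = st["Self"]
    problems = []
    if st.get("BackendState") != "Running":
        problems.append(f"backend state is {st.get('BackendState')}, not Running")
    if not me.get("Online", False):
        problems.append("control plane reports this node offline ('Online: No' in the dashboard)")
    problems += [f"health: {w}" for w in st.get("Health") or []]
    # An advertised route appears in AllowedIPs once approved in the admin
    # console and in PrimaryRoutes once this node actually serves it.
    allowed = set(me.get("AllowedIPs") or [])
    active = set(me.get("PrimaryRoutes") or [])
    for route in expected_routes:
        if route not in allowed:
            problems.append(f"route {route} not approved in the admin console")
        elif route not in active:
            problems.append(f"route {route} approved but not active on this node")
    remote_routes = {}  # remote subnet -> hostname of the peer serving it
    for peer in st.get("Peer", {}).values():
        name = peer.get("HostName", "?")
        if not peer.get("Online"):
            problems.append(f"peer {name} offline")
        elif peer.get("Relay") and not peer.get("CurAddr"):
            problems.append(f"peer {name} reachable only via DERP relay '{peer['Relay']}'")
        for route in peer.get("PrimaryRoutes") or []:
            remote_routes[route] = name
    return {"ok": not problems, "problems": problems, "remote_routes": remote_routes}
```

On the firewall itself, pass the real output in with `check_subnet_router(open("status.json").read(), ["192.168.2.0/24"])` after saving `tailscale status --json > status.json`; an empty problems list plus the expected remote subnet in `remote_routes` means the Tailscale side is fine and the remaining suspect is the OPNsense firewall or NAT configuration.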

#4
Thanks for the note Bart, yes I activated the subnet router and authorized those on the tailscale portal.
I also created an interface, enabled it, and in "Interfaces: Overview" I see it as active, and in "Routes" I see the two /24 remote networks and the Tailscale IPs as well for the Tailscale interface.
If I SSH into the OPNSense I can ping the remote addresses and access the remote web portals, but not from a client in the LAN network where the OPNSense is my gateway.
Getting a bit crazy...

#5
Appreciate the feedback. Unfortunately I was not able to make it work.
I did install Tailscale; this works partially: from the OPNsense I can access any remote IP, but unfortunately from any other machine on the network of the OPNsense I cannot reach the remote network.

I created an interface for Tailscale, added an any-any rule on the firewall, even tried configuring a gateway and adding a route for the remote network, but nothing. It's still not working...

#6
EDIT: changed title to reflect new solution from WireGuard to Tailscale, see issue from post #7

Hello,

I'm following this https://docs.opnsense.org/manual/how-tos/wireguard-s2s.html document to configure a site-to-site VPN with WireGuard.

My current situation is the following:

[Net A]-[OPNSense A]-[Router A]-(internet)-[Router B]-[OPNSense B]-[Net B]

Router A and B are directly exposed to the internet and have dynDNS configured. I replaced "Endpoint Address" with the two DNS names.

In VPN: WireGuard: Status I see interface and peer both green; only the peer has the handshake and a few KB sent and received. This should mean that WireGuard is enabled and the connection established.
Unfortunately, when I try to ping the address of OPNSense B or any address on Net B from OPNSense A (Interfaces: Diagnostics: Ping), this fails.

Both routers have port 51820 open and forward traffic to the same port on the OPNSense.

Any idea please?
Isn't there a need to define a specific rule/gateway so that all traffic for Net B goes via WireGuard?

In addition, step 3a uses Allowed IPs: 10.2.2.2/32 but step 2b uses 10.2.2.2/24 as the Tunnel Address; can anyone explain why that is?

Kind regards,
dk