Messages - Recess1537

#1
Hi there,

I have Tailscale set up as an exit node on OPNsense, alongside Windscribe VPN as WireGuard. What I would like to do is connect the two, so that my Tailscale traffic routes through to the Windscribe VPN for internet traffic.

My VPN setup is from this official guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

What I did to try and get Tailscale to work was copy the same logic that you use for routing the LAN subnets through to the VPN gateway, but this doesn't seem to do anything.

Here is what I think the problem is:

- Tailscale peers don't seem to be a routable object. Whilst it does create a [Tailscale] interface, which therefore gives it a subnet, making a rule for all traffic from that subnet doesn't do anything. I suspect OPNsense is expecting to be the controller of IP assignments, not Tailscale, and as a result there technically aren't any IP addresses to control.

- Another thing I noticed is that my Firewall live view shows the true IP address for Tailscale peers, not their tailnet IP, getting hits on the firewall, including passes and drops. Because of this, I suspect trying to control routing of these IP ranges isn't practical, due to these devices being under CG-NAT, like mobile devices for example.

- Traffic uses OPNsense's default routing instead of what is set out for Tailscale net

Please feel free to ask me what config or logs I have to assist you with helping me solve this one.

EDIT: I have come to the conclusion this is only possible for peers that use a static IP, and it is better to use WireGuard for remote connections. Happy to be shown otherwise if someone has the answers though; would love to get it working. The alternative is to put an exit node behind the router, and have Tailscale on it.
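A check that speaks to the second bullet above: Tailscale hands peers addresses from the CGNAT block 100.64.0.0/10, so a firewall rule scoped to "source = Tailscale subnet" can only ever match flows whose source sits in that block, never the peers' public addresses seen on the WAN side. The script below is an added example, not the poster's configuration or OPNsense code; the log lines are constructed in a simplified "action interface source destination" shape (not real live-view output) and the interface names are hypothetical.

```python
import ipaddress
from collections import Counter

# Tailscale peers get addresses from the CGNAT range; a rule written
# against "the Tailscale subnet" matches sources in this block only.
TAILNET = ipaddress.ip_network("100.64.0.0/10")
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (action iface src dst); interface names are hypothetical.
SAMPLE_LOG = """\
pass tailscale0 100.101.102.103 1.1.1.1
pass wan0 203.0.113.45 198.51.100.7
block wan0 203.0.113.45 198.51.100.7
pass lan0 192.168.1.20 8.8.8.8
pass tailscale0 100.64.5.9 9.9.9.9
"""


def classify(addr: str) -> str:
    """Label a source address as tailnet (CGNAT), rfc1918, or public."""
    ip = ipaddress.ip_address(addr)
    if ip in TAILNET:
        return "tailnet"
    if any(ip in net for net in PRIVATE):
        return "rfc1918"
    return "public"


def parse(log: str) -> list:
    """Split constructed log lines into dicts and tag each source address."""
    rows = []
    for line in log.splitlines():
        action, iface, src, dst = line.split()
        rows.append({"action": action, "iface": iface, "src": src,
                     "dst": dst, "src_class": classify(src)})
    return rows


def subnet_rule_coverage(rows: list) -> dict:
    """How many logged flows a 'source in 100.64.0.0/10' rule would match."""
    counts = Counter(r["src_class"] for r in rows)
    matched = counts["tailnet"]
    return {"matched": matched,
            "unmatched": sum(counts.values()) - matched,
            "by_class": dict(counts)}


if __name__ == "__main__":
    print(subnet_rule_coverage(parse(SAMPLE_LOG)))
```

The public-address hits on the WAN interface are the peers' control and tunnel traffic arriving at the box, not the tunnelled flows, so they are expected to fall outside a tailnet-subnet policy rule.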