Recent posts

#21
Hi there,

I have Tailscale set up as an exit node on OPNsense, alongside Windscribe VPN as Wireguard. What I would like to do is connect the two, so that my Tailscale traffic routes through to the Windscribe VPN for internet traffic.

My VPN set up is from this official guide: https://docs.opnsense.org/manual/how-tos/wireguard-selective-routing.html

What I did to try and get Tailscale to work was copy the same logic that you use for routing the LAN subnets through to the VPN gateway, but this doesn't seem to do anything.

Here is what I think the problem is:

- Tailscale peers don't seem to be a routable object. Whilst it does create a [Tailscale] interface which therefore gives it a subnet, making a rule that all traffic from that subnet doesn't do anything. I suspect OPNsense is expecting it to be the controller of IP assignments, not Tailscale, and as a result, there technically aren't any IP addresses to control.

- Another thing I noticed is my Firewall liveview shows the true IP address for Tailscale peers, not their tailnet IP, getting hits on the firewall including pass and drops. Because of this, I suspect trying to control routing of these IP ranges isn't practical due to these devices being under CG-NAT like mobile devices for example.

- Traffic uses OPNsense's default routing instead of what is set out for Tailscale net

Please feel free to ask me what config or logs I have to assist you with helping me solve this one.

EDIT: I have come to the conclusion this is only possible for peers that use static IP and it is better to use Wireguard for remote connections. Happy to be shown otherwise if someone has the answers though, would love to get it working. The alternative is put an exit node behind the router, and have Tailscale on it.
#22
General Discussion / Re: assigning static IP addres...
Last post by passeri - Today at 04:53:23 AM
Quote from: Hollywood on Today at 04:50:53 AM
I just noticed this...
Are both the control agent and Kea DHCPv4 enabled?

Edit to add: This is additional to my comments above, not in lieu.
#23
General Discussion / Re: assigning static IP addres...
Last post by passeri - Today at 04:52:19 AM
Words matter. You are looking at ISC leases. Please look under Kea in the menu I gave. I trust also that you have verified that ISC is not enabled. Kea is not ISC DHCP. You cannot run both and neither will inform you about the other.

In your first screenshot, Kea is not listening on any interface. Try adding your LAN, or all the networks you need there.

From your original description, your range, pool and reservation look OK but the above problems most likely mean that nothing is happening and you are looking in the wrong place to know it anyway.
#24
General Discussion / Re: assigning static IP addres...
Last post by Hollywood - Today at 04:50:53 AM
I just noticed this...
#25
General Discussion / Re: Web Interface Not Secure
Last post by OPNenthu - Today at 03:49:12 AM
You didn't say which browser but what you're describing is typical for self-signed certs.  OPNsense creates one (it's the "Web GUI TLS certificate" under System->Trust->Certificates) which is just to provide HTTPS support for internal access.  If that's your use case then you can ignore it and add a browser exception to silence the warning. 

The traffic is still encrypted.  It's only the browser warning you because the cert is not signed by a public CA or any private one that the browser knows about.  Different browsers show this in different ways, but you can check the certificate from within the browser and confirm that it's being used.

Your web interface is secure assuming you have working authentication (at least a decent password) and that you haven't opened the management port(s) on WAN.  That would be a different matter.
#26
General Discussion / Re: assigning static IP addres...
Last post by Hollywood - Today at 03:33:42 AM
Quote from: passeri on Today at 02:39:13 AM
Did you mean to write "Services>Kea DHCP>Leases DHCPv4"?

I ask because you see no leases at all, and I lack information on whether Kea is set up correctly, ISC off. Are interfaces set? Are there devices which should have dynamic addresses?
Thanks for your reply. A lot of this stuff has similar wording and abbreviations. It's confusing, so I hope these screenshots explain what I have.

Thanks again!
#27
Tutorials and FAQs / Re: What is the recommended fo...
Last post by LGDL - Today at 03:14:51 AM
Thank you, after some trial and error a width of 330 pixels worked for me, I used the PNG format.

The picture can be uploaded under System: Settings: General: Picture.
#28
General Discussion / Re: assigning static IP addres...
Last post by passeri - Today at 02:39:13 AM
Did you mean to write "Services>Kea DHCP>Leases DHCPv4"?

I ask because you see no leases at all, and I lack information on whether Kea is set up correctly, ISC off. Are interfaces set? Are there devices which should have dynamic addresses?
#29
General Discussion / assigning static IP address' t...
Last post by Hollywood - Today at 02:18:35 AM
Hello again,

2nd post here.

I set up my OPNsense computer to be my router connected to a Zyxel managed switch. So far I have internet and can list the connected clients via Interfaces>Diagnostics>ARP Table. My question for help here is with reserving a static IP for some of those devices. On some of the devices I was able to set the IP in the device itself and OPNsense shows those properly. I would like to set up other devices at router level.

I *tried* some things. I may be missing something or be completely off track, but here is what I have so far.

Under Services>Kea DHCP>Kea DHCPv4,
under the tab Settings I clicked Enable.
under the tab Subnets I created 192.168.1.1/24 with a pool of 192.168.1.100 - 192.168.1.254
under the tab Reservations I chose that above Subnet, entered (pasted) the MAC address, and assigned 192.168.1.24 to be the IP and applied.

After rebooting both the router and the device (a Raspberry Pi), it still gets assigned a random dynamic IP.

I searched Google and it said to go to
Quote
Go to Services > DHCPv4 > Leases.
Find your device: in the list of current leases (look for its MAC address) or click the + button to add a new entry.
Under Services > DHCPv4 > Leases I do not have anything listed. I think that might be a clue as to the problem, but at this point I need help.

Am I completely off? Can anyone tell me what I need to do to assign static IPs?

Thanks!
#30
General Discussion / deleted double post
Last post by Hollywood - Today at 02:08:32 AM
<sorry>