Access OPNsense GUI via Tailscale IP address on TLSCL (opt1) Interface

Started by chris.dempsey, March 17, 2023, 04:49:22 PM

Objective
To access the OPNsense GUI, using the Tailscale IP address assigned to the OPNsense appliance from any Machine connected to Tailscale.

Overview
After much trial and error this was working last night but I broke it by removing what I thought were irrelevant settings. Despite restoring config files from `System: Configuration: History` I've been unable to reach the previous state and regain access to the OPNsense GUI from Machines on Tailscale.

Can anyone help me figure out the correct configuration please?


Steps taken
- Installed Tailscale following the instructions at https://tailscale.com/kb/1097/install-opnsense/
- Failed to gain access to the OPNsense GUI from Machines on Tailscale so in desperation removed Tailscale and reinstalled with
```
make deinstall
make clean
make install
```
- From memory this removed the `TLSCL` Interface so I added it back in from `Interfaces > Assignments` as `TLSCL (opt1)` on `Network Port tailscale0`
- Created Firewall Rule for the `TLSCL` Interface to allow traffic from the network to the interface address - as far as I understand this is the same as the default LAN rules except for net traffic on the TLSCL interface, and should allow traffic to the Tailscale IP of the OPNsense appliance 100.11.22.33 on port 443
```
   IPv4 *   TLSCL net   *   *   *   *   *      Default allow TLSCL to any rule
```
- Discovered I need to update System > Settings > Administration: Listen Interface to include `TLSCL` alongside the default `LAN`
- Assigned the Tailscale IP of OPNsense Machine as a Static IPv4 to the TLSCL Interface at `Interfaces: [TLSCL]` - this seemed to be the key step in finally getting access to the GUI on the Tailscale IP of the OPNsense appliance
- Can ping a Tailscale Machine IP when logged into the OPNsense appliance via SSH (the first 3 responses are via DERP, the final response via the remote Machine's true Public IP)
- Can ping the Tailscale IP of the OPNsense appliance from another Machine on the Tailnet
```
chris@DO-XLR:~$ tailscale ping 100.11.22.33
pong from opnsense (100.11.22.33) via 81.82.83.84:37216 in 16ms
chris@DO-XLR:~$ tailscale ping 100.11.22.33
pong from opnsense (100.11.22.2339) via 81.82.83.84:37216 in 15ms

```
- this logs errors in the Firewall
```
TLSCL      2023-03-17T15:00:14   100.44.55.66:41244   100.11.22.33:443   tcp   Default deny / state violation rule
```
- Detailed output from the block is
```
Detailed rule info
__timestamp__   2023-03-17T15:18:53
ack   
action    [block]
anchorname   
datalen   0
dir    [in]
dst   100.11.22.33
dstport   443
ecn   
id   50907
interface   tailscale0
interface_name   TLSCL
ipflags   DF
ipversion   4
label   Default deny / state violation rule
length   60
offset   0
protoname   tcp
protonum   6
reason   match
rid   02f4bab031b57d1e30553ce08e0ec131
rulenr   4
seq   2736343943
src   100.44.55.66
srcport   47084
subrulenr   
tcpflags   S
tcpopts   
tos   0x0
ttl   64
urp   64480
```



Environment
- OPNsense 23.1.3_4-amd64
- FreeBSD 13.1-RELEASE-p7
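One way to reason about why a `TLSCL net` pass rule can fail to match even though it exists, as an added example (this is not code from the post or from OPNsense): in pf, an `<interface> net` macro expands to the subnet derived from the interface's configured address and prefix length, so if the static IPv4 on TLSCL was entered as a /32 the macro covers only the appliance itself and every other tailnet peer falls through to the default deny. The post does not state which prefix was used, so the script evaluates the logged block against both a /32 and a wider prefix. It parses the `Detailed rule info` dump from above (values taken from the post) and emulates the single wildcard pass rule shown; the `Interface` class and `diagnose()` helper are assumptions for illustration.

```python
"""Emulate an OPNsense '<IF> net -> any' pass rule against a logged block.

Demonstrates how the prefix length assigned to the TLSCL interface decides
what 'TLSCL net' expands to, and therefore whether a tailnet peer's packet
is allowed or hits 'Default deny / state violation rule'.
"""
import ipaddress
from dataclasses import dataclass

# Constructed sample: the "Detailed rule info" dump of the blocked TLS
# handshake, trimmed to the fields relevant here (values from the post).
BLOCK_DETAIL = """\
action    [block]
dir    [in]
dst   100.11.22.33
dstport   443
interface   tailscale0
interface_name   TLSCL
ipversion   4
label   Default deny / state violation rule
protoname   tcp
src   100.44.55.66
srcport   47084
tcpflags   S
"""


def parse_rule_detail(text: str) -> dict[str, str]:
    """Parse the whitespace-separated key/value dump into a dict.

    Bracketed values such as '[block]' and '[in]' are unwrapped; keys
    with no value (e.g. 'ack') map to an empty string.
    """
    fields: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts:
            continue
        value = parts[1].strip() if len(parts) > 1 else ""
        fields[parts[0]] = value.strip("[]")
    return fields


@dataclass
class Interface:
    """Hypothetical model of an assigned OPNsense interface with a static IPv4."""
    name: str        # OPNsense interface name, e.g. TLSCL
    address: str     # static IPv4 entered under Interfaces: [TLSCL]
    prefixlen: int   # subnet mask chosen alongside that address

    def net(self) -> ipaddress.IPv4Network:
        """What the '<name> net' macro resolves to: the configured subnet."""
        return ipaddress.ip_network(f"{self.address}/{self.prefixlen}", strict=False)


def pass_rule_matches(iface: Interface, fields: dict[str, str]) -> bool:
    """Emulate 'IPv4 * <IF> net * * * *' (allow <IF> net to any, inbound).

    Protocol, destination and ports are wildcards in the post's rule, so the
    only selective criteria are the interface, the direction and the source
    falling inside '<IF> net'.
    """
    if fields.get("interface_name") != iface.name or fields.get("dir") != "in":
        return False
    if fields.get("ipversion") != "4":
        return False
    return ipaddress.ip_address(fields["src"]) in iface.net()


def diagnose(iface: Interface, fields: dict[str, str]) -> str:
    """Return a one-line explanation of why the packet passed or was denied."""
    src = fields["src"]
    net = iface.net()
    if pass_rule_matches(iface, fields):
        return f"pass: {src} is inside '{iface.name} net' = {net}"
    return (f"default deny: {src} is outside '{iface.name} net' = {net}; "
            f"widen the prefix or use a source alias covering the tailnet")


if __name__ == "__main__":
    fields = parse_rule_detail(BLOCK_DETAIL)
    # A /32 makes 'TLSCL net' cover only the appliance's own address.
    print(diagnose(Interface("TLSCL", "100.11.22.33", 32), fields))
    # A /10 (the width of the pool Tailscale allocates from) covers the peer.
    print(diagnose(Interface("TLSCL", "100.11.22.33", 10), fields))
```

Running it prints a denial for the /32 case and a pass for the /10 case against the same logged packet, which is the check to make before touching the listen interface or the rule itself: confirm what `TLSCL net` actually expands to on the appliance (for example via `pfctl -sr` on the shell) and whether the blocked source address is inside it.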