Use Opnsense as an exit node with internal LAN IP for connected clients

[gio_kiborg]

Hello,

My new ISP has CG-NAT, so I can not use port forwarding,

I configured Zerotier on my OPNSense firewall and home server, so I can connect to them directly (10.X.X.X/24 network)

I also configured Headscale server on Oracle Free Cloud VPS and installed tailscale client on Opnsense firewall and configured it as exit node, so I can route all my tailscale client traffic through it, (100.X.X.X/24 network)

Only thing I have left is, to have full access to my home lan (192.168.2.X/24 network) not only to my firewall/home server, but to other devices, where I can not/do not want to install Zerotier or Tailscale client (for example network video recorder).

So is it possible to rout/translate IP traffic from [Tailscale] or [Zerotier] interface through my internal [LAN] and assign static or DHCP internal LAN ip?
for example, my laptop has zerotier ip 10.151.16.2, it can connect to Firewall 10.151.16.3 and homeserver 10.151.16.4 but not to network video recorder which has static LAN address 192.168.2.2
and similarly my laptop has tailscale ip: 100.1.1.2 can connect to firewall 100.1.1.3, I can even turn firewall to exit node, but I still can not access internal LAN,

I guess there can be a firewall rule, to take IP from one interface [Zerotier] or [Tailscale]and add it to [LAN] interface as static or DHCP? so when I connect to zerotier or tailscale, I am assigned internal LAN IP as well? not just a point to point and/or exit node connection?

[gio_kiborg]

I found out this thread, where author says that has access to LAN through OPNsense fw via tailnet
https://forum.opnsense.org/index.php?topic=35464.0
I tried to run similar command to advertise my LAN route
 

Code: [Select]

tailscale up --advertise-routes=192.168.2.0/24 --advertise-exit-node --accept-dns=false --accept-routesAlso, I found this video, but unfortunately on pfsense, difference is large enough so I can not configure my OPNSense https://www.youtube.com/watch?v=P-q-8R67OPY

As I understand I just need one simple step to achieve my goal (being able to access lan through tailnet) but unfortunately I am not knowledgeable enough to figure it out

[Reiner030]

as you alreaday found out there are many articales and videos about implementing such tunnel.
Important for pfSense/OPNsense is still the opening of the tunnel for needed port 80/443 to let traffic in which can be forgotten for normal routing usage.

Did you allso found this direct configuration guide?
https://tailscale.com/kb/1097/install-opnsense

[gio_kiborg]

as you alreaday found out there are many articales and videos about implementing such tunnel.
Important for pfSense/OPNsense is still the opening of the tunnel for needed port 80/443 to let traffic in which can be forgotten for normal routing usage.

Did you allso found this direct configuration guide?
https://tailscale.com/kb/1097/install-opnsense

Unfortunately since I am behind carrier grade NAT, I can not port forward,
otherwise I do have OpenVPN installed on homeserver and was working fine (with lan access) with previous ISP (which was giving "true" IPv4 addresses)


Thanks, I found that article, but after closer reading a I understand I found KB link there for  subnet routing: https://tailscale.com/kb/1019/subnets

Since I am using Headscale on VPS (which I configured acording to this guide https://www.youtube.com/watch?v=u_6Zd7Bo6J4) I need to adjust settings there, since I am already advartising OPNSense subnet

[Reiner030]

If you have before also OpenVPN used from your hosted VM it is maybe an idea to use an OpenVPN tunneln instead or a wireshark one so you don't have need for external services?

There should be also enough howtos for this setup available and you have the possibility to configure/restrict traffic on hosted site.
For instance you can use an "stonage" service like rinetd which can offer Ports similara to xinetd on hosted side but tunnels it to a different IP address (TCP only).

[gio_kiborg]

Thanks for the suggestion, will look into tunnels as a redundancy

Managed to configure routes correctly and now can access my LAN resources  from outside
For noobs like myself the reference:
I used this video as a main guide: https://www.youtube.com/watch?v=u_6Zd7Bo6J4

1. Install Headscale on a VPS (I used Oracle Free tier VPS, as suggested in video, AWS free also can be used)
2. Install Tailscale client on OPNsense: https://tailscale.com/kb/1097/install-opnsense
3. Add client to Headscale server (refer the video and KB article above)
4. Advertise exit node on OPNSene (refer to video and  https://tailscale.com/kb/1103/exit-nodes)
5. Advertise routes on OPNSense https://tailscale.com/kb/1019/subnets (there is no direct link for OPNsense, or FreeBSD, but you can use linux command, you need to use combined command including login server, exit node and route, but if you only advertise route, CLI will suggest full command including all above)
6. Make sure to enable subnet route as well for the internal LAN

Code: [Select]

sudo headscale routes enable -r ROUTE ID
Route ID can be found using

Code: [Select]

sudo headscale routes list command on your VPS

Optional: install Headscale Web UI on VPS if you prefer it to CLI (there are several options on Github, or use following video tutorial: https://youtu.be/OKwrfmMoAk0?t=1750 for this one: https://github.com/iFargle/headscale-webui)