Skip to content
This repository has been archived by the owner on May 20, 2024. It is now read-only.

Latest commit

 

History

History
158 lines (117 loc) · 6.88 KB

SETUP.md

File metadata and controls

158 lines (117 loc) · 6.88 KB

Tailscale Installation

In Progress Table of contents

  1. Why did I use Tailscale?
  2. Create a Account
  3. Download and Install Tailscale on Client
  4. Download and Install Tailscale on OPNsense
  5. 5. Edit RFC1918-Rule
  6. 6. Allowing Access from tailscale to proxy
  7. 7. Allowing Access from tailscale to opnsense
  8. 8. Change DNS-Record
  9. 9. Add a Tailscale Access List



1. Why did I use Tailscale?

  • Better security: With Tailscale, the separation of public and private services on my server is ensured, so that,
    for example, my firewall or other desired services are only accessible to me, i.e. internally.

  • SSh and Filesharing: Tailscale allows me to share files or other things remotely via SSH and or SMTP.
    Which simplifies server management remotely, so you don't always have to be at home

  • Personal VPN: Tailscale offers the ability to turn my server into my own VPN,
    providing an additional layer of privacy and security for my online activities.

  • Cost-effective Solution: Tailscale is free to use, making it an economical choice for securing and managing my server infrastructure.

Again, @Redacks recommended me to use this for all these reasons. As you have probably already noticed that I enjoy working with Redacks often, I also trust his knowledge and his own experiences in this area. And I can link not only my server, but many other accounts and programs with Tailscale.



2. Create a Account

Go to https://tailscale.com/ and Create a Account. I use github access to register, but you can use whatever you like.



3. Download and Install Tailscale on Client

Then click on the download button above to download the current version for your operating system. Download and run the Installer. Click on Log in from the Tailscale icon now in your system tray and authenticate in your browser and
sign up with your provider do you like.

Here you will also find the direct link to the different operating systems:



4. Download and Install Tailscale on OPNsense

After you have successfully registered, we can now start installing Tailscale on our servers.
I'll just start by installing Tailscale on OPNsense, the reason for this is that nobody except me can access my firewall privately to delete,
edit or anything else.

The great thing is that tailscale itself has written a documentation on how to install Tailscale in the OPNsense. Since this is a complete installation guide, I will only link it here.

Link to the documentary

Note

After installation and after connection,
Tailscale writes that in the list of interfaces in the OPNsense interface,
the Tailscale network should appear.

If this is not the case, you should add the interface under Interfaces > Assignments > new interface.


Updating Tailscale in OPNsense

Link to the documentary



5. Edit RFC1918-Rule

To update the private IP addresses and their aliases with the new interface, I would do this next. To do this, proceed as follows

  • Go to Firewall > Aliases
  • Click "edit" on the RFC1918-Rule
  • Add the new network (in my example __opt4_network) in the Content area
  • Safe and Apply

Note

I hope you've added all new interfaces to this rule so far, if not... do it now!



6. Allowing Access from tailscale to proxy

  • Open opnsense.yourdomain.de
  • Go to "Firewall > NAT > Port Forward"
  • Create a new NAT rule
    • Interface: Tailscale
    • Destination: Tailscale_ADDRESS
    • Destination Port from: http (80)
    • Destination Port to: http (80)
    • Redirect Target IP: Proxy-Alias (10.1.2.2)
    • Redirect Target Port: http (80)
  • Safe

Repeat creating a NAT rule only with the ports HTTPS (443)



7. Allowing Access from tailscale to opnsense

  • Open opnsense.yourdomain.de
  • Go to "Firewall > NAT > Port Forward"
  • Create a new NAT rule
    • Interface: Tailscale
    • Destination: Tailscale_ADDRESS
    • Destination Port from: (other) 9443 - Your Opnsense WebPort
    • Destination Port to: (other) 9443 - Your Opnsense WebPort
    • Redirect Target IP: 127.0.0.1
    • Redirect Target Port: (other) 9443 - Your Opnsense WebPort
  • Safe

We took this step for security reasons, so that even if the proxy is turned off, we can still access our OPNsense. Believe me, I managed to do that once during the installation xD



8. Change DNS-Record

Now we have to change our DNS record with our provider to the tailscale address.
After you have successfully authenticated yourself with your browser when connecting to tailscale, you should see your opnsense at https://login.tailscale.com/admin/machines.

In the “Addresses” column you can now copy this IP and change it in your DNS entries. It's best just for proxmox.yourdomain.de at first. You can test this after a while by pinging this subdomain ping proxmox.yourdomain.de.
As the answer IP, your Tailscale address should now appear.

If this worked, you can change the DNS values of all important domains. Among other things, from

  • opnsense.yourdomain.de
  • proxy.yourdomain.de

Important to know: you should change all IP addresses that should not be accessed from outside.



9. Add a Tailscale Access List

We can prevent connections to the outside world with a DNS rebind attack. Our NGINX-Proxy-Manager also helps us to do this.

  • Go to proxy.yourdomain.de
  • Switch to tab Access List and Added a new List
  • Give the list a new name, I call this list "Tailsclale"
  • Go to Access-Tab and enter the Tailscale subnet there.
    • Subnet: 100.64.0.0/10
  • Safe

  • Now Switch to your Host Host > Proxy Hosts
  • Edit the Source proxmox.yourdomain.de
  • Details-Tab
    • Access List: YOUR_LIST
  • Safe

Now only you can access proxmox.yourdomain.de via your Tailscale IP connection.
As soon as your DNS entry has been updated worldwide, you will be directed to this domain.