Tom here from Lawrence Systems, and as of July 2022, Tailscale has been added as a package for pfSense Plus and pfSense CE. I'll leave a link down below to the Netgate announcement that also has an embedded video from Christian McDonald where he breaks down Tailscale, how it works and a lot of the details that went into writing it because, well, he's the one that wrote it. Great video, lots of information. Now, what problem does Tailscale solve? Well, Tailscale is an overlay network, and I have a few videos I've done on Tailscale and other overlay networks, also linked down below, if you'd like to dive into that topic. The problem I see this really solving for a lot of people is this: with Tailscale, you load the Tailscale client on Mac, Linux and Windows devices, but obviously there are some devices that may not be accessible to you to load Tailscale on, you know, IoT devices or camera systems, et cetera. By having it on pfSense, this allows the Tailscale namespace that you set up to have a pfSense in the mix that can advertise routes, and this gives you the ability then to have access to all those non-Tailscale devices that are on the network behind pfSense. It also offers the opportunity for people who have been stuck with carrier-grade NAT and can't just put a VPN on pfSense because, well, there's no public IP address available for them; Tailscale will facilitate routing through the CGNAT space and still allow access to these devices. Let's say you have a laptop and you want to leave home but still be able to get to all your devices at home. No problem: have Tailscale on the laptop, Tailscale on pfSense, and it will bridge that access to all the devices behind there. Now, Tailscale has a lot of features, but one of them is not going to be absolutely the best performance speed. Even though it's based on WireGuard, and Christian McDonald addresses this in the video, it's based on the WireGuard Go implementation, so there are some speed limitations.
Second, it's not the same as using a privacy VPN. This is a discussion where people may go, well, can I just use it for all my VPN needs? Not necessarily. I have a link down below for setting up OpenVPN as a privacy VPN with policy routing. It's not as much a policy-routing type of VPN. It is more a connectivity solution with the overlay network. So we're going to dive into how simple it is to set up, what you need to get going with it and just a couple of the parameters, and a few security thoughts about it.

Before we dive into the details of this video, let's first... Are you an individual or a company looking for support on a network engineering, storage, or virtualization project? Is your company or internal IT team looking for someone to proactively monitor your systems' security or offer strategic guidance to keep your IT systems operating smoothly? Not only would we love to help consulting on your project, we also offer fully managed or co-managed IT service plans for businesses in need of IT administration or IT teams in need of additional support. With our expert install team, we can also assist you with all of your structured cabling and Wi-Fi planning projects. If any of this piques your interest, fill out our Hire Us form at lawrencesystems.com so we can start crafting a solution that works for you. If you're not interested in hiring us but you're looking for other ways to support this channel, there are affiliate links down below to get you deals and discounts on products and services we talk about on this channel. And now back to our content.

The first place I want to start is the Netgate blog post, because the video that's embedded in here by Christian McDonald, the developer at Netgate who put this plugin together, covers how to set up two pfSenses that do not have publicly routable WAN addresses but allows for the connection of these devices as a site-to-site VPN. So that's well covered and well documented, along with a lot of other details.
So I do encourage you to watch Christian's video if that's the setup. Today, we're going to focus on a setup that is just for connectivity. Now, before we go any further, I will mention: yes, I'm aware, and yes, I've tested Headscale. Headscale is an open source alternative to Tailscale. So Tailscale has an open source client; the protocol it uses is WireGuard. So everything about them is open source except for the coordination server and the backend. Headscale is an implementation of Tailscale that's basically open source. It does lack a proper UI. It doesn't have a nice web interface on there to make it easy to manage. They have documentation on how to get it set up. I did go through and set it up and make sure it works fine with pfSense and all the other devices. But I am not using it for the demo because, well, it would add a little bit of extra complexity, but I'll possibly do a separate video on this if people have trouble getting it set up. The documentation is kind of basic, but they do have commands you can go through and figure out how it works, along with some example configs. Now the obvious prerequisite for this video is going to be that you have a Tailscale account set up. You can sign up for free; as of July of 2022, they allow you up to 20 devices for free. And I mention it like that because, one, I wanna say the date in case they change any of the policies on there. But of note, the devices: this is Tom's home pfSense, LTS Tailscale, pfSense lab and a few other things I have in there. My Tom home pfSense is the one we're gonna be focusing on, but this counts as a device, and I have it advertising the subnets behind it. This allows connectivity to the devices behind it. So if we look at the diagram here, we can see, like, Tom's phone and this other lab server; we have them across the internet. They wanna connect to Tom's pfSense. Each of these is a single device. These are not devices.
These are just extra routes that are advertised by my pfSense that allow, like, my phone, whether it's connected to the 5G LTE network wherever it is, or this extra lab server I have at the office that I'll demo, to talk to my pfSense, and therefore pfSense then handles the routing between all the devices. Something worth noting as well when it comes to access controls: the access controls are how you control all the devices here and their ability to talk to each other. The default routing rules are yes, they can all talk, and yes, when you advertise routes, any of these devices can talk to these particular devices that are set up behind there. The rules have to be done inside of Tailscale. So you don't control any of the rules inside of pfSense for very specific routing information, with the limited exception that we'll get to when we talk about the firewall rules a bit later in the video. But for the most part, it's relatively easy to set up. It's easy to add these devices, and we'll start by deleting a device because we already have this one configured, but we're gonna delete my pfSense lab and show you how to add a pfSense to it. That part's really simple and pretty easy to get started with. Now this is the pfSense in my lab, and I wanna start by actually doing a logout and clean. This will forcibly disconnect this particular pfSense. So now Tailscale is not running, and don't worry, these keys aren't reusable, but this is all a demo account anyways. So we've gone into Tailscale and we leave this the same. This is where you would change it if you were using something other than Tailscale, such as Headscale's coordination server. So you leave the login server the same and you just put in the pre-authorization key. So right now status is not running. So if we look at the settings, even though it's enabled, Tailscale is not working because we forced a logout and clean. Now if we go back over to Tailscale and look at the machines, you can see that it's offline.
So we'll go ahead and just delete it. So this is pfSense lab, and we're gonna go ahead and remove it so we can add it again. So we've deleted it here. Let me go over to settings, and we want to go to keys, and we wanna generate an auth key. We don't want this key to be reusable. You could if there's some use case you have for it, but it's easy enough to create a key. So we don't wanna remove... ephemeral: machines on the key will be automatically removed after going offline, as in, do you want it to be temporary? Probably not. Tags: well, you can create tags to automatically put and apply different things to this particular key, but we'll just go with generate key. Then we're gonna hit copy, and we know the key is copied. Go back over here, paste. Then we just hit save. See, it's enabled, and hit save again here. Tailscale not on? Refresh or check the status page. We go over to the status page here and it's online and ready to go. It's pretty much instant, in real time. I did not have to edit any of that. Matter of fact, the key already went away because it's been used. The pfSense lab is already showing up and showing connected. It's pretty much instant when you add a device inside of here for it to show up, not just for pfSense but for any other ones. There's not much of really a delay. And down here, if we scroll down a little further on the status, I blurred out the bottom where it has my public IP address, but it's giving you all the information about the fact that it's connected and it can see all the other devices that are within this namespace of Tailscale that it can talk to. So these are all the other devices that are online. Of course, to talk to by default, all these rules are open. It can talk to any of these devices, but if you change the ACL rules, they would still just show up here, but you'd have control over the inner routings between these. Now in terms of settings over here, this is where you choose whether you want to accept subnets that other routes advertise.
This is where you can get a bit more advanced, and this is covered in Christian's video, and it's pretty simple. You just accept the routes and then add... go over here to the routes and, for example, in my system, it's the 192.168.11 network, and if we go to this lab pfSense, the main screen here, that network does not exist over here. So it has a 3-dot network, 40, 22 and a 10-dot network, but we go over here to Diagnostics, then Routes, because we're accepting advertised routes. There's my Tailscale 192.168.0.0/24, Tailscale 0 route. Combine that with Firewall, NAT, Outbound, and then we say we would like anything heading to that destination to go out Tailscale. This is covered, as I said, in Christian's video. This lets devices behind here talk to that other system. It's probably the easiest I've ever set up a site-to-site VPN, using Tailscale. It just makes it really, really simple. And if they do have public IP addresses, Tailscale will have these devices talking directly to each other. Now back over to my server. Now my system is already online: keep configuration, advertises exit node. This is an extra feature that's pretty cool: if you say I want to offer to be an exit node for internet traffic, you can, and there's options in different Tailscale clients to say, hey, route things through an advertised exit node. What that means is, for example, with my phone, I can actually have my phone routing all the traffic as if it's coming from my home. This is also very handy if you are traveling with your laptop and you would like a VPN to wrap everything in. Tailscale does have an option for that as long as you have an exit node among the nodes, and pfSense can act as an exit node by simply checking the box. Now this does not need to accept any routes because this is where the routes are coming from, not going to. So by doing this, we don't have to put in any special outbound NAT rules.
I only had to put in this route that already belongs to this network and say, hey, advertise this route. If I wanted more, you can advertise several different routes. The only thing I really want access to is things on the 192.168.0 network. It's called NSFW LAN. I have a video about setting up pfSense and I've covered why I call it that. But essentially it's my untrusted network of devices where things like, well, as I mentioned here, we have the MB server or the TrueNAS server. Now let's talk about pinging that server. And this is 192.168.72.110. So this is my little Ubuntu lab server. It's actually remote. It is not local to me. You can see it's not a 10-dot network, and this network exists actually over at my office, and Tailscale is facilitating this individual device connecting through the Tailscale coordination server and then getting connected to my pfSense and then having access to the routes. So we can do things like pinging 192.168.1.8. Easy enough to ping it, or .30, which is the MB server. Now this is where things get a little tricky and I want to talk about the security concerns of this. If we go under Firewall, then Rules, please note there are no rules here under Tailscale. Let me explain the reason we're able to. We'll go ahead and open up pfTop, and we filter for host 192.168.1.8. And then we're gonna go and ping it again. If we ping 192.168.1.8, you'll see the ICMP packets coming from 192.168.1.1. And the reason why is because the way FreeBSD is gonna handle the routing is it's going to send a packet from the subnet by which there is the most direct path, which is gonna be 192.168.1.1. The routing's being handled internally by pfSense. So by me pinging, even though my origination IP address is this one here, the 192.168.72.110, that IP address isn't going to show up inside of here. That IP address, so if we go back to pinging, is not the source, because it's coming to the pfSense IP address that is attached to Tailscale.
Might be a little confusing, but it's something to think about: the firewall rules do not apply to this traffic because it's handled inside of pfSense in this way. This is where you would need those ACL rules. That being said, what traffic is handled that way? And that traffic's going to be to my pfSense's Tailscale IP, which is 192.196.1. If I try to ping it, there's no response. If I were to try to get to the web interface, there's no response. So let's go ahead and add a rule under Tailscale here. Gonna add: pass, pass, any. So just let it all go through. This is a wide-open rule here. We're gonna hit apply, go back over here, and now we can ping. It's as simple as that. The control it does have is over whether or not you're able to do something with Tailscale within that IP address. Like, for example, the web admin interface is technically now accessible. So if we change this, and we don't have a browser on this system, but if we did this on 10443, well, I have access to it now. So now I'm actually able to, from all the other Tailscale nodes, get into the web interface of pfSense. Maybe not ideal, because they don't need access to that. So we're gonna go ahead and shut that down so it doesn't need any rules for this scenario, but I can still get to 192.168.1.8. So as I said, it's coming out and routing as the pfSense. Now from an ease-of-use standpoint, hands down, Tailscale is just simple. It's probably the easiest; if you follow Christian's video on setting up site-to-site, which is just adding those couple of outbound NAT rules and dropping in Tailscale, I've never set up a site-to-site VPN so fast. It just makes it really easy to do, especially because if you wanna add things like a phone in the middle of it to also communicate with the devices, well, advertise the routes on both sides and add your phone. And now the phone could actually talk to both sides of those pfSenses, provided none of the routes conflicted with each other.
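The point above, that pfSense's own firewall rules do not govern traffic routed through the subnet router and that this control lives in Tailscale's ACLs, as an added example policy that is not from the video or from Netgate's package: the tailnet's default open rule (in the comment) beside a restricted policy. The tag, group, user address, LAN prefix and port are placeholder values.

```json
// Added example, not from the video or the Netgate package: a Tailscale
// policy file in HuJSON (comments and trailing commas are allowed).
// A new tailnet starts with a single open rule, which is what the video
// describes as "all these rules are open":
//   {"action": "accept", "src": ["*"], "dst": ["*:*"]}
// Once an "acls" list is present, anything it does not accept is denied.
// tag:pfsense, group:roaming, group:netadmins, the addresses and the
// port are placeholders for this illustration.
{
  // Only tailnet admins may apply tag:pfsense to a node; the tag itself is
  // set through the "Tags" option on the auth key shown in the video.
  "tagOwners": {
    "tag:pfsense": ["autogroup:admin"],
  },

  "groups": {
    "group:roaming":   ["phone-user@example.com"],
    "group:netadmins": ["admin-user@example.com"],
  },

  "acls": [
    // Roaming devices may reach hosts on the LAN the pfSense subnet
    // router advertises. pfSense still emits this traffic from its own
    // LAN address (as seen in pfTop), so this rule, not a pfSense
    // firewall rule on the Tailscale interface, is the access control.
    {
      "action": "accept",
      "src":    ["group:roaming"],
      "dst":    ["192.168.0.0/24:*"],
    },
    // Only network admins may reach the pfSense node's own Tailscale
    // address, and only on the web UI port used in the video. Everyone
    // else is denied here, so even a wide-open pass rule on pfSense's
    // Tailscale interface would not expose the admin interface to the
    // rest of the tailnet.
    {
      "action": "accept",
      "src":    ["group:netadmins"],
      "dst":    ["tag:pfsense:10443"],
    },
  ],

  // Policy tests are checked when the policy is saved; a failing test
  // rejects the change, so intent is verified before it goes live.
  "tests": [
    {
      "src":    "phone-user@example.com",
      "accept": ["192.168.0.8:22"],
      "deny":   ["tag:pfsense:10443"],
    },
  ],
}
```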
So that would be a different problem to sort out; as long as you have completely separate subnets on all the pfSenses, then yes, it's not just site to site, but site to site to site to site, a hub-and-spoke setup, if you'd like. There's a lot of opportunity and a lot of options here. So I'm really happy they integrated Tailscale in here. I will work on, if there's enough comments down below about it, doing a Headscale video; I kind of wanna dive into it. I really like the way Headscale works. It's quite simple because it doesn't need to join in, and neither does Tailscale, by the way. The routing that's being done is between the devices. It only goes into relay mode, where the traffic, still encrypted with a WireGuard tunnel, would pass through the external server, under the circumstance where there's no way it could negotiate any of the UDP hole punching that is essentially used in order to get the devices talking to each other. But even without opening any ports, all this works extremely smoothly. And I've talked before, and I dove into it in the other videos as I mentioned, about how UDP hole punching works. And I highly, highly recommend you read the entire NAT section of Tailscale because it explains all the different varied versions of NAT networking, not as it relates to Tailscale, but just how NAT works in general. And it's actually a great lesson, I think, in network engineering, and just a wonderful read for those of you who go, I wonder how NAT works, and I wonder about all the little different facets, or how do you deal with something when it's double or triple NATed and behind CGNAT, or what if two devices were behind CGNAT, could it work? Tailscale is a solution for even devices that are on CGNAT, where it can see the coordination server and still talk. And this is still functional inside of pfSense. And it's basically the full-feature Tailscale client on there. And whether you use Headscale or Tailscale, it does work.
So leave your comments down below or head over to the forums for a more in-depth discussion. And thank you for making it all the way to the end of this video. If you've enjoyed the content, please give us a thumbs up. If you would like to see more content from this channel, hit the subscribe button and the bell icon. If you'd like to hire us for a short project, head over to lawrencesystems.com and click the Hire Us button right at the top. To help this channel out in other ways, there's a join button here for YouTube and a Patreon page where your support is greatly appreciated. For deals, discounts and offers, check out our affiliate links in the description of all of our videos, including a link to our shirt store where we have a wide variety of shirts that we sell, and designs come out, well, randomly. So check back frequently. And finally our forums, forums.lawrencesystems.com, is where you can have a more in-depth discussion about this video and other tech topics covered on this channel. Thanks again for watching, and I look forward to hearing from you.