Comment on Opnsense, tailscale and headscale
thehamzan6@sh.itjust.works 5 days ago
It doesn’t make sense to me to expose it to the tailnet even with ACL; on OPNsense there is a bug where it would request re-authentication, so that’s an added negative for me when it comes to adding it.
But what exactly do I benefit from adding the firewall directly part of the tailnet?
irmadlad@lemmy.world 5 days ago
Protection of the firewall via its overlay VPN characteristics, and communication to the server behind the firewall via an encrypted tunnel.
Have you considered using Cloudflare Tunnels/Zero Trust? With Cloudflare Tunnels/Zero Trust, you don’t need to open or close ports, fiddle with NAT, or any of that. You install it on your server, connect to Cloudflare, and it punches a hole for the encrypted tunnel. I personally use Cloudflare Tunnels/Zero Trust. Their free tier is quite generous and has many options like anti-AI scrapers, etc. The caveat to using Cloudflare Tunnels/Zero Trust is that you have to have a domain name whose nameservers you can change to Cloudflare’s assigned nameservers, for obvious reasons. Cloudflare will sell you a domain name, but a lot of people just get a cheap one from Namecheap or Porkbun. I got one for less than $5 USD that renews at $15 USD annually.
So, in the scenario that I described in my first response:
modem —> wireless router —> managed switch —> pfSense with Tailscale overlay —> server (separate VLAN) with Tailscale overlay
…is all done through Cloudflare Tunnels/Zero Trust, with Tailscale on the server and Tailscale on the standalone pfSense firewall as overlay VPN protection. Additionally, Tailscale makes for a very secure emergency ‘backdoor’ to your server should you ever screw up and lock yourself out.
I’ll have to defer to someone more experienced with Opnsense.
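For the setup discussed above (firewall and server both on the tailnet, with the firewall's management UI not reachable by every tailnet member), here is an added example of a Tailscale ACL policy that limits who can reach the firewall's admin port. This is not from either poster or from Tailscale's docs; the group name, tags and the admin port 443 are assumptions, and it uses Tailscale's HuJSON policy format as documented in the admin console.

```jsonc
{
  // Only members of this group may own the firewall tag and reach its admin UI.
  "groups": {
    "group:fw-admins": ["alice@example.com"]   // assumed user
  },

  // Tags identify the firewall node and the server node on the tailnet.
  "tagOwners": {
    "tag:firewall": ["group:fw-admins"],
    "tag:server":   ["group:fw-admins"]
  },

  "acls": [
    // Firewall management (assumed to be HTTPS on 443) only from fw-admins.
    {
      "action": "accept",
      "src":    ["group:fw-admins"],
      "dst":    ["tag:firewall:443"]
    },

    // Everyone on the tailnet may reach the server's web service, but
    // nothing on the firewall node itself.
    {
      "action": "accept",
      "src":    ["autogroup:member"],
      "dst":    ["tag:server:443"]
    }
  ],

  // Optional: lock the firewall's SSH to the same admin group, so the
  // emergency 'backdoor' mentioned above is still gated by identity.
  "ssh": [
    {
      "action": "check",
      "src":    ["group:fw-admins"],
      "dst":    ["tag:firewall"],
      "users":  ["root"]
    }
  ]
}
```

Because Tailscale ACLs are default-deny, any tailnet member not listed as a source for `tag:firewall` gets no route to the firewall at all, which is the "with ACL" case the first comment is weighing.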