In our recent Tailscale tutorials we covered the installation of Headscale on Ubuntu and running Headscale in a Docker container. Tailscale lets you create a private, secure network between devices in your local network, in the cloud and in any other external infrastructure. The mesh you create lets your devices communicate with each other regardless of their physical location. Tailscale is a Zero Trust networking setup built on top of the popular WireGuard VPN protocol.
In this guide we’ll discuss how to integrate your pfSense firewall / router devices into an existing Tailscale or Headscale VPN mesh. pfSense is a firewall and router solution based on FreeBSD with an extensive set of features for building secure networks. The steps in this article work for pfSense running in a virtual machine, on physical hardware or on a Netgate appliance.
Install Tailscale package on pfSense
Log in to your pfSense web portal and go to System > Package Manager > Available Packages.

Search for the “Tailscale” package and install it. When asked to confirm, agree.

The package installation should begin right away.

Wait for the installation to return a success message.

Generate Tailscale Authentication keys
If using native Tailscale, log in to the dashboard and generate an authentication key. Navigate to Settings > Personal Settings > Keys > Auth keys > Generate auth keys.

Give it a descriptive name and configure other options such as expiration and reusability. Then generate the key.

Copy the generated key and store it in a secure location.

For Headscale, generate a pre-authentication key with the following command syntax:
headscale --user <username> preauthkeys create --reusable --expiration 24h
Join pfSense to Tailscale / headscale network
Once the package is installed, a “Tailscale” option should be visible under the VPN tab in your pfSense web portal.

In the “Authentication” section, set the login server and paste the key generated in the Tailscale portal or on the Headscale server. For Headscale users, the login server is the value of server_url in the Headscale configuration, or the proxy domain configured in front of it.

Then go to Settings and enable the Tailscale service.

You can choose the subnets to expose (advertise) on the router. This is an optional setting. Read the Tailscale subnets documentation to learn more.

Under Status you can check connection information. If the configuration was successful you should see “Tailscale is online”.

Verify pfSense connection to Tailscale
In the Tailscale portal, open the Machines tab to see connected machines.

Click on the device to get more details. You can use the three dots to access more configuration options. For example, to configure routes use “Edit route settings”.

Select the subnets that you allowed in pfSense to enable them.

On connected clients the route should now be available. You can test by pinging a device in the subnet. On the client, the routing table shows the advertised subnet (here 192.168.56.0/24) via the Tailscale interface:
$ ip route
default via 172.20.10.1 dev en0
default via link#25 dev utun5
100.64.0.0/10 dev utun5 scope link
100.64.17.26/32 via 100.64.17.26 dev utun5
100.100.100.100/32 dev utun5 scope link
127.0.0.0/8 via 127.0.0.1 dev lo0
127.0.0.1/32 via 127.0.0.1 dev lo0
169.254.0.0/16 dev en0 scope link
172.20.10.0/28 dev en0 scope link
172.20.10.1/32 dev en0 scope link
172.20.10.2/32 dev en0 scope link
192.168.56.0/24 dev utun5 scope link
224.0.0.0/4 dev en0 scope link
224.0.0.0/4 dev utun5 scope link
255.255.255.255/32 dev en0 scope link
255.255.255.255/32 dev utun5 scope link
We recommend reading the official Tailscale guide on pfSense settings to enable direct connections.
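As an added example (not part of the original guide), the following Python script parses the output of `tailscale status --json` taken on a client and checks three things about the pfSense peer: that it is online, that the subnet route was actually approved (it appears in the peer's AllowedIPs rather than only being advertised on pfSense), and that the connection is direct rather than going through a DERP relay. The sample status is constructed, and the JSON field names are taken from the tailscale CLI as I know it; compare them with your own output.

```python
import json
import ipaddress

# Constructed sample of `tailscale status --json` output, trimmed to the fields
# this check reads. Field names follow the tailscale CLI's status output as I
# know it; treat them as an assumption and compare with your own output.
SAMPLE_STATUS = json.dumps({
    "Peer": {
        "nodekey:aa": {
            "HostName": "pfsense",
            "TailscaleIPs": ["100.64.17.26"],
            "AllowedIPs": ["100.64.17.26/32", "192.168.56.0/24"],
            "Online": True,
            "CurAddr": "203.0.113.5:41641",
        },
        "nodekey:bb": {
            "HostName": "nas",
            "TailscaleIPs": ["100.64.17.30"],
            "AllowedIPs": ["100.64.17.30/32"],
            "Online": False,
            "CurAddr": "",
        },
    },
})


def check_subnet_router(status_json, hostname, subnet):
    """Report whether peer `hostname` is online, serves `subnet`, and is reached directly.

    A subnet shows up in a peer's AllowedIPs only after the route has been
    approved by the admin (Tailscale admin console or Headscale), so a route
    that is merely advertised on pfSense is reported as not approved.
    """
    status = json.loads(status_json)
    want = ipaddress.ip_network(subnet)
    for peer in status.get("Peer", {}).values():
        if peer.get("HostName") != hostname:
            continue
        allowed = [ipaddress.ip_network(c) for c in peer.get("AllowedIPs", [])]
        return {
            "found": True,
            "online": bool(peer.get("Online")),
            # usable from this client only if it is covered by AllowedIPs
            "route_approved": any(want.version == n.version and want.subnet_of(n)
                                  for n in allowed),
            # an empty CurAddr means traffic is still going through a DERP relay
            "direct": bool(peer.get("CurAddr")),
        }
    return {"found": False}
```

Against a live client, pass the text of `tailscale status --json` in place of SAMPLE_STATUS.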
More guides to check out:
- How To Install and Configure Tailscale Client on OPNsense
- How To Enable and Start SSH Server on OPNsense
- Install Pi-hole Network Ad Blocker on Debian
Conclusion
Connecting multiple pfSense routers to your Tailscale / Headscale mesh is useful for people working remotely. They can work from home, or from anywhere else, with a secure connection to multiple remote devices across the internet. This gives secure remote access to a home network, or a connection to your cloud instances.