Pfsense configure tailscal site to site connection

Tailscale Is a software defined mesh VPN Solution , It makes it easy to create a secure network .Tailscale The data plane is built on a secure and lightweight WireGuard The agreement above , Unlike other solutions , It can realize some powerful functions , For example, automatic key rotation 、NAT Traversal and single sign on with two factor authentication . Similar solutions include Zerotier, Both have their own advantages and disadvantages .

2022 year 7 month 15 Japan ,netgate Officially released for pfSense Of Tailscale Plug in for , Now you can pfSense Experience this powerful function on the firewall .

Here are two different places pfSense Take the firewall to establish a site to site connection as an example , Introduce Tailscale Configuration process .

The software used is ​ ​pfSense plus 22.05 Chinese customized version ​​, A firewall A The subnet of is 192.168.11.0/24, A firewall B The subnet of is 192.168.21.0/24. For the convenience of readers to distinguish , A firewall A Dark theme , A firewall B Light color theme .

A firewall A To configure

Navigate to plug-in management > Available plug-ins , find Tailscale And install . After installation , go to VPN>Tailscale, Go to the authentication tab , Access the address on the login server , Register with an account such as Google or Microsoft Tailscale. After registration , go to tailscale Control panel , In the settings bar , Find the key option , Generate a new key .

​​

Click generate key ：

​​

Copy the generated key to the pre authentication key column ：

Click save .

Go to the Settings tab , Check enable Tailscale, The listening port uses the default value , Select the authorized subnet route , In the announcement routing options , Enter the subnet used by the firewall . Here for 192.168.11.0/24.

Click save... When finished .

Then go to firewall > Rule strategy , stay Tailscale On the tab , Add a rule that allows access to any target, as shown in the following figure ：

​​

go back to Tailscale Control panel , You can see that this firewall is already in the device list . Click the more icons on the right , Disable key expiration .

Click Edit routing settings , Enable subnet routing ：

​​

thus , A firewall A Setup completed .

A firewall B To configure

Configuration process and firewall A identical , Note to generate a new pre authorization key , Enter different firewall subnets .

Disable key expiration , Configure subnet routing .

​​

thus , The firewall configuration on both sides is completed .

test

Firewalls on both sides are mutually ping For terminal network address , Test connectivity .

At the firewall A On ,ping A firewall B Of LAN Address ：

At the firewall B On ,ping A firewall A Of LAN Address ：

​​

There is no problem with the test connection .

Use iperf Ran a speed measurement (300M On 、 Downlink peer-to-peer bandwidth )：

​​

There seems to be no surprise , ha-ha .

Tailscale High order application of , Such as remote outbound , Later on .