I’ve decided to implement monitoring for my homelab through a cloud virtual machine.
As cloud provider I’ve opted for Hetzner, but more on that in a future post.
To enhance the security of this setup, I’ve chosen to establish the cloud VM from Hetzner as the single entry point to my infrastructure. For this purpose, I’ve opted to use Tailscale for tunneling, not only for client-to-site but also for site-to-site connectivity.
Informations provided by tailscale:
In my case, there are two private subnets without any connectivity between them.
Subnet 1 - Homelab: 10.57.57.0/24
Subnet 2 - Cloudlab: 192.168.57.0/24
IP addresses of the routers for each subnet:
Subnet 1 -> 10.57.57.1 ( pfSense )
Subnet 2 -> 192.168.57.254 ( Linux VM )
Setting up Tailscale site-to-site on pfSense Subnet I#
Let’s dive into the configuration. Due to pfSense being based on FreeBSD and Tailscale not offering as much support for pfSense as for other platforms, this configuration is a bit trickier. But let’s see how it looks.
Install tailscale on pfSense#
Navigate to Package Manager: Go to System > Package Manager in the pfSense web interface.
Install Package: Click on the “Available Packages” tab. Search for tailscale and click “Install”.
Configure tailscale on pfSense#
Navigate to Tailscale: VPN -> Tailscale
Authentication#
- Copy auth-key from https://login.tailscale.com/admin/settings/keys
- Generate Auth keys
#
- Check: “Enable tailscale”
- Listen port: leave it as it is
- Check: Accept Subnet Routes
- Optional check: Advertise Exit Node
- Advertised Routes: 10.57.57.0/24
Tricky part: Outbound NAT Rules#
Navigate to Firewall-> NAT-> Outbound
Make sure Outbound NAT Mode is configured to be configured as#
Hybrid Outbound NAT
Create next manual mapping#
- Interface: Tailscale
- Address Family: IPV4+IPV6
- Protocol: Any
- Source Network or Alias: 10.57.57.0/24
- Destination: Any
This part is broken from last update [ 23.09.1 ] so NAT Alias is missing.
Workaround:
- Translation section:
- Address: Network or Alias
- Put the tailscale ip address 100.xx.xx.xx/32
This is how should look like:
Configure tailscale site-to-site on Linux VM Subnet II#
Install tailscale and activate routing:#
1 curl -sSL https://tailscale.com/install.sh | sh #Install tailscale
2 echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf #Activate routing for IPv4
3 echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf #Activate routing for IPv6
4 sudo sysctl -p /etc/sysctl.conf # Apply routing configuration at kernel levelOn the 192.168.57.254 device, advertise routes for 192.168.57.0/24:#
1 tailscale up --advertise-routes=192.168.57.0/24 --snat-subnet-routes=false --accept-routesCommand explained:
–advertise-routes: Exposes the physical subnet routes to your entire Tailscale network.
–snat-subnet-routes=false: Disables source NAT. In normal operations, a subnet device will see the traffic originating from the subnet router. This simplifies routing, but does not allow traversing multiple networks. By disabling source NAT, the end machine sees the LAN IP address of the originating machine as the source.
–accept-routes: Accepts the advertised route of the other subnet router, as well as any other nodes that are subnet routers.
Enable subnet routes from the admin console#
Open the Machines page of the admin console, and locate the devices that you configured as subnet routers. You can look for the Subnets badge in the machines list, or use the property:subnet filter to see all devices advertising subnet routes. For each device that you need to approve, click the ellipsis icon menu at the end of the table, and select Edit route settings. In the Edit route settings panel, approve the device.
Credits#
- 📝 Tailscale - Seamless networking for secure connections.
- 📹 Christian McDonald - YouTube Channel.