os-tailscale ignores Firewall Rules altogether.
Describe the bug
Tailscale traffic is treated as local traffic, separate from the usual interfaces, and firewall rules under the Tailscale interface don't apply at all. Example: I set a pass rule with the source being the Tailscale net, destination !Private_Networks, and the gateway selected was my VPN gateway. Outbound NAT set up on the VPN interface with Tailscale. DNS allow rule to :53 on this firewall. When I then connect to the exit node, I still see my public WAN IP and ISP DNS. I can only reproduce this in the Tailscale interface rules. All my other interfaces with those rules support this and behave as expected.
To Reproduce
Steps to reproduce the behavior:
- Go to 'Tailscale interface rules'
- Add any rule (DNS, gateway policy routing)
- Log the rules while using Tailscale
- They don't see Tailscale at all, bypassing all rules and giving me the default DNS and WAN.
Expected behavior
Tailscale would behave as set in its firewall rules: sending it through a gateway or using my DNS resolver after setting outbound NAT.
Environment
OPNsense 23.7.8 (amd64). Intel® Xeon™ E3-1225V5 3.3GHz Quad Core, Network Intel® I210-AT
The tailscale daemon handles its routing internally. For example, enable SSH in the plugin options and you'll be able to SSH in from any node on the tailnet without allowing it in any firewall rules. OPNsense can't see Tailscale traffic.
I found this thread on reddit which answers your problem: https://www.reddit.com/r/opnsense/comments/1mbs6iq/help_me_understand_how_to_secure_tailscale/ The solution is the following (I pasted it here in case it gets deleted):
I just had the same issue and what worked for me was to disable SNAT (you'll find that under VPN > Tailscale > Settings after enabling the "advanced mode" option) and then set up Outbound NAT rules (Firewall > NAT > Outbound), now that OPNsense has to directly handle the NAT of the Tailscale IPs. With Outbound NAT in Hybrid mode, I added two rules for the IPv4 and IPv6 traffic over Tailscale. For the first rule, for IPv4, keep all the defaults except change Source address to Single Host or Network and enter 100.64.0.0 with 10 as the subnet. For the second rule, if using IPv6, keep all the defaults except change the TCP/IP Version to IPv6 and the Source address to Single Host or Network and enter fd7a:115c:a1e0:: with 48 as the subnet.
The problem is that disabling SNAT also seems to disable subnet routing. So if you have a solution for that I’m interested.
To be honest, not being able to filter Tailscale's traffic kinda defeats the purpose of deploying it on OPNsense... At least for me. If I can't fix this I'd rather deploy Tailscale on a VM on its own virtual interface and then filter that.
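The workaround from the pasted answer together with the rules the report describes, written as an equivalent plain pf.conf fragment. This is an added illustration, not the rules the os-tailscale plugin or OPNsense generates; the interface names, the VPN gateway address and the private-network table are assumptions.

```pf
# Added illustration of the thread's setup as hand-written pf rules.
# NOT the plugin's or OPNsense's generated configuration; names below are assumed.
vpn_if = "wg0"                    # assumed VPN interface used for policy routing
vpn_gw = "10.8.0.1"               # assumed VPN gateway address
ts_if  = "tailscale0"             # assumed tailscaled TUN interface name
ts4    = "100.64.0.0/10"          # Tailscale IPv4 range from the pasted answer
ts6    = "fd7a:115c:a1e0::/48"    # Tailscale IPv6 range from the pasted answer
table <private_nets> { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# Outbound NAT on the VPN interface. Only meaningful once the plugin's own
# SNAT is disabled; otherwise pf never sees the tailnet source addresses.
nat on $vpn_if inet  from $ts4 to any -> ($vpn_if)
nat on $vpn_if inet6 from $ts6 to any -> ($vpn_if)

# DNS from the tailnet to this firewall's own resolver (port 53)
pass in quick on $ts_if proto { tcp udp } from $ts4 to self port 53

# Policy-route all other non-private destinations out through the VPN gateway
pass in quick on $ts_if route-to ($vpn_if $vpn_gw) from $ts4 to !<private_nets>
```

As the thread notes, disabling the plugin's SNAT may also stop subnet routing, so verify that before relying on these rules.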