Routing clients through Tailscale exit node on pfSense
February 04, 2024 - Have a device that needs to use a VPN but has no Tailscale client app? Don't give up just yet! It can still be done using pfSense. To future me, here's how I did it:
This post was written for pfSense 2.7.0-RELEASE and Tailscale 1.44.0; details may differ in other versions of the software.
- First, install Tailscale on pfSense and set it up.
- Next, make Tailscale use an exit node. Go to Diagnostics → Command Prompt and run the following, replacing [TAILSCALE-IP] with the exit node's Tailscale IP:
tailscale up --reset --exit-node [TAILSCALE-IP] --accept-routes false
- Next, set up an interface for Tailscale. Go to Interfaces → Assignments, and:
  - Create a new interface using the tailscale0 network port
  - Set the IPv4 address to the pfSense box's own Tailscale IP with a /10 prefix (the Tailscale 100.64.0.0/10 range)
  - Add a new gateway whose address is the exit node's Tailscale IP, and disable both gateway monitoring and the gateway monitoring action
  - Finally, enable the interface
- Then, create an alias for the devices that are going to use the VPN. Go to Firewall → Aliases and add a new alias containing the IP addresses of the clients that should be routed through the VPN.
- Last, create a firewall rule that routes those devices via the Tailscale exit node. Go to Firewall → Rules and open the tab for the network where the VPN clients live (LAN in this case), then add a new rule with the following configuration:
  - Action: pass
  - Source: Single host or alias, enter the firewall alias name from step 4
  - Extra Options: display advanced, set Gateway to the gateway created in step 3
Now check that the device really is routed through the exit node, using its built-in browser or any other means.
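Beyond the browser check, the following POSIX shell script is an added example (not part of the original post) for verifying from the pfSense shell that the pieces from steps 3 and 5 are actually in place: tailscale0 is up with an address in 100.64.0.0/10, the alias table contains the expected client, and a pass rule policy-routes that alias via tailscale0. Each check reads command output on stdin, so the script also runs offline against the constructed sample outputs embedded in it. The alias name VPN_CLIENTS, the sample addresses and the sample `ifconfig`/`pfctl` text are assumptions made for illustration; the exact print order of pf rule elements varies between pf versions, which is why the rule check matches its two fragments independently.

```shell
#!/bin/sh
# Added example, not from the original post: post-setup sanity checks for the
# Tailscale exit-node routing on pfSense. Run it from the pfSense shell, or
# paste the functions into Diagnostics > Command Prompt. The alias name
# VPN_CLIENTS is an assumption (the post does not name its alias).

# Succeeds if `ifconfig tailscale0` output shows the interface UP with an
# IPv4 address inside 100.64.0.0/10 (the /10 assigned in step 3).
tailscale_if_ok() {
    txt=$(cat)
    flags=$(printf '%s\n' "$txt" | sed -n 's/.*flags=[0-9a-fx]*<\([^>]*\)>.*/\1/p' | head -n 1)
    case ",$flags," in *,UP,*) ;; *) return 1 ;; esac
    addr=$(printf '%s\n' "$txt" | awk '/inet /{print $2; exit}')
    [ -n "$addr" ] && in_cgnat "$addr"
}

# 100.64.0.0/10 spans 100.64.0.0 - 100.127.255.255: first octet 100, second 64..127.
in_cgnat() {
    o1=${1%%.*}
    rest=${1#*.}
    o2=${rest%%.*}
    [ "$o1" = 100 ] && [ "$o2" -ge 64 ] && [ "$o2" -le 127 ]
}

# Succeeds if `pfctl -t ALIAS -T show` output (one address per line) lists HOST.
# Usage: pfctl -t VPN_CLIENTS -T show | alias_has_host 192.168.1.50
alias_has_host() {
    sed 's/^[[:space:]]*//' | grep -qxF "$1"
}

# Succeeds if `pfctl -sr` output has a pass rule that both policy-routes via
# tailscale0 and matches the alias table. Element order differs between pf
# versions, so the two fragments are matched independently.
route_rule_ok() {
    grep '^pass' | grep 'route-to (tailscale0 ' | grep -q "<$1>"
}

# Constructed sample outputs (not captured from a real box) for offline use.
SAMPLE_IFCONFIG_UP='tailscale0: flags=8051<UP,POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280
    inet 100.101.102.103 --> 100.101.102.103 netmask 0xffc00000'
SAMPLE_IFCONFIG_DOWN='tailscale0: flags=8050<POINTOPOINT,RUNNING,MULTICAST> metric 0 mtu 1280'
SAMPLE_TABLE='   192.168.1.50
   192.168.1.51'
SAMPLE_RULES='pass in quick on igb1 route-to (tailscale0 100.102.103.104) inet from <VPN_CLIENTS> to any flags S/SA keep state label "USER_RULE"
pass in quick on igb1 inet from 192.168.1.0/24 to any flags S/SA keep state label "USER_RULE: Default allow LAN"'

# Runs every check against the constructed samples, including the cases that
# must fail; returns 0 only when all outcomes are as expected.
self_test() {
    printf '%s\n' "$SAMPLE_IFCONFIG_UP" | tailscale_if_ok || return 1
    if printf '%s\n' "$SAMPLE_IFCONFIG_DOWN" | tailscale_if_ok; then return 1; fi
    printf '%s\n' "$SAMPLE_TABLE" | alias_has_host 192.168.1.50 || return 1
    if printf '%s\n' "$SAMPLE_TABLE" | alias_has_host 192.168.1.99; then return 1; fi
    printf '%s\n' "$SAMPLE_RULES" | route_rule_ok VPN_CLIENTS || return 1
    if printf '%s\n' "$SAMPLE_RULES" | route_rule_ok OTHER_ALIAS; then return 1; fi
    return 0
}

# Runs the same checks against the live system. On pfSense: run_live_checks VPN_CLIENTS
run_live_checks() {
    alias=${1:-VPN_CLIENTS}
    if ifconfig tailscale0 2>/dev/null | tailscale_if_ok; then
        echo "ok: tailscale0 is up with a 100.64.0.0/10 address"
    else
        echo "FAIL: tailscale0 is down or has no Tailscale address"
    fi
    if pfctl -sr 2>/dev/null | route_rule_ok "$alias"; then
        echo "ok: a pass rule policy-routes <$alias> via tailscale0"
    else
        echo "FAIL: no pass rule routes <$alias> via tailscale0"
    fi
    # The peer currently used as exit node is tagged "exit node" in tailscale status.
    tailscale status 2>/dev/null | grep -i 'exit node' || echo "note: tailscale status reports no exit node in use"
}

if [ "$(uname -s)" = FreeBSD ] && command -v pfctl >/dev/null 2>&1; then
    run_live_checks "$@"
else
    self_test && echo "constructed-sample self-test passed"
fi
```

To confirm that a client's traffic really leaves via the exit node rather than the WAN, run `pfctl -t VPN_CLIENTS -T show | alias_has_host <client-ip>` for the client in question and then, from the client, look up its public address; it should be the exit node's. Because step 3 disables gateway monitoring, pfSense never marks the Tailscale gateway down, so alias traffic keeps being pushed into tailscale0 even if the exit node is unreachable; the expected result is that those clients lose connectivity rather than quietly falling back to the WAN, which is worth confirming on your own box by stopping the exit node and repeating the public-address check.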
Voila! The device is now routed through Tailscale.