this post was submitted on 05 Mar 2026
23 points (100.0% liked)

Selfhosted

56957 readers
483 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
23
Opnsense, tailscale and headscale (sh.itjust.works)
submitted 7 hours ago by thehamzan6@sh.itjust.works to c/selfhosted@lemmy.world
4 comments fedilink hide all child comments
 

Hey guys, so I've been self hosting for 2 years, making small upgrades until I reached this point where I replaced my router with one of those Chinese fanless firewalls running Intel n150 and running a proxmox homelab.

I am self hosting headscale with many of my buddies connected, including ny own services. Everything was working great until I setup OPNsense.

The firewall was not easy to setup, but after I set it up, I discovered odd behaviors from tailscale.

The firewall was blocking all connections from the ip 100.60.0.0/24, I had to explicitly allow it and change the forewall state to hybrid

What happens is that my LXC containers running tailscale would receive requests from tailscale0 interface but respond via LAN.

Apparently as I understood, consumer routers have assymetric NAT so that works fine, but not with opnsense.

Every guide I read online talks about installing tailscale on the opnsense router directly but I do not want to expose it to the tailscale network.

For now temporarily I set an ip route to tailscale0 and resolved it that way temporarily, but I still cannot get a solution that can help without compromising the firewall.

It's also very cumbersome to do this for 50+ LXC containers over and over, even with running systemd scripts a problem might happen in the future

If you guys have any experience with this it would help a lot.

you are viewing a single comment's thread
view the rest of the comments
[–] thehamzan6@sh.itjust.works 2 points 2 hours ago* (last edited 2 hours ago) (1 children)

It doesn't make sense to me to expose it to the tailnet even with ACL, on opnsense there is a bug where it would request re-authentication on each restart so that's an added negative for me when it comes to adding it.

But what exactly do I benefit from adding the firewall directly part of the tailnet? It's kinda weird when you think about it, this bad boy is the highest tier device where internet comes from and having it to connect to my homelab that depends on it for internet and having the firewall depend on the homelab for tailscale

[–] irmadlad@lemmy.world 1 points 2 hours ago

But what exactly do I benefit from adding the firewall directly part of the tailnet?

Protection of the firewall via it's overlay VPN characteristics, and communication to the server behind the firewall via an encrypted tunnel.

Have you considered using Cloudflare Tunnels/Zero Trust? With Cloudflare Tunnels/Zero trust, you don't need to open or close ports, fiddle with NAT, or any of that. You install it on your server, connect to Cloudflare, it punches a hole for the encrypted tunnel. I personally use Cloudflare Tunnels/Zero Trust. Their free tier is quite generous and has many options like Anti-AI scrapers, etc. The caveat to using Cloudflare Tunnels/Zero Trust is that you have to have a domain name that you can edit the nameservers thereof to Cloudflare's assigned nameservers for obvious reasons. Cloudflare will sell you a domain name, but a lot of people just get a cheapy from NamesCheap or Pork Bun. I got one for less than $5 USD that renews at $15 USD annually.

So, in the scenario that I described in my first response:

modem —>wireless router —> managed switch —> pFsense with Tailscale overlay —> server (separate VLAN) with Tailscale overlay

.....is all done through Cloudflare Tunnels/Zero Trust with Tailscale on the server and Tailscale on the standalone pFsense firewall as an overlay VPN protection. Additionally, Tailscale makes for a very secure, emergency 'backdoor' to your server should you ever screw up and lock yourself out.

on opnsense there is a bug where it would request re-authentication on each restart so that’s an added negative for me when it comes to adding it.

I'll have to defer to someone more experienced with Opnsense.