OPNsense is an open source router and firewall platform built using FreeBSD. Tailscale can be installed on an OPNsense platform, joining it to your WireGuard-based mesh network.

OPNsense is a community supported platform for Tailscale. GitHub user @newmy-de provided these instructions.

Perform the following steps as root:

# opnsense-code ports
# cd /usr/ports/security/tailscale
# make install
# service tailscaled enable
# service tailscaled start
# tailscale up

You’ll be asked to authenticate to Tailscale in your browser.

Make sure to run opnsense-code ports again even if you have done so previously, to update the ports tree to current versions. The version of Tailscale in the FreeBSD ports is periodically updated for new releases.

Once started, Tailscale should appear in the list of interfaces in the OPNsense UI. It can be used in firewall rules and other OPNsense functions.

Direct Connections for LAN Clients

As a router/firewall, OPNsense may also be providing Internet connectivity for LAN devices which themselves have a Tailscale client installed. The NAT implementation in OPNsense is an Endpoint-Dependent Mapping, or “hard” NAT, which means that LAN devices have difficulty making direct connections and often resort to DERP Relays. To learn how to make direct connections, see the OPNsense and pfSense section in our firewall article.

Further reading

Setting up subnet routing or acting as an exit node may be of interest for a router using OPNsense.