WireGuard mesh network using OPNsense
OPNsense is an open source router and firewall platform built using FreeBSD. Tailscale can be installed on an OPNsense platform, joining it to your WireGuard-based mesh network.
OPNsense is a community supported platform for Tailscale. GitHub user @newmy-de provided these instructions.
Perform the following steps as root:
# opnsense-code ports
# cd /usr/ports/security/tailscale
# make install
# service tailscaled enable
# service tailscaled start
# tailscale up
Make sure to run opnsense-code ports again even if you have done so previously, to update the ports tree to current versions. The version of Tailscale in the FreeBSD ports is periodically updated for new releases.
Once started, Tailscale should appear in the list of interfaces in the OPNsense UI. It can be used in firewall rules and other OPNsense functions.
Direct Connections for LAN Clients
As a router/firewall, OPNsense may also be providing Internet connectivity for LAN devices which themselves have a Tailscale client installed. The NAT implementation in OPNsense is an Endpoint-Dependent Mapping, or “hard” NAT, which means that LAN devices have difficulty making direct connections and often resort to DERP Relays.
Enabling NAT-PMP in OPNsense lets devices on the LAN make direct connections to remote Tailscale nodes. NAT-PMP is a protocol by which LAN clients can ask the firewall to temporarily create port mappings.
To do this, first install the os-upnp plugin in “Firmware > Plugins”.
Then enable the plugin and “Allow NAT-PMP Port Mapping” in “Services > Universal Plug and Play > Settings”. Only NAT-PMP is needed for Tailscale’s use, but enabling UPnP can be helpful for other applications like gaming consoles.
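To confirm that LAN clients actually moved off DERP relays once NAT-PMP is enabled, the following added shell helper (not from the original page or from Tailscale) classifies peers from the text output of tailscale status. It assumes the format where the first line is the local node and each active peer shows either direct <ip:port> or relay "<region>"; the sample lines are constructed placeholders.

```shell
#!/bin/sh
# Added example: summarise peer connectivity from `tailscale status` text output.
# Assumption: the first line is this node itself, and active peers show either
# 'active; direct <ip:port>' or 'active; relay "<region>"'; idle/offline peers show neither.
# Run on a LAN client (or on OPNsense itself) before and after enabling NAT-PMP
# to see whether peers switched from DERP relays to direct paths.

# Constructed sample of `tailscale status` output (addresses and hostnames are placeholders).
SAMPLE_STATUS='100.64.0.1   laptop      user@ linux   -
100.64.0.2   nas         user@ linux   active; direct 203.0.113.10:41641, tx 5120 rx 7200
100.64.0.3   phone       user@ iOS     active; relay "fra", tx 1024 rx 2048
100.64.0.4   desktop     user@ windows idle, tx 100 rx 100
100.64.0.5   buildbox    user@ linux   offline'

# Read status text on stdin; print "<hostname> <direct|relay|idle|offline>" per peer.
classify_peers() {
    awk '
        NR == 1      { next }                      # first line is the local node
        /; direct /  { print $2, "direct";  next }
        /; relay "/  { print $2, "relay";   next }
        / offline/   { print $2, "offline"; next }
                     { print $2, "idle" }
    '
}

# Print only the hostnames still being reached through a DERP relay.
relayed_peers() {
    classify_peers | awk '$2 == "relay" { print $1 }'
}

# Count peers that have a direct path.
direct_count() {
    classify_peers | awk '$2 == "direct" { n++ } END { print n + 0 }'
}

# Demo on the constructed sample; replace with `tailscale status | classify_peers` on a real node.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_STATUS" | classify_peers
fi
```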