WireGuard mesh network using OPNsense

OPNsense is an open source router and firewall platform built using FreeBSD. Tailscale can be installed on an OPNsense platform, joining it to your WireGuard-based mesh network.

OPNsense is a community supported platform for Tailscale. GitHub user @newmy-de provided these instructions.

Perform the following steps as root:

# opnsense-code ports
# cd /usr/ports/security/tailscale
# make install
# service tailscaled enable
# service tailscaled start
# tailscale up

You’ll be asked to authenticate to Tailscale in your browser.

Make sure to run opnsense-code ports again even if you have done so previously, to update the ports tree to current versions. The version of Tailscale in the FreeBSD ports is periodically updated for new releases.

Once started, Tailscale should appear in the list of interfaces in the OPNsense UI. It can be used in firewall rules and other OPNsense functions.

A screenshot of the OPNsense UI

Direct Connections for LAN Clients

As a router/firewall, OPNsense may also be providing Internet connectivity for LAN devices which themselves have a Tailscale client installed. By default the OPNsense outbound NAT rewrites the source port of every outgoing connection and allocates a different mapping per destination. That is an Endpoint-Dependent Mapping, or “hard” NAT, so a remote peer cannot reuse the port it learned from the coordination server to reach the LAN device. As a result, LAN devices have difficulty making direct connections and often fall back to DERP relays.

There are two ways to let OPNsense give devices on the LAN direct connections to remote Tailscale nodes: static NAT port mapping and NAT-PMP.

Static NAT port mapping

By default, OPNsense software rewrites the source port on all outgoing connections to enhance security and prevent direct exposure of internal port numbers.

Enabling Static Port on an outbound NAT rule tells OPNsense to keep the original source port instead of rewriting it. A LAN client sending from UDP port 41641 then appears on the WAN from port 41641 as well, for every destination, which turns the mapping into an endpoint-independent (“easy”) NAT that remote Tailscale peers can connect to directly.

Navigate to Firewall > NAT, Outbound tab. Select Hybrid Outbound NAT rule generation. Click Save. Click ↑ Add to create a new NAT rule at the top of the list, above the automatically generated rules.

Configure the rule to match outbound UDP traffic from your LAN, as shown in the screenshot below. Create two such rules, one with Address Family set to IPv4 and one set to IPv6.

Example Static NAT port mapping configuration in Firewall : NAT : Outbound

Check Static Port in the Translation section of the page. Click Save. Click Apply Changes.

In your tailnet policy file (ACLs), set randomizeClientPort to true. Tailscale clients normally all listen on UDP port 41641; with Static Port enabled, two LAN clients using the same source port would collide on the same external port, and OPNsense would have to rewrite one of them after all. Randomizing the client port gives each device its own external port.

  {
    // ACLs and other configurations
    "randomizeClientPort": true
  }

NAT-PMP

NAT-PMP is a protocol by which LAN clients can ask the firewall to temporarily create port mappings. The Tailscale client uses it to request an external port for its own WireGuard listener, so no manual NAT rules are needed.

Enable the UPnP service and Allow NAT-PMP Port Mapping in Services > Universal Plug and Play, on the LAN interface serving the Tailscale clients. Only NAT-PMP is needed for Tailscale’s use, but enabling UPnP can be helpful for other applications like gaming consoles. Keep in mind that either protocol lets any host on that LAN open inbound mappings on request, so restrict the permitted hosts and port ranges with the UPnP access control list if the LAN is not fully trusted.

Enabling Allow NAT-PMP Port Mapping in Services : Universal Plug and Play : Settings
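After applying either change, check from a LAN client whether the firewall now presents an endpoint-independent mapping and whether peers are actually connected directly. The script below is an added example, not code from Tailscale or the OPNsense project: it parses the JSON printed by the real commands `tailscale netcheck --format=json` and `tailscale status --json`, using the field names of Tailscale's netcheck report and peer status (MappingVariesByDestIP, PMP, UPnP, PCP, CurAddr, Relay, Active). The sample JSON embedded in it is constructed for illustration, not captured from a real tailnet.

```python
"""Check whether LAN Tailscale clients behind OPNsense get direct paths.

Added example, not part of the Tailscale/OPNsense documentation. It reads
the JSON that `tailscale status --json` and `tailscale netcheck --format=json`
print on a LAN client and reports (a) whether the firewall still looks like an
endpoint-dependent ("hard") NAT and whether NAT-PMP/UPnP mappings are offered,
and (b) which peers are reached directly versus through a DERP relay.
"""
import json
import subprocess
from typing import Any, Dict, List, Optional

Json = Dict[str, Any]


def _tri(value: Optional[bool]) -> str:
    # netcheck's tri-state fields serialize as true, false or null (unknown).
    if value is None:
        return "unknown"
    return "yes" if value else "no"


def nat_summary(report: Json) -> Dict[str, str]:
    """Summarize the NAT properties that matter for direct connections."""
    varies = report.get("MappingVariesByDestIP")
    if varies is True:
        nat_kind = "endpoint-dependent (hard) NAT: expect DERP relaying"
    elif varies is False:
        nat_kind = "endpoint-independent NAT: direct connections possible"
    else:
        nat_kind = "unknown (netcheck could not determine mapping behaviour)"
    return {
        "udp": _tri(report.get("UDP")),
        "nat": nat_kind,
        "nat_pmp": _tri(report.get("PMP")),
        "upnp": _tri(report.get("UPnP")),
        "pcp": _tri(report.get("PCP")),
    }


def classify_peers(status: Json) -> Dict[str, str]:
    """Map each peer's hostname to 'direct <addr>', 'relay <region>' or 'idle'.

    Mirrors what `tailscale status` prints: an active peer with CurAddr set has
    a direct path; an active peer without one is going through its DERP relay.
    """
    result: Dict[str, str] = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName") or peer.get("DNSName") or "?"
        if not peer.get("Active"):
            result[name] = "idle"
        elif peer.get("CurAddr"):
            result[name] = f"direct {peer['CurAddr']}"
        else:
            result[name] = f"relay {peer.get('Relay') or '?'}"
    return result


def relayed_peers(status: Json) -> List[str]:
    """Names of active peers currently reached through a DERP relay."""
    return sorted(n for n, v in classify_peers(status).items() if v.startswith("relay"))


# Constructed sample data (not captured from a real tailnet), shaped like the
# real JSON: one peer on a direct path, one on DERP, one without a session.
SAMPLE_STATUS: Json = {
    "Peer": {
        "nodekey:aaaa": {"HostName": "laptop", "Active": True,
                         "CurAddr": "203.0.113.7:41641", "Relay": "nyc"},
        "nodekey:bbbb": {"HostName": "phone", "Active": True,
                         "CurAddr": "", "Relay": "fra"},
        "nodekey:cccc": {"HostName": "nas", "Active": False,
                         "CurAddr": "", "Relay": "nyc"},
    }
}
# Before the OPNsense change: hard NAT, no port-mapping protocol offered.
SAMPLE_NETCHECK_BEFORE: Json = {"UDP": True, "MappingVariesByDestIP": True,
                                "PMP": False, "UPnP": False, "PCP": None}
# After enabling NAT-PMP (or Static Port): mapping no longer varies.
SAMPLE_NETCHECK_AFTER: Json = {"UDP": True, "MappingVariesByDestIP": False,
                               "PMP": True, "UPnP": False, "PCP": None}


def _run_json(args: List[str]) -> Json:
    # Live mode only: runs the real tailscale CLI on the client.
    return json.loads(subprocess.check_output(args, text=True))


if __name__ == "__main__":
    report = _run_json(["tailscale", "netcheck", "--format=json"])
    status = _run_json(["tailscale", "status", "--json"])
    for key, value in nat_summary(report).items():
        print(f"{key:8} {value}")
    for name, path in classify_peers(status).items():
        print(f"{name:20} {path}")
```

Run it on a LAN client, not on the OPNsense box itself: the point is to see the NAT as the client sees it. If MappingVariesByDestIP stays true and PMP stays false after the change, the outbound rule is not matching the client's traffic (check the Address Family and source network), or the UPnP service is not bound to that client's LAN interface.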

Further reading

Setting up subnet routing or acting as an exit node may be of interest for a router using OPNsense.

