Christian McDonald
Just testing some new equipment...
1:06
3 years ago
Supporting At-Home Learning with Google
55:00
3 years ago
Protecting Windows Server with Duo Free
11:03
3 years ago
Comments
@RobertoRubio-ij3ms 4 days ago
Awesome video mate. Thanks heaps.
@thomashong7 11 days ago
Absolutely the best video on wireguard and pfsense! I have re-watched it several times because your teaching of routing, interface, firewall rules, wireguard config, and how it all relates is explained so clearly and thoroughly. Thank you!
@Ginita12 1 month ago
We missed you and your videos.
@TheK0tYaRa 1 month ago
God dammit man, I always forget AllowedIPs
@JohnFilion 1 month ago
Thanks for putting this video together. Is it still necessary to create the outbound NAT rules? I tried setting this up, and I can't specify "Tailscale address" for the NAT Address. Has the procedure changed, or did I do something wrong?
@John-zs5nw 2 months ago
How do I get the tailscale address option for the NAT address?
@MegaVorian 3 months ago
That's great! But what if I need to access both networks from outside using a WireGuard client? How should I approach this solution?
@danygagnon8446 3 months ago
This is amazing!
@jocelyn-n-tech 3 months ago
Why did you stop making videos??? This one was excellent!
@cheooo07 4 months ago
Great video. Thank you. A tip would be that when working with internet dynamic IP we can use a dynamic DNS for endpoint IP, that way if our public IP changes we should be good establishing the tunnel. I've been using Duck DNS and so far so good.
@dotnetfx40i93 4 months ago
Why pfsense will not control traffic tailscale... WTF, I should trust to tailscale... by fact I will not trust, and by that reason rules on tailscale admin panel will not help me to trust 22:00
@fbifido2 4 months ago
How does one backup & restore Koha database or Koha system itself to restore just in case something happens? How often should one backup?
@fbifido2 4 months ago
Can you do a video on upgrading from Koha 20.5 to 23.11?
@fbifido2 4 months ago
Do you know how to convert WinISIS 1.53 Database into Koha system ???
@fbifido2 4 months ago
Hi, Can you please do an updated setup video of Koha ? Debian 12.5 or/& Ubuntu 24.04 Koha 23.11 with Latest supported versions of ElasticSearch, Plack, Memcached, and MariaDB. Please & Thanks.
@danroberts2055 6 months ago
I'm at my wits' end. I have two pfsense devices: 1. PFSense Plus behind StarLink and 2. PFSense CE behind T-Mobile. I have tailscale running on both with nat rules on both and I can get from the Tmobile device to the StarLink device but I can't get from the StarLink device to the TMobile device. Both show routes correctly in pfsense and both ping using tailscale ping but when I tried to reach the Tmobile router from the StarLink Router I get nothing. HELP! I have scanned the web and watched every YT video I can... don't know what's happening. ... only thing I can think is starlink is a 100. network....$ This doesn't happen if I'm on a phone using tailscale and try to get to either. I can get to both via my phone, just not from the starlink device to the tmobile device.
@PeterNordin 6 months ago
Maybe I'm stupid or I miss something essential. When I try to set up the Hybrid Outbound NAT I stumble on some problem. I set Interface to Tailscale as you showed, I set Source to Network or Alias and insert the subnet of my LAN interface. Then down at Translation when I try to set Address to Tailscale address I can't find it in the dropdown list. I first thought you made an alias, but I see a space. Why can't I see the Tailscale Address under Translation Address?
@nathansalt5765 6 months ago
I have the same problem. Under routes the Tailscale subnets show up there but the gateway is listed as link# and not tailscale. So there is no tailscale gateway to point to
@RafedwinAbreu 6 months ago
Use network or alias and put the tailscale ip address 100.xx.xx.xx it should work fine.
@PeterNordin 6 months ago
@RafedwinAbreu thanks, and what subnet mask to use, /24 /32
@kimsvalkvist3161 6 months ago
nice.. helped a lot to get my head around this topic!
@allaboutcomputernetworks 7 months ago
Excellent video.....👍
@inside0ut 7 months ago
THE BEST WireGuard video on RU-vid. Not only does everything get explained perfectly, but the walkthrough was the only one to get it working for me.
@darkenaxe 7 months ago
You are a very good teacher! Thank you for this.
@manofwar9307 7 months ago
For anyone following this guide still, make sure you use different listening ports for each tunnel. When you make the config file, after generating the private key, you should be able to enter a custom listening port by clicking "advanced settings." If you don't use different listening ports, one of the tunnel gateways will remain offline.
@vlaktorbb 8 months ago
Thanks for this awesome in-depth video. But how can you ping devices on the tailscale network from behind the pfSense? I tried to set up an outbound NAT rule but the nat alias is missing. I've tried to set it up via a network alias, but this isn't working sadly. Seems this part is broken in the latest 23.09.1 update.
@RafedwinAbreu 7 months ago
Use network or alias and put the tailscale ip address 100.xx.xx.xx it should work fine.
@briane9729 8 months ago
Fantastic Guide! and with well delivered insights into the workings of pfsense and the pitfalls one could encounter. Thank you for all your hard work creating the wireguard package and this great video!
@Hi5ist 8 months ago
Great video! Still having something wrong... If I test with ping in the pfsense diagnostic tool it works perfect, but it doesn't work if I do ping from my PC. I do research with no success, do you have some clue?
@mistakek 8 months ago
24:57 I couldn't do this part. When I went to NAT, select hybrid, and then create the mapping, on the interface, I could select Mullvad(interface group), but for the Translation Address the option to select the interface address wasn't there, so I just had to create 2 maps, 1 for each of the tunnels but still using Mullvad(interface group) for the interface, and use each Mullvad interface for the translation address. It works, just annoying to have to create 2 mappings per vlan
@Djinn112 8 months ago
@Christian McDonald We haven't seen any updates to WireGuard in a long time. Could you please provide information on the current status? Are you still actively working on it??
@ko_3x335 8 months ago
Thanks for this video. It helped a lot to understand the basics of wireguard and to finish my project.
@systemofapwne 9 months ago
Wait a minute: Aren't you supposed to add "Site 2"-IPs to the "Site 1 AllowedIPs" in order to make sure, that "When calling an IP in the range of Site2 on Site 1, it goes through the tunnel"? At around 19:00, you add "Site 1 IPs" to the "Allowed IPs" of "Site 1". Nevermind: I skipped over your explanation that "white theme = Site 1 & dark theme = Site 2". You did all correct and I was just confused/skipped too much.
@andersostlund 9 months ago
Excellent!
@nodd85 9 months ago
Awesome video. I used this setup for a WireGuard VPN connection from my phone to my home, and my mobile laptop to my home. When I connect to my home via the wireguard vpn from my laptop, on the interface statistics widget I get around 20-40 "errors out" per minute. I don't get the same result when connecting via wireguard vpn from my phone, that doesn't give me any "errors out" on the interface statistics widget on the dashboard. The connection works from my laptop, but I'm not sure why I'm getting these errors. Running the VPN for about a half hour gives me 1000 "errors out." Any idea where I can start to try and fix this?
@StefanWeichinger 9 months ago
Is the Outbound NAT rule still necessary or maybe set under the hood by the package already? testing this in dec-2023 and I can't even choose "Tailscale address" as NAT interface in a new Outbound NAT rule. Trying to route to a subnet connected via IPSEC ...
@8095945088 9 months ago
Use network or alias and put the tailscale ip address 100.xx.xx.xx it should work fine.
@LordDemonos 9 months ago
Every time I break Wireguard I come back and this video helps me fix it. Thanks again!!
@geepriest 10 months ago
brilliant stuff...but how do I access shared resources on my LAN via hostname and not IP
@wawesh254 10 months ago
Amazing video. Keep up the great work!
@mikeclites8407 10 months ago
Two years later and your effort is still paying off. Thank you sir. You explained the /32 interface in a way no one else had for me. Much appreciated!
@gdewey1 10 months ago
Seems like on pfsense new version (23.09) you cannot assign NAT translation to Tailscale IP / 32. Anyone experience this or am I missing something? I was able to follow instructions without a problem on the last version
@Jooohn64 10 months ago
same for me :(
@8095945088 9 months ago
did you find any solution for this issue?
@gdewey1 9 months ago
@8095945088 I reported this to netgate and they admit it was a bug that was going to be covered in the next release. The solution is to manually add the 100.x.x tailscale IP /32 to the fields. They released a new update and now it shows tailscale networks but it's wrong, I still need to use a direct (hardcoded) value in the field. Hope this helps.
@Shabba-k2x 2 months ago
Stumbled across a thread on netgate forums, for the latest version you only need to create a wan rule for udp destination port 41641, for any source and any destination (could play about with exact addresses if you want to make more secure). This allowed all my clients roaming to have a direct connection to my home network, especially my jellyfin server for on the go streaming.
@21Lettere 11 months ago
An IPv6 tutorial would be great, maybe with a method to avoid IPv6 traffic leak to the WAN interface instead of going into the VPN tunnel.
@4Covenant 11 months ago
You can do the same scheme but with a third site. greetings
@marktomlinson6922 1 year ago
Great explanation. I have one question for yourself or anyone else reading this: in this site1 to site2 setup, pfsense1 to pfsense2, for a device behind pfsense 1 router, how do you get it to be able to use the DNS from pfsense 2 to resolve and connect to a device behind pfsense 2 router?
@swikkvibes6145 1 year ago
How would I migrate my koha instance from 14 on ubuntu to Koha 23
@dogbreath7777 1 year ago
Excellent video.....finally somebody who explains tunnel routing.....gets a like subscribe bell and a share !!!
@MEConcepcionP 1 year ago
Hey. How can you use a wan failover on one side of the wireguard tunnel?
@gdewey1 1 year ago
Excellent work Chris!! loved your material and detail on the explanation
@sashalexander7750 1 year ago
I would love to see a video with a more complex setup, i.e. failover with two providers while at the same time having site-to-site wireguard vpn and road warrior vpn. Maybe even hub and spoke wireguard VPN setup with failover to two different ISPs.
@jasonc9495 1 year ago
I was following all the way to the firewall rules. I don't have a wireguard remote access tunnel and I got completely lost after this. I'm literally stuck at 22 minutes in.
@jasonc9495 8 months ago
Just an FYI to others. You don't really need to do the firewall rules and it seems to be working fine without it. @22min, your system should be working
@ElvisImpersonator 1 year ago
Excellent tutorial! Had site to site (one site behind double NAT) Tailscale up and running in 30 minutes. Any chance multicast (aka. Bonjour) can be advertised across Tailnet to allow automatic discovery? Maybe with rules or IGMP proxy in pfSense?
@eidodoos 1 year ago
"basic" *me crying in the corner [edit] *frankly speaking, your explanation is amazing. Very detailed. You surely know how things work. Thanks for sharing. I will watch 100 times more
@GrishTech 1 year ago
14:18 - I have a question about this listening port. For some reasons external devices that are behind their own NAT that can't be punched through fail to establish a direct connection with the pfsense firewall, even if I have an allow rule in WAN. However, any devices behind the pfsense firewall can establish a direct connection for inbound attempts. What gives that the pfsense firewall itself is not able to receive inbound direct connection attempts? I tried static port via manual NAT rules, upnp, etc.
@SamMiorelli 1 year ago
Thanks! I was having a heck of a time with wireguard with my iPhones and it was the keepalive tip that helped. Without that on, the iPhones connections are very unstable.