Introduction

Tailscale is a virtual private network (VPN) service that lets you securely and easily reach your devices and applications from anywhere in the world. It uses the open-source WireGuard protocol for secure, direct communication, so that only devices inside your private network can establish connections with each other.

The Tailscale client software can be installed on many operating systems, including Linux, Windows, macOS, Android, iOS, OPNsense, pfSense and others. It is used to establish connections between devices inside the secure Tailscale mesh network. Compared with a typical WireGuard server setup, Tailscale's advantage is that no port forwarding is required.

OPNsense and Tailscale are powerful networking tools that offer significant benefits to network users. By joining OPNsense to a Tailscale private network, you can reach not only specific devices but also any other network device that is reachable through the advertised routes.

Installing Tailscale

1. Install from a custom repository

Enter the OPNsense shell and run the following command to add the custom repository:

fetch -o /usr/local/etc/pkg/repos/mimugmail.conf https://www.routerperformance.net/mimugmail.conf

Then run the following command to install tailscale:

pkg update && pkg install tailscale

As shown in the figure below:

2. Install from the ports tree

Enter the OPNsense shell and run the following command to download and update the ports tree:

opnsense-code ports

You should see output similar to the following:

Updating OPNsense repository catalogue...
OPNsense repository is up to date.
Updating SunnyValley repository catalogue...
SunnyValley repository is up to date.
All repositories are up to date.
The following 2 package(s) will be affected (of 0 checked):
New packages to be INSTALLED:
git: 2.44.0 [OPNsense]
p5-Error: 0.17029 [OPNsense]
Number of packages to be installed: 2
The process will require 24 MiB more space.
4 MiB to be downloaded.
[1/2] Fetching p5-Error-0.17029.pkg: 100% 27 KiB 27.5kB/s 00:01
[2/2] Fetching git-2.44.0.pkg: 100% 4 MiB 2.2MB/s 00:02
Checking integrity... done (0 conflicting)
[1/2] Installing p5-Error-0.17029...
[1/2] Extracting p5-Error-0.17029: 100%
[2/2] Installing git-2.44.0...
===> Creating groups.
Creating group 'git_daemon' with gid '964'.
===> Creating users
Creating user 'git_daemon' with uid '964'.
[2/2] Extracting git-2.44.0: 100%
=====
Message from git-2.44.0:
--
If you installed the GITWEB option please follow these instructions:
In the directory /usr/local/share/examples/git/gitweb you can find all files to make gitweb work as a public repository on the web.
All you have to do to make gitweb work is:
1) Please be sure you're able to execute CGI scripts in
/usr/local/share/examples/git/gitweb.
2) Set the GITWEB_CONFIG variable in your webserver's config to
/usr/local/etc/git/gitweb.conf. This variable is passed to gitweb.cgi.
3) Restart server.
If you installed the CONTRIB option please note that the scripts are
installed in /usr/local/share/git-core/contrib. Some of them require
other ports to be installed (perl, python, etc), which you may need to
install manually.
Cloning into '/usr/tools'...
remote: Enumerating objects: 12943, done.
remote: Counting objects: 100% (1332/1332), done.
remote: Compressing objects: 100% (442/442), done.
remote: Total 12943 (delta 812), reused 1085 (delta 762), pack-reused 11611
Receiving objects: 100% (12943/12943), 10.85 MiB | 1.66 MiB/s, done.
Resolving deltas: 100% (8062/8062), done.
Already on 'master'
Your branch is up to date with 'origin/master'.
Cloning into '/usr/ports'...
remote: Enumerating objects: 2047712, done.
remote: Counting objects: 100% (40869/40869), done.
remote: Compressing objects: 100% (30934/30934), done.
remote: Total 2047712 (delta 9701), reused 38417 (delta 9483), pack-reused 2006843
Receiving objects: 100% (2047712/2047712), 544.18 MiB | 2.43 MiB/s, done.
Resolving deltas: 100% (993993/993993), done.
Updating files: 100% (158731/158731), done.
Already on 'master'
Your branch is up to date with 'origin/master'.

Run the following command to change the working directory:

cd /usr/ports/security/tailscale

Run the following command to build and install Tailscale:

make install

A successful installation shows output similar to the following:

===> Staging for tailscale-1.60.1_1
===> tailscale-1.60.1_1 depends on package: ca_root_nss>0 - found
===> Generating temporary packing list
for t in ./cmd/tailscale ./cmd/tailscaled; do dst=$(echo ${t} | /usr/bin/sed -Ee 's/^[^:]*:([^:]+).*$/\1/' -e 's/^\.$/tailscale/'); src=$(/usr/bin/basename ${dst}); case ${dst} in /*) dst=/usr/obj/usr/ports/security/tailscale/work/stage${dst}; /bin/mkdir -p $(/usr/bin/dirname ${dst}) ;; *) dst=/usr/obj/usr/ports/security/tailscale/work/stage/usr/local/bin/${src} ;; esac; echo "===> Installing ${src} as ${dst}"; install -s -m 555 /usr/obj/usr/ports/security/tailscale/work/bin/${src} ${dst}; done
===> Installing tailscale as /usr/obj/usr/ports/security/tailscale/work/stage/usr/local/bin/tailscale
===> Installing tailscaled as /usr/obj/usr/ports/security/tailscale/work/stage/usr/local/bin/tailscaled
====> Compressing man pages (compress-man)
===> Staging rc.d startup script(s)
===> Installing for tailscale-1.60.1_1
===> Checking if tailscale is already installed
===> Registering installation for tailscale-1.60.1_1
Installing tailscale-1.60.1_1...

Configuring Tailscale

1. Enable start at boot

service tailscaled enable

2. Start tailscale

service tailscaled start

3. Obtain the login link and configure routing

tailscale up

Copy the displayed URL, open it in a browser, and sign in to the Tailscale admin console with a Google or Microsoft account to authenticate.

4. Enable subnet routing

In the OPNsense shell, run the following command to enable subnet routing (the subnet is the OPNsense LAN network):

tailscale up --accept-routes=true --accept-dns=false --advertise-routes=192.168.20.0/24

In the Tailscale admin console, click the more icon at the right of the device entry in the device list, disable key expiry, and enable the subnet routes. Note that a device whose key never expires stays authorized until you revoke it, so remove it from the tailnet promptly if the firewall is decommissioned.
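As an added example (not code from the original article), the following POSIX shell script validates the route list before it reaches `tailscale up`, emits the exact argument set used above, and confirms that `service tailscaled enable` took effect. It assumes the FreeBSD rc.conf layout that OPNsense uses and treats 192.168.20.0/24 as the article's LAN subnet.

```shell
#!/bin/sh
# Added example, not from the original article: pre-flight checks for the
# subnet-router steps above. Assumes a FreeBSD-style /etc/rc.conf and the
# tailscale CLI on OPNsense; 192.168.20.0/24 is the article's LAN subnet.

# Validate a dotted-quad IPv4 CIDR (a.b.c.d/n) using only shell builtins.
valid_cidr() {
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Build the `tailscale up` arguments for a subnet router. Malformed routes
# and the default route are refused: exposing 0.0.0.0/0 is the exit-node
# feature (--advertise-exit-node), not a LAN subnet.
tailscale_up_args() {
    routes=""
    for r in "$@"; do
        valid_cidr "$r" || { echo "bad route: $r" >&2; return 1; }
        [ "$r" != "0.0.0.0/0" ] || { echo "refusing default route" >&2; return 1; }
        routes="${routes:+$routes,}$r"
    done
    [ -n "$routes" ] || return 1
    # --accept-dns=false keeps OPNsense's resolver in charge of LAN clients
    # instead of letting MagicDNS rewrite the firewall's DNS settings.
    echo "up --accept-routes=true --accept-dns=false --advertise-routes=$routes"
}

# Confirm `service tailscaled enable` took effect: on FreeBSD it writes
# tailscaled_enable="YES" into the rc.conf file passed as $1.
rc_enabled() {
    grep -Eq '^tailscaled_enable="?(YES|yes)"?$' "$1"
}

# Live checks run only when the script is invoked with --check.
if [ "${1:-}" = "--check" ]; then
    rc_enabled /etc/rc.conf || echo "tailscaled is not enabled in /etc/rc.conf" >&2
    [ "$(sysctl -n net.inet.ip.forwarding)" = 1 ] || echo "IPv4 forwarding is off" >&2
    tailscale_up_args 192.168.20.0/24
fi
```

Run it as `sh check.sh --check` on the firewall; without `--check` it only defines the functions, so it can be sourced from other scripts.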


Adding a Tailscale interface

Go to the OPNsense web interface and add a Tailscale interface. For the interface address, enter the address assigned by Tailscale. Check the "Prevent interface removal" option.

Adding firewall rules

On the Tailscale interface tab, add an any-to-any rule. Such a rule admits every device in the tailnet; once connectivity is confirmed, narrow it to the hosts and ports that actually need access.

10. Install and enable the UPnP plugin

Adding an outbound rule

Change automatic outbound NAT to hybrid or manual outbound NAT, and add an outbound mapping rule for Tailscale.

Testing the connection

Ping the OPNsense firewall from a remote node:

Ping the remote node from the OPNsense firewall:

Ping the remote node from a client behind the OPNsense firewall:

The configuration is now complete.

Note: if clients behind the firewall cannot connect to remote clients, enable the UPnP and NAT-PMP settings and check the "Allow NAT-PMP port mapping" option. See here for the detailed reason.
