
Use TailScale and pfSense to build a free Software Defined Network (SDN)

TailScale is a Wireguard-based hosted SDN and VPN provider with a per-user, per-device business model. They have a free tier that allows up to three users, each with up to 100 devices, in a device-to-device virtual mesh network. However, TailScale can be leveraged in a system, rather than user, context to provide a fast, free and capable inter-site VPN overlay without the cost and complexity associated with traditional IPSec VPNs or established SDN vendors.

In this instance, a single “user” identity owns up to 100 pfSense router “devices” in a manner invisible to your end users and services. As the administrator of such a system, you get the benefit of advanced security, management and access controls via the TailScale web-based control plane, and a very easy setup process, as described below.

Prerequisites

You will need a pfSense firewall at each WAN site to be connected to your SDN. pfSense is free and open-source software provided by NetGate. Commercially supported pfSense firewalls can be purchased from NetGate (via Amica Networks in the UK), or you can self-build on any AMD64 device.

If your pfSense firewall is not directly connected to the Internet (for example, if NAT’d behind a service-provider hub device) then be sure to forward the ports required for Wireguard to your pfSense router.

The WAN sites to be interconnected must use non-overlapping address ranges, as WireGuard cannot perform 1:1 NAT on a network range in the manner of IPSec.

Create an Identity

TailScale requires at least one federated identity to create a network. I recommend creating a dedicated GitHub user identity specifically for your TailScale account that is not used elsewhere. This way you can record the credentials securely in a centralised location without risking disclosure of access to further data or systems.

Sign up to TailScale

Create a TailScale account using the identity you made in the previous step. This creates your “tail net” SDN range and DNS name space.

Pilot (Optional)

I found it useful at this point to install the TailScale VPN client on some device to explore how it works. You can remove the device from your “tail net” at a later time.

Install the pfSense TailScale package

Log in to the pfSense admin console and install the TailScale package via the System | Package Manager menu.

Configure the pfSense TailScale Package

Within the pfSense VPN menu, there will now be a TailScale option. Configure the TailScale package by selecting this option and filling out the fields with your account information from the TailScale web site.

The Authentication and Settings entries are mostly self-explanatory, but pay special attention to the following in both pfSense and the TailScale interfaces:

  • Advertised routes - this option makes the private networks behind your pfSense firewall reachable from the rest of your network. You probably want to advertise your local networks to make them reachable in this manner.
  • Exit nodes - If you have a requirement to drive all WAN traffic to a central site then set that site as an Exit Node. This is useful if you perform content inspection or other centralised policy enforcement.
  • DNS - By default TailScale will try to automatically manage DNS on your behalf. However, if you have internal DNS servers then you may need to override the default behaviour by driving all DNS traffic to a specific IP address on your LAN.
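Two of the points above are easy to get wrong across several sites: the prerequisite that site address ranges must not overlap, and the list of routes each pfSense router advertises. The following script is an added example (not part of this article or of the TailScale or pfSense software) that checks a site plan before any router is joined. The site names and subnets are constructed sample data; the only external fact it relies on is that TailScale assigns node addresses from the CGNAT range 100.64.0.0/10, which LAN subnets must also avoid.

```python
"""Pre-flight checks for a multi-site pfSense + TailScale plan (added example)."""
import ipaddress

# TailScale allocates tailnet node addresses from this range; LAN subnets
# that collide with it would be unreachable through the overlay.
TAILNET_RANGE = ipaddress.ip_network("100.64.0.0/10")

# Constructed sample plan: site name -> LAN subnets behind that site's pfSense.
# "leeds" deliberately overlaps "london", and "cloud" collides with the tailnet range.
SITES = {
    "london": ["192.168.10.0/24", "10.10.0.0/16"],
    "manchester": ["192.168.20.0/24"],
    "leeds": ["10.10.5.0/24"],
    "cloud": ["100.100.0.0/16"],
}


def parse_plan(sites):
    """Parse every CIDR strictly, so a mistyped host address such as
    192.168.10.1/24 is rejected rather than silently widened to a network."""
    return [
        (site, ipaddress.ip_network(cidr, strict=True))
        for site, cidrs in sites.items()
        for cidr in cidrs
    ]


def find_overlaps(sites):
    """Return (site_a, net_a, site_b, net_b) for every pair of subnets at
    different sites that overlap; WireGuard cannot NAT these apart."""
    entries = parse_plan(sites)
    overlaps = []
    for i, (site_a, net_a) in enumerate(entries):
        for site_b, net_b in entries[i + 1:]:
            if site_a != site_b and net_a.overlaps(net_b):
                overlaps.append((site_a, str(net_a), site_b, str(net_b)))
    return overlaps


def find_tailnet_conflicts(sites):
    """Return (site, net) for subnets that collide with TailScale's own range."""
    return [
        (site, str(net))
        for site, net in parse_plan(sites)
        if net.overlaps(TAILNET_RANGE)
    ]


def advertised_routes(sites, site):
    """Comma-separated value to paste into the pfSense 'Advertised routes'
    field for one site (the same format the tailscale CLI accepts)."""
    return ",".join(str(net) for s, net in parse_plan(sites) if s == site)


def plan_is_clean(sites):
    """True only when no cross-site overlaps or tailnet collisions exist."""
    return not find_overlaps(sites) and not find_tailnet_conflicts(sites)


if __name__ == "__main__":
    for a, na, b, nb in find_overlaps(SITES):
        print(f"OVERLAP: {a} {na} <-> {b} {nb}")
    for site, net in find_tailnet_conflicts(SITES):
        print(f"TAILNET CONFLICT: {site} {net} lies inside {TAILNET_RANGE}")
    for site in SITES:
        print(f"{site}: advertise {advertised_routes(SITES, site)}")
    print("plan clean" if plan_is_clean(SITES) else "fix the plan before joining sites")
```

Run it once with your real site list before installing the package anywhere; renumbering a site's LAN after it has been joined is far more disruptive than fixing the plan up front.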

Repeat for each site on your WAN

Repeat the above procedure at each site you wish to join to your WAN.