Published: in Videos

Deep Dive: Using OPNsense with Tailscale

By Sam Sheridan - 9th November, 2025

In this post, we’ll take a deep dive into integrating OPNsense with Tailscale. Whether you’re looking to access your OPNsense web interface remotely, use it as an exit node, or reach devices behind your firewall via your tailnet, this guide covers it all.

I’ll also touch on SSH access through Tailscale, along with a few important caveats you’ll want to keep in mind.


What You’ll Learn

By the end of this post, you’ll know how to:

  • Access the OPNsense web interface from your Tailscale tailnet

  • Use OPNsense as an exit node for your devices

  • Access devices behind OPNsense via your tailnet

  • SSH into OPNsense securely through Tailscale


Registering OPNsense with Tailscale

To bring OPNsense into your Tailscale network, we'll first need to create a pre-authentication key (auth key). Since OPNsense can't complete an interactive browser login, this step must be done beforehand.

  1. Go to Tailscale.com and sign in to your Admin Console.

  2. Navigate to Settings → Keys.

  3. Under Auth Keys, click Generate Key.

    • Give it a description (e.g. YouTube Demo – OPNsense).

    • Ensure Reusable is off.

    • Leave Expiry at 90 days.

  4. Click Generate Key and note it down.

Once done, log into your OPNsense dashboard and install the Tailscale plugin:

System → Firmware → Plugins → Show Community Plugins → os-tailscale

After installation, go to VPN → Tailscale → Authentication, paste your pre-auth key, and click Apply.

Then enable Tailscale under VPN → Tailscale → Settings, tick Enable, and apply changes.

Back in your Tailscale admin console, you should now see your OPNsense instance appear under Machines. Don’t forget to disable key expiry to keep it permanently connected.


Registering Your Mobile Device

Next, add your phone to your tailnet by installing the Tailscale app and signing in. Once connected, you’ll see both your phone and OPNsense device listed in Tailscale.

This ensures the two nodes can see each other on the tailnet, but we still need to adjust the OPNsense firewall rules before the phone can actually reach anything on the firewall.


Accessing the OPNsense Web Interface from Tailnet Devices

By default, OPNsense blocks all inbound traffic. To fix this:

  1. Go to Interfaces → Assignments.

  2. Add Tailscale0 (ts0) as a new interface.

  3. Enable it and tick Prevent interface removal.

  4. Save and apply changes.

Next, create a firewall rule to allow Tailscale traffic:

Firewall → Rules → ts0 → Add Rule

  • Action: Pass

  • Interface: ts0

  • Source: Any

  • Destination: This Firewall

  • Protocol: IPv4 TCP

Apply the rule. You should now be able to access your OPNsense web interface via its Tailscale IP address.


Securing the Web Interface

Allowing all tailnet devices access isn’t ideal. Let’s tighten it up:

  1. Go to Firewall → Aliases.

    • Create an alias for web ports:

      • Name: OPNsense_Web_Ports

      • Type: Ports → 80, 443

    • Create another alias for trusted devices, e.g.:

      • Name: ts_sam_phone

      • Content: Your phone’s Tailscale IP.

    • Create a group alias:

      • Name: ts_web_access

      • Content: ts_sam_phone

  2. Update your firewall rule on ts0:

    • Source: ts_web_access

    • Destination: This Firewall

    • Port: OPNsense_Web_Ports

Now only your defined devices can access the OPNsense web UI securely.


Using OPNsense as a Tailscale Exit Node

To route traffic through OPNsense:

  1. Go to VPN → Tailscale → Settings.

  2. Enable Advertise Exit Node and click Apply.

  3. In the Tailscale admin console, approve the exit node under Machines → Edit → Routes → Approve.

Your device should now show OPNsense as an available Exit Node. Once enabled on your device, your traffic will route through your OPNsense gateway.


Advertising Local Subnets

Want to access LAN devices behind OPNsense?

  1. Go to VPN → Tailscale → Settings → Advertised Routes.

  2. Add your LAN subnet, e.g. 192.168.69.0/24.

  3. Apply changes, then approve it in the Tailscale admin panel.

Once approved, you can access any internal device via its local IP — securely through your tailnet.


SSH Access via Tailscale

Under VPN → Tailscale → Advanced, you can enable SSH.

This allows Tailscale-managed SSH access — bypassing OPNsense firewall rules. That’s why it’s hidden under Advanced: if enabled carelessly, every tailnet device could SSH into OPNsense.

Always manage access from within Tailscale’s Access Controls.
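As an added illustration (not from the post, the plugin, or Tailscale's own documentation), here is a tailnet policy file that keeps the web UI and Tailscale SSH limited to tailnet admins while leaving the exit node and the LAN route from the post open to every member. It assumes the OPNsense node has been given the tag `tag:opnsense` in the admin console; the post registers it with an untagged auth key, so that tag is an assumption you would add first.

```json
{
  // Assumption: the OPNsense node carries tag:opnsense (the post's auth key
  // is untagged, so add the tag in Machines → Edit before relying on this).
  "tagOwners": {
    "tag:opnsense": ["autogroup:admin"],
  },

  "acls": [
    // Admins may reach the firewall itself on the web UI ports (the same
    // 80/443 as the OPNsense_Web_Ports alias) and on 22 for the SSH path.
    {"action": "accept", "src": ["autogroup:admin"], "dst": ["tag:opnsense:22,80,443"]},

    // Every member may use OPNsense as an exit node ...
    {"action": "accept", "src": ["autogroup:member"], "dst": ["autogroup:internet:*"]},

    // ... and reach the LAN subnet advertised in the post.
    {"action": "accept", "src": ["autogroup:member"], "dst": ["192.168.69.0/24:*"]},
  ],

  // Tailscale SSH bypasses the OPNsense firewall, so it is gated here instead:
  // admins only, as root, and "check" forces a browser re-authentication
  // every 12 hours before a session is allowed.
  "ssh": [
    {
      "action": "check",
      "src": ["autogroup:admin"],
      "dst": ["tag:opnsense"],
      "users": ["root"],
      "checkPeriod": "12h",
    },
  ],
}
```

With an `acls` section present, anything not listed is denied, so a non-admin phone keeps exit-node and LAN access but cannot open the web UI or SSH into the firewall.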


Dashboard Widget

You can monitor your Tailscale status directly from the OPNsense dashboard.

Go to Lobby → Dashboard → Edit → Add Widget → Tailscale.
You’ll now see connection status, backend state, DNS name, IPs, exit node status, and number of peers.


Advanced Settings Recap

Within VPN → Tailscale → Advanced you’ll find:

  • Advertise Exit Node: Share internet access through OPNsense

  • Use Exit Node: Route OPNsense’s traffic through another node

  • Advertise Routes: Make subnets available to your tailnet

  • Accept Routes: Accept advertised subnets from other nodes

  • Enable SSH: Allow Tailscale-managed SSH access


Wrapping Up

Hopefully, this walkthrough has given you a clear understanding of how to integrate OPNsense with Tailscale, securely access the web interface, and configure routing options such as exit nodes and subnet access.

If you found this guide helpful, please give it a like and consider subscribing to our YouTube channel.

For professional OPNsense consulting, visit SheridanComputers.com.
