Headscale on pfS?

chudak

Re: Headscale?

Has anybody successfully setup Headscale on pfS?

TIA

mrpink57

I have headscale setup as a container on my server behind pfS and under authentication I just put the server IP:Port and a auth key created and that was it.

chudak

@mrpink57 said in Headscale on pfS?:

I have headscale setup as a container on my server behind pfS and under authentication I just put the server IP:Port and a auth key created and that was it.

Interesting thx

I’d like to try
But by looking at the UI I don’t see TS allowing multi server setup, unlike OpenVPN and WG

voigon

I don't think TS allows to be connected to multiple tailnets at once (in any of their clients).
You would probably want to use node sharing instead but HS doesn't support it since its single tenant

rcfa

Would be nice if there were a Headscale module, so pfSense could act as the server, just like it can act as server for other VPN types.

chudak

@rcfa said in Headscale on pfS?:

Would be nice if there were a Headscale module, so pfSense could act as the server, just like it can act as server for other VPN types.

My understanding is that you can do it now, just change in TS Authentication/Login Server to HS (from "https://controlplane.tailscale.com")

(fine print: I have not tried it)

rcfa

@chudak I wasn't talking about pfSense USING a headscale server, that it can, but of pfSense actually BEING the headscale server and having all the necessary web UI to configure it.

chudak

@rcfa said in Headscale on pfS?:

@chudak I wasn't talking about pfSense USING a headscale server, that it can, but of pfSense actually BEING the headscale server and having all the necessary web UI to configure it.

Well, IMHO you can install HS on the pfS box or any other box in your network.
Don't see much difference.

But if pfS had such a pre-configured option, I would not mind.

rcfa

@chudak Yes, it's likely possible.

But such "extra installs" won't be backed up with a configuration backup.

So one must document and keep track of all the small manual changes and twists one makes to the system and redo everything from scratch when setting up a new box or when a hw failure forces one to restore from backup.
So a supported HS-server module, which stores all relevant parameters in the configuration one backs up regularly, would significantly increase peace of mind...

...also, since the people writing pfSense are a lot more familiar with security related issues, whenever I modify the standard setup with tweaks, I run an increased risk of introducing security holes. Thus someone familiar with the full system architecture and security model is much less likely to make mistakes in that regard.