Allow Tailscale Client in access list (opnsense plugin)

Hello!

1. The problem I’m having:

How can I configure OPNsense with the Caddy plugin so that I can only access internal domains (HTTPS via Caddy) from my Tailscale clients? It works with the IP, but not via HTTPS.

It only works if I enter the public IP of my Tailscale client in the access list in Caddy, but it changes from time to time…
Access via the IPs works.

Apparently, OPNsense/Caddy sees the Tailscale client with its public IP and therefore blocks it due to the access list.

2. Error messages and/or full log output:

no error

3. Caddy version:

OPNsense 24.7.11_2 with Caddy plugin 1.7.6

Basic setup:
OPNsense as a VM under Proxmox
OPNsense plugin Tailscale (subnet routes into my home network and exit node)
OPNsense plugin Caddy (followed the Caddy: Reverse Proxy — OPNsense documentation)
OPNsense plugin AdGuard Home + Unbound

4. How I installed and ran Caddy:

Plugin in OPNsense

a. System environment:

OPNsense as a VM in Proxmox

I think I found the solution. It does not work if I use Tailscale as a plugin in OPNsense. It does work when I use another Tailscale exit in my home network.

Thanks a lot for the solution.
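For readers who want the same access-list behaviour in a plain Caddyfile rather than the OPNsense plugin GUI, here is an added example (not from the post or the plugin) that admits only source addresses from Tailscale's own address ranges. The site name `internal.example` and the upstream `192.168.1.10:8080` are placeholders; the ranges 100.64.0.0/10 and fd7a:115c:a1e0::/48 are the ones Tailscale assigns to nodes.

```caddyfile
# Added example, not part of the original post.
# Placeholders: internal.example (site), 192.168.1.10:8080 (upstream).
internal.example {
	# Tailscale nodes get an IPv4 address from the CGNAT block 100.64.0.0/10
	# and an IPv6 address from fd7a:115c:a1e0::/48. Matching on these ranges
	# replaces the ever-changing public IP the post describes.
	@tailnet remote_ip 100.64.0.0/10 fd7a:115c:a1e0::/48

	# Only tailnet sources reach the internal service.
	handle @tailnet {
		reverse_proxy 192.168.1.10:8080
	}

	# Everything else, including a client that arrives with its public IP
	# (the behaviour reported above with the OPNsense Tailscale plugin),
	# is refused.
	handle {
		respond "Forbidden" 403
	}
}
```

This matcher only helps when the request actually arrives at Caddy from the client's tailnet address; if the traffic is translated to the public IP on the way in, as the poster observed, it is denied exactly like the plugin's access list.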