Headscale Configuration | NAT-PMP | Policy Routing via Exit Node


Since my ISP was not helpful in providing me with a bridge mode cable router/modem, I decided to set up my own Tailnet via Headscale (open source, self-hosted). So far so good, and I am able to use direct connections for fast speeds to all major devices. However, I have a few questions and it would be great if someone could help me out.


  1. As described in the Tailscale documentation, I have NAT-PMP enabled for direct connections. However, is this a security issue and would it be better to open some ports explicitly (if possible)? It would be great if I could get some explanation on this topic.

  2. Additionally, I would like to know if it is possible to policy route inbound traffic through a Tailscale exit node (with Tailscale I don’t have a Gateway like with WireGuard/OpenVPN). If possible, how would I configure pfSense to do this? Alternatively, I would deploy a WireGuard VPN on the same server and use that one, but that seems redundant and not necessary.

  3. A Headscale user is a real person with their devices, right? Meaning Headscale is for explicitly one Tailnet with multiple users with their own devices. If this is correct, which user should manage my pfSense box (and my friend’s pfSense box) to establish a site-to-site connection?

My idea is this: My phone, laptop, etc. share one username. My pfSense box has a different username. The same goes for my friend’s devices and his pfSense box. This would be up to four users. I separate my devices from my friend’s devices for security and easy ACL rules. Also, my pfSense box and my friend’s pfSense box don’t have to be part of the user’s devices (for example, I don’t want someone using Taildrop with my pfSense box). Does this make sense?

Also, I deployed some exit nodes on public VPS servers which I add to my Tailnet. What user should these exit servers have? Different users or one exit node user?

  4. Additionally, I watched Christian McDonald’s video about Tailscale. He is the package maintainer at Netgate. Sadly, he missed out a bit on explaining which firewall rules should be used to make the usage with Tailscale secure. He mentioned that most of the security restrictions are done via Tailscale’s ACLs on the Headscale server. Nevertheless, which rules should I define?

I probably have more questions, but these are the most important ones.

Thanks for all your kind help!

If you are behind your ISP NAT then you can’t open ports so I am not clear on the question. I have a video on setting up Headscale here: (I think they have since added phone support which was not available when I made this video)

And a pfSense Tailscale video here:

Your questions are not clear, but these videos should give you a better understanding of how it all works.

I know both videos! Great work! What questions aren’t clear?

  1. Is there a way to privacy vpn / policy based route traffic out via Tailscale exit nodes in pfSense? My problem is that I don’t have a Tailscale Gateway (like with WireGuard/OpenVPN) which I can select in the firewall rules.

  2. Do you think NAT-PMP is better than opening a port directly from a security standpoint?

I figured out that the Headscale ACLs aren’t feature complete. This should be noted here and in your next video to avoid unnecessary frustration.

For example the autogroups aren’t supported yet.

  1. Tailscale / Headscale configure the routing policies for exit nodes, not pfSense.
  2. It’s always safer to keep ports closed so NAT is safer.

Thanks for your reply. Honestly, I have learned a lot from your YouTube channel. Not specifically through the videos (which are great!), but more through you pointing me to great projects and helping me develop an interest of my own. Keep up the great work!

  1. I know it is more secure to keep ports closed. My question is more about a comparison between NAT-PMP (in pfSense) vs. directly opening ports without NAT-PMP. Tailscale recommends NAT-PMP in the documentation. On the one hand, you have NAT-PMP, which gives more control to devices on the network, so there are more things that can go wrong, but at least the ports aren’t open when needed. On the other hand, manually opened ports are more controllable, but are always open. Are there other things to consider? What is your opinion?

  2. Is there a fully open source, community developed NAT traversal/overlay network solution? I know Tailscale, which seems to be the most open source option (especially with Headscale). Nebula is not pfSense compatible, is it?

  3. Have you looked at OpenZiti?

  4. Before I run off in the wrong direction, I would also like to double check that an overlay network like Tailscale is the best solution for a site-to-site network and remote access if these networks are on problematic networks (I have changed my ISP and devices several times, but a simple modem or device with working bridge mode is unfortunately not an option). So Tailscale would be the next best thing?

  5. Also, if you don’t know about Tailnet Lock, you should take a look at it. The biggest external/outside threat to any Tailnet is a compromise of the coordination server, which can be avoided with Tailnet Lock (besides a compromised device in the Tailnet itself). Basically, each device will only accept new ones if the information distributed by the coordination server is signed by pre-defined Tailnet devices. Headscale dev likes the idea of implementing this feature as well, but it is not currently on the roadmap.

  6. If you want to make another video about Headscale, please mention that it is not feature complete with Tailscale’s ACLs. This is super frustrating because the Headscale docs point to Tailscale’s ACL docs.

  7. Is it true that there is no way to policy route Tailscale to my exit nodes within my Tailnet for privacy VPN purposes? I added the same server that was my privacy WireGuard server to my Tailnet so that I could continue to use my WireGuard deployment, but for simplicity I would like to drop it.

  8. To double check: For site-to-site functionality, do I need to touch any firewall rules within pfSense regarding Tailscale? Is any form of hardening possible? It seems a little scary to me to just drop it in and control everything through external ACL policies. That way my pfSense box loses protective powers.

Thanks for your help!

  1. Using NAT-PMP allows the system to open the ports up automatically; I prefer to open up ports manually so I know what was done.
  2. Not sure
  3. nope
  4. try things and see what works for you, Tailscale is probably the easiest way.
  5. not sure, have not tested
  6. Tailscale acts as an interface so it has a lot of access to pfSense. I covered the rules in the video