meroxdotdev
diff --git a/‎_config.yml‎
Lines changed: 6 additions & 6 deletions b/‎_config.yml‎
Lines changed: 6 additions & 6 deletions
diff --git a/‎_data/locales/en.yml‎
Lines changed: 91 additions & 0 deletions b/‎_data/locales/en.yml‎
Lines changed: 91 additions & 0 deletions
diff --git a/‎_posts/2024-04-06-tailscale-site-to-site.md‎
Lines changed: 143 additions & 0 deletions b/‎_posts/2024-04-06-tailscale-site-to-site.md‎
Lines changed: 143 additions & 0 deletions
@@ -9,12 +9,12 @@ theme: jekyll-theme-chirpy
 lang: en
 
 # Change to your timezone › https://kevinnovak.github.io/Time-Zone-Picker
-timezone:
+timezone: Europe/Bucharest
 
 # jekyll-seo-tag settings › https://github.com/jekyll/jekyll-seo-tag/blob/master/docs/usage.md
 # ↓ --------------------------
 
-title: Merox # the main title
+title: merox.dev # the main title
 
 tagline: Insights from my tech journey—homelab to real-world IT. # it will display as the subtitle
 
@@ -59,7 +59,7 @@ webmaster_verifications:
 # Web Analytics Settings
 analytics:
   google:
-    id: # fill in your Google Analytics ID
+    id: RXSCNFY5WZ
   goatcounter:
     id: # fill in your GoatCounter ID
   umami:
@@ -109,10 +109,10 @@ toc: true
 
 comments:
   # Global switch for the post-comment system. Keeping it empty means disabled.
-  provider: # [disqus | utterances | giscus]
+  provider: disqus # [disqus | utterances | giscus]
   # The provider options are as follows:
   disqus:
-    shortname: # fill with the Disqus shortname. › https://help.disqus.com/en/articles/1717111-what-s-a-shortname
+    shortname: merox
   # utterances settings › https://utteranc.es/
   utterances:
     repo: # <gh-username>/<repo>
@@ -181,7 +181,7 @@ defaults:
       toc: true # Display TOC column in posts.
       # DO NOT modify the following parameter unless you are confident enough
       # to update the code of all other post links in this project.
-      permalink: /posts/:title/
+      permalink: /blog/:title/
   - scope:
       path: _drafts
     values:
 
@@ -0,0 +1,91 @@
+# The layout text of site
+
+# ----- Commons label -----
+
+layout:
+  post: Post
+  category: Category
+  tag: Tag
+
+# The tabs of sidebar
+tabs:
+  # format: <filename_without_extension>: <value>
+  home: Home
+  categories: Categories
+  tags: Tags
+  archives: Archives
+  about: About
+
+# the text displayed in the search bar & search results
+search:
+  hint: search
+  cancel: Cancel
+  no_results: Oops! No results found.
+
+panel:
+  lastmod: Recently Updated
+  trending_tags: Trending Tags
+  toc: Contents
+
+copyright:
+  # Shown at the bottom of the post
+  license:
+    template: This post is licensed under :LICENSE_NAME by the author.
+    name: CC BY 4.0
+    link: https://creativecommons.org/licenses/by/4.0/
+
+  # Displayed in the footer
+  brief: Some rights reserved.
+  verbose: >-
+    Except where otherwise noted, the blog posts on this site are licensed
+    under the Creative Commons Attribution 4.0 International (CC BY 4.0) License by the author.
+
+meta: „Sutor, ne ultra crepidam”
+
+not_found:
+  statement: Sorry, we've misplaced that URL or it's pointing to something that doesn't exist.
+
+notification:
+  update_found: A new version of content is available.
+  update: Update
+
+# ----- Posts related labels -----
+
+post:
+  written_by: By
+  posted: Posted
+  updated: Updated
+  words: words
+  pageview_measure: views
+  read_time:
+    unit: min
+    prompt: read
+  relate_posts: Further Reading
+  share: Share
+  button:
+    next: Newer
+    previous: Older
+    copy_code:
+      succeed: Copied!
+    share_link:
+      title: Copy link
+      succeed: Link copied successfully!
+
+# Date time format.
+# See: <http://strftime.net/>, <https://day.js.org/docs/en/display/format>
+df:
+  post:
+    strftime: "%b %e, %Y"
+    dayjs: "ll"
+  archives:
+    strftime: "%b"
+    dayjs: "MMM"
+
+# categories page
+categories:
+  category_measure:
+    singular: category
+    plural: categories
+  post_measure:
+    singular: post
+    plural: posts
@@ -0,0 +1,143 @@
+---
+title: Tailscale site-to-site pfSense - Linux
+date: 2024-04-06 10:00:00 +0200
+categories: [Networking, VPN]
+tags: [vpn, security, tutorial, tailscale, pfsense]
+description: Setting up Tailscale site-to-site connection between pfSense and Linux
+image:
+  path: /assets/img/posts/tailscale-pfsense-banner.webp
+  alt: Tailscale Site-to-Site VPN Setup
+---
+
+I've decided to implement monitoring for my homelab through a cloud virtual machine. As cloud provider I've opted for Hetzner, but more on that in a future post.
+
+To enhance the security of this setup, I've chosen to establish the cloud VM from Hetzner as the single entry point to my infrastructure. For this purpose, I've opted to use Tailscale for tunneling, not only for client-to-site but also for site-to-site connectivity.
+
+## Tailscale Site-to-Site Networking
+
+Information provided by Tailscale:
+
+> Use site-to-site layer 3 (L3) networking to connect two subnets on your Tailscale network with each other. The two subnets are each required to provide a subnet router but their devices do not need to install Tailscale. This scenario applies to Linux subnet routers only.
+{: .prompt-info }
+
+> This scenario will not work on subnets with overlapping CIDR ranges, nor with 4via6 subnet routing.
+{: .prompt-warning }
+
+## Network Architecture
+
+In my case, there are two private subnets without any connectivity between them:
+
+- **Subnet 1 - Homelab**: 10.57.57.0/24
+- **Subnet 2 - Cloudlab**: 192.168.57.0/24
+
+IP addresses of the routers for each subnet:
+- **Subnet 1**: 10.57.57.1 (pfSense)
+- **Subnet 2**: 192.168.57.254 (Linux VM)
+
+## Setting up Tailscale on pfSense (Subnet I)
+
+Let's dive into the configuration. Due to pfSense being based on FreeBSD and Tailscale not offering as much support for pfSense as for other platforms, this configuration is a bit trickier.
+
+### Install Tailscale on pfSense
+
+1. Navigate to **System > Package Manager** in the pfSense web interface
+2. Click on the **Available Packages** tab
+3. Search for `tailscale` and click **Install**
+
+### Configure Tailscale on pfSense
+
+Navigate to **VPN > Tailscale**
+
+#### Authentication
+
+1. Copy auth-key from [https://login.tailscale.com/admin/settings/keys](https://login.tailscale.com/admin/settings/keys)
+2. Generate Auth keys
+
+![Tailscale pfSense Configuration](/assets/img/posts/blog-tailscale-pfsense.png){: width="700" height="400" }
+_Tailscale authentication setup in pfSense_
+
+#### Basic Configuration
+
+- ✅ **Enable tailscale**
+- **Listen port**: leave as default
+- ✅ **Accept Subnet Routes**
+- ✅ **Advertise Exit Node** (optional)
+- **Advertised Routes**: 10.57.57.0/24
+
+### Tricky Part: Outbound NAT Rules
+
+Navigate to **Firewall > NAT > Outbound**
+
+#### Configure Outbound NAT Mode
+
+Set to: **Hybrid Outbound NAT**
+
+#### Create Manual Mapping
+
+- **Interface**: Tailscale
+- **Address Family**: IPv4+IPv6
+- **Protocol**: Any
+- **Source Network or Alias**: 10.57.57.0/24
+- **Destination**: Any
+
+> This part is broken from last update [23.09.1] so NAT Alias is missing.
+{: .prompt-warning }
+
+**Workaround**:
+- Translation section:
+  - **Address**: Network or Alias
+  - Put the tailscale IP address: `100.xx.xx.xx/32`
+
+This is how it should look:
+
+![Tailscale pfSense NAT Rules](/assets/img/posts/blog-tailscale-pfsense2.png){: width="700" height="400" }
+_Outbound NAT configuration for Tailscale_
+
+## Configure Tailscale on Linux VM (Subnet II)
+
+### Install Tailscale and Enable Routing
+
+```bash
+# Install tailscale
+curl -sSL https://tailscale.com/install.sh | sh
+
+# Activate routing for IPv4
+echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.conf
+
+# Activate routing for IPv6
+echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.conf
+
+# Apply routing configuration at kernel level
+sudo sysctl -p /etc/sysctl.conf
+```
+
+### Advertise Routes on Linux
+
+On the 192.168.57.254 device, advertise routes for 192.168.57.0/24:
+
+```bash
+tailscale up --advertise-routes=192.168.57.0/24 --snat-subnet-routes=false --accept-routes
+```
+
+**Command explained**:
+- `--advertise-routes`: Exposes the physical subnet routes to your entire Tailscale network
+- `--snat-subnet-routes=false`: Disables source NAT. In normal operations, a subnet device will see the traffic originating from the subnet router. This simplifies routing, but does not allow traversing multiple networks. By disabling source NAT, the end machine sees the LAN IP address of the originating machine as the source
+- `--accept-routes`: Accepts the advertised route of the other subnet router, as well as any other nodes that are subnet routers
+
+## Enable Subnet Routes from Admin Console
+
+> This step is not required if using autoApprovers.
+{: .prompt-info }
+
+1. Open the **Machines** page of the admin console
+2. Locate the devices configured as subnet routers (look for the **Subnets** badge or use the `property:subnet` filter)
+3. For each device, click the ellipsis icon menu and select **Edit route settings**
+4. In the Edit route settings panel, approve the device
+
+> The Tailscale side of the routing is complete!
+{: .prompt-tip }
+
+## Credits
+
+- [Tailscale Documentation](https://tailscale.com/kb/1214/site-to-site#step-2-enable-subnet-routes-from-the-admin-console) - Official site-to-site networking guide
+- [Christian McDonald](https://www.youtube.com/watch?v=Fg_jIPVcioY) - Helpful YouTube tutorial on pfSense Tailscale setup