Tailscale WAN Port and pfSense

[fvultee]

Just curious to get some feedback on a Security Now discussion of an externally facing Tailscale WAN port and pfSense. During the past few episodes, there's been a discussion of the hypothetical security ramifications of a listening Tailscale port on the public facing side of our internet hardware. Since I'm a long time pfSense user and recently installed Tailscale on my pfSense box, I thought I'd look into this as well. My issue is that I can't seem to verify that there is a public facing Tailscale port for incoming connections. With Tailscale installed and running, my WAN interface doesn't indicate that there is an externally accessible open port listening for Tailscale traffic.

Tailscale's own "How does Tailscale Work?" docs say: "For now, suffice it to say that Tailscale uses several very advanced techniques, based on the Internet STUN and ICE standards, to make these connections work even though you wouldn’t think it should be possible. This avoids the need for firewall configurations or any public-facing open ports, and thus greatly reduces the potential for human error."

What threat vector related to an open port is Steve talking about. From my limited understand I'm assuming that each node makes an outbound connection to the control server, and that server negotiates the mesh connection. It's certainly possible that I've missed something very basic, and I welcome all of you that are certainly smarter than me to tell me what I'm missing.

Thank you in advance,

Forrest

 

[PHolder]

https://tailscale.com/kb/1082/firewall-ports Sounds like you need to be aware if both parties are behind firewalls or not. If only one is, it sounds like it can turn the connection around.