I have my main node A; I also have B, C, D… L, M, N…
I want A to talk to B, A to talk to C, but B cannot talk to C. Same for the others: none of them can talk to anyone except A.
How do I set this up?
They are all logged in on the same gmail account. I read about the Tagged ACLs but couldn’t see how to make this work, and I’m not sure I understood the example given.
There are two ways to handle this:
If you use Tailscale with ACL tags, you can tag node A (call it tag:server for example) and then define ACL rules that allow only connections from email@example.com to tag:server (or vice versa if you want A to initiate connections to B…Z rather than B…Z initiating connections to A). More on ACL tags: https://tailscale.com/kb/1068/acl-tags
If you’d rather avoid ACLs, you can use the so-called “shields up” mode to prevent incoming connections to the machines that shouldn’t be accepting them. This only works for preventing connections into B…Z entirely. If you want to allow only A to connect to them, you’ll need to use ACL tags for that.
Hope that helps!
I need A to initiate connections to B, C, etc. Not the other way around.
tag node A and then define ACL rules that allow only connections from firstname.lastname@example.org
I’m sorry, I don’t understand how to make this work. All of them are logged in under the same email@example.com. The minute I allow/deny anything by that gmail account, I’m doing it to all of them. No?
The trick with ACL tags is that as soon as you add a tag, that node loses the rights associated with the original user, and has only the permissions associated with the tag(s). This is what gives you all the flexibility.
Are tags really needed for this? Can’t you just create an ACL listing A as the user with full rights and no one else?
ACL tags allow you to set different permissions for different nodes, even if all those nodes are owned by the same user account. If you have multiple user accounts, then you’re right, no tags are needed.
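A policy file that implements the tag-based approach described above, added here as an illustration rather than taken from the thread: it assumes the thread's placeholder account email@example.com stands for the real shared account, and that only A carries tag:server while B, C, … stay ordinary devices of that account.

```jsonc
// Tailscale policy file (HuJSON), edited in the admin console.
// Replace email@example.com with the account all the nodes log in with.
{
  // Who is allowed to apply tag:server to a node: the shared account.
  "tagOwners": {
    "tag:server": ["email@example.com"],
  },

  "acls": [
    // A (tagged tag:server) may open connections to every device owned
    // by the account, on any port. Replies travel back over the same
    // connection, so B, C, ... need no rule of their own to answer A.
    {
      "action": "accept",
      "src":    ["tag:server"],
      "dst":    ["email@example.com:*"],
    },
    // Deliberately no other rule. ACLs only ever grant access and anything
    // not listed is denied, so B, C, ... cannot initiate to each other or
    // to A. Make sure the default wide-open rule ("src": ["*"],
    // "dst": ["*:*"]) is removed, or it overrides this whole design.
  ],
}
```

Once the policy is saved, A picks up the tag with `tailscale up --advertise-tags=tag:server` (or by assigning the tag in the admin console); because a tagged node no longer counts as a device of email@example.com, A itself is not reachable under the rule above, only the untagged nodes are.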