I have a work device that is highly restricted. I also have a personal device that is completely the opposite.
I’m just in the testing phase of figuring out how I can ensure tight restrictions between the less secure device and the more secure device.
In my test, I signed in both nodes with the same Tailscale user account. I’m able to RDP, VNC, PING from the less secure to the more secure device by default.
I signed out the less secure device and created a new Tailnet user on my tailnet network, signed in and boom, I’m unable to RDP, VNC, PING etc. Perfect.
So other than using a separate user account, I wasn’t sure if I could use some clever rules that’d allow me to sign into both devices with the same account, but make rules that only allow port 80 from the less secure device to reach the secure device.
Basically I’m worried that should my less secure device be compromised with a virus, I don’t want it to easily spread over any old service/port to reach the secure device. I’m just trying to test a web application and it’d be handy to be able to reach it from my personal device to check its status.
It’d just be nice to see what’s possible with the creative rule-writing minds in here. Thank you for any advice!