ACL - allow everything except for "untrusted" tags

ericswpark · December 25, 2022, 5:07pm

On my Tailnet, I have my personal devices and one or two servers tagged “untrusted”. These servers are in locations that I do not control, so I do not wish for someone to gain access to my Tailnet through these servers. Currently, my ACL rules is the default (allow access from all to all). I’d like to add a couple more rules:

deny access from untrusted to devices that are not tagged untrusted
deny access from devices that are not tagged untrusted to untrusted
allow port 22 access from devices that are not tagged untrusted to untrusted

However I’m not sure how to set up the ACL rules so that they “exclude” tags (not tagged untrusted as shown above). What rules should I use to achieve the setup described above?

TL;DR - How do I set up ACL rules so that all devices/users can talk to each other, but “untrusted” tags are shored off and cannot talk to the main pool?

ericswpark · December 25, 2022, 5:35pm

Figured it out: autogroup:members does not contain tagged devices, so I can use that to define all untagged devices and manually add tags. Although this is a rather janky workaround I only have one tag so it’s fine.

Tom7320 · December 30, 2022, 11:24am

Same problem/question here.

I want to have access to a couple of web servers using Tailscale SSH. But the web server must not have access to my Tailnet. Therefore, I added a tag untrusted:

"tagOwners": {
	"tag:untrusted": ["autogroup:members"],
},

And changed the default ACL:

"acls": [
	// {"action": "accept", "users": ["*"], "ports": ["*:*"]},
	{"action": "accept", "src": ["autogroup:members"], "dst": ["*:*"]},
],

Added tag:untrusted to SSH:

"ssh": [
	{
		"action": "accept",
		"src":    ["autogroup:members"],
		"dst":    ["autogroup:self", "tag:untrusted"],
		"users":  ["autogroup:nonroot", "root"],
	},
],

Is this correct? Is this all I have to do to reach my servers but deny access from my servers to the rest of my Tailnet?

Thx a lot!

Thorsten

jonas108 · January 3, 2023, 10:46pm

Yup, that should work.

You can also create tests to see if the servers can access your tailnet.

“tests”: [

  {
  	"src":   "tag:external-server",
  	"deny":  ["tag:intern-server:44"],
  },

],

Tom7320 · January 4, 2023, 8:37am

Thx! I think this is an important security feature since all “external” servers should be restricted in my oppinion…

Topic		Replies	Views
ACL File for hiding devices from eachother on tailnet ACL (Access Control Lists)	5	1176	June 6, 2023
Untagged devices in ACL ACL (Access Control Lists)	1	713	March 3, 2022
Tag:device can connect to an app on a server but cannot connect to the internet ACL (Access Control Lists)	0	513	February 12, 2023
Tagged devices are able to see my untagged devices ACL (Access Control Lists)	3	1389	March 23, 2022
Beta features! ACL tags, subnet ACLs, and pre-auth keys Tailscale About articles (troubleshooting, info)	0	1073	October 9, 2020

ACL - allow everything except for "untrusted" tags

Related topics