ACL not working as advertised

Well I’ve been trying this for a few hours now, and haven’t got it to work, so I thought I’d see if smarter people than me can tell me where I’ve got this wrong.

Here is the default “every one access everything” ACL, which is working.

{
	// Declare static groups of users beyond those in the identity service.
	"groups": {
		"group:admins": ["me@domain.org", "him@domain.org"],
	},

	// Tags let you set policy on groups of things.
	"tagOwners": {
		"tag:server": ["group:admins"],
		"tag:user":   ["group:admins"],
	},

	// Declare convenient hostname aliases to use in place of IP addresses.
	"hosts": {
		"webserver": "100.12.15.123",
	},

	// Access control lists.
	"acls": [
		// 1. Match absolutely everything.
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},
		// 2. admins group can access webserver on all ports
		// { "action": "accept", "src": ["group:admins"], "dst": ["webserver:*"] },
	],
}

With rule 1 in place, everything is accessible, as you might expect. If I comment out rule 1 and uncomment rule 2, then I can access exactly nothing.
If I look in the editor “Preview Rules” section it tells me that I, as a member of the admin group, can access webserver. But when I try, I can’t access anything. In fact I can’t ‘tailscale ping’ it either, by its hostname or by its IP. And tailscale status returns nothing, just my own local node.

Furthermore, I’ve replaced dst with 100.12.15.123:* , with tags:server:*, and with : and none of these let me access the server, ping it, or see it on tailscale status. When I roll back to rule 1, everything is fine.

So have I misunderstood something here? As someone who’s wrestled with firewalls for 20 years or so, I’ve usually managed to figure things out, but this one has me scratching my head.
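An added example, not from any poster in this thread: a small Python model of how a policy like the one above is read (a simplified reading of Tailscale ACL semantics, not its real evaluator, so treat the matching logic as an assumption). It loads the original poster's HuJSON with only rule 2 active, resolves the group and host alias, and checks which login names can reach webserver; it also shows why a `tag:server:*` destination only matches a node that actually carries that tag.

```python
import json, re

# Constructed sample: the original poster's policy with rule 1 removed and rule 2 active.
ACL_HUJSON = """{
  "groups": {"group:admins": ["me@domain.org", "him@domain.org"]},
  "hosts": {"webserver": "100.12.15.123"},
  "acls": [
    // admins group can access webserver on all ports
    {"action": "accept", "src": ["group:admins"], "dst": ["webserver:*"]},
  ],
}"""

def load_hujson(text):
    # Strip // comments and trailing commas so json.loads accepts the HuJSON policy
    # (assumes no "//" inside string values).
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def src_covers(policy, entry, user):
    # A src entry covers a login name if it is "*", a group: containing it, or the literal name.
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return user in policy.get("groups", {}).get(entry, [])
    return entry == user

def dst_covers(policy, entry, node_ip, node_tags, port):
    # "host:ports": hosts aliases resolve to IPs; "*" is any node; a tag: dst only
    # matches a node that actually carries that tag (untagged nodes never match).
    target, _, ports = entry.rpartition(":")
    if ports != "*" and str(port) not in ports.split(","):
        return False
    if target == "*":
        return True
    if target.startswith("tag:"):
        return target in node_tags
    return policy.get("hosts", {}).get(target, target) == node_ip

def is_allowed(policy, user, node_ip, node_tags, port):
    # Default deny: the path opens only if some "accept" rule matches both src and dst.
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        src_ok = any(src_covers(policy, s, user) for s in rule["src"])
        dst_ok = any(dst_covers(policy, d, node_ip, node_tags, port) for d in rule["dst"])
        if src_ok and dst_ok:
            return True
    return False
```

Swapping the dst for `tag:server:*` with an untagged node, or the src for a login name that is not in the group, makes `is_allowed` return False, which matches the "exactly nothing" outcome described above.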

I have a very similar issue too - I’ve stripped to the very basics and still can’t get it working right :frowning:

{
	"acls": [
		{
			"action": "accept",
			"src":    ["user@gmail.com"],
			"dst":    ["*:*"],
		},
	],
}

it’s making my head hurt lol! If I swap the user@gmail.com for * then all works fine. It’s kind of like it’s not recognising my email address somehow (I’m the owner of the tailnet and it’s the same address as showing in the admin console etc.)

Anybody got any thoughts?

I’ve had a bit more success when I deleted all the groups I’d set up and used the autogroup entries.
I also added the ‘users can access their own machines’ acl given in the samples, but that doesn’t seem to be needed.
So … autogroups?

Aha! Everything I did actually works … provided I don’t use my Windows PC to test on … :frowning:

I’ve tested between two Linux boxes and the ACLs work fine - it’s just when I try and ping from a Windows box to somewhere else that it doesn’t seem to recognise that I’m the owner! I’ve even logged out and re-registered again but still no joy.

I will raise a bug on GitHub with details. This probably doesn’t help your issue though @pluto - sorry!

I just started with a fresh Tailscale account this week and got the same error you have.
I am using Tailscale on macOS 13.4.

This config works and allows everyone access to everything:

{
	"action": "accept",
	"src":    ["*"],
	"dst":    ["*:*"],
},

If I add my email to the ACL then all access is blocked. I restarted my local Tailscale client. Nothing seems to help.

{
	"action": "accept",
	"src":    ["marcel.....@.....com"],
	"dst":    ["*:*"],
},