For explicitness, you must include the full email address of each user (or alice@github for GitHub user @alice). However, Tailscale currently only lets you share your nodes with users inside the same domain as you. If you write an ACL that permits users outside your domain, it will be silently ignored. Eventually, we will allow inviting users outside your domain.
So I read that but it wasn’t entirely clear to me. Technically we’re on the same domain, Gmail, but I suppose it means “same custom domain”? Or “same account”?
Also these limitations are hard to reason about and scattered around the docs. For example, I got pretty far into understanding ACL Tags before reading that you couldn’t use them on Windows hosts.
So I can share my Windows VM with my friend, but essentially that means letting them access that host and through it anything in my private Tailscale network, since they’ll have access to my Tailscale account on that VM. Seems like a pretty simple use case that doesn’t work with Tailscale, unless I’m missing something?
I think I read somewhere that they treat domains like gmail.com differently than custom domains but can’t quite find where that was, which just emphasizes your point about the docs being a bit scattered so far. I’m giving them a bit of leeway on the docs since they’re obviously still in a pretty early stage.
Really hoping they add tags to non-Linux hosts pretty soon though, since I need that to move my current business implementation out of a pilot phase. It’s really hard to scale the ACLs to even dozens of hosts without that feature in the Windows client for us.
Signups using shared email hosts such as @gmail.com or GitHub personal accounts are limited to the solo plan, and can currently only have one user.
We recommend you check out our sharing feature instead that lets you securely share machines with other Tailscale networks.
The same error message appears when you have no devices of your own. This happens when you put tags on all your devices, which basically removes you as an owner from all those devices.
What is not immediately clear from the error message is that the “tests” field seems to run a connectivity test from a device owned by yourself, which of course will not work if you do not own any devices anymore.
So I don’t think this is correlated to the @gmail.com restrictions per se. Took me some time to figure out.
The solution was to always keep one of the devices under your own control, which is nothing but normal. However, I think this could be mentioned/alerted somewhere more explicitly.
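To make the ownership point concrete, here is an added example of a Tailscale policy file (it is not from the original thread or from the Tailscale docs, and it assumes the current HuJSON policy syntax with `acls`, `tagOwners` and `tests`; the user `alice@example.com` and the tag `tag:server` are placeholders). The `tests` entries are evaluated from the perspective of the named user, so they only mean anything while at least one device is still registered to that user rather than re-owned by a tag.

```json
{
  // Servers are tagged; tagging a device transfers ownership from the user to the tag.
  // Keep at least one device (e.g. the admin's laptop) untagged so the user still owns something.
  "tagOwners": {
    "tag:server": ["alice@example.com"]
  },

  "acls": [
    // The admin may reach SSH on tagged servers.
    { "action": "accept", "src": ["alice@example.com"], "dst": ["tag:server:22"] },
    // Tagged servers may talk to each other on any port.
    { "action": "accept", "src": ["tag:server"],        "dst": ["tag:server:*"] }
  ],

  "tests": [
    {
      // Runs as alice; fails with the "no devices" style error if every device she had is now tagged.
      "src":    "alice@example.com",
      "accept": ["tag:server:22"],
      "deny":   ["tag:server:3389"]
    }
  ]
}
```

The `deny` line is the useful half of the test: it documents that RDP on the servers is intentionally unreachable for the admin user, and the policy save is rejected if a later ACL change accidentally opens it.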