ACLs recommendations exit nodes?

Wondering whether there’s any recommended ACLs for cases where you want to use a device (or VPS) purely as an exit node (to use its internet connection) and nothing much else? Any rules it would be good to use to “lock down” or otherwise isolate exit nodes from the rest of your Tailnet in these situations?

If you apply a tag to the exit node ACL tags are generally available · Tailscale you can set ACLs to not allow the exit node to access anything else on your tailnet.

You’d allow your users to access autogroup:internet, which expands to all public IP address ranges, to allow them to use the exit node for Internet connectivity.

1 Like

Thanks very much, so very basically you’d want to do the below?

  1. Create a tag for exit nodes
  2. Explicitly not create an “accept” ACL for the exit node tag
  3. Create an “accept” ACL for users to access autogroup:internet
1 Like

Have started adding these ACLs and everything’s working fine so far except that when I try to send a file via Taildrop, it seems to think I have no devices in my Tailnet. Any reason why this would suddenly be happening after tweaking ACLs?

edit: have figured it out, it’s because I tagged all my devices when that’s really not what I need to do

Yes, for now you can only send to devices owned by the same User.
Tagged nodes are not owned by any User.

Yeah I assumed that adding a tag would be in addition to User ownership but that’s not the case.