Add user not in my organization

Hello,

Is there any way to add a contractor that does not have our organization email to my organization? Example: a contractor updates our server from their location. Currently I can use OpenVPN and give them access to that part of the network and it doesn’t matter what their email is. But using tailscale they have to have an email account for our organization.

You don’t need to provide contractors access to your tailnet, instead you can share individual nodes of your tailnet with their tailnet: Sharing your nodes with other users · Tailscale

This restricts their access to only that node.

@bluefish

Yeah, I see that now. I appreciate the link. The thing is that this company does not have a tailnet, as it talks about. Maybe I am mistaken, but both he and I must have a tailnet to share an endpoint.

What if they don’t have one? Is there no way to grant access?

The only way to allow them access to one of your services behind the tailscale VPN that I can think of is via tailscale funnel.
With that you can expose one of your tailscale nodes to the internet.
But that means everyone has access to it, so you’d need to employ some extra security measure to secure access.

See details about funnel here: Tailscale Funnel · Tailscale

Basically it consists of two base commands: tailscale serve and tailscale funnel.
With the first you set up what you want to serve. At the moment I believe that can be raw text, HTTP, HTTPS or TCP (all of which currently can only point to a service running on the local host 127.0.0.1).

This automatically creates valid certificates (from “Let’s Encrypt”) and serves your server within the tailnet.
Then you can use tailscale funnel to extend that into the internet, making it available under the fully qualified domain name of your particular tailnet node, e.g. https://HOSTNAME.TAILNET-NAME.ts.net.

More details under the tailscale serve --help and tailscale funnel --help commands (or the link above).


If you don’t want to expose a service to the internet and keep it all within the tailnet, then I’m afraid the only way you can share access would be to have the contractor either have their own tailnet, into which you share your node, or you give them a user account under your domain, so that they can log in with that and you limit what they can access via tailscale’s ACLs.

But either way they’d need to install the tailscale client.


If you want to get creative, then you could create a VPS for the sole purpose of connecting the contractor to your tailnet.
Install tailscale on the VPS, but give a tag to that node. Having a tag strips it of all access and you have to explicitly define what it can access in your tailnet.
Then provide some other means for the contractor to access that VPS (i.e. not via tailscale), be that VNC, RDP, or what have you.

So then your contractor would log in to that VPS via some method (VNC, RDP, some other remote tool, etc.). The VPS is also connected to your tailnet, but only has limited access to the machines/services you explicitly defined.

Technically, instead of a VPS you could probably also do this on a VM. The VPS or VM would basically act as a limited gateway into your tailnet.
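As an added illustration of the tagged-gateway idea above (this is not code from the thread or from Tailscale), here is a constructed ACL policy in which the gateway node carries an assumed tag `tag:contractor-gateway` and may reach only one assumed host alias `app-server` on two ports, plus a deliberately simplified evaluator that shows the default-deny behaviour the post describes. The evaluator handles only literal principals and `host:port` destinations; it ignores groups expansion, autogroups, CIDR destinations and port ranges that the real policy language supports.

```python
"""Tailscale-style ACL policy for a tagged gateway node (added example).

Assumed names: tag:contractor-gateway, group:staff, host aliases app-server
and file-server with constructed 100.64.0.0/10 addresses.  The node itself
would be brought up with `tailscale up --advertise-tags=tag:contractor-gateway`.
"""
import json

# Constructed policy; the admin console accepts HuJSON, plain JSON is used here.
POLICY = {
    "tagOwners": {
        # Only admins may apply the tag to a node (assumed owner list).
        "tag:contractor-gateway": ["autogroup:admin"],
    },
    "hosts": {
        "app-server": "100.64.0.10",   # constructed tailnet IP
        "file-server": "100.64.0.11",  # constructed tailnet IP
    },
    "acls": [
        # Employees keep full access (assumed group name).
        {"action": "accept", "src": ["group:staff"], "dst": ["*:*"]},
        # The gateway may reach only the ports the contractor needs.
        {"action": "accept", "src": ["tag:contractor-gateway"],
         "dst": ["app-server:443", "app-server:22"]},
    ],
}


def policy_json(policy=POLICY):
    """Serialise the policy as it would be pasted into the admin console."""
    return json.dumps(policy, indent=2)


def tag_is_ownable(policy, tag):
    """A tag with no owners can never be applied to a node, so check it."""
    return bool(policy.get("tagOwners", {}).get(tag))


def _dst_matches(policy, dst_spec, dst_ip, dst_port):
    # Split "host:port" on the last colon (IPv4 and aliases only in this sketch).
    host, _, port = dst_spec.rpartition(":")
    host_ip = policy.get("hosts", {}).get(host, host)
    if host_ip != "*" and host_ip != dst_ip:
        return False
    return port == "*" or port == str(dst_port)


def is_allowed(policy, src, dst_ip, dst_port):
    """Default deny: True only if some accept rule lists src and matches dst."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if src not in rule["src"] and "*" not in rule["src"]:
            continue
        if any(_dst_matches(policy, d, dst_ip, dst_port) for d in rule["dst"]):
            return True
    return False


def reachable_from(policy, src):
    """List the (host alias, port) pairs a principal is granted by the policy."""
    out = []
    for rule in policy.get("acls", []):
        if rule.get("action") == "accept" and src in rule["src"]:
            for spec in rule["dst"]:
                host, _, port = spec.rpartition(":")
                out.append((host, port))
    return out


if __name__ == "__main__":
    print(policy_json())
    print("gateway reaches:", reachable_from(POLICY, "tag:contractor-gateway"))
```

The point the evaluator makes is the one in the post: once the node is tagged, nothing is reachable until an `acls` entry names the tag as `src`, so the contractor's RDP/VNC session on the VPS can only ever see what that entry lists.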

@bluefish

This is a fantastic writeup. This really explains it to me.

Reading this and the doc, it seems to me that there are so many hoops to jump through to get to the end result of sharing a service with a contractor. That seems like a lot of management for one service. Since this is a small business and the expenditures seem to be growing here, I will probably keep our current solution for the contractor and most likely move our personnel over to tailscale.

Exposing the endpoint is not something I can get that kind of buy-in for right now.

Adding another user account isn’t that bad except that is another user to manage and with our solution right now each user has costs associated.

Hopefully tailscale can come up with a way to allow the outside contractor using their email. I really like the solution, but it still has a drawback for us right now.

I am much appreciative of your help. Thanks!

Yeah, it would be nice if maybe funnel would optionally provide a way to enable basic authentication.
That way only people you provide with the user/pass could access the website from the internet.

At the moment you can do that by yourself via a simple reverse proxy, but it sure would be nice if that could be implemented in funnel itself. Not sure if the Tailscale team would consider that bloat, but maybe it might be worth asking for it as a feature request, if you’re interested: Issues · tailscale/tailscale · GitHub

Cheers! :beers:
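The "simple reverse proxy" with basic authentication mentioned above, written out as an added example (not code from the thread or from Tailscale): a small stdlib-only HTTP proxy that sits on an assumed `127.0.0.1:8000`, which is the address `tailscale serve` / `tailscale funnel` would point at, and forwards authenticated requests to the real service on an assumed `127.0.0.1:8080`. The user name and password are constructed sample values; only salted PBKDF2 digests are kept in memory, comparison is constant-time, and an unknown user is hashed against a dummy entry so timing does not reveal which names exist.

```python
"""HTTP Basic auth reverse proxy for a funneled service (added example).

Assumptions: upstream app on 127.0.0.1:8080, proxy on 127.0.0.1:8000, one
constructed user "contractor".  Funnel terminates TLS, so Basic credentials
never travel in clear text between the contractor and the tailnet node.
"""
import base64
import binascii
import hashlib
import hmac
import http.client
import os
from http.server import BaseHTTPRequestHandler, HTTPServer

UPSTREAM = ("127.0.0.1", 8080)   # assumed address of the real service
LISTEN = ("127.0.0.1", 8000)     # assumed address given to `tailscale serve`
ITERATIONS = 100_000


def hash_password(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def add_user(users, name, password):
    salt = os.urandom(16)            # per-user random salt
    users[name] = (salt, hash_password(password, salt))


USERS = {}
add_user(USERS, "contractor", "correct horse battery staple")  # constructed sample
_DUMMY = (b"\0" * 16, hash_password("", b"\0" * 16))          # for unknown users


def make_basic_header(user, password):
    """Build the Authorization header value a client would send."""
    raw = f"{user}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def check_basic_auth(header, users=USERS):
    """Return the user name if the Authorization header is valid, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode("utf-8")
    except (binascii.Error, ValueError):
        return None
    user, sep, password = decoded.partition(":")
    if not sep:
        return None
    salt, expected = users.get(user, _DUMMY)
    # Always compute the digest and compare in constant time.
    ok = hmac.compare_digest(hash_password(password, salt), expected)
    return user if ok and user in users else None


HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}


class AuthProxy(BaseHTTPRequestHandler):
    def _forward(self):
        user = check_basic_auth(self.headers.get("Authorization"))
        if user is None:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="contractor", charset="UTF-8"')
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        length = int(self.headers.get("Content-Length") or 0)
        body = self.rfile.read(length) if length else None
        # Strip hop-by-hop headers and never leak the credentials upstream.
        drop = HOP_BY_HOP | {"authorization", "host"}
        headers = {k: v for k, v in self.headers.items() if k.lower() not in drop}
        headers["X-Forwarded-User"] = user
        conn = http.client.HTTPConnection(*UPSTREAM, timeout=10)
        try:
            conn.request(self.command, self.path, body=body, headers=headers)
            resp = conn.getresponse()
            data = resp.read()
        except OSError:
            self.send_error(502, "upstream unavailable")
            return
        finally:
            conn.close()
        self.send_response(resp.status)
        for k, v in resp.getheaders():
            if k.lower() not in HOP_BY_HOP | {"content-length"}:
                self.send_header(k, v)
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    do_GET = do_POST = do_PUT = do_DELETE = do_HEAD = _forward


if __name__ == "__main__":
    HTTPServer(LISTEN, AuthProxy).serve_forever()
```

Run it beside the real service and point `tailscale serve` at port 8000 instead of 8080; anyone reaching the funnel URL without a valid `Authorization` header gets a 401 and never touches the application.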

@egrogg I’m coming late to this party, but the thought occurred to me to provide the contractor with a temporary email address on your company domain. When the contract is complete and they should no longer have access, simply revoke their email address.