Can I restrict device to only use exit node but not have access to other network devices?


I want my mobile phone to use an exit node to route all traffic over it, but if I lose my phone (or if it somehow gets into the wrong hands) I don't want them to have access to any of my other devices.

What I did
I added a tag ("tag:device") to my phone and didn't give it any access in the ACL. That didn't work. I thought device-to-exit_node traffic is Tailscale internal and is not subject to ACLs. Looks like I'm wrong.

Then I added an ACL rule to allow traffic from my phone to my exit node (it has the tag "tag:exit").
{"action": "accept", "src": ["tag:device"], "dst": ["tag:exit:*"]}
That didn't work either. And I don't have any more ideas.

Is it even possible? Or am I doing something wrong?


Tailscale version: 1.22.0 (iOS), 1.22.1 (linux)
Your operating system & version: ubuntu 20.04

I think I got it. In my ACL I have forbidden all traffic except to my exit nodes, but going to the internet is not going to the exit node.
So I need to allow traffic to anywhere except to my private network. Which is impossible unless I enumerate all possible subnets except the Tailscale internal ones.

There needs to be an ACL allowing users access to autogroup:internet, which expands to the list of all public IP addresses.

Without that, when you set a device to use the exit node, it forces all of its Internet traffic to go to the exit node but ends up dropping everything because the ACL blocks it.

There are a number of autogroup:* names described in "Network access controls (ACLs)" in the Tailscale documentation.
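The fix described in this answer, as an added example that is not part of the original thread: a small audit that reads a policy and reports, for one source tag, whether exit-node internet use is permitted and which tailnet hosts it can still reach. The two policies are constructed from the rule in the question; `destinations_for` and `audit` are hypothetical helper names, and the check is simplified (it matches `src` literally or by `*`, does not expand groups or users, and expects plain JSON rather than HuJSON with comments).

```python
import json

# Constructed policies. BEFORE holds the rule from the question; AFTER swaps
# its destination for autogroup:internet, as the answer describes.
BEFORE = json.loads("""{"acls": [
  {"action": "accept", "src": ["tag:device"], "dst": ["tag:exit:*"]}
]}""")
AFTER = json.loads("""{"acls": [
  {"action": "accept", "src": ["tag:device"], "dst": ["autogroup:internet:*"]}
]}""")
# Constructed allow-all policy, to show what an overly broad rule looks like.
ALLOW_ALL = json.loads("""{"acls": [
  {"action": "accept", "src": ["*"], "dst": ["*:*"]}
]}""")


def destinations_for(policy, src):
    """Collect every dst entry that accept rules grant to `src`."""
    granted = []
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        sources = rule.get("src", [])
        if src in sources or "*" in sources:
            granted.extend(rule.get("dst", []))
    return granted


def audit(policy, src):
    """Report exit-node internet access and reachable tailnet hosts for `src`."""
    # A dst entry is "host:ports"; strip the port part to get the host selector.
    hosts = [d.rsplit(":", 1)[0] for d in destinations_for(policy, src)]
    return {
        # "*" is treated here as covering autogroup:internet as well.
        "exit_node_internet": any(h in ("autogroup:internet", "*") for h in hosts),
        # Anything other than autogroup:internet is a device inside the tailnet.
        "tailnet_hosts": [h for h in hosts if h != "autogroup:internet"],
    }


if __name__ == "__main__":
    for name, policy in (("before", BEFORE), ("after", AFTER), ("allow-all", ALLOW_ALL)):
        print(name, audit(policy, "tag:device"))
```

For a phone that should only use the exit node, the result to aim for is `exit_node_internet` true with an empty `tailnet_hosts` list.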

Thanks a lot. This is what I was looking for. I should read documentation better.