Could a corporate organization ban incoming connections on devices?

Hey folks,

  1. If you imagine a fleet of tech-savvy users having corporate devices, you may imagine some of those users having a desire to use tailscale on their devices to connect to their own personal tailscale networks. (corporate devices connecting to personal networks).
  2. On the other hand, corporate network admins may not be so excited about allowing incoming connections from personal networks (desire to disallow incoming connections from personal networks).
  3. You may imagine a future where there’s an enterprise / corporate network with appropriate ACLs set up for all devices (possibly allow existing or future incoming connections from corporate / managed network, but not from personal networks).

Block incoming connections · Tailscale seems somewhat related, but there’s no ability to enforce that as a corp fleet owner.

I wonder if there would be ways to configure machines, e.g. to have some kind of /etc/tailscale.conf configuration file that would allow incoming connections from particular networks only, and no other. (This file could be managed by corporate device fleet owners.)

I’m happy to open a relevant FR if that makes sense, but trying to inform myself first.

Thanks!

If you mean a user with a corporate device, with Tailscale installed to access a corporate tailnet, who also wants to access some of their own personal devices: node sharing is commonly used for this. Sharing your nodes with other users · Tailscale

If you mean a user with a corporate device where the corporation does not use Tailscale, who then installs the Tailscale client to access their personal tailnet: I imagine a company which wishes to prevent installation of third-party software would use an endpoint security product to do so. Having features in Tailscale isn’t likely to be satisfactory.

I think this is a good feature request, but I have no idea how this would be implemented or even if it’s possible. If I understand correctly it includes:

  • Allow users to connect from corporate controlled device to corporate controlled device.
  • Allow users to connect from corporate controlled devices to personal devices.
  • Disallow personal devices from connecting to corp controlled devices.
  • Allow corporations to monitor corporate devices and enforce these rules.
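The four rules above map naturally onto a tag-based ACL policy for a corporate tailnet: accept rules for tag:corp as the source, and nothing that names a non-corp source with a corp destination, since Tailscale ACLs are default-deny. The block below is an added example, not code from the thread or from Tailscale; the policy dict, the tag:corp name and the checker are constructed for illustration. The checker reads the "acls" list the way a policy review would, flagging any accept rule that lets a source outside the corp tag set reach a corp-tagged (or wildcard) destination. It is a simplified reader of policy entries: it does not resolve groups, hosts aliases or IP destinations, so it is a lint pass over the policy file, not a substitute for the policy engine that enforces it.

```python
import json
from typing import Dict, List, Set

# Constructed example policy in the shape of a Tailscale ACL policy
# (a "tagOwners" map plus an "acls" list of action/src/dst entries).
# Rules 1 and 2 from the post are expressed as accept rules with the
# corp tag as the source; rule 3 (no personal -> corp) follows from
# default-deny, because no rule names a non-corp source for a corp dst.
CORP_POLICY: Dict = {
    "tagOwners": {
        "tag:corp": ["autogroup:admin"],  # assumption: admins tag managed devices
    },
    "acls": [
        # rule 1: corp-managed devices may reach each other
        {"action": "accept", "src": ["tag:corp"], "dst": ["tag:corp:*"]},
        # rule 2: corp-managed devices may initiate to anything reachable
        # in the tailnet (e.g. a personal node that was shared in)
        {"action": "accept", "src": ["tag:corp"], "dst": ["*:*"]},
    ],
}

# Constructed counter-example: an operator "temporarily" opened SSH on
# corp devices to every source, which silently breaks rule 3.
LAX_POLICY: Dict = {
    "tagOwners": {"tag:corp": ["autogroup:admin"]},
    "acls": [
        {"action": "accept", "src": ["tag:corp"], "dst": ["*:*"]},
        {"action": "accept", "src": ["*"], "dst": ["tag:corp:22"]},
    ],
}


def _dst_host(dst: str) -> str:
    """Strip the port suffix of a dst entry: "tag:corp:*" -> "tag:corp",
    "*:*" -> "*", "tag:corp:22,443" -> "tag:corp"."""
    host, _sep, _port = dst.rpartition(":")
    return host


def inbound_to_corp_from_non_corp(policy: Dict, corp_tags: Set[str]) -> List[Dict]:
    """Return every accept rule that would let a source outside corp_tags
    reach a corp-tagged destination (or a wildcard destination, which
    includes corp devices). An empty list means rule 3 holds for the
    entries this simplified reader understands."""
    violations: List[Dict] = []
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        hosts = {_dst_host(d) for d in rule.get("dst", [])}
        reaches_corp = "*" in hosts or bool(hosts & corp_tags)
        if not reaches_corp:
            continue
        offending = [s for s in rule.get("src", []) if s not in corp_tags]
        if offending:
            violations.append({"rule": rule, "offending_src": offending})
    return violations


def policy_allows_only_corp_inbound(policy: Dict, corp_tags: Set[str]) -> bool:
    """Convenience wrapper for a CI-style pass/fail on a policy file."""
    return not inbound_to_corp_from_non_corp(policy, corp_tags)


if __name__ == "__main__":
    corp = {"tag:corp"}
    for name, policy in (("CORP_POLICY", CORP_POLICY), ("LAX_POLICY", LAX_POLICY)):
        print(name, "ok" if policy_allows_only_corp_inbound(policy, corp) else "VIOLATION")
        for v in inbound_to_corp_from_non_corp(policy, corp):
            print("  ", json.dumps(v["rule"]), "<- non-corp src:", v["offending_src"])
```

In practice the policy would be loaded from the tailnet's HuJSON policy file rather than embedded as a dict; the check is meant to run before a policy change is pushed, so that a rule granting a corp destination to "*", "autogroup:member" or a personal user is caught in review rather than discovered after the fact.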