Remote Management Policy

GammaGift · December 9, 2022, 5:02pm

Hi folks,

Can I ask for your ACL help? I am using tailscale more and more. I manage ‘client’ devices out in the field, and they are all running from a variety of networks. I have a set of ‘admin’ nodes, which I work from myself, using them to connect to the client machines.

Can you help me with an ACL which allows only ‘admin’ to connect to ‘client’, and which denies ‘client’ to ‘client’ connections, as well as stopping a ‘client’ from initiating a connection to an ‘admin’ machine?

Many thanks in advance.

bluefish · December 13, 2022, 2:58am

Here is my attempt. I wasn’t able to test it with my own tailnet setup, but maybe it can give give you some idea how you could implement your requirements.

I didn’t use any tags and I’m assuming it’s ok for clients to have their own machines be able to communicate with each other.

I’m also assuming that every client has a login for your tailnet (e.g. using a Github organization or similar as the identity provider), as opposed to clients having their own tailnet and only sharing their nodes with your tailnet.

Here goes:

{
    "acls": [
        {
            // Allow Admin to access everything in the tailnet.
            "action": "accept",
            "src":    ["admin@example.com"],
            "dst":    ["*:*"],
        },
        {
            // Allow members of the tailnet to access their own nodes.
            "action": "accept",
            "src":    ["autogroup:members"],
            "dst":    ["autogroup:self:*"],
        },
    ],

    // ===========================================================================
    //         TESTS to make sure everything is working as desired.
    // ===========================================================================

    "tests": [
        {
            // Test that Admin can access every node.
            "src": "admin@example.com",
            "accept": [
                "group:admin@example.com:80",
                "group:clientA@example.com:80",
                "group:clientB@example.com:80",
            ],
        },
        {
            // Test that user clientA@example.com can only access their own nodes (i.e. nodes they are logged in to).
            // but cannot access any other nodes.
            "src":  "clientA@example.com",
            "accept": [ "group:clientA@example.com:80" ],
            "deny": [ "group:admin@example.com:80", "group:clientB@example.com:80" ],
        },
        {
            // Test that user clientB@example.com can only access their own nodes (i.e. nodes they are logged in to),
            // but cannot access any other nodes.
            "src":  "clientB@example.com",
            "accept": [ "group:clientB@example.com:80" ],
            "deny": [ "group:admin@example.com:80", "group:clientA@example.com:80" ],
        },
    ],
}

Topic		Replies	Views
Help Creating ACLs/Policy File ACL (Access Control Lists)	0	649	September 26, 2022
Preventing access to other Tailscale Networks?	0	528	June 17, 2022
Help with ACLs and Subnet Routers ACL (Access Control Lists)	1	978	December 16, 2022
How to isolate a device to only allow remote management? ACL (Access Control Lists)	0	746	July 28, 2022
Questions about ACLs ACL (Access Control Lists)	1	1265	October 15, 2020

Remote Management Policy

Related Topics