Hi folks,
Can I ask for your ACL help? I am using tailscale more and more. I manage ‘client’ devices out in the field, and they are all running from a variety of networks. I have a set of ‘admin’ nodes, which I work from myself, using them to connect to the client machines.
Can you help me with an ACL which allows only ‘admin’ to connect to ‘client’, and which denies ‘client’ to ‘client’ connections, as well as stopping a ‘client’ from initiating a connection to an ‘admin’ machine?
Many thanks in advance.
Here is my attempt. I wasn’t able to test it with my own tailnet setup, but maybe it can give give you some idea how you could implement your requirements.
I didn’t use any tags and I’m assuming it’s ok for clients to have their own machines be able to communicate with each other.
I’m also assuming that every client has a login for your tailnet (e.g. using a Github organization or similar as the identity provider), as opposed to clients having their own tailnet and only sharing their nodes with your tailnet.
Here goes:
{
"acls": [
{
// Allow Admin to access everything in the tailnet.
"action": "accept",
"src": ["admin@example.com"],
"dst": ["*:*"],
},
{
// Allow members of the tailnet to access their own nodes.
"action": "accept",
"src": ["autogroup:members"],
"dst": ["autogroup:self:*"],
},
],
// ===========================================================================
// TESTS to make sure everything is working as desired.
// ===========================================================================
"tests": [
{
// Test that Admin can access every node.
"src": "admin@example.com",
"accept": [
"group:admin@example.com:80",
"group:clientA@example.com:80",
"group:clientB@example.com:80",
],
},
{
// Test that user clientA@example.com can only access their own nodes (i.e. nodes they are logged in to).
// but cannot access any other nodes.
"src": "clientA@example.com",
"accept": [ "group:clientA@example.com:80" ],
"deny": [ "group:admin@example.com:80", "group:clientB@example.com:80" ],
},
{
// Test that user clientB@example.com can only access their own nodes (i.e. nodes they are logged in to),
// but cannot access any other nodes.
"src": "clientB@example.com",
"accept": [ "group:clientB@example.com:80" ],
"deny": [ "group:admin@example.com:80", "group:clientA@example.com:80" ],
},
],
}
1 Like