Shared Server cannot be reached

Hi,

I am trying to reach a server someone has shared with me.

The other tailnet has the “classic”:

  "acls": [
    {
      "action": "accept",
      "src": ["*"],
      "dst": ["*:*"]
    }
  ]

So that should be fine.
I use ACLs because I have a public facing machine:

	"acls": [
		{
			"action": "accept",
			"src":    ["tag:private"],
			"dst":    ["tag:private:*", "tag:public:*", "100.99.userip.99:*"],
		},
	]

Alternatively, I used the shared machine’s user’s email address instead of the IP.

Additionally, I wrote this test and it all seems fine:


	"tests": [
		{
			// test shared
			"src":    "tag:private",
			"accept": ["100.97.53.81:80"],
		},
	],

Except when I try to actually ping the server from a tag:private machine I get Destination net unreachable.

Can you point me in the right direction? I am lost on how to further debug this. :confused:

Okay,
I also tried

		{
			"action": "accept",
			"src":    ["*"],
			"dst":    ["*:*"],
		},

on my side and I still cannot ping the IP address (taken from the admin panel) of the shared machine.

I guess it is not my ACLs’ fault?

Is tailscale ping addr-of-shared-server working?

On the shared site, try to add

  "acls": [
    {
      "action": "accept",
      "src": ["autogroup:shared"],
      "dst": ["*:*"]
    }
  ]

Thank you a lot for a reply!

It was a good idea, but did not change anything:

We tried:
My server:

		{
			"action": "accept",
			"src":    ["*"],
			"dst":    ["*:*"],
		},

Shared Server:

		{
			"action": "accept",
			"src":    ["*"],
			"dst":    ["*:*"],
		},
		{
			"action": "accept",
			"src":    ["autogroup:shared"],
			"dst":    ["*:*"]
		}

Still nothing.

tailscale ping ip_of_shared_server errors with no matching peer :confused:

Hm, OK, interesting. Do you see the shared machine on your Tailscale Admin dashboard?
I think you need to “approve” the shared server first before you can access it.

I did, I think that looks fine:

Yep, looks good to me. Well, I think you need to open a support ticket then, I guess.

I just want to add this if someone comes across this thread:

I contacted support (which was a great experience):

My nodes all have ACL tags, which I usually use to define roles. But a limitation of the sharing beta is that shared nodes are only available to “me”, my email address, the owner of the tailscale. But nodes with ACL tags “lose” my identity and are “owned” by my tailscale, so they cannot connect.

So I will have to work around these limitations of having shares and ACL tags.


Just to check if I understood this right:
So in order for it to work you’d have to remove all tags from the shared node (and probably adjust ACLs), correct?

No, not from the shared node.

For any of my nodes to connect to the shared node I need to remove all tags from it. After I removed the tags I need to reauthenticate and then it is linked to my email address again.
This node can then access the shared node.


Thanks for posting this. I was trying to figure this out too. It would be good if the documentation was updated to indicate that for the beta sharing, one must not apply tags to machines which intend to access the shared network.

The whole re-authenticate to reset tags is a bit strange as well, but I can’t complain for what it provides!

You’re welcome, that’s what I thought as well :slight_smile:
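
An added example, not from the thread's participants or from Tailscale: a small Python linter for the situation resolved above, where a policy rule (and its test) accepts a tag: source reaching the shared machine even though, per the support answer in this thread, tagged nodes cannot connect to shared machines. The function names, the sample policy, user@example.com and the shared_hosts set (addresses of shared-in machines, which you supply yourself from the admin panel) are assumptions.

```python
import json
import re

# Strings are matched first so comment/comma look-alikes inside them are left alone.
_COMMENTS = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*|/\*.*?\*/', re.S)
_TRAILING = re.compile(r'"(?:\\.|[^"\\])*"|,(?=\s*[}\]])')

def _keep_strings(m):
    return m.group(0) if m.group(0).startswith('"') else ""

def load_policy(text):
    """Parse a HuJSON policy file (JSON plus comments and trailing commas)."""
    text = _COMMENTS.sub(_keep_strings, text)
    return json.loads(_TRAILING.sub(_keep_strings, text))

def tagged_rules_to_shared(policy, shared_hosts):
    """Return (rule index, tagged sources, shared destinations) for every accept
    rule that lets a tag: source reach a machine shared in from another tailnet."""
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        if rule.get("action") != "accept":
            continue
        tags = [s for s in rule.get("src", []) if s.startswith("tag:")]
        # "host:ports" -> host; rsplit keeps "tag:private" intact in "tag:private:*"
        hosts = [d.rsplit(":", 1)[0] for d in rule.get("dst", [])]
        hits = [h for h in hosts if h in shared_hosts]
        if tags and hits:
            findings.append((i, tags, hits))
    return findings

# Constructed policy modelled on the thread; the address is the one used in its test.
SAMPLE = """
{
	"acls": [
		{
			// tagged machines -> tagged machines and the shared server
			"action": "accept",
			"src":    ["tag:private"],
			"dst":    ["tag:private:*", "tag:public:*", "100.97.53.81:*"],
		},
		{"action": "accept", "src": ["user@example.com"], "dst": ["100.97.53.81:80"]},
	],
}
"""

if __name__ == "__main__":
    for idx, tags, hosts in tagged_rules_to_shared(load_policy(SAMPLE), {"100.97.53.81"}):
        print(f"acls[{idx}]: {tags} -> {hosts}: tagged nodes cannot reach shared machines")
```

A finding here means the rule is valid policy and its test will pass, but the tagged sources still need an untagged, user-owned node to reach the shared machine.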