SSH Permission Denied Tailscale

I got a server (Raspberry Pi) set up with Docker and a Tailscale container, like this:

services:
  tailscaled:
    image: tailscale/tailscale
    container_name: tailscaled
    volumes:
      - /var/lib:/var/lib
      - /dev/net/tun:/dev/net/tun
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    restart: unless-stopped
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_EXTRA_ARGS=--ssh

I’m able to ping the machine but I’m not able to SSH to it.

When I do so, I get the following error:
Permission denied (tailscale)

I assume this is because I have set the ACLs wrongly.
This is what I have in my ACLs:

{
	"tagOwners": {
		"tag:example": ["autogroup:admin"],
		"tag:server":  ["autogroup:admin"],
		"tag:admin":   ["autogroup:admin"],
	},

	"acls": [
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},
	],
	"ssh": [
		{
			"action": "accept",
			"src":    ["autogroup:members"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],
}

As you can see, everything is the default. I only want to SSH, no matter if it’s through Tailnet SSH or through regular SSH. How can I achieve this?

After much tinkering, I ended up with the following ACLs.

I have assigned a tag to my Windows client (tag:admin) and a tag to my Raspberry Pi acting as the server (tag:server):

{
	"tagOwners": {
		"tag:example": ["autogroup:admin"],
		"tag:server":  ["autogroup:admin"],
		"tag:admin":   ["autogroup:admin"],
	},

	"acls": [
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},
	],
	"ssh": [
		{
			"action": "accept",
			"src":    ["tag:admin"],
			"dst":    ["tag:server"],
			"users":  ["my-raspberry-local-user", "root"],
		},
	],
}

I got a different error when I tried the command ssh my-raspberry-local-user@100.123.456.789 (assume that’s the IP of my server):

PS C:\Users\Jaime> ssh my-raspberry-local-user@100.123.456.789
failed to look up my-raspberry-local-user
my-raspberry-local-user@100.123.456.789: Permission denied (tailscale).

But surprisingly, when I used root as the SSH user, it logged me into some sort of Alpine Linux, which I first assumed was the inside of the Tailscale Docker container. After creating a directory there and accessing the container directly from the Raspberry Pi, I confirmed it actually was the Docker container and not the Raspberry Pi host.

Is this because of the Tailscale being dockerized or is it because of Tailscale SSH?

Fixed by not using Tailscale SSH.
Final Docker Compose:

services:
  tailscaled:
    image: tailscale/tailscale
    container_name: tailscaled
    volumes:
      - /var/lib:/var/lib
      - /dev/net/tun:/dev/net/tun
    network_mode: host
    cap_add:
      - NET_ADMIN
      - NET_RAW
    restart: unless-stopped
    environment:
      - TS_AUTHKEY=${TS_AUTHKEY}
      - TS_EXTRA_ARGS=--ssh=false --hostname=my-raspberry-server

ACLs:

{
	"tagOwners": {
		"tag:example": ["autogroup:admin"],
		"tag:server":  ["autogroup:admin"],
		"tag:admin":   ["autogroup:admin"],
	},

	"acls": [
		{"action": "accept", "src": ["*"], "dst": ["*:*"]},
	],
}

Also, if you’re using Windows, do not use WSL, because apparently you can ping but you can’t SSH through Ubuntu WSL in Windows; you have to use cmd or PowerShell, otherwise it won’t work (this is probably my number one issue with this).
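A small policy check for the two things this post ran into, added here as an example and not part of the post or of Tailscale's tooling: it reads the TS_EXTRA_ARGS line of a compose file and a Tailscale HuJSON policy (both sample inputs are constructed below, modelled on the ones above), and flags Tailscale SSH enabled on a containerised tailscaled (sessions land inside the container, which is the Alpine shell seen above), ssh rules that permit root, and ssh rules left behind once the node runs --ssh=false. Function names are my own.

```python
import json
import re
import shlex

# Constructed samples modelled on the post's configs (not the author's exact files).
COMPOSE_SSH_ON = "services:\n  tailscaled:\n    network_mode: host\n    environment:\n      - TS_EXTRA_ARGS=--ssh\n"
COMPOSE_SSH_OFF = COMPOSE_SSH_ON.replace("--ssh", "--ssh=false --hostname=my-raspberry-server")
ACL_DEFAULT = """{
  "acls": [{"action": "accept", "src": ["*"], "dst": ["*:*"]},],
  "ssh": [{"action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:self"],
           "users": ["autogroup:nonroot", "root"]},],
}"""


def load_hujson(text):
    """Parse a Tailscale HuJSON policy: strip // comments and trailing commas, then json.loads."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def tailscale_ssh_enabled(compose_text):
    """True if TS_EXTRA_ARGS turns Tailscale SSH on; a later --ssh=false overrides an earlier --ssh."""
    m = re.search(r"TS_EXTRA_ARGS=(.*)", compose_text)
    enabled = False
    for arg in shlex.split(m.group(1)) if m else []:
        if arg in ("--ssh", "--ssh=true"):
            enabled = True
        elif arg == "--ssh=false":
            enabled = False
    return enabled


def audit(compose_text, acl_text):
    """Findings for a containerised tailscaled plus the tailnet's ssh rules."""
    findings = []
    ssh_on = tailscale_ssh_enabled(compose_text)
    rules = load_hujson(acl_text).get("ssh", [])
    if ssh_on:
        # tailscaled serves Tailscale SSH itself, so in a container the session
        # gets the container's users and filesystem, which is what the post saw.
        findings.append("ssh-in-container: Tailscale SSH sessions land inside the container")
    for rule in rules:
        if "root" in rule.get("users", []):
            findings.append("root-allowed: %s -> %s permits root" % (rule["src"], rule["dst"]))
    if rules and not ssh_on:
        findings.append("unused-ssh-rules: ssh rules exist but this node runs --ssh=false")
    return findings
```

Running audit(COMPOSE_SSH_ON, ACL_DEFAULT) reports both the in-container session and the root rule; with COMPOSE_SSH_OFF it instead reports the now-unused ssh rules.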