I’m running multiple instances of infra across multiple cloud accounts (dev, qa, prod, etc.). I was previously using WireGuard as a VPN entrypoint to my private network. This was nice as the WireGuard client allows the selective enabling/disabling of various tunnels.
The key thing to know here is that all my subnets are the same across accounts. This is fine if only one relay is enabled per client. Traffic flows to the private network through the single active relay, and my users can easily access their machines with private IPs.
With Tailscale, if I create multiple relay nodes, one for each environment, and then try to access them, I’m running into a problem where my subnet CIDR ranges are competing for the same address space. Essentially colliding and preventing reliable access to a specific environment.
Looks like selecting relays in the client is not an option. So I tried to limit things using ACL lists. This seems like it should work but does not do what I want.
I’m using groups and host rules to attempt to prevent some users from accessing some relay nodes. It appears that the subnet rules override the group rules, and if I allow a group to have access to a specific subnet CIDR range, this will allow them to see all the relays supporting this range (leading to the collision issue).
Has anyone else run into this specific issue? I’m starting to think that Tailscale may not have the features I need here, namely the ability for a client to manually select and enable/disable relay nodes without interacting with the ACL list. I can’t change my subnet CIDR ranges to avoid this, as they’re all tied into my existing infra.
Any ideas on how to resolve this while still using Tailscale?
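For readers trying to reproduce the situation described above, here is a constructed Tailscale ACL policy (HuJSON) in the shape the post describes: per-environment groups, host aliases for the relay (subnet router) nodes, and a rule that grants a group access to a CIDR. This is an added illustration, not the poster's actual policy; the group names, user emails, Tailscale IPs and the 10.0.0.0/16 range are all assumptions. The point it makes visible is that the `dst` entry names the CIDR, not a particular relay node, so the same rule matches that range on every relay that advertises it, which is the overlap the post reports.

```json
{
  // Constructed example: one group per environment (assumed names/users).
  "groups": {
    "group:dev-users":  ["alice@example.com"],
    "group:prod-users": ["bob@example.com"]
  },

  // Host aliases for the per-environment subnet routers (assumed Tailscale IPs).
  "hosts": {
    "dev-relay":  "100.64.0.10",
    "prod-relay": "100.64.0.20"
  },

  "acls": [
    // Rule 1: reach the relay nodes themselves. This does limit who can
    // talk to which relay's own Tailscale IP.
    {"action": "accept", "src": ["group:dev-users"],  "dst": ["dev-relay:*"]},
    {"action": "accept", "src": ["group:prod-users"], "dst": ["prod-relay:*"]},

    // Rule 2: reach the private subnet behind the relays. The dst here is a
    // CIDR (assumed 10.0.0.0/16), shared by every environment. Nothing in this
    // rule says which relay should carry the traffic, so every relay that
    // advertises 10.0.0.0/16 satisfies it for dev-users.
    {"action": "accept", "src": ["group:dev-users"], "dst": ["10.0.0.0/16:*"]}
  ]
}
```

When checking a policy like this, look at whether any `dst` is a CIDR that more than one subnet router advertises; that is the condition under which a group-scoped rule stops distinguishing between environments.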