Subnet route advertisement scope


I am looking into Tailscale to use for remote access to devices. Each device has a LAN subnet (always 192.168.1.x) that I would like to forward on a conditional basis. e.g. “review and approve” the subnet when the remote access is needed for device XYZ, and then disable when done.

This works great if I am the only user, but I am trying to understand how this approach to subnets would scale for a corporate Tailscale account with multiple users. There are times when two or more users would simultaneously want access to the subnets of different devices…but if the identical subnet is approved and advertised across the Tailscale network, I presume there would be overlap and routing issues.


Is subnet approval done on a per-user basis? So user A can approve a different list of subnets than user B?

Is some alternative approach recommended for this situation?


Subnet access can be managed via ACLs.

Network access controls (ACLs) · Tailscale

so you could do something like…

{
  // Named aliases for the subnets
  "hosts": {
    "example-network-1": "",
    "example-network-2": ""
  },

  // One accept rule per network
  "acls": [
    {
      "action": "accept",
      "src": [""],
      "dst": ["example-network-1:*"]
    },
    {
      "action": "accept",
      "src": [""],
      "dst": ["example-network-2:*"]
    }
  ]
}

Thanks @GavinGreenwalt.

I want to confirm:

  • In your example the host networks are unique subnets.
  • In my case, the subnets will all be identical…but attached to different physical devices.

Is there a syntax for naming or tagging the subnets of particular devices, so that an ACL can allow users access to different device+subnet combos?

Ooops! Misread.

There is a feature for this. But it’s a Business level not Teams plan level feature so I’m too cheap to have tested it haha.

4via6 subnet routers · Tailscale
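
An added example, not part of the thread or Tailscale's own code: it flags devices that advertise overlapping IPv4 subnets and shows how the same 192.168.1.0/24 becomes a distinct IPv6 prefix per site under 4via6. It assumes the 4via6 layout is fd7a:115c:a1e0:b1a::/64, then a 32-bit site ID, then the IPv4 address; the device names and site IDs are constructed.

```python
import ipaddress
import itertools

# Assumed 4via6 range; the site ID and IPv4 address fill the low 64 bits.
VIA_RANGE = ipaddress.IPv6Network("fd7a:115c:a1e0:b1a::/64")


def conflicting_routes(advertised):
    """Return sorted pairs of devices whose advertised IPv4 subnets overlap."""
    nets = {dev: ipaddress.IPv4Network(cidr) for dev, cidr in advertised.items()}
    return [(a, b) for a, b in itertools.combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def map_via(site_id, v4_cidr):
    """Map an IPv4 subnet behind one site to its per-site IPv6 prefix."""
    if not 0 <= site_id <= 0xFFFFFFFF:
        raise ValueError("site ID must fit in 32 bits")
    v4 = ipaddress.IPv4Network(v4_cidr)
    addr = (int(VIA_RANGE.network_address)
            | (site_id << 32)
            | int(v4.network_address))
    return ipaddress.IPv6Network((addr, 96 + v4.prefixlen))


def via_to_v4(addr):
    """Recover (site ID, IPv4 address) from a mapped IPv6 address."""
    v6 = ipaddress.IPv6Address(addr)
    if v6 not in VIA_RANGE:
        raise ValueError("not inside the 4via6 range")
    low = int(v6) & ((1 << 64) - 1)
    return low >> 32, ipaddress.IPv4Address(low & 0xFFFFFFFF)


if __name__ == "__main__":
    # Constructed inventory: two devices share the same LAN range.
    advertised = {
        "device-xyz": "192.168.1.0/24",
        "device-abc": "192.168.1.0/24",
        "device-lab": "10.1.1.0/24",
    }
    print("overlapping:", conflicting_routes(advertised))
    # Constructed site IDs, one per device.
    for site_id, dev in enumerate(sorted(advertised), start=1):
        print(dev, "->", map_via(site_id, advertised[dev]))
```

The prefix a real subnet router should advertise comes from `tailscale debug via <site-id> <cidr>`; treat the values computed here as a cross-check.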

Thanks. I cannot try it since it is a Business level feature but the 4via6 router seems like what we’d need.

Can anyone comment on the “alpha” status of it?