Tagged devices are able to see my untagged devices

I’ve added a few servers for testing to tag:backend using an auth key and --unattended tag for Windows machines. On the Windows servers, when I run a tailscale status I can see all of my untagged personal devices linked to my account.

I only want the machines in tag:backend to be able to see the tagged devices, without any of my devices; this server will be in a shared environment.

Is there a way to restrict this?

Using the ACLs, you can set

{
  "action": "accept",
  "src": ["tag:backend"],
  "dst": ["tag:backend:*"],
}

This will allow the tag:backend machines to talk to each other.

You can then also add something like:

{
  "action": "accept",
  "src": ["autogroup:members"],
  "dst": ["*:*"],
}

Which will allow people (but not machines owned by a tag) to access all resources.

For more information on the possible combinations, you can check out this article: Network access controls (ACLs) · Tailscale

I updated to the new syntax you provided changing my users and ports to src and dst. This makes a lot more sense.

I am still having the same results though. For example, I have this setup:

{
  // Declare static groups of users beyond those in the identity service.
  "groups": {
    "group:backend": [ "me@duh.com" ],
  },
  "tagOwners": {
    "tag:backend": ["me@duh.com"],
  },
  "acls": [
    // backend can talk to backend
    {
      "action": "accept",
      "src": ["tag:backend"],
      "dst": ["tag:backend:*"],
    },
    // backend group can communicate with backend
    {
      "action": "accept",
      "src": ["group:backend"],
      "dst": ["tag:backend:*"],
    },
  ]
}

This works and I can see the devices under tagged devices. On the server within the tag:backend, if I do a tailscale status I can see:

PS C:\Users\Administrator> tailscale status
100.10.xx.21   ldap                   ldap.duh.com windows -
100.10.xx.45   sat6              j@           macOS   -

Sat6 is the machine I am on right now. Without being able to use a deny, how do I limit access back to my machine?

You’ll still see the machines listed in the status, but they’re not necessarily connected: that’s the dash in the last column. For a connected machine you’ll see

active; direct {IP Address}, tx {number} rx {number}

You should find if you attempt to contact the machine from the tagged host (a ping to the tailscale address for example) it won’t work. They know the machines are in your network but cannot contact them.
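As an added example (not from this thread and not Tailscale's own code), a small Python model of the default-deny evaluation the policy above implies: a device is reachable only when some accept rule names it, so the tagged server reaches its tag:backend peers while no rule lets it reach back to the owner's untagged laptop. The HuJSON loader, the device model and the selector matching are simplified assumptions, not Tailscale's implementation.

```python
import json
import re

# Constructed HuJSON policy, modelled on the one posted in the thread.
POLICY_HUJSON = """
{
  // Declare static groups of users beyond those in the identity service.
  "groups": {"group:backend": ["me@duh.com"]},
  "tagOwners": {"tag:backend": ["me@duh.com"]},
  "acls": [
    // backend can talk to backend
    {"action": "accept", "src": ["tag:backend"], "dst": ["tag:backend:*"]},
    // backend group can communicate with backend
    {"action": "accept", "src": ["group:backend"], "dst": ["tag:backend:*"]},
  ],
}
"""

def load_hujson(text):
    """Strip // comments and trailing commas so json.loads accepts Tailscale's HuJSON."""
    text = re.sub(r"//[^\n]*", "", text)  # naive: would also eat '//' inside strings
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)

def matches(selector, device, groups):
    """Does a src/dst selector name this device? A tagged device carries no user identity."""
    tags, user = device.get("tags", []), device.get("user")
    if selector == "*":
        return True
    if selector.startswith("tag:"):
        return selector in tags
    if selector == "autogroup:members":
        return user is not None
    if selector.startswith("group:"):
        return user in groups.get(selector, [])
    return selector == user

def allowed(policy, src, dst, port=22):
    """Default deny: src reaches dst only if an accept rule matches src, dst target and port."""
    groups = policy.get("groups", {})
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept" or not any(matches(s, src, groups) for s in rule["src"]):
            continue
        for target in rule["dst"]:
            host, _, ports = target.rpartition(":")  # "tag:backend:*" -> ("tag:backend", "*")
            if (ports == "*" or str(port) in ports.split(",")) and matches(host, dst, groups):
                return True
    return False  # no rule matched, and there is no deny rule to write: absence is the deny
```

Devices are plain dicts here: `{"tags": ["tag:backend"]}` for a server joined with an auth key that applies the tag, `{"user": "me@duh.com"}` for an untagged personal machine.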