User can't use exit node, but it works in admin account

Hello.
I have several nodes and everything is working fine, but today I’ve added another user, edited the ACL and granted only one host to this user.
The host is under Linux and I want the user to use it as an exit node.
It works under the main admin account, but when I log in as the user and point to use the exit node it doesn’t work at all. Tcpdump on the node’s interface shows no traffic.
But when I switch the user’s account to the main admin account it works again.
Hosts can ping each other with their Tailscale IPs and that’s all.

 { "Action": "accept", "Users": ["admin@domain.com"], "Ports": ["*:*" ] },
 { "Action": "accept", "Users": ["user1@domain.com"], "Ports": ["host1:*", "host2:*"] },

where user1@domain.com is the user,
host1 is the Linux machine I want to use as the exit node,
host2 is the user’s machine.

To let people use an exit node, you currently have to grant access to all subnets, not just to the host providing the exit node. For example:

“Ports”: [":"]

Hmm, we should probably change this since it defeats other uses of ACLs.


And what if I want to deny this user access to all nodes except one, the exit node?

Unfortunately the only way to do that is to write a long Ports entry that essentially includes every public subnet but excludes your private subnets, which is pretty gross. We’ll have to fix this in our software, or else exit nodes and ACLs are not really compatible.

I filed a bug here: ACLs have no way to represent "allow user to use this exit node" without completely opening all traffic · Issue #1742 · tailscale/tailscale · GitHub


Thanks! Great to hear that!

Closing the loop here for new searches…

The github ticket is resolved, with the following details:

“We now support autogroup:internet as a magic host that means public IP space. e.g., an ACL that permits foo@bar.com to access any port 443 or port 22 out on the internet:”

{
  "ACLs": [
    {
      "Action": "accept",
      "Users": ["foo@bar.com"],
      "Ports": ["autogroup:internet:443,22"],
    },
  ],
}
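A simplified model of the rule matching this thread is about, added here as an illustration and not Tailscale's own evaluation code: the host-only grant from the first post matches traffic to host1's Tailscale IP but not to a public address reached through the exit node, while the autogroup:internet entry from the resolved ticket does. The HOSTS map holds constructed placeholder IPs, and autogroup:internet is approximated with ipaddress.is_global.

```python
import ipaddress

# Constructed placeholder mapping of ACL hostnames to Tailscale IPs (not real nodes).
HOSTS = {"host1": "100.64.0.1", "host2": "100.64.0.2"}

# ACLs as they appear in the thread: the original host-only grant, then the fix.
ORIGINAL_ACLS = [
    {"Action": "accept", "Users": ["admin@domain.com"], "Ports": ["*:*"]},
    {"Action": "accept", "Users": ["user1@domain.com"], "Ports": ["host1:*", "host2:*"]},
]
FIXED_ACLS = ORIGINAL_ACLS + [
    {"Action": "accept", "Users": ["user1@domain.com"], "Ports": ["autogroup:internet:443,22"]},
]


def port_matches(spec, port):
    """Port spec: '*', a single port, or comma-separated ports/ranges like '443,22' or '80-90'."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-", 1)
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def dst_matches(host_spec, dst_ip):
    """Host spec: '*', 'autogroup:internet' (approximated as globally routable), a hostname, or a CIDR."""
    if host_spec == "*":
        return True
    if host_spec == "autogroup:internet":
        return ipaddress.ip_address(dst_ip).is_global
    if host_spec in HOSTS:
        return HOSTS[host_spec] == dst_ip
    try:
        return ipaddress.ip_address(dst_ip) in ipaddress.ip_network(host_spec, strict=False)
    except ValueError:
        return False


def allowed(acls, user, dst_ip, port):
    """True if any accept rule for `user` has a Ports entry matching (dst_ip, port)."""
    for rule in acls:
        if rule.get("Action") != "accept" or user not in rule["Users"]:
            continue
        for entry in rule["Ports"]:
            host_spec, port_spec = entry.rsplit(":", 1)
            if dst_matches(host_spec, dst_ip) and port_matches(port_spec, port):
                return True
    return False
```

With the original rules, user1 reaches host1 itself but nothing beyond it; with the autogroup:internet rule added, public destinations on the listed ports are accepted while private ranges stay blocked.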