User defined ACLs for access to an entire subnet rather than a specific host?

Tailscale user:
Hi, I use wireguard extensively and love that you have made it easy for people to get in and create their own wireguard networks without needing to be super technical.

My question is… can a user define ACLs that would allow access to an entire subnet rather than a specific host? In my current wireguard configurations I can run wg on linux, NAT that interface and allow hosts to a /24. This helps with devices that cannot run Wireguard directly but still allow users to access those services over the wireguard tunnel.

I’m looking to solve some hurdles for a client that would like to use your service but they have storage appliances that cannot accommodate a Tailscale install.

Support:
Yes! Our ACLs do support allowing access to specific subnets. We have a few larger customers who rely on this feature, and we even use it ourselves internally. In the “ACLs” section of your ACL file, you can define a rule like so:

{
    "Action": "accept",
    "Users": ["group:admins"],
    "Ports": ["10.0.48.0/24:22"],
}

This should give access to the 10.0.48.0/24 subnet on port 22. It’s worth noting we don’t currently allow defining subnets as a re-usable value in the “Hosts” section, but we plan to add support for that in the future.

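Added example (not part of the original reply and not Tailscale's own code): a small model of how a rule of that shape is evaluated, so you can check what a subnet entry in "Ports" does and does not grant before rolling it out. It assumes a constructed "Groups" section populating group:admins with two made-up users, and models only CIDR-plus-port matching with default deny, not the full ACL language.

```python
"""Toy evaluator for a Tailscale-style ACL rule (added example, not Tailscale's code)."""
import ipaddress
import json

# Constructed ACL file in the shape the reply describes. The group membership
# and user names are assumptions for the example, not values from the thread.
ACL_FILE = """
{
  "Groups": {
    "group:admins": ["alice@example.com", "bob@example.com"]
  },
  "ACLs": [
    {
      "Action": "accept",
      "Users": ["group:admins"],
      "Ports": ["10.0.48.0/24:22"]
    }
  ]
}
"""


def load_acl(text):
    """Parse the ACL file (plain JSON here; the real file format also accepts comments)."""
    return json.loads(text)


def expand_users(acl, users):
    """Resolve group:... entries to their members; plain user names pass through."""
    groups = acl.get("Groups", {})
    resolved = set()
    for user in users:
        if user.startswith("group:"):
            resolved.update(groups.get(user, []))
        else:
            resolved.add(user)
    return resolved


def parse_port_spec(spec):
    """'10.0.48.0/24:22' -> (IPv4Network, 22); a bare address becomes a /32; '*' means any port."""
    host, _, port = spec.rpartition(":")
    network = ipaddress.ip_network(host, strict=False)
    return network, None if port == "*" else int(port)


def is_allowed(acl, user, dst_ip, dst_port):
    """Default deny: True only if some accept rule matches the user, destination IP and port."""
    addr = ipaddress.ip_address(dst_ip)
    for rule in acl.get("ACLs", []):
        if rule.get("Action") != "accept":
            continue
        rule_users = rule.get("Users", [])
        if "*" not in rule_users and user not in expand_users(acl, rule_users):
            continue
        for spec in rule.get("Ports", []):
            network, port = parse_port_spec(spec)
            if addr in network and (port is None or port == dst_port):
                return True
    return False


if __name__ == "__main__":
    acl = load_acl(ACL_FILE)
    for who, ip, port in [("alice@example.com", "10.0.48.17", 22),
                          ("alice@example.com", "10.0.48.17", 80),
                          ("alice@example.com", "10.0.49.17", 22),
                          ("carol@example.com", "10.0.48.17", 22)]:
        print(who, ip, port, "->", "accept" if is_allowed(acl, who, ip, port) else "deny")
```

The checks worth noting: the rule admits any host inside 10.0.48.0/24 on port 22 only, so port 80 on the same host, the same port on the neighbouring /24, and a user outside group:admins are all denied. Because there is no way to name the subnet in "Hosts" yet, the CIDR has to be repeated in every rule that needs it, which is exactly where a copy-paste typo widens or narrows access silently; running the intended allow and deny cases through a check like this is a cheap way to catch that.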