User defined ACL's for access to an entire subnet rather than a specific host?

SupportBot · November 13, 2020, 9:06pm

Tailscale user:
Hi, I use wireguard extensively and love that you have made it easy for people to get in and create their own wireguard networks without needing to be super technical.

My question is… can a user define ACLs that would allow access to an entire subnet rather than a specific host? In my current wireguard configurations I can run wg on linux, NAT that interface and allow hosts to a /24. This helps with devices that cannot run Wireguard directly but still allow users to access those services over the wireguard tunnel.

I’m looking to solve some hurdles for a client that would like to use your service but they have storage appliances that cannot accommodate a Tailscale install.

SupportBot · November 13, 2020, 9:07pm

Support:
Yes! Our ACLs do support allowing access to specific subnets. We have a few larger customers who rely on this feature, and we even use it ourselves internally. In the “ACLs” section of your ACL file, you can define a rule like so:

{

“Action”: “accept”,

“Users”: [“group:admins”],

“Ports”: [“10.0.48.0/24:22”],
}

This should give access to the 10.0.48.0/24 subnet on port 22. It’s worth noting we don’t currently allow defining subnets as a re-usable value in the “Hosts” section, but we plan to add support for that in the future.

Topic		Replies	Views
Lock down machine to machine trafic ACL (Access Control Lists)	11	3166	November 27, 2020
Help with ACLs and Subnet Routers ACL (Access Control Lists)	1	1320	December 16, 2022
Can ping subnet machines but not access their services (e.g. port 80) from tailnet ACL (Access Control Lists)	3	1084	February 24, 2023
Help Creating ACLs/Policy File ACL (Access Control Lists)	0	786	September 26, 2022
Questions about ACLs ACL (Access Control Lists)	1	1383	October 15, 2020

User defined ACL's for access to an entire subnet rather than a specific host?

Related topics