The official Tailscale subreddit. Not routinely monitored by Tailscale employees. Please contact support via https://tailscale.com/contact/support if you need further help.
ACLs to restrict user (or group) to exit node only and nothing else
After reading the docs it's still not clear to me how to accomplish the following:
I have two users with a single machine each join my tscale network. i set them up to use as exit nodes, and this works fine.
I'd like to restrict those two users (and their machines) from being able to connect to any other machine on the network. they should only be able to act as exit nodes.
how do I modify the default ACLs to accomplish this? It would be good to create a group to do so, so that I don't need to modify the ACL further. I'd only add the user to the group exit_nodes_only.
Remove the default rule that allows everyone to access everything. And start building your own. Something like this might work, but you should read up on the syntax
{ // Declare static groups of users. Use autogroups for all users or users with a specific role. "groups": { "group:exit_nodes_only": [ "[email protected]", "[email protected]", ], }, "acls": [ //the admins of this tailnet can get everywhere {"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]}, //Admins and exit nodes only users can use exit nodes { "action": "accept", "src": ["autogroup:admin", "group:exit_nodes_only"], "dst": ["autogroup:internet:*"], }, //people we share exit nodes with can use our exit nodes { "action": "accept", "src": ["autogroup:shared"], "dst": ["autogroup:internet:*"], }, ], }It is worth mentioning that, when a peer exits through a node, with autogroup:internet, that peer will be able to get to internet through that exit node, but otherwise cannot connect to that exit node.
Cool!