
Limiting exit node use to specific clients

Question

I am trying to limit the exit node usage to only a couple of of clients (phone, travel laptop) via ACL but am not finding an ACL example that would do this. I have the tags set up I think but cannot seem to find an ACL that will only allow the exit node to be used by the specified tagged clients. I do not want all of my random VPSs for example using my home connection router for the internet facing traffic.

I hope that makes sense.

```
// Access control lists.
"acls": [
	// Match absolutely everything.
	// Comment this section out if you want to define specific restrictions.
	//{"action": "accept", "src": ["*"], "dst": ["*:*"]},

	// Group allowed to use exit node
	{
		"action": "accept",
		"src":    ["tag:extinternet"],
		"dst":    ["autogroup:internet:*"],
	},
	// All users can use exit nodes
	// If you are using the default ACL, this rule is not needed because the
	// default ACL allows all users access to the internet through an exit node
	//{
	//	"action": "accept",
	//	"src":    ["autogroup:members"],
	//	"dst":    ["autogroup:internet:*"],
	//},
],
```

The above is an example. Comment out the allow-all rule, then add the group for the exit node with a dst of autogroup:internet:*. src should be the tag you want to allow access via the exit node (my example uses tag:extinternet).

This is what I use for this exact purpose and it appears to be working.

Edited

Oh, note that you may need to create a second tag to allow things to talk to each other again and put in an acl for that (this is my default, and I realized this may cause that). This would be an allow example for tag to tag:

{"action": "accept", "src": ["tag:intranet"], "dst": ["tag:intranet:*"]},

likely there is an autogroup for this as well, now that I think about it...

Edit:

There is:

https://tailscale.com/kb/1018/acls/#autogroups

Have not tested this, but this should also work:

{"action": "accept", "src": ["autogroup:members"], "dst": ["autogroup:members:*"]},
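To check who a policy like the one above actually lets through the exit node, here is an added example (mine, not from this thread or from Tailscale): a small evaluator for the accept rules discussed, run against a constructed device inventory. It models only the selectors the posts use ("*", "tag:<name>", "autogroup:internet") and leaves out everything else in Tailscale's policy language.

```python
import json
import re

# Constructed policy mirroring the thread: allow-all commented out, tag:extinternet
# may use exit nodes, tag:intranet devices may still reach each other.
POLICY_HUJSON = """
{
  "acls": [
    // {"action": "accept", "src": ["*"], "dst": ["*:*"]},
    {"action": "accept", "src": ["tag:extinternet"], "dst": ["autogroup:internet:*"]},
    {"action": "accept", "src": ["tag:intranet"], "dst": ["tag:intranet:*"]},
  ],
}
"""

# Constructed inventory: device name -> tags applied to it.
DEVICES = {
    "phone": {"tag:extinternet", "tag:intranet"},
    "travel-laptop": {"tag:extinternet", "tag:intranet"},
    "vps-1": {"tag:intranet"},
}

def load_hujson(text):
    """Tailscale policies are HuJSON: drop // comments and trailing commas first."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[\]}])", r"\1", text)
    return json.loads(text)

def allowed(policy, src_tags, dst_kind, dst_tags=frozenset(), port=443):
    """True if some accept rule lets a node carrying src_tags reach the destination.
    dst_kind is "internet" (traffic leaving via an exit node) or "node" (a peer with
    dst_tags). Only the selectors used in the thread are modelled."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(s == "*" or s in src_tags for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            host, _, dport = dst.rpartition(":")  # "tag:intranet:*" -> ("tag:intranet", "*")
            if dport not in ("*", str(port)):
                continue
            if host == "*" or (host == "autogroup:internet" and dst_kind == "internet"):
                return True
            if dst_kind == "node" and host in dst_tags:
                return True
    return False

def exit_node_users(policy, devices):
    """Audit helper: which devices the policy lets route through an exit node."""
    return sorted(n for n, tags in devices.items() if allowed(policy, tags, "internet"))
```

Running `exit_node_users(load_hujson(POLICY_HUJSON), DEVICES)` returns only the phone and travel laptop; uncommenting the allow-all line brings the VPS back in, which is exactly the leak the OP wants to avoid.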

Quick question. Considering OP said they have VPSs and such, if they have already configured normal ACLs to stop those VPSs from accessing their home network, this wouldn't be required, yes?


Wait, I thought each device had to explicitly choose to use the exit node? I have one exit node and I only flip my phone or MacBook to use it when I'm watching Netflix, then I flip it off.

Yes, each client does have to explicitly choose to use an exit node.

But the OP talks about controlling/limiting which clients are allowed to access exit nodes.
