Tailscale Access Controls
Abstract
With Tailscale Access Control Lists (ACLs) you can define which devices and users are allowed to connect to each other in your network. By default, all devices on your Tailnet are allowed to communicate with each other. From a security perspective this is undesirable: a single compromised device can then reach every other node, so the policy should instead only allow the connections that are actually needed.
How to use Tailscale Access Controls
In the Tailscale dashboard, navigate to the tab 'Access Controls'. We will remove the default policy, as it allows all Tailscale devices to communicate openly with each other; anything not explicitly accepted by the new policy is denied.
The ACL policy consists of 3 parts:
- Defining your hosts. You will need to manually add all the devices that are on your Tailnet. Note down their Tailscale IP and their name. See the full example below.
- Defining which of those hosts are allowed to communicate. We will use the action 'accept' to allow communication. For the destination device, you are also able to define the ports. If you wish to allow all ports, you can use a "*".
- Tests. These are optional, but useful. When making changes to your ACL policy, a test can check if certain connections are still allowed or blocked as needed.
    {
        "hosts": {
            "ardougne": "100.102.226.112",
            "cedrics-laptop": "100.123.5.71",
            "falador": "100.75.47.56",
            "pc-ce": "100.77.18.120",
            "rimmington": "100.109.66.90",
            "varrock": "100.66.43.94",
            "othersidetech": "100.111.99.109",
        },
        "acls": [
            {
                // Proxmox Backup servers
                "action": "accept",
                "src": ["rimmington", "ardougne", "pc-ce", "cedrics-laptop"],
                "dst": ["rimmington:*", "ardougne:*", "pc-ce:*", "cedrics-laptop:*"],
            },
            {
                // Jumphost varrock
                "action": "accept",
                "src": ["varrock", "pc-ce", "cedrics-laptop"],
                "dst": ["varrock:*", "pc-ce:*", "cedrics-laptop:*"],
            },
            {
                // Proxmox Falador host
                "action": "accept",
                "src": ["falador", "pc-ce", "cedrics-laptop"],
                "dst": ["falador:*", "pc-ce:*", "cedrics-laptop:*"],
            },
            {
                // Azure MkDocs OtherSideTech
                "action": "accept",
                "src": ["othersidetech", "pc-ce", "cedrics-laptop", "varrock"],
                "dst": ["othersidetech:*", "pc-ce:*", "cedrics-laptop:*", "varrock:*"],
            },
        ],
        "tests": [
            {
                "src": "rimmington",
                "accept": ["ardougne:80"],
                "deny": ["falador:80"],
            },
        ],
    }
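To see how the three parts fit together (host aliases, accept rules with per-port destinations, and the tests section), the following added example evaluates the policy above offline with the same default-deny semantics Tailscale applies: a connection is allowed only if some accept rule names the source and the destination host:port, and the "tests" block is checked against that evaluation. This is illustrative code written for this article, not Tailscale's own evaluator; the policy text is the one shown above, and the HuJSON-to-JSON stripping (comments and trailing commas) is a small assumption that is good enough for this policy but not a general HuJSON parser.

```python
"""Offline evaluation of a Tailscale-style ACL policy (added example, not Tailscale code)."""
import json
import re

# The policy from the article, kept in Tailscale's HuJSON form (comments, trailing commas).
POLICY_HUJSON = r'''
{
    "hosts": {
        "ardougne": "100.102.226.112",
        "cedrics-laptop": "100.123.5.71",
        "falador": "100.75.47.56",
        "pc-ce": "100.77.18.120",
        "rimmington": "100.109.66.90",
        "varrock": "100.66.43.94",
        "othersidetech": "100.111.99.109",
    },
    "acls": [
        { // Proxmox Backup servers
          "action": "accept",
          "src": ["rimmington", "ardougne", "pc-ce", "cedrics-laptop"],
          "dst": ["rimmington:*", "ardougne:*", "pc-ce:*", "cedrics-laptop:*"], },
        { // Jumphost varrock
          "action": "accept",
          "src": ["varrock", "pc-ce", "cedrics-laptop"],
          "dst": ["varrock:*", "pc-ce:*", "cedrics-laptop:*"], },
        { // Proxmox Falador host
          "action": "accept",
          "src": ["falador", "pc-ce", "cedrics-laptop"],
          "dst": ["falador:*", "pc-ce:*", "cedrics-laptop:*"], },
        { // Azure MkDocs OtherSideTech
          "action": "accept",
          "src": ["othersidetech", "pc-ce", "cedrics-laptop", "varrock"],
          "dst": ["othersidetech:*", "pc-ce:*", "cedrics-laptop:*", "varrock:*"], },
    ],
    "tests": [
        { "src": "rimmington", "accept": ["ardougne:80"], "deny": ["falador:80"], },
    ],
}
'''


def hujson_to_dict(text):
    """Strip // comments and trailing commas so json.loads accepts the policy.
    Assumption: no string value contains '//' (true for this policy)."""
    without_comments = re.sub(r"//[^\n]*", "", text)
    without_trailing = re.sub(r",(\s*[}\]])", r"\1", without_comments)
    return json.loads(without_trailing)


def resolve(policy, name):
    """Map a host alias to its Tailscale IP; literal IPs and '*' pass through."""
    return policy["hosts"].get(name, name)


def port_matches(spec, port):
    """Match a dst port spec such as '*', '80', '22,443' or '8000-8999'."""
    if spec == "*":
        return True
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            if int(lo) <= port <= int(hi):
                return True
        elif int(part) == port:
            return True
    return False


def is_allowed(policy, src, dst, port):
    """True if an accept rule permits src -> dst:port. No matching rule means deny."""
    src_ip, dst_ip = resolve(policy, src), resolve(policy, dst)
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        sources = {resolve(policy, s) for s in rule["src"]}
        if "*" not in sources and src_ip not in sources:
            continue
        for entry in rule["dst"]:
            host, _, ports = entry.rpartition(":")
            if host != "*" and resolve(policy, host) != dst_ip:
                continue
            if port_matches(ports, port):
                return True
    return False


def reachable_hosts(policy, src, port):
    """Sorted list of named hosts that src may reach on the given port."""
    return sorted(h for h in policy["hosts"] if is_allowed(policy, src, h, port))


def run_tests(policy):
    """Evaluate the policy's own 'tests' block; returns (description, passed) pairs."""
    results = []
    for test in policy.get("tests", []):
        src = test["src"]
        for target in test.get("accept", []):
            host, _, port = target.rpartition(":")
            results.append((f"{src} -> {target} accepted", is_allowed(policy, src, host, int(port))))
        for target in test.get("deny", []):
            host, _, port = target.rpartition(":")
            results.append((f"{src} -> {target} denied", not is_allowed(policy, src, host, int(port))))
    return results


POLICY = hujson_to_dict(POLICY_HUJSON)

if __name__ == "__main__":
    for description, passed in run_tests(POLICY):
        print(("PASS " if passed else "FAIL ") + description)
    print("varrock can reach on 443:", reachable_hosts(POLICY, "varrock", 443))
```

The useful check is the one the article's test expresses: the backup host rimmington reaches ardougne but not falador, because no accept rule lists rimmington as a source for falador, and absence of a rule is a deny. Running reachable_hosts for each source is a quick way to review the whole matrix after every policy change, which is exactly the kind of regression the "tests" block is meant to catch before the dashboard saves it.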