Tailscale ACL Configuration

Date: 2026-01-07
Purpose: Access control rules for network infrastructure


ACL Structure

Hosts

Host entries are aliases for Tailscale IPs (100.x.y.z) that can be used in ACL src and dst in place of raw addresses. The rules below use tags rather than hosts, so this block mainly documents which device is which. The NAS entry is a placeholder: the editor rejects 100.108.x.x as an address, so fill in the device's actual Tailscale IP before saving.

{
  "hosts": {
    "bluefly-m4": "100.108.180.36",
    "gitlab-m3max": "100.108.129.7",
    "glinet-router": "100.116.110.123",
    "synology-ds224plus": "100.108.x.x"
  }
}

Groups

Tailscale groups contain tailnet user logins, not device names, so the editor rejects the groups below as written. The intent is still useful: these are the device sets that map onto tag:admin, tag:router and tag:nas in the Tags section. Define group:admin with the logins of the people who are allowed to apply the admin tag and use it as a tag owner; a group is not needed to say which devices a rule covers, tags do that.

{
  "groups": {
    // members must be user logins; these device names belong under tags, not groups
    "group:admin": ["bluefly-m4", "gitlab-m3max"],
    "group:routers": ["glinet-router"],
    "group:nas": ["synology-ds224plus"]
  }
}

Tags

tagOwners lists who may apply each tag. Valid owners are user logins, groups, other tags and autogroups (for example autogroup:admin); device hostnames and wildcard patterns such as vastai-gpu-worker-* are not valid owners, and every tag that appears anywhere in the policy (including tag:ephemeral) needs its own tagOwners entry. The version below keeps the original tag set and uses autogroup:admin (tailnet admins) as the owner; substitute group:admin once that group lists user logins. Because tag:agents is owned by tag:vastai and tag:ephemeral, a device or auth key that carries one of those tags may also carry tag:agents, which is how Vast.ai workers and ephemeral nodes pick up the agent rules.

{
  "tagOwners": {
    "tag:admin":     ["autogroup:admin"],
    "tag:router":    ["autogroup:admin"],
    "tag:nas":       ["autogroup:admin"],
    "tag:storage":   ["autogroup:admin"],
    "tag:vastai":    ["autogroup:admin"],
    "tag:ephemeral": ["autogroup:admin"],
    "tag:agents":    ["tag:vastai", "tag:ephemeral"]
  }
}

ACL Rules

Admin Router (SSH and Admin UI)

{
  "action": "accept",
  "src": ["tag:admin"],
  "dst": ["tag:router:22", "tag:router:80", "tag:router:443"]
}

Purpose: Admin devices can SSH to the router and reach its admin UI. No other router ports are opened; this is not full access.


Admin NAS (SSH, SMB, DSM)

{
  "action": "accept",
  "src": ["tag:admin"],
  "dst": ["tag:nas:22", "tag:nas:445", "tag:nas:5000", "tag:nas:5001"]
}

Purpose: Admin devices can SSH (22), mount SMB shares (445) and reach DSM (5000 HTTP, 5001 HTTPS). Other NAS ports stay closed.


Agents NAS (SMB Only)

{
  "action": "accept",
  "src": ["tag:agents"],
  "dst": ["tag:nas:445"]
}

Purpose: Agent devices can reach SMB storage only; SSH and DSM on the NAS are not granted to them.


Admin Agents (Management)

{
  "action": "accept",
  "src": ["tag:admin"],
  "dst": ["tag:agents:22", "tag:agents:3000-3015"]
}

Purpose: Admin devices can SSH to agents and reach agent services on ports 3000 through 3015 (a port range is written low-high).


Agents Internet (HTTPS Only)

{
  "action": "accept",
  "src": ["tag:agents"],
  "dst": ["autogroup:internet:443"]
}

Purpose: Agent devices can reach HTTPS on the internet (package repos, APIs) through an exit node. autogroup:internet matches only non-tailnet destinations; the form *:443 also matches every device in the tailnet on port 443, including the router admin UI that this policy means to keep away from agents. ACLs only govern traffic carried over Tailscale: an agent that sends internet traffic out its own default route, without an exit node, is not constrained by this rule at all.


Agents Tailscale (Control Plane)

No ACL rule is needed here. ACLs filter traffic between tailnet nodes and traffic to the internet through exit nodes; each node's connection to the coordination server and the WireGuard/UDP transport on port 41641 are not subject to ACLs. A rule with "dst": ["*:41641"] would only open port 41641 on every tailnet device to agents, which is not what was intended, so no rule for that port belongs in the policy.


Agent Restrictions (Implicit Deny)

Tailscale ACLs are allow-lists: the only supported action is "accept", and anything not matched by an accept rule is denied. There is no "deny" action, so entries such as { "action": "deny", ... } are rejected by the editor and, more importantly, nothing in the policy can override an accept rule granted elsewhere. The restrictions below are enforced by not granting them, which means any broad accept rule (for example "tag:router:*" with tag:agents in src) silently undoes them.

Not granted to tag:agents:

  • tag:admin:* - agents cannot reach admin devices on any port
  • tag:router:22, tag:router:80, tag:router:443 - agents cannot reach router SSH or the router admin UI
  • tag:nas:22, tag:nas:5000, tag:nas:5001 - agents cannot reach NAS SSH or DSM

Purpose: Prevent agents from reaching admin devices, router administration and NAS administration. Agents keep SMB on the NAS (tag:nas:445) and outbound HTTPS only.


Allow Exit Node

{
  "action": "accept",
  "src": ["tag:admin"],
  "dst": ["autogroup:internet:*"]
}

Purpose: Allow admin devices to use the router as an exit node for any destination. Exit-node use is granted with autogroup:internet in dst, not by opening the exit node's own ports: "tag:router:*" grants every port on the router, including 22, 80 and 443, to whatever is in src, and with tag:agents in src it would have undone the router restriction above. Agents' internet access is covered by their own HTTPS-only rule. The router must also advertise itself as an exit node (tailscale up --advertise-exit-node) and be approved as one in the admin console before clients can select it.


Complete ACL Configuration

The policy file is HuJSON, so comments and trailing commas are accepted. This is the rule set above with the unsupported deny rules removed (default deny covers them), the exit-node and internet rules expressed with autogroup:internet, the 41641 rule dropped, and tag owners that the editor accepts.

{
  // Device aliases. Not referenced by the rules below, kept for documentation.
  "hosts": {
    "bluefly-m4": "100.108.180.36",
    "gitlab-m3max": "100.108.129.7",
    "glinet-router": "100.116.110.123",
    "synology-ds224plus": "100.108.x.x", // replace with the NAS's Tailscale IP before saving
  },

  // "groups": add group:admin with user logins and use it as a tag owner if
  // tailnet-admin ownership (autogroup:admin) is broader than wanted.

  // Who may apply each tag: user logins, groups, tags or autogroups only.
  "tagOwners": {
    "tag:admin":     ["autogroup:admin"],
    "tag:router":    ["autogroup:admin"],
    "tag:nas":       ["autogroup:admin"],
    "tag:storage":   ["autogroup:admin"],
    "tag:vastai":    ["autogroup:admin"],
    "tag:ephemeral": ["autogroup:admin"],
    // a node carrying tag:vastai or tag:ephemeral may also carry tag:agents
    "tag:agents":    ["tag:vastai", "tag:ephemeral"],
  },

  // Accept rules only; everything not listed is denied.
  "acls": [
    // Admin -> router: SSH and admin UI
    { "action": "accept", "src": ["tag:admin"], "dst": ["tag:router:22", "tag:router:80", "tag:router:443"] },
    // Admin -> NAS: SSH, SMB, DSM
    { "action": "accept", "src": ["tag:admin"], "dst": ["tag:nas:22", "tag:nas:445", "tag:nas:5000", "tag:nas:5001"] },
    // Agents -> NAS: SMB only
    { "action": "accept", "src": ["tag:agents"], "dst": ["tag:nas:445"] },
    // Admin -> agents: SSH and agent service ports
    { "action": "accept", "src": ["tag:admin"], "dst": ["tag:agents:22", "tag:agents:3000-3015"] },
    // Agents -> internet via exit node: HTTPS only
    { "action": "accept", "src": ["tag:agents"], "dst": ["autogroup:internet:443"] },
    // Admin -> internet via exit node: any port
    { "action": "accept", "src": ["tag:admin"], "dst": ["autogroup:internet:*"] },
  ],
}

Implementation Steps

1. Update Tailscale ACLs

  1. Go to: https://login.tailscale.com/admin/acls
  2. Copy the complete ACL configuration above (HuJSON comments are accepted by the editor)
  3. Paste into the ACL editor, replacing the existing policy
  4. Save. The editor validates the policy first and refuses to save on syntax errors, undefined tags, invalid tag owners or invalid host addresses, so fix whatever it reports before the save goes through

2. Apply Tags to Devices

Tags are applied in the admin console (Machines, then the device's menu, Edit ACL tags) by a user who is an owner of the tag, or at join time with tailscale up --advertise-tags=tag:... using an auth key whose creator owns the tag. For Vast.ai and other short-lived workers, create an ephemeral, pre-tagged auth key (Settings, Keys) so the node arrives already tagged and is removed automatically after it goes offline. A tagged device acts under the tag's identity rather than a user's, which is what the rules above assume. The rules reference tag:agents, not tag:vastai or tag:ephemeral, so agent devices need tag:agents as well as their source tag.

Admin Devices:

  • bluefly-m4 Add tag: tag:admin
  • gitlab-m3max Add tag: tag:admin

Router:

  • glinet-router Add tag: tag:router

NAS:

  • synology-ds224plus Add tags: tag:nas, tag:storage

Agent Devices:

  • Vast.ai instances Add tags: tag:vastai, tag:agents
  • Ephemeral agents Add tags: tag:ephemeral, tag:agents

3. Verify ACLs

Run the checks from a device carrying each tag. The admin checks should succeed; from an agent, the DSM check should fail while the SMB check succeeds. Denied traffic never reaches the NAS, so the failure presents as a refused connection or timeout, not an HTTP error.

# From admin device
tailscale ping synology-ds224plus.tailcf98b3.ts.net
# -k: DSM usually presents a self-signed certificate; only reachability matters here
curl -k --connect-timeout 5 -sS -o /dev/null -w '%{http_code}\n' https://synology-ds224plus.tailcf98b3.ts.net:5001

# From agent device: DSM should fail (only port 445 is granted to tag:agents)
curl -k --connect-timeout 5 -sS -o /dev/null -w '%{http_code}\n' https://synology-ds224plus.tailcf98b3.ts.net:5001
# Expected: Connection refused or timeout

# From agent device: SMB should succeed
nc -vz -w 5 synology-ds224plus.tailcf98b3.ts.net 445
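Checking from live devices only covers the endpoints you happen to try. Tailscale policy files can also carry a tests section that the editor evaluates every time the policy is saved, refusing the save if any expectation fails, which catches a broad accept rule reintroducing router or DSM access to agents before it reaches the tailnet. The block below is an added example written for this page, not part of the original configuration; it assumes the tag names and ports defined above and goes in the same policy file as a top-level key beside acls and tagOwners.

```hujson
{
  // the hosts, tagOwners and acls sections from the complete configuration go here, unchanged

  "tests": [
    {
      // Agents get SMB on the NAS and nothing else on the NAS, router or admin devices
      "src": "tag:agents",
      "accept": ["tag:nas:445"],
      "deny": [
        "tag:nas:22", "tag:nas:5000", "tag:nas:5001",
        "tag:router:22", "tag:router:80", "tag:router:443",
        "tag:admin:22", "tag:admin:443",
      ],
    },
    {
      // Admins keep SSH and UI on the router, SSH/SMB/DSM on the NAS,
      // and SSH plus the 3000-3015 service range on agents; the range edge is checked
      "src": "tag:admin",
      "accept": [
        "tag:router:22", "tag:router:80", "tag:router:443",
        "tag:nas:22", "tag:nas:445", "tag:nas:5000", "tag:nas:5001",
        "tag:agents:22", "tag:agents:3000", "tag:agents:3015",
      ],
      "deny": ["tag:nas:80", "tag:agents:3016"],
    },
    {
      // Infrastructure devices originate nothing toward admin devices or each other
      "src": "tag:router",
      "deny": ["tag:admin:22", "tag:nas:445"],
    },
  ],
}
```

Each test names one source and lists destination:port pairs that must be accepted or denied. Keep the deny lists aligned with the "not granted" list in the Agent Restrictions section; when a future rule needs to open one of those ports, the test forces the change to be made deliberately rather than as a side effect of a wildcard.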