Difference between revisions of "Tailscale"
Revision as of 10:38, 4 April 2026
Installing Tailscale
Linux
Distros With a Package Manager
To download the package via the terminal, run the following:
curl -fsSL https://tailscale.com/install.sh | sh
Once it's downloaded, initialize Tailscale client via:
sudo tailscale up
This should print some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options from Google, Microsoft, GitHub, etc.
Once authenticated, the host should appear on your Machines page in the Admin console, within your TailNet (Tailscale Network).
Distros/Clients Without a Package Manager
MOST PEOPLE SHOULD BE USING THE ABOVE METHOD AND NOT THIS ONE
But if your distro/client does not have a package manager, or is a more obscure distribution, you can download the version for your system from here.
Extract the downloaded archive:
tar xvf tailscale_*.tgz
Start the downloaded daemon (tailscaled) via:
sudo tailscaled --state=tailscaled.state
And then to start the client and connect the machine to your tailnet:
sudo tailscale up
This should print some output to the terminal, including a URL you can use to authenticate via a handful of sign-in options from Google, Microsoft, GitHub, etc.
Once authenticated, the host should appear on your Machines page in the Admin console, within your TailNet (Tailscale Network).
Access Controls
Access Controls (ACLs) are managed either via the GUI builder or via the editable JSON file, both accessible from within the admin console. Tailscale's documentation for this is great, so be sure to see their examples page for reference.
Tailscale SSH is also not configured by default and needs to be enabled on a host by host basis and then permitted in the ACL file from the admin console.
Users
User Roles
More information regarding user roles can be found here.
Groups
Normal Groups
These are groups that are manually created and specified in the Admin console and/or in the ACL JSON file.
To create a group in the ACL file:
"groups": {
"group:GROUP_NAME": ["USER1", "USER2", "USER3"],
},
i.e.
"groups": {
"group:developers": ["Bob@example.com", "Janet@example.com", "Steven@example.com"],
},
Autogroups
Tags
Examples
By default, Tailscale's ACL model is least privilege (a connection is only possible where a grant permits it), but a new tailnet ships with an allow-all grant in place so that nodes can connect to one another out of the box.
Default
This initial permit-all ACL looks like this:
{
"grants": [
{
"src": ["*"],
"dst": ["*"],
"ip": ["*"]
}
]
}
Owners' Devices Only
To allow each user to access only the devices they themselves own in the TailNet:
{
"grants": [
{
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"ip": ["*"]
}
]
}
Tailscale SSH
To enable Tailscale SSH on the host you are currently logged into:
sudo tailscale set --ssh
This should be reflected almost immediately in the Admin console as well, with an SSH label on the host.
ACL Configuration
By default, all the hosts on your tailnet can access all the other hosts; they are "granted" this permission via the ACL in the Admin console. For hosts to connect to other hosts at all, including by SSH, they need to be "granted" permission to connect in the first place.
i.e. if HostA and HostB are not granted permission to connect, neither can SSH to the other.
To restrict which users/hosts can access other hosts (via SSH specifically), the ACL needs to be updated.
Restricting SSH Via Users
To restrict SSH access to machines by user, the rule would look something like this:
"ssh": [
{
"action": "accept", // No re-authentication required when connecting after a time
"src": ["janedoe@example.com"],
"dst": ["production-db"],
"users": ["administrator"]
},
],
This restricts access to the 'production-db' machine to only 'janedoe@example.com', and they would NOT need to re-authenticate when connecting.
Restricting SSH Via Groups
This would restrict SSH access to the 'servers' group to only the 'admin' group, using any username (that exists on the destination machines), with the 'check' mode enabled:
"ssh": [
{
"action": "check", // Check mode requires re-authentication when connecting after a time
"src": ["group:admin"],
"dst": ["group:servers"],
"users": ["*"], // Refers to LOCAL usernames on the DESTINATION machine
},
],
Restricting SSH Via Tags
To restrict access to machines with a particular tag to devices with another tag, it would look like this:
"ssh": [
{
"action": "accept",
"src": ["tag:developers"],
"dst": ["tag:dev-servers"],
"users": ["*"]
},
],
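As an added example (not from this wiki page and not Tailscale's own tooling), the following Python script parses a policy written in the HuJSON form shown above and flags the two things this page draws attention to: the permit-all grant from the Default example, and SSH rules that reach a sensitive host without the 'check' action or that allow any local username without it. SAMPLE_POLICY is constructed from this page's own snippets; which hosts count as sensitive is an assumption passed in by the caller.

```python
"""Lint a Tailscale ACL policy for over-broad grants and weak SSH rules.
Added example, not Tailscale's own tooling. Assumes the policy is HuJSON
(JSON plus // comments and trailing commas) with the "grants" and "ssh"
shapes shown on this page."""
import json
import re

# Constructed sample policy: the page's permit-all grant plus its three
# ssh rules, combined into one file so the checks have something to flag.
SAMPLE_POLICY = r'''
{
  "grants": [
    {
      "src": ["*"],
      "dst": ["*"],
      "ip": ["*"]
    }
  ],
  "ssh": [
    {
      "action": "accept", // No re-authentication required
      "src": ["janedoe@example.com"],
      "dst": ["production-db"],
      "users": ["administrator"]
    },
    {
      "action": "check",  // Re-authentication required after a time
      "src": ["group:admin"],
      "dst": ["group:servers"],
      "users": ["*"], // LOCAL usernames on the DESTINATION machine
    },
    {
      "action": "accept",
      "src": ["tag:developers"],
      "dst": ["tag:dev-servers"],
      "users": ["*"]
    },
  ],
}
'''


def hujson_to_json(text: str) -> str:
    """Strip // and /* */ comments (outside strings) and trailing commas."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:     # keep the escaped char verbatim
                out.append(text[i + 1])
                i += 2
                continue
            if c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("//", i):       # drop to end of line
            j = text.find("\n", i)
            i = n if j == -1 else j
        elif text.startswith("/*", i):       # drop block comment
            j = text.find("*/", i + 2)
            i = n if j == -1 else j + 2
        else:
            out.append(c)
            i += 1
    # Remove a comma that directly precedes a closing bracket (simplification:
    # a literal ",]" or ",}" inside a string value would be touched too).
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def load_policy(text: str) -> dict:
    """Parse a HuJSON ACL policy into a plain dict."""
    return json.loads(hujson_to_json(text))


def find_permit_all_grants(policy: dict) -> list:
    """Indices of grants letting every node reach every node on every port,
    i.e. the default grant a new tailnet ships with."""
    return [i for i, g in enumerate(policy.get("grants", []))
            if g.get("src") == ["*"] and g.get("dst") == ["*"]
            and g.get("ip") == ["*"]]


def find_weak_ssh_rules(policy: dict, sensitive=("production-db",)) -> list:
    """(index, reason) pairs for ssh rules that skip re-authentication
    ("check") while reaching a sensitive or wildcard destination, or while
    allowing any local username. `sensitive` is a local policy choice."""
    findings = []
    for i, rule in enumerate(policy.get("ssh", [])):
        if rule.get("action") == "check":
            continue                         # re-auth enforced; nothing to flag
        dst, users = rule.get("dst", []), rule.get("users", [])
        if "*" in dst or any(d in sensitive for d in dst):
            findings.append((i, f"'{rule.get('action')}' without "
                                f"re-authentication reaches {dst}"))
        if "*" in users:
            findings.append((i, "any local username allowed without 'check'"))
    return findings


if __name__ == "__main__":
    pol = load_policy(SAMPLE_POLICY)
    print("permit-all grants:", find_permit_all_grants(pol))
    for idx, why in find_weak_ssh_rules(pol):
        print(f"ssh rule {idx}: {why}")
```

Run against the sample, the script reports grant 0 as permit-all, ssh rule 0 (accept to production-db) and ssh rule 2 (accept with users "*"); the 'check' rule in the middle passes. Point `load_policy` at the JSON exported from the admin console to lint a real policy before saving it.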
Disable Logging
PLEASE READ THIS CAREFULLY BEFORE PROCEEDING TO FOLLOW THE COMMANDS, PERFORMING THESE ACTIONS MAY IMPACT YOUR ABILITY TO RECEIVE SUPPORT (IF NEEDED) FROM TAILSCALE
Tailscale is configured by default to send logs and diagnostic data regarding connectivity to Tailscale servers (not your servers, their servers) to assist in troubleshooting issues. You may disable this functionality at the cost of potentially being unable to receive support from Tailscale.
To do so, add:
TS_NO_LOGS_NO_SUPPORT=true
To the file located here:
/etc/default/tailscaled
Or using the command:
sudo tailscale set --no-logs-no-support