FR: Allow tagged nodes to access shared nodes.

[aaroncoffey]

What are you trying to do?

I have a couple "admin" devices that have a broader range of access through my TS network. I tried to access a shared node from my "admin" node but was stopped on the TS layer before packets even hit the main network interface (but I could see the unrequited SYNs on the tailscale interface on osx).

After reading many docs I realized two things.

1. When a device is tagged, it loses its human identity. (https://tailscale.com/kb/1068/acl-tags/)
2. Devices are shared to other humans.

After re-reading the same docs again, I see that this is explicitly mentioned. https://tailscale.com/kb/1084/sharing/#step-3-share-the-invite-link
Devices cannot be shared with a tag or with another tagged device. Devices must be shared with other users.

How should we solve this?

Allow tagged nodes, owned by the sharing recipient, access to the shared nodes.

What is the impact of not solving this?

I haven't fully researched this, but in the SSH ACLs, it seems I cannot allow a host directly, only tags, (maybe groups/users?).
This appears to mean that I can't allow only my "admin" devices access to both the shared node, and TS SSH access to other nodes in my network. This makes me sad.

Anything else?

Thanks!

[DentonGentry]

I think we just released the opposite situation, ssh to tagged nodes which are shared with you: https://tailscale.com/changelog/#2022-08-09-service

[jesse-savary]

Spent way too long on this before closely examining the docs and stumbling upon that same line. My use case for this is sharing a very specific hardware configuration into my company's cloud so that our CI system can make use of it.

[dcopso]

@DentonGentry Do you have any recommendations on workarounds purely within the Tailscale system that would allow tagged nodes to access resources shared with the account? It seems that some combination of subnet routers, or running proxies on non-tagged nodes with a very limited ACL might work, or funnel ACLs might work.

Use case: Running a network of webcams owned by multiple people, each configured as a tagged node within separate Tailscale accounts, and I'd like those accounts to share their camera's APIs with a tagged node in my account.

Thanks.

[Bostrolicious]

To add another use case: my friend is sharing his NAS with me via Tailscale so that I can have an offsite backup. This works great, except I can't backup my own NAS, since it's tagged (as is suggested for servers) and therefore can't access the shared node. I've reauthenticated as a regular Tailscale user on the NAS and everything works fine, but I would love to see this feature request implemented so that I can go back to tagging servers as intended.

[bobble6956]

+1 to this, my usecase is having centralized monitoring system, some or my friends or partner just need to expose their devices' metrics via shared devices.

[MKervo]

+1 I have the exact same issue. A contractor hosts an application for us, they shared the server A with us, but we want to initiate connections from a server B to server A. They are both tagged servers. This problem prevents two business using Tailscale from properly sharing interfaces together.
Any update on this ? Thanks

[laibe]

this in addition to #10842 would be great for various B2B use-cases. Is this feature on the pipeline?