
On your first point, I've been using tailscale for a bit and its ACL feature addresses most of my concerns there. My laptop can ssh into any of my servers but not the other way around, and my servers can't talk to each other unless I set them to.



Could you share your ACL setup? I haven't had time to look at it much but this sounds like exactly what I want to do.


The ACLs might look a bit scary at first, but they are actually quite intuitive once you've coded up a rule or two.

It basically works by tagging machines (especially those deployed with an API key) and grouping users. Then you set up rules which allow groups and tags to communicate with each other on specific ports. Since the default rule is DENY, you only need to specify rules for communication you actually want to allow.

For instance you would create a tag for `servers` and a group for `sre`. Then you set up an ACL rule like this to allow SRE to ssh into servers:

    {
      "action": "accept",
      "src":    ["group:sre"],
      "dst":    ["tag:servers:22"]
    }
Because there is no rule with `group:sre` in both `src` and `dst`, SREs cannot connect to each other's machines.

The tailscale docs are really good. And the videos they have are a great starting point if you don't come from a networking background.

[0]: https://tailscale.com/kb/1018/acls
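To make the default-deny reasoning in the comment above concrete, here is a small added example (not Tailscale's own engine or policy file, and not code from the commenter): a toy evaluator that applies rules of the shape shown above (`group:`/`tag:` in `src`, `tag:name:port` in `dst`) to a constructed node inventory. The group name, tag name, user e-mails and node names are hypothetical. It only models the subset of the ACL syntax used in the thread, so it is a way to check your mental model of a rule, not a substitute for the real policy tester in the admin console.

```python
"""Toy evaluator for a Tailscale-style ACL rule list (added example).

Models only: "group:<name>" and "tag:<name>" entries in src, "<host>:<port>"
entries in dst (port may be a number, a range like "80-443", or "*"), and
"accept" rules. Anything not explicitly accepted is denied, which is the
property the comment above relies on.
"""
from dataclasses import dataclass, field

# Constructed policy in the shape of a tailnet policy file (hypothetical names).
POLICY = {
    "groups": {"group:sre": ["alice@example.com", "bob@example.com"]},
    "tagOwners": {"tag:servers": ["group:sre"]},
    "acls": [
        # SRE members may ssh into tagged servers. No other rule exists, so
        # server->server, server->laptop and sre->sre traffic is all denied.
        {"action": "accept", "src": ["group:sre"], "dst": ["tag:servers:22"]},
    ],
}


@dataclass(frozen=True)
class Node:
    name: str
    user: str = ""  # login user of a personal device; empty for tagged nodes
    tags: frozenset = field(default_factory=frozenset)  # e.g. {"tag:servers"}


def _matches(entry: str, node: Node, policy: dict) -> bool:
    """Does a src entry (or the host part of a dst entry) cover this node?"""
    if entry == "*":
        return True
    if entry.startswith("group:"):
        return node.user in policy["groups"].get(entry, [])
    if entry.startswith("tag:"):
        return entry in node.tags
    return entry == node.user  # plain user e-mail


def _split_dst(entry: str):
    # "tag:servers:22" -> ("tag:servers", "22"); "*:*" -> ("*", "*")
    host, _, port = entry.rpartition(":")
    return host, port


def _port_matches(spec: str, port: int) -> bool:
    if spec == "*":
        return True
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= (int(hi) if hi else int(lo))


def allowed(src: Node, dst: Node, port: int, policy: dict = POLICY) -> bool:
    """True only if some accept rule matches src, dst and port; else deny."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        if not any(_matches(s, src, policy) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            host, port_spec = _split_dst(d)
            if _matches(host, dst, policy) and _port_matches(port_spec, port):
                return True
    return False


def demo() -> dict:
    """Evaluate the connectivity described in the thread on constructed nodes."""
    alice = Node("alice-laptop", user="alice@example.com")
    bob = Node("bob-laptop", user="bob@example.com")
    web = Node("web1", tags=frozenset({"tag:servers"}))
    db = Node("db1", tags=frozenset({"tag:servers"}))
    return {
        "sre->server:22": allowed(alice, web, 22),     # True: the one rule
        "sre->server:80": allowed(alice, web, 80),     # False: port not listed
        "server->sre:22": allowed(web, alice, 22),     # False: no reverse rule
        "server->server:22": allowed(web, db, 22),     # False: servers isolated
        "sre->sre:22": allowed(alice, bob, 22),        # False: no sre in dst
    }


if __name__ == "__main__":
    for flow, ok in demo().items():
        print(f"{flow:20} {'accept' if ok else 'deny'}")
```

The useful habit this encourages: before adding a rule, write down the flow you want and the flows you do not want, then confirm that each unwanted flow has no matching `src`/`dst` pair, because the only thing keeping it closed is the absence of a rule.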


looking for this setup - please share if you could


There is no setup. Just use Tailscale



