deddit.petersanchez.com

Tailscale serve and sharing devices
from Whooping_Seal@sh.itjust.works to selfhosted@lemmy.world on 15 Mar 19:30
https://sh.itjust.works/post/56860823

I am wondering what people’s solutions are for this conundrum. The simplest solution would be to just add this person as a user to my tailnet and have them access my sites that way, perhaps I could also limit access to certain cites by ACL e.g. the Cockpit web-management interface. I would, however, much prefer being able to just share-out my server node, and pick which services are served on their tailnet. Is this a plausible route to go?

#selfhosted

threaded - newest

DougPiranha42@lemmy.world on 15 Mar 20:16 next collapse

I don’t know the answer, just commenting because I’m curious. Can you just create a second tailnet and add your server but not your own devices to it?

irmadlad@lemmy.world on 15 Mar 22:05 next collapse

Yes, you can create a second Tailnet in Tailscale and add your server without including your personal devices. You’ll have to create a separate account with a separate email address. Then you can join this second Tailnet with your server while leaving your other devices out. The separation allows you to manage connectivity and network policies independently.

Whooping_Seal@sh.itjust.works on 15 Mar 23:58 next collapse

Yes, there is two ways you can go about this. The way that you are thinking of (and the way that I would ideally like to go about this) is as listed on this help article. This is perfect for sharing a home server to some friends, and letting them access a given service without seeing any of your personal devices.

The other option is to have just one tailnet, but having multiple users as detailed here. Notably this can be a security regression (if you don’t limit access on a per-user basis with ACLs), but is ideal for sharing access to your entire network with your spouse / older children within the context of self-hosting.

For example, I have a friend who has shared a minecraft server with me and that is an ideal example of sharing one node to a seperate tailnet. I am an admin of the server, and can manage the docker container for it + the backup sidecar and the SMB share, but that is where my access to his network structure ends.

This contrasts the situation with my partner for example, where we share a tailnet (with seperate user logins) to make things like gamestreaming just that much easier to setup. Hypothetically I can use ACLs to limit access to stuff like the Cockpit web-management portal, or block the SSH port, but I don’t feel like I need to in my specific case.

Addendum: I also think sharing the device out strips it of its subnet routes + services, which is part of the problem I am running into where I do want it to strip subnet routing (my elderly parents DO NOT need access to my printer), but I ideally want to be able to still use tailscale serve + services + https certificates to be able to share my self-hosted RSS feed reader for them (ad-free, no AI slop, much better for my one parental figure with early-onset dementia).

Addendum 2: I highly recommend exploring tagging + ACLs if you are looking into personal usage / seperation of networks. It is just a much easier approach of seperating devices that are owned and operated by the same person. I would only explore multi-tailnet option when it is different users and you want to share a very limited scope of your network.

DougPiranha42@lemmy.world on 16 Mar 06:13 collapse

Cool, thanks! What do you use for RSS?

Whooping_Seal@sh.itjust.works on 16 Mar 20:32 collapse

As of now I am currently using FreshRSS, although before I properly deploy this to other users in my family / friends I might give Tiny Tiny RSS (tt-rss) a shot as well. I don’t think the differences will matter for end-users as the majority of mine will likely all be using it through the API via a mobile app (e.g NetNewsWire (ios & mac), FluentReader (desktop), CapyReader (android) etc. etc.)., however the main difference that will dictate which one I stick with is the filtering capabilities and the ease of setup of article-collection with readibility / mercury to remove extrenuous content / ads.

I am also quite interested in miniflux, although it is quite intentionally bare bones. It lacks a plugin api (a potential security improvement), and instead natively supports many of the things people would use plugins for (native youtube-nocookie embedding / invidious embedding, integrations with readlater services like instapaper and wallabag, etc., integrated article fetching and parsing with readibility [and can change user agent / cookies to bypass bot protections]). It also seems to have a bit better security stance (supporting modern web browser features like passkeys, content sanitization, sanitizing url parameters in share links automatically etc.).

Miniflux definitely feels like the best ratio of ootb functionality + security, but the UI of FreshRSS feels more natural if you envisage less techy users to use it (and in my case I see one person using the website over an app).

rtxn@lemmy.world on 15 Mar 23:58 collapse

It’s problematic, but possible: jamesguthrie.ch/…/multi-tailnet-unlocking-access-…

rtxn@lemmy.world on 15 Mar 20:26 next collapse

If the other person has a Tailscale account, it sounds like the most expedient method is to simply invite them to the tailnet as a non-admin user with strict access control.

You could share a node with an outside user, but I don’t know how much the quarantine would affect its functionality. You could also use Funnel to expose the node to the internet (essentially like a reverse proxy), but there are obvious vital security considerations with that approach.

Whooping_Seal@sh.itjust.works on 16 Mar 00:04 collapse

That is what it seems like based on what I have read :/

I guess the best option in my case then is likely to add them as a non-admin user to my tailnet. The only concern I have is with the potential of one user deactivating the VPN connection unkowingly, which is probably where Funnel comes in as a better option, but I would prefer to avoid serving stuff on the web when possible. (It is specifically a FreshRSS instance for now)

dan@upvote.au on 15 Mar 21:49 next collapse

You can share the node with them, and use an ACL to control which ports they have access to.

Decronym@lemmy.decronym.xyz on 16 Mar 00:10 collapse

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters	More Letters
SMB	Server Message Block protocol for file and printer sharing; Windows-native
SSH	Secure Shell for remote terminal access
VPN	Virtual Private Network

3 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.

[Thread #169 for this comm, first seen 16th Mar 2026, 00:10] [FAQ] [Full list] [Contact] [Source code]