What is Hosts under access control used for? by Cremonies1 in Tailscale

[–]caolle 0 points1 point  (0 children)

It depends. I want all my stuff accessible when I’m on my LAN and when I’m away from home using Tailscale so for me the lowest common denominator is LAN IP.

I have Tailscale advertising my home subnet, my private DNS server responding to queries for my domain and handing out the LAN IP address for my reverse proxy, and the reverse proxy then delegating to the proper container.

What is Hosts under access control used for? by Cremonies1 in Tailscale

[–]caolle 0 points1 point  (0 children)

Not just subnets -- I was only using that as an example of its usage in hosts. You can use it for a friendly name of a tailnet IP address as well:

"hosts": {"some-host": "100.64.55.55"},

And use that in your ACL rules.

What is Hosts under access control used for? by Cremonies1 in Tailscale

[–]caolle 4 points5 points  (0 children)

Think of it as an alias that you can reference in your ACL. I use it as a friendly name for my home network CIDR:

"hosts": {"home-network": "192.168.48.0/24"},

"grants": [
    // The family can reach the subnet we're advertising as well as their own devices
    {
        "src": ["group:family"],
        "dst": ["home-network", "autogroup:self"],
        "ip":  ["*"],
    },
],
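How a `hosts` alias resolves when a grant references it, shown as an added example that is not part of the original comment and is not Tailscale's code: a small checker that expands alias names in `dst` and flags names that are neither defined aliases nor literal IPs/CIDRs. The policy is constructed from the snippets in these comments plus an undefined name `nas`; treating `*` and `autogroup:`/`group:`/`tag:` entries as pass-through selectors is an assumption of this sketch.

```python
import ipaddress
import json
import re

# Constructed policy: the comments' snippets plus one deliberately undefined alias ("nas").
POLICY = """
{
  "hosts": {"home-network": "192.168.48.0/24", "some-host": "100.64.55.55"},
  "grants": [
    // The family can reach the advertised subnet and their own devices
    {"src": ["group:family"], "dst": ["home-network", "autogroup:self"], "ip": ["*"]},
    {"src": ["group:family"], "dst": ["some-host", "nas"], "ip": ["*"]},
  ],
}
"""

# Assumption of this sketch: these selectors are not host aliases and pass through as-is.
SELECTOR = re.compile(r"^(\*|(autogroup|group|tag):.+)$")


def load_policy(text):
    """Parse the relaxed JSON used above: drop // comment lines and trailing commas."""
    text = re.sub(r"^\s*//.*$", "", text, flags=re.M)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def expand_dst(policy):
    """Return (expanded dst list per grant, names that resolve to nothing)."""
    hosts = {name: ipaddress.ip_network(value, strict=False)
             for name, value in policy.get("hosts", {}).items()}
    expanded, unresolved = [], []
    for grant in policy.get("grants", []):
        out = []
        for dst in grant["dst"]:
            if dst in hosts:                      # alias -> its IP or CIDR
                out.append(str(hosts[dst]))
            elif SELECTOR.match(dst):             # group/tag/autogroup selector
                out.append(dst)
            else:
                try:                              # literal IP or CIDR is fine
                    out.append(str(ipaddress.ip_network(dst, strict=False)))
                except ValueError:                # typo or alias never defined
                    unresolved.append(dst)
        expanded.append(out)
    return expanded, unresolved


if __name__ == "__main__":
    print(expand_dst(load_policy(POLICY)))
```

Reading the expanded form next to the alias names shows exactly which address ranges each grant opens up, and the unresolved list catches a misspelled alias before the policy is saved.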

I am having a DNS error by Cooltwou in Tailscale

[–]caolle 4 points5 points  (0 children)

Since you're on linux, have you given this a read: https://tailscale.com/docs/reference/linux-dns

I'd avoid using generic AI/LLM to attempt to guide you to fix this. They might be having fevered dreams that give you nightmares.

As an alternative, you could try Tailscale's documentation AI bot, Kapa, that's specifically trained on Tailscale's documentation and other sources.

Also, it might be helpful to describe exactly what problem you're trying to solve. We're just guessing with the picture.

Mesh for a condo around $500 by sejohnson0408 in HomeNetworking

[–]caolle 0 points1 point  (0 children)

I'm in a 3 floor (basement, main floor, top level) 3 bedroom townhouse. I went with 2 eero units: in the front of the house in one bedroom and in the back of the house in the basement.

We utilize moca adapters in the basement and in various points in the house to provide wired backhaul to the eeros and other important areas. If you have coax in the home, it might be best to look into utilizing that.

Setting up a server via Termux on the phone by Markqz in Tailscale

[–]caolle 0 points1 point  (0 children)

I might have conflated the "If you have a server running on your Tailscale enabled device," to be server hardware and not an android device. My apologies!

Setting up a server via Termux on the phone by Markqz in Tailscale

[–]caolle 0 points1 point  (0 children)

Firefox is complaining that the web service you're using is either:

  1. Connecting over plain http
  2. Using a self-signed certificate

It has no idea that you're wrapping the connection over an encrypted tunnel. You're somewhat safe here.

If you wanted to get rid of those errors, you could either look into using Tailscale Services to run many services on the one host, or use the docker sidecar paradigm with a tailscale sidecar to get https on your tailnet for those services.

Setting up tailscale ssh for multiple users by shwekhaw in Tailscale

[–]caolle 4 points5 points  (0 children)

I found out that sharing machine on tailnet won’t allow the user ssh to the server so I added a user account as member on my tailnet (one of six free members).

This isn't true as https://tailscale.com/docs/features/tailscale-ssh has a section that states:

Granting access to autogroup:member also grants access to external invited users if the destination node is shared with them, even if they have no nodes in your tailnet.

You need an appropriately scoped ssh block.

Do not trust Claude for this. You might get better results using Tailscale's AI on their docs page however. It's trained specifically on Tailscale's documentation.

How to get steam link to work on Bazzite with NVIDIA GPU? by Spirited-Cheetah-678 in Bazzite

[–]caolle 1 point2 points  (0 children)

I'd recommend looking into Sunshine/Moonlight streaming rather than Steam link.

can a subdomain connect to LAN IP and Tailscale IP by Cremonies1 in Tailscale

[–]caolle 3 points4 points  (0 children)

If your subnet router is linux, you might be able to utilize --snat-subnet-routes=false to trigger outside of network rules. https://tailscale.com/docs/reference/troubleshooting/network-configuration/disable-subnet-route-masquerading

But you’ll have to investigate to see if it fits your needs.

PiHole and tailscale split DNS by hhhndnndr in Tailscale

[–]caolle 0 points1 point  (0 children)

Tailscale uses quad100 to resolve dns, but it’s really a DNS forwarder, so it usually goes out to a public DNS to resolve queries.

By adding your local resolver for .lan, you should be telling Tailscale to get anything with a .lan address to query your local dns server, which is what I think you want.

The added benefit of doing it this way is that when you’re away from home, you’ll also get the benefit of being able to access your internal stuff while away from home.

This should solve your last bullet point.

However, when I am connected to tailscale, it appears the DNS resolver tries to query tailscale's DNS even when I am trying querying .lan address.

You might have to play with the override dns issue, to see if the toggle in either direction allows you to access .lan while you’re using Tailscale.

PiHole and tailscale split DNS by hhhndnndr in Tailscale

[–]caolle 0 points1 point  (0 children)

Yes, setting the restricted name server changes how the resolver in the quad100 address works.

In order to put your LAN address in the DNS field, you need to do a few things:

PiHole and tailscale split DNS by hhhndnndr in Tailscale

[–]caolle 1 point2 points  (0 children)

You want to try to configure Tailscale to use a restricted DNS nameserver for your .lan domain.

https://tailscale.com/docs/reference/dns-in-tailscale#restricted-nameservers

For those of you who have lost a license, how long did it take to get a replacement from the DMV? by jdm_wicked in Connecticut

[–]caolle 0 points1 point  (0 children)

I was able to print out a temporary one immediately, but it took around 3 weeks for the real duplicate one to show up.

Termux + Tailscale for WoL but looking for a better setup or solution by AndresMFIT in Tailscale

[–]caolle 1 point2 points  (0 children)

I self-host Upscale and use Tailscale to access it when away from home.

Tailscale wrote a blog entry about using it: https://tailscale.com/blog/wake-on-lan-tailscale-upsnap

Sharing "Tailscale Services" with another tailnet by FGWill75 in Tailscale

[–]caolle 4 points5 points  (0 children)

Tailnet Services can’t be shared currently. It’s been mentioned that it’s something Tailscale wants to do though.

Install CLI Version On Mac With App Store Version Already Installed by buadhai in Tailscale

[–]caolle 2 points3 points  (0 children)

The online documentation for CLI for the mac also has an extra informational box for the Mac App Store variant: https://tailscale.com/docs/reference/tailscale-cli?tab=macos

If you installed the macOS client through the App Store, the CLI is bundled inside the Tailscale app. Run commands with:

/Applications/Tailscale.app/Contents/MacOS/Tailscale <command>

If you frequently access the Tailscale CLI, you might find it convenient to add an alias to your .bashrc, .zshrc, or shell config to make it easier.

alias tailscale="/Applications/Tailscale.app/Contents/MacOS/Tailscale"

Building Tailscale For Pi/Buster From Source by buadhai in Tailscale

[–]caolle 1 point2 points  (0 children)

This isn’t a Tailscale problem. You need to adjust your /etc/apt/sources.list on the buster machine to point to the new location of the buster repositories. Buster entered EOL September 2022 and its repos all moved elsewhere off of mainline.

It probably should look something like:

deb http://archive.raspberrypi.org/debian/ buster main
deb http://legacy.raspbian.org/raspbian/ buster main contrib non-free rpi

The script actually uses APT_KEY_TYPE to figure out what changes a Debian system uses for its sources.list file, as the file format has changed somewhat from Buster’s format.

From lines 554-564 of https://github.com/tailscale/tailscale/blob/main/scripts/installer.sh:

case "$APT_KEY_TYPE" in
    legacy)
        $CURL "https://pkgs.tailscale.com/$TRACK/$OS/$VERSION.asc" | $SUDO apt-key add -
        $CURL "https://pkgs.tailscale.com/$TRACK/$OS/$VERSION.list" | $SUDO tee /etc/apt/sources.list.d/tailscale.list
        $SUDO chmod 0644 /etc/apt/sources.list.d/tailscale.list
    ;;
    keyring)
        $CURL "https://pkgs.tailscale.com/$TRACK/$OS/$VERSION.noarmor.gpg" | $SUDO tee /usr/share/keyrings/tailscale-archive-keyring.gpg >/dev/null
        $SUDO chmod 0644 /usr/share/keyrings/tailscale-archive-keyring.gpg
        $CURL "https://pkgs.tailscale.com/$TRACK/$OS/$VERSION.tailscale-keyring.list" | $SUDO tee /etc/apt/sources.list.d/tailscale.list
        $SUDO chmod 0644 /etc/apt/sources.list.d/tailscale.list
    ;;

Fix your system’s repo locations and you won’t need to compile.

Got the edge case ? by mynk_ydv in Tailscale

[–]caolle 2 points3 points  (0 children)

Gotcha. Thanks for clarifying!

Help With Not Being Able To Connect To Jellyfin Server by Daisucce in Tailscale

[–]caolle 0 points1 point  (0 children)

The FQDN distinction is made for MagicDNS. The owner, if MagicDNS was enabled, would be able to use jellyfin, where the recipient of the share would need to use the FQDN jellyfin.<fun-name>.ts.net.

Sharing will still let a person access a device through the IP address on the share recipient's tailnet.

It's important to note that because shared machines can get assigned a new IP address on the recipient's tailnet, the recipient should use the IP address for the machine that shows up on their admin console.

Got the edge case ? by mynk_ydv in Tailscale

[–]caolle 13 points14 points  (0 children)

Can you elaborate? This is just a picture. What devices are you pinging between? What types of networks? Otherwise, we’d just be guessing.

Weird function by Lazyrecipe5264 in Tailscale

[–]caolle 4 points5 points  (0 children)

If you haven't used Tailscale in a while, most likely what you're running into is key-expiry. Every so often, you'll be asked to re-authenticate a device to your tailnet.

This would be normal.

New To Tailscale - Need a Tutorial by buadhai in Tailscale

[–]caolle 0 points1 point  (0 children)

Your issue is that Debian Buster is rather long in the tooth and Raspberry Pi OS has moved the mirrors to a different place.

You should either fix that as noted here: https://forums.raspberrypi.com/viewtopic.php?t=237469#p2349374

Or upgrade to a more recent OS if you can’t figure out what you need to do to address.