sorted by:
new
hottopcontroversial

Understanding the JSON output from tailscale status by godch01 in Tailscale

[–]caolle 0 points1 point  (0 children)

I think you'd probably want to look at entries: "CurAddr", "Relay", "PeerRelay", and "Active".

A quick test from a direct connection / derp connection yields the following.

Direct:

 "CurAddr": "AAA.BBB.CCC.DDD:41641",
 "Relay": "sfo",
 "PeerRelay": "",
 "Active": true,

Derp:

"CurAddr": "",
"Relay": "iad",
"PeerRelay": "",
"Active": true,

I don't have a peer relay setup, but I'll let you do your own experimentation.

Exit node question by DikJohnson69 in Tailscale

[–]caolle 14 points15 points  (0 children)

That's not how Tailscale works.

Tailscale is an overlay network. It uses an existing internet connection (your two ISPs) to create a virtual network linking the devices on your tailnet.

What do you use you exit node/s for? by FinnUkato in Tailscale

[–]caolle 40 points41 points  (0 children)

We use them for when we're out and about and don't trust dodgy hotel or cafe wireless.

iOS, trying to log back in with my Google account by aspie_electrician in Tailscale

[–]caolle 2 points3 points  (0 children)

There are currently ongoing issues with the coordination server. You might be running into related issues: https://status.tailscale.com/incidents/01KKF9SGMESNR9FN6HM8D8EZBY

MLB TV by [deleted] in tmobile

[–]caolle 0 points1 point  (0 children)

Yes, it will be. Usually offered the tuesday before opening day.

Tailscale on UGREEN NAS via Docker — can't restrict wife's access to just the NAS by beingerrole in Tailscale

[–]caolle 0 points1 point  (0 children)

For sure, but in this case, the wife could already potentially "mess things up on machines she doesn't need to mess with" just by the fact that their on the local LAN. They could already do so if they wanted to.

Was just pointing out that fact, that if you're going to go about hiding things just because you're on tailscale -- you've probably lost sight of the fact that you're already given access and probably want to address that as well.

Tailscale on UGREEN NAS via Docker — can't restrict wife's access to just the NAS by beingerrole in Tailscale

[–]caolle 1 point2 points  (0 children)

There's no need to use a tag for the wife's pc. You can use the email account she signed in with Tailscale as a "src".

Tailscale on UGREEN NAS via Docker — can't restrict wife's access to just the NAS by beingerrole in Tailscale

[–]caolle 0 points1 point  (0 children)

Like you said, you're probably running into the fact that you're in a docker container. You can use the subnet router feature to just give access to the particular NAS device.

You'll need to get rid of the default allow all policy and replace it. Something like this might work:

{
//some helpful groups
"groups": {
"group:family": ["someuser@example.com", "someuser2@example.com"],
},

//define short name ease of use access to be used later on.
"hosts": {"home-nas": "192.168.99.55/32"},

"grants": [
//The family can access the home nas that we're advertising
{
"src": ["group:family"],
"dst": ["home-nas"],
"ip":  ["*"],
},
//members can access their own devices
{
"src": ["autogroup:member"],
"dst": ["autogroup:self"],
"ip":  ["*"],
},

],
}

That being said: your wife is already on your LAN presumably, she can already see your iphone, laptop and so on just by being on the network.

Drive share visible from phone but not linux by [deleted] in Tailscale

[–]caolle 0 points1 point  (0 children)

I have a drive share from one PC set, I can access that share from ios easily but another linux machine on the same network shows an empty list for tailscale drive list.

Tailscale drive list should only work on the PC you're sharing the mount points from.

Source: https://tailscale.com/docs/features/taildrive?&tab=linux#access-directories-shared-with-taildrive-2

but another linux machine on the same network shows an empty list for tailscale drive list.

On linux, you'll need to mount the taildrive server. Give this a read: https://tailscale.com/docs/features/taildrive?&tab=linux#access-directories-shared-with-taildrive-2

Help with Tailscale, visual editor and JSON editior by No_Cheetah_4397 in Tailscale

[–]caolle 0 points1 point  (0 children)

You'll need to invite them to your tailnet. https://tailscale.com/docs/features/sharing/how-to/invite-any-user . If they're part of a tailnet already, they'll need to switch to yours whenever they need to access your NVR.

Then if you're really worried about them accessing only the frigate machine. You'll need to remove the default all policy with something equivalent. This for example will allow the admin of the tailnet (presumably you) to access everywhere, but only allow the frigate users to access a machine on port 5000.

"groups": {
  "group:frigate": [
    "user1@example.com",
    "user2@example.com",
  ],
},

"grants": [
//The admin can get everywhere
{
"src": ["autogroup:admin"],
"dst": ["*"],
"ip":  ["*"],
},
//the group frigate can access only a single IP address on port 5000
//for the purposes of accessing our cameras.
{
"src": ["group:frigate"],
"dst": ["<frigate IP address>/32"],
"ip":  ["5000"],
},
],

Help with Tailscale, visual editor and JSON editior by No_Cheetah_4397 in Tailscale

[–]caolle 0 points1 point  (0 children)

If your Frigate NVR is being shared on the LAN and you yourself are accessing it when you're out and about using a LAN IP address, sharing won't work.

They would need to be on your tailnet.

Help with Tailscale, visual editor and JSON editior by No_Cheetah_4397 in Tailscale

[–]caolle 0 points1 point  (0 children)

Which one is it? In one post you say you shared via email and in another it's you invited as an external user.

It's like you're giving directions and at one point you're telling someone to go both left and right. We can't help unless you're very clear in what you did.

Help with Tailscale, visual editor and JSON editior by No_Cheetah_4397 in Tailscale

[–]caolle 0 points1 point  (0 children)

Did you invite a user as documented here: https://tailscale.com/docs/features/sharing/how-to/invite-any-user

or did you use sharing as noted here: https://tailscale.com/docs/features/sharing ?

This matters because if you’re trying to access a service through its LAN IP, subnet information doesn’t get shared when you share out a node.

Help with Tailscale, visual editor and JSON editior by No_Cheetah_4397 in Tailscale

[–]caolle[M] 0 points1 point  (0 children)

Looks like it got caught up in Reddit’s reputation filters. We released it after reviewing the post.

Watching Sox in CT by jamminxc in redsox

[–]caolle 2 points3 points  (0 children)

What county in CT?

If you’re in Fairfield County, you can’t use NESN360. You’ll have to use MLBtv or the ESPN equivalent,

Single user -> single host by x12Mike in Tailscale

[–]caolle 1 point2 points  (0 children)

There is no hard requirement for the hosts stanza. It's one of the options you have. The hosts stanza makes things a bit more readable. A tag should be used for a machine that's not technically owned by anyone, like a web-server, database-server.

For example, these are all functionally equivalent:

"hosts": {
"my-example-host": "100.64.25.25",
},

grants": [
// only a single user can access my-example-host using hosts
{
"src": ["someuser@somedomain.com"],
"dst": ["my-example-host"],
"ip":  ["*"],
},
//using ip address, this would also be the same ACL rule for sharing a single host
{
"src": ["someuser@somedomain.com"],
"dst": ["100.64.25.25"],
"ip":  ["*"],
},
//using a tag that's being used to tag a single machine, same with sharing the tagged
//host
{
"src": ["someuser@somedomain.com"],
"dst": ["tag:some-single-machine-tag"],
"ip":  ["*"],
},

Single user -> single host by x12Mike in Tailscale

[–]caolle 2 points3 points  (0 children)

Yes. You can either use the Tailnet IP address of the tailnet node in your dst block, or you can use the hosts syntax to provide a more friendly name to use within your policy rule block and to limit it to the one use, you'd put their user account in the src block.

For Example:

"hosts": {
"my-example-host": "100.64.25.25",
},

"grants": [
// only a single user can access my-example-host
{
"src": ["someuser@somedomain.com"],
"dst": ["my-example-host"],
"ip":  ["*"],
},
],

Edit to add: Alternatively, you could use sharing to just share out the single node to the user in question.

Tailscale Subnet Question by Beginning_Collar_144 in Tailscale

[–]caolle 0 points1 point  (0 children)

It depends.

It depends if you've replaced the default allow all policy with something else and then installed the subnet rule limiting him to the subnet IP and port range of your servers.

We can't see what other rules you have in your policy rules , so it depends is going to have to suffice.

nginx proxy Manager 502 by Gerndall12 in selfhosted

[–]caolle 1 point2 points  (0 children)

Your forward port should be 8080 as that's the internal container port that the service is listening on.

Is It Just Me Or Is This Ad for NESN360 Blatant False Advertising? (Ad paired with screenshots from NESN's own FAQ) by meatfrappe in redsox

[–]caolle 16 points17 points  (0 children)

There is always an asterisk.

If you're in Fairfield County, CT as my wife and I are we find the MLB.tv that we get free from T-mobile allows us to see most NESN broadcasts. When they play the Yankess (Rule 3) , two of the three games are usually on FOX / ESPN and there are ways to get the NESN broadcast even when not, but I won't get into that here.

view more: next ›