Limit access to specific services through Tailscale

I’m running other services through docker on my home server that I wanted to share without also sharing access to HomeAssistant. I haven’t found any guides for this but once I found out that ACLs can be used for this, it was pretty straightforward just by reading the docs: Network access controls (ACLs) · Tailscale Docs

Here is an example with the following restrictions:

  • admins can access anything
  • if you share a device that has the “dns” tag, people will be able to use that device as their DNS server (without having access to the pi-hole UI as that port is not shared)
  • if you share a device that has the “jellyfin” tag and have their email address added to the “jellyfin” group, they will be able to access your Jellyfin server
  • non-admin users can also access the Jellyfin server

ACLs can be set up through your admin dashboard: Tailscale

{
	// Declare static groups of users. Use autogroups for all users or users with a specific role.
	"groups": {
		"group:jellyfin": ["[email protected]"],
	},

	// Define the tags which can be applied to devices and by which users.
	"tagOwners": {
		"tag:dns":      ["autogroup:admin"],
		"tag:jellyfin": ["autogroup:admin"],
	},

	// Define access control lists for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"acls": [
		// Allow all connections for admins.
		{"action": "accept", "src": ["autogroup:admin"], "dst": ["*:*"]},
		// DNS:
		{"action": "accept", "src": ["*"], "dst": ["tag:dns:53"]},
		// Jellyfin:
		{
			"action": "accept",
			"src":    ["autogroup:member","group:jellyfin"],
			"proto":  "udp",
			"dst":    ["tag:jellyfin:1900", "tag:jellyfin:7359"],
		},
		{
			"action": "accept",
			"src":    ["autogroup:member","group:jellyfin"],
			"proto":  "tcp",
			"dst":    ["tag:jellyfin:8096"],
		},
	],
}
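To check that the rules above really enforce the four restrictions, a Tailscale policy file can also carry a "tests" section: each test names a source and the destinations it must (accept) and must not (deny) reach, and a failing test rejects the save so a later edit cannot silently widen access. The block below is an added example, not part of the original post, and assumes the Pi-hole web UI listens on its default port 80 and that "autogroup:member" and "group:jellyfin" are accepted as test sources (both are documented source forms).

```jsonc
{
	// ... the "groups", "tagOwners" and "acls" sections shown above go here unchanged ...

	"tests": [
		{
			// Any ordinary tailnet member can stream from Jellyfin over TCP 8096 ...
			"src":    "autogroup:member",
			"proto":  "tcp",
			"accept": ["tag:jellyfin:8096"],
			// ... but not reach any other port on that host, nor the Pi-hole UI
			// (port 80 assumed as the Pi-hole default; it is deliberately not in the ACLs).
			"deny":   ["tag:jellyfin:22", "tag:jellyfin:443", "tag:dns:80"],
		},
		{
			// The Jellyfin UDP discovery ports are open to members ...
			"src":    "autogroup:member",
			"proto":  "udp",
			"accept": ["tag:jellyfin:1900", "tag:jellyfin:7359"],
			// ... while the web port is TCP-only, so UDP 8096 must stay closed.
			"deny":   ["tag:jellyfin:8096"],
		},
		{
			// The "dns" device answers on 53 for everyone, and nothing else.
			"src":    "autogroup:member",
			"accept": ["tag:dns:53"],
			"deny":   ["tag:dns:80", "tag:dns:22"],
		},
		{
			// Someone listed in group:jellyfin (e.g. an external user the device was shared with)
			// gets the Jellyfin ports only; admin-only destinations must stay denied.
			"src":    "group:jellyfin",
			"proto":  "tcp",
			"accept": ["tag:jellyfin:8096"],
			"deny":   ["tag:dns:80", "tag:jellyfin:22"],
		},
	],
}
```

Tests are evaluated against the whole policy, so if the admin dashboard refuses the save, the message names the test and destination that disagreed with the ACL rules.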