tailscale/cmd/relaynode/acl.json

{
  // Declare static groups of users beyond those in the identity service
  "Groups": {
    "group:eng": ["u1@example.com", "u2@example.com"]
  },

  // Declare convenient hostname aliases to use in place of IP addresses
  "Hosts": {
    "h222": "100.2.2.2"
  },

  // Access control list
  "ACLs": [
    {
        "Action": "accept",
        // Match any of several users
        "Users": ["a@example.com", "b@example.com"],
        // Match any port on h222, and port 22 of 10.1.2.3
        "Ports": ["h222:*", "10.1.2.3:22"]
    },
    {
        "Action": "accept",
        // Match any user at all
        "Users": ["*"],
        // Match port 80 on one machine, ports 53 and 5353 on a second one,
        // and ports 8000 through 8080 (a port range) on a third one.
        "Ports": ["h222:80", "10.8.8.8:53,5353", "10.2.3.4:8000-8080"]
    },
    {
        "Action": "accept",
        // Match all users in the "Admin" role (network administrators)
        "Users": ["role:Admin", "group:eng"],
        // Allow access to port 22 on all servers
        "Ports": ["*:22"]
    },
    {
        "Action": "accept",
        "Users": ["role:User"],
        // Match only windows and linux workstations (not implemented yet)
        "OS": ["windows", "linux"],
        // Only desktop machines are allowed to access this server
        "Ports": ["10.1.1.1:443"]
    },
    {
        "Action": "accept",
        "Users": ["*"],
        // Match machines which have never been authorized, or which expired.
        // (not implemented yet)
        "MachineAuth": ["unauthorized", "expired"],
        // Logged-in users on unauthorized machines can access the email server.
        // Open the TLS ports for SMTP, IMAP, and HTTP.
        "Ports": ["10.1.2.3:465", "10.1.2.3:993", "10.1.2.3:443"]
    },

    // Match absolutely everything. Comment out this section if you want
    // the above ACLs to apply.
    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },

    // Leave this line here so that every rule can end in a comma.
    // It has no effect since it has no matching rules.
    {"Action": "accept"}
  ]
}