Locking Down My Homelab with Tailscale ACLs
Mahela IndeewaraHow I Secured Device-to-Device Access Without Sacrificing Convenience
The Problem: Too Much Trust in My Tailnet
When I first set up Tailscale for my homelab just so I can access my desktop at home, I loved how effortlessly it connected all my devices. But I soon realized something unsettling: every device could communicate with every other device by default.
This became a concern because my homelab includes:
Media servers (Plex, Jellyfin, many other services)
IoT devices
Monitoring systems (Raspberry Pi running uptime checks)
I needed to implement least-privilege access—where devices only have the permissions they absolutely need.
Tailscale ACLs to the Rescue
Luckily, Tailscale's Access Control Lists (ACLs) are designed to support this approach. Initially, setting up all the rules seemed daunting, but I managed to configure them over an evening.
Here's how I locked things down.
Step 1: Defined My Devices
First, I mapped out my devices in the ACL file for clarity:
{
"hosts": {
"admin-laptop": "100.64.0.1", // My primary workstation
"admin-phone": "100.64.0.2", // For remote management
"nas": "100.64.0.3", // File storage (SMB/NFS)
"plex-server": "100.64.0.4", // Media streaming
"smart-tv": "100.64.0.5", // Should NOT access NAS!
"monitoring-pi": "100.64.0.6" // Pings internal LAN
}
}
Why this matters:
Using descriptive names (
nasinstead of100.64.0.3) makes rules easier to maintainHelps avoid mistakes when adding new devices later
Step 2: Crafted My Access Rules
1. Full Access for Admin Devices
I wanted these 2 devices to have no restrictions for now:
{
"action": "accept",
"src": ["admin-laptop", "admin-phone"],
"dst": ["*:*"] // All ports, all devices
}
2. Media Access for Streaming Devices
My smart TV should only reach Plex—not my NAS!
{
"action": "accept",
"src": ["smart-tv"],
"dst": ["plex-server:32400"] // Plex port only
},
{
"action": "deny",
"src": ["smart-tv"],
"dst": ["nas:*"] // Explicitly block NAS access
}
3. LAN Access for Monitoring
My Raspberry Pi needs to ping internal LAN devices (192.168.1.0/24) but nothing else:
{
"action": "accept",
"src": ["monitoring-pi"],
"dst": ["192.168.1.0/24:*"],
"proto": "icmp" // Ping only
}
The Complete ACL Configuration
{
"hosts": {
"admin-laptop": "100.64.0.1",
"admin-phone": "100.64.0.2",
"nas": "100.64.0.3",
"plex-server": "100.64.0.4",
"smart-tv": "100.64.0.5",
"monitoring-pi": "100.64.0.6"
},
"acls": [
// Admins get full access
{
"action": "accept",
"src": ["admin-laptop", "admin-phone"],
"dst": ["*:*"]
},
// Smart TV can only access Plex
{
"action": "accept",
"src": ["smart-tv"],
"dst": ["plex-server:32400"]
},
// Explicitly block Smart TV from NAS
{
"action": "deny",
"src": ["smart-tv"],
"dst": ["nas:*"]
},
// Monitoring Pi can ping LAN
{
"action": "accept",
"src": ["monitoring-pi"],
"dst": ["192.168.1.0/24:*"],
"proto": "icmp"
}
]
}
Testing & Validation
After applying these rules:
| Device | Expected Access | Test Result |
| Admin Laptop | Full access to all devices | ✅ Works |
| Admin Phone | Full access to all devices | ✅ Works |
| Smart TV | Only Plex (port 32400) | ✅ Works |
| Smart TV | Blocked from NAS | ✅ Blocked |
| Monitoring Pi | Can ping LAN (192.168.1.x) | ✅ Works |
| Monitoring Pi | Cannot SSH to other devices | ✅ Blocked |
Key Takeaways
Start with a default-deny approach – Only allow what's necessary.
Use descriptive hostnames – Makes ACLs easier to read and maintain.
Test incrementally – Verify each rule works before adding complexity.
Monitor logs – Use
tailscale debug aclto troubleshoot unexpected blocks.
Tailscale ACLs transformed my homelab from "everything can talk" to "least privilege by default"—without sacrificing convenience.
Next Steps
Subscribe to my newsletter
Read articles from Mahela Indeewara directly inside your inbox. Subscribe to the newsletter, and don't miss out.
Written by