I am wondering what people’s solutions are for this conundrum. The simplest solution would be to just add this person as a user to my tailnet and have them access my sites that way; perhaps I could also limit access to certain sites by ACL, e.g. the Cockpit web-management interface. I would, however, much prefer being able to just share out my server node, and pick which services are served on their tailnet. Is this a plausible route to go?

  • dan@upvote.au · 5 upvotes · 17 hours ago

    You can share the node with them, and use an ACL to control which ports they have access to.
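
A sketch of the kind of policy the comment above describes, added here as an illustration and not taken from any poster's configuration. It is written in the HuJSON form Tailscale policy files use; the host alias `rss-server` and the address `100.64.0.10` are constructed placeholders, and port 443 assumes the service is published over HTTPS.

```json
{
  // Constructed example: "rss-server" is a placeholder alias for the shared
  // node, and 100.64.0.10 is a made-up address in the Tailscale range.
  "hosts": {
    "rss-server": "100.64.0.10"
  },
  "acls": [
    // Members of the tailnet keep full access to their own network.
    {
      "action": "accept",
      "src": ["autogroup:member"],
      "dst": ["*:*"]
    },
    // Users who accepted a share invite can reach only HTTPS on the shared node.
    // SSH (22) and Cockpit (9090) are not listed, so the policy does not
    // grant shared users access to them.
    {
      "action": "accept",
      "src": ["autogroup:shared"],
      "dst": ["rss-server:443"]
    }
  ]
}
```

Policy rules are allow-only, so anything not matched by an `accept` rule is refused; a catch-all rule with `"src": ["*"]` would need to be removed for the narrower rule to have any effect.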

  • rtxn@lemmy.world · 3 upvotes · edited · 19 hours ago

    If the other person has a Tailscale account, it sounds like the most expedient method is to simply invite them to the tailnet as a non-admin user with strict access control.

    You could share a node with an outside user, but I don’t know how much the quarantine would affect its functionality. You could also use Funnel to expose the node to the internet (essentially like a reverse proxy), but there are obvious vital security considerations with that approach.

    • Whooping_Seal@sh.itjust.works (OP) · 1 upvote · 15 hours ago

      That is what it seems like based on what I have read :/

      I guess the best option in my case then is likely to add them as a non-admin user to my tailnet. The only concern I have is with the potential of one user deactivating the VPN connection unknowingly, which is probably where Funnel comes in as a better option, but I would prefer to avoid serving stuff on the web when possible. (It is specifically a FreshRSS instance for now)

  • Decronym@lemmy.decronym.xyz (bot) · 1 upvote · edited · 9 hours ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    | Fewer Letters | More Letters |
    |---|---|
    | SMB | Server Message Block protocol for file and printer sharing; Windows-native |
    | SSH | Secure Shell for remote terminal access |
    | VPN | Virtual Private Network |

    3 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

    [Thread #169 for this comm, first seen 16th Mar 2026, 00:10]

  • DougPiranha42@lemmy.world · 2 upvotes · 19 hours ago

    I don’t know the answer, just commenting because I’m curious. Can you just create a second tailnet and add your server but not your own devices to it?

    • Whooping_Seal@sh.itjust.works (OP) · 1 upvote · edited · 15 hours ago

      Yes, there are two ways you can go about this. The way that you are thinking of (and the way that I would ideally like to go about this) is as listed on this help article. This is perfect for sharing a home server to some friends, and letting them access a given service without seeing any of your personal devices.

      The other option is to have just one tailnet, but having multiple users as detailed here. Notably this can be a security regression (if you don’t limit access on a per-user basis with ACLs), but is ideal for sharing access to your entire network with your spouse / older children within the context of self-hosting.


      For example, I have a friend who has shared a Minecraft server with me and that is an ideal example of sharing one node to a separate tailnet. I am an admin of the server, and can manage the Docker container for it + the backup sidecar and the SMB share, but that is where my access to his network structure ends.

      This contrasts with the situation with my partner for example, where we share a tailnet (with separate user logins) to make things like gamestreaming just that much easier to set up. Hypothetically I can use ACLs to limit access to stuff like the Cockpit web-management portal, or block the SSH port, but I don’t feel like I need to in my specific case.


      Addendum: I also think sharing the device out strips it of its subnet routes + services, which is part of the problem I am running into where I do want it to strip subnet routing (my elderly parents DO NOT need access to my printer), but I ideally want to be able to still use tailscale serve + services + https certificates to be able to share my self-hosted RSS feed reader for them (ad-free, no AI slop, much better for my one parental figure with early-onset dementia).


      Addendum 2: I highly recommend exploring tagging + ACLs if you are looking into personal usage / separation of networks. It is just a much easier approach of separating devices that are owned and operated by the same person. I would only explore the multi-tailnet option when it is different users and you want to share a very limited scope of your network.

    • irmadlad@lemmy.world · 1 upvote · 17 hours ago

      Yes, you can create a second Tailnet in Tailscale and add your server without including your personal devices. You’ll have to create a separate account with a separate email address. Then you can join this second Tailnet with your server while leaving your other devices out. The separation allows you to manage connectivity and network policies independently.