this post was submitted on 15 Mar 2026
31 points (94.3% liked)

Selfhosted

56958 readers
1581 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
31
Tailscale serve and sharing devices (sh.itjust.works)
submitted 1 day ago by Whooping_Seal@sh.itjust.works to c/selfhosted@lemmy.world
10 comments fedilink hide all child comments
 

I am wondering what people's solutions are for this conundrum. The simplest solution would be to just add this person as a user to my tailnet and have them access my sites that way, perhaps I could also limit access to certain cites by ACL e.g. the Cockpit web-management interface. I would, however, much prefer being able to just share-out my server node, and pick which services are served on their tailnet. Is this a plausible route to go?

top 10 comments
sorted by: hot top controversial new old
[–] dan@upvote.au 5 points 1 day ago

You can share the node with them, and use an ACL to control which ports they have access to.

[–] rtxn@lemmy.world 3 points 1 day ago* (last edited 1 day ago) (1 children)

If the other person has a Tailscale account, it sounds like the most expedient method is to simply invite them to the tailnet as a non-admin user with strict access control.

You could share a node with an outside user, but I don't know how much the quarantine would affect its functionality. You could also use Funnel to expose the node to the internet (essentially like a reverse proxy), but there are obvious vital security considerations with that approach.

[–] Whooping_Seal@sh.itjust.works 1 points 1 day ago

That is what it seems like based on what I have read :/

I guess the best option in my case then is likely to add them as a non-admin user to my tailnet. The only concern I have is with the potential of one user deactivating the VPN connection unkowingly, which is probably where Funnel comes in as a better option, but I would prefer to avoid serving stuff on the web when possible. (It is specifically a FreshRSS instance for now)

[–] DougPiranha42@lemmy.world 2 points 1 day ago (3 children)

I don’t know the answer, just commenting because I’m curious. Can you just create a second tailnet and add your server but not your own devices to it?

[–] Whooping_Seal@sh.itjust.works 1 points 1 day ago* (last edited 1 day ago) (1 children)

Yes, there is two ways you can go about this. The way that you are thinking of (and the way that I would ideally like to go about this) is as listed on this help article. This is perfect for sharing a home server to some friends, and letting them access a given service without seeing any of your personal devices.

The other option is to have just one tailnet, but having multiple users as detailed here. Notably this can be a security regression (if you don't limit access on a per-user basis with ACLs), but is ideal for sharing access to your entire network with your spouse / older children within the context of self-hosting.

For example, I have a friend who has shared a minecraft server with me and that is an ideal example of sharing one node to a seperate tailnet. I am an admin of the server, and can manage the docker container for it + the backup sidecar and the SMB share, but that is where my access to his network structure ends.

This contrasts the situation with my partner for example, where we share a tailnet (with seperate user logins) to make things like gamestreaming just that much easier to setup. Hypothetically I can use ACLs to limit access to stuff like the Cockpit web-management portal, or block the SSH port, but I don't feel like I need to in my specific case.

Addendum: I also think sharing the device out strips it of its subnet routes + services, which is part of the problem I am running into where I do want it to strip subnet routing (my elderly parents DO NOT need access to my printer), but I ideally want to be able to still use tailscale serve + services + https certificates to be able to share my self-hosted RSS feed reader for them (ad-free, no AI slop, much better for my one parental figure with early-onset dementia).

Addendum 2: I highly recommend exploring tagging + ACLs if you are looking into personal usage / seperation of networks. It is just a much easier approach of seperating devices that are owned and operated by the same person. I would only explore multi-tailnet option when it is different users and you want to share a very limited scope of your network.

[–] DougPiranha42@lemmy.world 1 points 1 day ago (1 children)

Cool, thanks! What do you use for RSS?

[–] Whooping_Seal@sh.itjust.works 1 points 17 hours ago

As of now I am currently using FreshRSS, although before I properly deploy this to other users in my family / friends I might give Tiny Tiny RSS (tt-rss) a shot as well. I don't think the differences will matter for end-users as the majority of mine will likely all be using it through the API via a mobile app (e.g NetNewsWire (ios & mac), FluentReader (desktop), CapyReader (android) etc. etc.)., however the main difference that will dictate which one I stick with is the filtering capabilities and the ease of setup of article-collection with readibility / mercury to remove extrenuous content / ads.

I am also quite interested in miniflux, although it is quite intentionally bare bones. It lacks a plugin api (a potential security improvement), and instead natively supports many of the things people would use plugins for (native youtube-nocookie embedding / invidious embedding, integrations with readlater services like instapaper and wallabag, etc., integrated article fetching and parsing with readibility [and can change user agent / cookies to bypass bot protections]). It also seems to have a bit better security stance (supporting modern web browser features like passkeys, content sanitization, sanitizing url parameters in share links automatically etc.).

Miniflux definitely feels like the best ratio of ootb functionality + security, but the UI of FreshRSS feels more natural if you envisage less techy users to use it (and in my case I see one person using the website over an app).

[–] irmadlad@lemmy.world 1 points 1 day ago

Yes, you can create a second Tailnet in Tailscale and add your server without including your personal devices. You'll have to create a separate account with a separate email address. Then you can join this second Tailnet with your server while leaving your other devices out. The separation allows you to manage connectivity and network policies independently.

[–] Decronym@lemmy.decronym.xyz 1 points 1 day ago* (last edited 17 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
SMB Server Message Block protocol for file and printer sharing; Windows-native
SSH Secure Shell for remote terminal access
VPN Virtual Private Network

3 acronyms in this thread; the most compressed thread commented on today has 16 acronyms.

[Thread #169 for this comm, first seen 16th Mar 2026, 00:10] [FAQ] [Full list] [Contact] [Source code]