Introducing Tailor
Get a tailored tailnet to your exact measurements.
- Tailscale
- OSS Project
TL;DR
Tailor is a tailnet visualizer that enables finer-grained control of your Tailscale network and also gives you really fun visuals!
The Details
Tailscale is an amazing piece of kit. It is essential infrastructure in my life, given that about 1 in 3 apps on my phone talk to docker containers on my homelab. As you might imagine, my tailnet is pretty “flat,” with very few ACLs in place, but with a new supply chain attack every week, I feel like I need to tighten my security posture. I’m not here to attempt to fear monger anyone into not using a homelab, or not using Tailscale (if anything, I’m going to use more Tailscale); we all have our own threat models and tolerances for security. This is about my ‘everything can see everything’ tailnet needing a glow-up.
Luckily, Tailscale’s extensive access control tooling should make it easy to lock down my tailnet from “anything can see and talk to anything” to something more like “things can only talk to what they need to.” But I’m a visual learner, and it is hard to visualize how ACL tweaks can affect my tailnet. That’s why I’ve written Tailor.
Tailor is a Tailnet and ACL visualization tool: a single Go binary (or docker container) with an embedded Svelte web interface. It either runs off your Tailscale socket on the host machine, or you can feed it a Tailscale key of its very own. The initial screen shows you a “live feed” of your tailnet, but the real power and fun comes when you give it a Tailscale API token. It then will pull the ACL configuration of your tailnet and apply it to the visualization.
(Don’t worry though, the API token is never stored on disk and only lives in memory. Kill the process/restart the container and it’s gone.)
Within Tailor you can also modify your ACLs, visualize the change, and if you approve it, save it to your tailnet directly. Right now it is a raw HuJSON editor, but in future versions I’ll experiment with better ways to edit your ACLs in this visual medium instead of just copying the already great editing tools on the Tailscale portal. I tried a few approaches, but none satisfied me, mainly because I do not currently have in-depth ACLs set up myself. As I lock down my own network, I’ll build better ways to add new and interesting tooling to this application to assist with configuration.
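To make the “flat” versus locked-down difference concrete, here is an added example (not Tailor’s code, and not from the Tailscale project) that turns the `acls` section of a policy into the list of connections it permits, which is the edge list an ACL visualization has to draw. The node names, tags and both policies are constructed, and the evaluator is deliberately simplified: it reads plain JSON rather than HuJSON and understands only `*` and single-tag selectors, not groups, hosts or autogroups.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// Node, Nodes, Flat and Tight are constructed samples (plain JSON, not HuJSON).
type Node struct{ Name, Tag string }
var Nodes = []Node{{"phone", "tag:phone"}, {"laptop", "tag:admin"}, {"media", "tag:media"}, {"nas", "tag:storage"}}
const Flat = `{"acls":[{"action":"accept","src":["*"],"dst":["*:*"]}]}`
const Tight = `{"acls":[{"action":"accept","src":["tag:phone"],"dst":["tag:media:443"]},{"action":"accept","src":["tag:admin"],"dst":["*:22"]}]}`

func hit(sels []string, n Node) (ok bool) { // "*" selects every node
	for _, s := range sels {
		ok = ok || s == "*" || s == n.Tag
	}
	return ok
}

// Edges lists "src -> dst:ports" per granted pair; ACLs are default-deny, so absent pairs cannot connect.
func Edges(policy string, nodes []Node) (out []string, err error) {
	var p struct{ ACLs []struct{ Action string; Src, Dst []string } }
	if err = json.Unmarshal([]byte(policy), &p); err != nil {
		return nil, err
	}
	for _, r := range p.ACLs {
		for _, d := range r.Dst {
			i := strings.LastIndex(d, ":") // ports follow the last colon
			if r.Action != "accept" || i < 0 {
				return nil, fmt.Errorf("unsupported rule: %s %q", r.Action, d)
			}
			for _, s := range nodes {
				for _, t := range nodes {
					if s.Name != t.Name && hit(r.Src, s) && hit([]string{d[:i]}, t) {
						out = append(out, s.Name+" -> "+t.Name+":"+d[i+1:])
					}
				}
			}
		}
	}
	return out, nil
}

func main() {
	fmt.Println(Edges(Flat, Nodes))
	fmt.Println(Edges(Tight, Nodes))
}
```

On the four sample nodes the flat policy yields every one of the 12 possible directed connections on all ports, while the tightened policy leaves four: the phone to the media server on 443, and the admin laptop to each other node on 22.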
Tailor is also a foundation, a new way of viewing your tailnet. Right now there is no persistent state; it only stores the API key in memory. We could do nifty things with more tools, such as setting up a SQLite database in Tailor to track histories of devices being added, removed, coming online or offline. Tailscale’s Audit logging covers some of this, but not all of it. Having a rich locally maintained data store of all the happenings of your tailnet could lead to some fun insights and features (time lapse of your tailnet, anyone?). So if you are already an ACL wizard, feel free to slide into my DMs or open an issue if you have clever ideas on how to iterate on this.
I’m excited to see what folks can do with this. Giving a visual layer to such a powerful tool enables much finer-grain management of your tailnet. So give it a try. If you like it, give it a star. And maybe, just maybe, no one will notice that this is also a brazen attempt to get Tailscale to seriously consider me for the role I already applied for. 😅