team@tinypod.app

Self-Hosting Headscale: Open-Source Tailscale Control Server

Headscale is a self-hosted Tailscale control server. Build your own mesh VPN without relying on Tailscale's coordination service.

headscale, tailscale, vpn, mesh-network

What Is Headscale?


Headscale is an open-source implementation of the Tailscale control server. It lets you use Tailscale clients with your own coordination server.


Tailscale Background


Tailscale creates mesh VPN networks using WireGuard. Devices connect directly to each other. The control server coordinates key exchange and network configuration — Headscale replaces this server.


Features


Mesh Networking

  • Direct device-to-device connections
  • NAT traversal (works behind firewalls)
  • WireGuard encryption
  • Automatic key rotation

Access Control

  • ACLs (who can access what)
  • Namespaces (separate networks)
  • Pre-auth keys for new devices
  • Device management

DNS

  • MagicDNS (name resolution for devices)
  • Custom DNS settings
  • Split DNS

Headscale vs Tailscale


  • Headscale: Self-hosted, no account with Tailscale
  • Tailscale: Managed, easier setup, more features (Funnel, etc.)
  • Both use the same WireGuard-based clients

Use Cases


  • Connect all your servers into a private network
  • Access homelab from anywhere
  • Secure remote access without port forwarding
  • Site-to-site VPN

Deployment


  1. Deploy Headscale on TinyPod
  2. Create a namespace
  3. Generate auth keys
  4. Install Tailscale on devices with --login-server pointing to Headscale
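Steps 2 to 4 as commands, in an added example that is not from the original post or the Headscale project. It assumes a Headscale release that still has the namespaces subcommand (newer releases call these users); the namespace "homelab" and the URL https://headscale.example.com are placeholders. Commands are only printed unless DRY_RUN=0 is set.

```shell
#!/bin/sh
# Added example. Assumed values: namespace "homelab",
# login server https://headscale.example.com.

# Print the command by default; execute it only when DRY_RUN=0.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "+ $*"
    else
        "$@"
    fi
}

# Clients register their node keys with the control server,
# so refuse any login-server URL that is not HTTPS.
require_https() {
    case "$1" in
        https://?*) return 0 ;;
        *) echo "login server must be an https:// URL: $1" >&2
           return 1 ;;
    esac
}

# Steps 2 and 3, run on the Headscale host.
server_setup() {
    ns=$1
    run headscale namespaces create "$ns"
    # No --reusable and a short expiry: a leaked key cannot be
    # used to enroll further devices later.
    run headscale --namespace "$ns" preauthkeys create --expiration 1h
}

# Step 4, run as root on each device that should join.
join_device() {
    url=$1
    key=$2
    require_https "$url" || return 1
    [ -n "$key" ] || { echo "missing pre-auth key" >&2; return 1; }
    run tailscale up --login-server "$url" --authkey "$key"
}

# Usage: script server <namespace> | script client <url> <key>
case "${1:-}" in
    server) server_setup "$2" ;;
    client) join_device "$2" "$3" ;;
esac
```

After a device has joined, `headscale nodes list` on the server shows whether it registered under the expected namespace.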


Resources: 1 CPU, 128 MB RAM.


Headscale is perfect if you want Tailscale's mesh networking without depending on Tailscale's servers.