opensourceprojects.dev

A broadsheet for software that doesn't ask for your email

Headscale: a self-hosted open source alternative to the Tailscale control server
GitHub RepoImpressions3

Project Description

View on GitHub

Headscale: Your Own Private Tailscale Control Server

If you've ever used Tailscale, you know the magic: zero config wireguard mesh VPN that just works. But what if you want total control over the coordination server — the part that manages nodes, keys, and ACLs? That's where Headscale comes in.

Headscale is an open source implementation of the Tailscale control server. It's not a replacement for the Tailscale client (you still use the official tailscale CLI), but it lets you run your own coordination backend. Think of it like running your own Signal server while using the Signal app — same client, different server.

What It Does

Headscale provides all the core control plane features you'd expect:

  • Node registration and key management
  • ACL (Access Control List) enforcement
  • Subnet routing and exit nodes
  • Multi-user support (namespaces)
  • DNS configuration
  • MagicDNS (local hostname resolution)

When you point the Tailscale client at your Headscale instance, all coordination goes through your server instead of Tailscale's cloud. Your nodes still talk directly to each other (peer to peer), but they check in with you for authentication and routing decisions.

Why It's Cool

The obvious reason: full ownership. Your data, your keys, your rules. No dependency on a third party cloud. But there's more to it.

Single binary deployment. One Go binary, one SQLite or Postgres database, and you're done. No Kubernetes cluster required.

Works with existing Tailscale clients. You don't need to build custom VPN software. Just configure your tailscale up command to use your headscale URL.

Fine-grained ACLs. Write rules in a YAML file. Example: "allow dev team to reach staging servers but not production". No extra tools needed.

Community driven. It's not a corporate product. Issues get fixed fast. New features come from real use cases.

No vendor lock-in. If you ever want to go back to Tailscale's cloud, it's just a config change. The clients treat both identically.

How to Try It

The quickest way to see it working:

# Download the headscale binary from releases
wget https://github.com/juanfont/headscale/releases/latest/download/headscale_linux_amd64

# Make it executable and create config
chmod +x headscale_linux_amd64
sudo mv headscale_linux_amd64 /usr/local/bin/headscale
headscale config create

# Start the server (runs on port 8080 by default)
headscale serve

Then on any machine with tailscale installed:

# Register with your own server
tailscale up --login-server=http://your-headscale-server:8080

Headscale will give you a URL to authenticate. Open it, and you're in.

For a more detailed guide, check the official Getting Started docs.

Final Thoughts

Headscale is for people who want the convenience of Tailscale without trusting someone else's cloud. It's also great for internal infrastructure — run it behind your VPN, give it a private IP, and your team's devices will find each other without ever touching the internet.

Is it production ready? Yes. Is it as polished as Tailscale's cloud dashboard? Not yet. But for a side project that started as a weekend hack, it's remarkably solid.

If you're already using Tailscale and wish you could self-host, or you're building something that needs trusted mesh networking without third party dependencies, Headscale is worth a serious look.

Follow us at @githubprojects for more open source discoveries.

Repository: https://github.com/juanfont/headscale

Contributors

@githubprojects
2
Total PostsPosts
1
ContributorsUsers
June 30
CreatedDate
Back to Projects
Project ID: 9f4e24df-21a9-4a4f-bdc2-fba2cafc64c6Last updated: June 30, 2026 at 02:44 AM