r/selfhosted

Has anyone used Headscale?

I'm wondering if anyone has used headscale? https://github.com/juanfont/headscale

I just started using tailscale, but I don't like the fact that the keys lie on something I don't control, so I was looking for a way to host my own tailscale-like site and came across this. This looks like what I was looking for, so I was wondering if anyone has tried it and found it viable and stable for the use case of a small home network or two.


Comments Section

I've been using headscale for a bit now, would definitely recommend. The docs in the GitHub are pretty easy to follow, and it's more or less feature complete for most of the stuff I want, although it doesn't do everything Tailscale does.

My setup is Headscale + Caddy L4 TCP passthrough + OIDC provider (Authentik) on a VPS (have used both Oracle Cloud and Contabo in the past). Caddy routes everything through one namespace in headscale onto my local machines. I have another namespace that's for my laptop, PC, and phone as well. Happy to answer any questions!

Can you tell some more about your setup? How did you secure your Headscale page, for example, and what does the Caddy passthrough do exactly?

Sure! My headscale instance is secured via OIDC, provided by Authentik. This is why Authentik needs to be on the VPS rather than on a local machine; it has to be spun up and accessible before headscale.

Here's a link to the config and compose files I'm using to run headscale.

Then, on the same VPS, I have a Caddy L4 container. I point Cloudflare DNS for a domain I own to the VPS, and the hostmap.json I create and convert to a Caddy L4 compatible format becomes the guide for the Caddy instance to proxy traffic without SSL termination through to machines on my headscale network - this is basically just two Lenovo mini PCs and a Raspberry Pi I have at home. Each of these local machines also runs a Caddy instance that receives and terminates SSL connections - these are configured using caddy-docker-proxy, so any Docker containers I spin up locally are automatically available so long as the subdomains they're on are listed in the hostmap on the VPS.

This is convenient for me relative to other options for achieving the same goal because I have limited control over and ability to configure my router, so things like DDNS would be a lot more messy than this solution, to my understanding.

Let me know if I'm unclear or if you have any other questions!
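As an added illustration of the hostmap-to-Caddy-L4 step described above (this is not the commenter's own script), the following Python turns a hostmap of public subdomains to Headscale peer addresses into a caddy-l4 JSON config that matches on the TLS SNI and proxies the raw TCP stream, so TLS is still terminated only on the home machines. The hostnames, the 100.64.x.x tailnet addresses and the function name are constructed; the JSON shape (layer4 app, tls/sni matcher, proxy handler with dial upstreams) is caddy-l4's documented format.

```python
"""Convert a hostmap {subdomain: headscale-peer-ip} into a caddy-l4 JSON config.

Added example, not the commenter's files. caddy-l4 (github.com/mholt/caddy-l4)
reads the SNI from the TLS ClientHello and forwards the unmodified TCP stream,
so the VPS never holds certificates or sees plaintext for these hosts.
"""
import json
import re

# Constructed sample hostmap: public name -> Headscale peer IP (100.64.0.0/10)
HOSTMAP = {
    "git.example.com": "100.64.0.2",
    "photos.example.com": "100.64.0.3",
    "pi.example.com": "100.64.0.4",
}

# Strict hostname check: a typo in hostmap.json must fail loudly rather than
# produce a route that never matches (or matches more than intended).
_HOSTNAME_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def build_layer4_config(hostmap: dict, listen_port: int = 443) -> dict:
    """Return a caddy-l4 config with one SNI-matched passthrough route per host.

    Connections whose SNI matches no route are simply closed by caddy-l4,
    so only names listed in the hostmap are ever forwarded into the tailnet.
    """
    routes = []
    for host, upstream_ip in sorted(hostmap.items()):
        if not _HOSTNAME_RE.match(host):
            raise ValueError(f"invalid hostname in hostmap: {host!r}")
        routes.append({
            "match": [{"tls": {"sni": [host]}}],
            "handle": [{
                "handler": "proxy",
                # The peer's own Caddy listens on the same port and terminates TLS.
                "upstreams": [{"dial": [f"{upstream_ip}:{listen_port}"]}],
            }],
        })
    server = {"listen": [f":{listen_port}"], "routes": routes}
    return {"apps": {"layer4": {"servers": {"passthrough": server}}}}


if __name__ == "__main__":
    print(json.dumps(build_layer4_config(HOSTMAP), indent=2))
```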


Do you use caddy as reverse proxy? And is it tailscale funnel or just regular tailscale?


I use headscale. Quite simple to setup. You don't even need oidc in the first place if you don't plan on having to deal with identities.

I love it, and I love tailscale.


To be fair tailscale is architected in a way that they do control your network, but in a way that does not grant any access to your data.

Actually reading the tailscale blog is a fantastic lesson in both enterprise development and networking.


I love wireguard

It's so easy and versatile. I was a strong proponent of OpenVPN for like a decade because it too is extremely flexible but when WireGuard came out I fell in love with its performance and simplicity.


Tailscale themselves are addressing this concern with tailscale lock, which only allows a node to be added to a tailnet that is signed by an existing node.

I.e. the Tailscale control server can't just silently add their own node to your tailnet to spy on you, for example.


    Another option (though not as popular) is Netbird

    Netbird looks super nice; I just get a headache trying to figure out how many moving parts there are to set one up.


    Do they have mobile clients yet? Last I looked they didn't and that's a deal breaker unfortunately.


    Just android, and that's in beta.


    Been using Headscale for a few weeks. It's super lightweight, its default systemd unit is absurdly protective (it makes sure that headscale can only access and do what it truly needs and runs as an underprivileged user on purpose) and it should be possible to use it in something like a free fly.io instance. Haven't made that work just yet - but that is very much a me-problem. Connections have been rock solid and stable, config is super small and simple. :)

    Discussion in here.

    I've used a bunch of these and I think they all have their place. I ended up switching over to Netmaker because it's also Wireguard-based and its web-ui makes it easy to add and remove clients and have some fine-grained control over each one's access.

    You can pretty much do the same stuff with headscale, but it's the type of thing I'd do infrequently enough that I'd have to spend all of my time in the man page each time I had to make a change.


    I did not have time yet to try it, but nebula looks amazing


    If just using it for yourself I would suggest sticking to WireGuard.

    I set up headscale because I was looking for something I could self-host but also have a really high quality user app experience. Unfortunately, using the Tailscale clients with headscale requires some workarounds to get them to connect to a headscale server; for example, Windows requires use of regedit.

    So I was hoping for something stupid easy for family but it didn't really provide it.

    Also, adding a client is kinda annoying and requires typing or transferring long strings of characters.

    In the end I think it would be easier to have someone install Wireguard and then import the config file.

    I recently moved from tailscale to headscale and am very happy with it. I prefer to have users logged in to their devices instead of me using my SSO login on all their devices, so now I can see what device is connected.

    Also, just today I set up Authentik as my OIDC provider, so now the behavior is similar to logging in to an SSO provider on Tailscale. It also makes user management much easier.


    Try selfhosting mistborn


    There's Tailnet lock. It's a little bit annoying when adding devices, but it's okay.

    Is there a benefit over just having your openwrt router be your vpn termination point?

    For most of the people out there (including myself) wireguard-easy is just easier and works great.


    Easier than tailscale? I don't see how you've come to that conclusion.


    Wireguard-easy & wireguard-UI both require port forwarding.


    Check out the Lawrence Systems video on YouTube.