POST(VPN)    netgod.dev manual    POST(VPN)
NAME

$ Self-Hosted Tailscale Alternative with Headscale

DESCRIPTION

Tailscale's UX is a love letter to networking. Headscale gives you the same UX without trusting anyone else's coordination server.

DATE
2025-04-10
CONTENT

Tailscale is WireGuard wrapped in identity, NAT traversal, and a slick UI. The catch is that the coordination server sees all your peer keys and metadata. For a homelab that's fine; for a company it's not.

Headscale is an open-source reimplementation of that coordination server. Same Tailscale clients, your own backend.

Setup

# config.yaml
server_url: https://headscale.example.com
listen_addr: 0.0.0.0:8080
ip_prefixes:
  - 100.64.0.0/10

Behind a Caddy reverse proxy, this is a 30-minute deploy.
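
A pre-deploy check of the config above, as an added example that is not part of the original post or the Headscale project. It assumes Caddy terminates TLS on the same host as Headscale; `audit` and `proxy_on_same_host` are hypothetical names, and the sample dict is constructed from the values shown above.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed sample: the config.yaml values from the post, as a dict.
SAMPLE = {
    "server_url": "https://headscale.example.com",
    "listen_addr": "0.0.0.0:8080",
    "ip_prefixes": ["100.64.0.0/10"],
}

# Address ranges the Tailscale client accepts for node IPs.
ALLOWED = [ipaddress.ip_network("100.64.0.0/10"),
           ipaddress.ip_network("fd7a:115c:a1e0::/48")]


def audit(cfg, proxy_on_same_host=True):
    """Return findings for a Headscale config fronted by a TLS proxy."""
    findings = []
    url = urlsplit(cfg.get("server_url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("server_url: clients should reach the server over https")
    host, _, port = cfg.get("listen_addr", "").rpartition(":")
    host = host.strip("[]")  # allow bracketed IPv6 such as [::]:8080
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        findings.append(f"listen_addr: {host!r} is not an IP literal")
    else:
        if addr.is_unspecified and proxy_on_same_host:
            findings.append(f"listen_addr: {host}:{port} exposes the plain-HTTP "
                            "port on every interface; bind to 127.0.0.1")
    for prefix in cfg.get("ip_prefixes", []):
        try:
            net = ipaddress.ip_network(prefix)
        except ValueError:
            findings.append(f"ip_prefixes: {prefix!r} is not a valid network")
            continue
        if not any(net.version == a.version and net.subnet_of(a) for a in ALLOWED):
            findings.append(f"ip_prefixes: {prefix} is outside the ranges "
                            "Tailscale clients accept")
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE) or ["no findings"]:
        print(line)
```

With the wildcard bind, anything that can reach port 8080 directly talks to Headscale without going through Caddy's TLS; binding to loopback leaves the proxy as the only way in.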

What you give up

  • The fancy admin web UI (community projects exist; they're fine)
  • Some of the latest Tailscale features lag a few months

What you keep

MagicDNS, ACLs, exit nodes, SSH, subnet routers — the entire UX. It's the most satisfying self-hosted swap I've made all year.

netgod.dev manual    2025-04-10    END