Headscale

Headscale is an open source, self-hosted implementation of the Tailscale control server that lets you build your own private mesh VPN network using WireGuard.

What You Can Do After Deployment

1. Visit your domain — Access the Headscale server and verify it is running
2. Create users — Use the CLI to create users (namespaces) for your VPN network
3. Register nodes — Connect Tailscale clients to your self-hosted control server
4. Manage ACLs — Define access control lists to manage which nodes can communicate
5. Generate pre-auth keys — Create authentication keys for easy node registration

Key Features

• Self-hosted Tailscale-compatible control server
• WireGuard-based encrypted mesh networking
• Multi-user support with namespace isolation
• Access control lists (ACLs) for fine-grained permissions
• Pre-authentication keys for automated node enrollment
• DNS management and MagicDNS support
• DERP relay server support for NAT traversal
• gRPC API for programmatic management
• Embedded storage for simple single-container deployment
• Compatible with official Tailscale clients on all platforms

License

BSD-3-Clause — GitHub