Headscale: Run Your Own Tailscale Control Server (Zero Cloud Dependency)
Mesh VPNs changed everything. Instead of routing all traffic through a central server (and paying for that privilege), your devices connect directly to each other. Tailscale made this magic accessible to everyone with a slick UI and zero-config setup.
But there's a catch. Your connection metadata still flows through Tailscale's coordination servers. For most users, that's fine. For privacy-conscious homelabbers and organizations handling sensitive data? Not so much.
Enter Headscale: the open-source implementation of Tailscale's control server that you can run on your own hardware.
What Headscale Actually Does
Every Tailscale network needs a coordination server. This server doesn't see your traffic (that flows directly between devices via WireGuard), but it does handle device registration, key exchange, and network topology.
Headscale replaces that coordination layer. Your devices still use official Tailscale clients. Your traffic still flows peer-to-peer. But now you control the brains of the operation.
The project implements a single tailnet (Tailscale's term for a private network), making it perfect for personal use or small teams. If you need enterprise features like multiple tailnets, you'll still want official Tailscale.
Why Self-Hosters Are Switching
Three reasons keep coming up in homelab communities:
Data sovereignty matters. Even if Tailscale can't see your traffic, they know which devices connect, when, and from where. For some users, that metadata is sensitive enough to warrant self-hosting.
Offline resilience. If Tailscale's servers go down, your existing connections stay up, but you can't add new devices or update configurations. With Headscale on your own infrastructure, you control availability.
Learning and control. Running your own coordination server teaches you how mesh networking actually works. When something breaks, you can actually debug it.
What You Get (And What You Don't)
Headscale covers most of what you'd expect from Tailscale:
- Device registration and authentication
- Magic DNS for human-readable hostnames
- ACL support for access control
- OIDC integration for SSO login
- Subnet routing and exit nodes
- Pre-authentication keys for headless devices
What's missing? Some newer features like Tailscale Funnel (exposing services publicly) and Serve (HTTPS reverse proxy) aren't implemented yet. Network flow logs and dynamic ACL updates are also absent. And there's no web UI from the core team, though community projects like Headscale-UI fill that gap.
For most homelab scenarios, these limitations don't matter. You're probably not using Funnel anyway, and the CLI works fine for occasional administration.
The Deployment Reality
Getting Headscale running takes more effort than clicking "sign up" on Tailscale's website. You'll need:
- A server with a public IP (or at least one your devices can reach)
- A domain name for HTTPS (Let's Encrypt works great)
- Docker or a Linux box for installation
- About 30 minutes for initial setup
The configuration lives in a single YAML file. Most of it is straightforward: server address, database location, OIDC settings if you want SSO. The ACL policy file follows Tailscale's format, so existing documentation applies.
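Because the ACL file uses Tailscale's format, the same default-deny semantics apply. As an added example (not code from the Headscale project), here is a constructed policy in that format plus a simplified evaluator that shows which connections it permits; the user names, tags and ports are made up, and the evaluator ignores features such as `proto`, `autogroup:` and hostname entries.

```python
"""Added example (not Headscale's own code): a minimal evaluator for a
Tailscale-format ACL policy of the kind Headscale loads. Models groups,
tags, '*' and host:port rules with default deny. Policy is constructed."""
import json

# Constructed policy in Tailscale's ACL format (plain JSON; HuJSON comments omitted).
# Identities are Headscale user names ("alice") or tags ("tag:nas").
POLICY_JSON = """
{
  "groups":    { "group:admins": ["alice"], "group:family": ["bob", "carol"] },
  "tagOwners": { "tag:server": ["group:admins"], "tag:nas": ["group:admins"] },
  "acls": [
    { "action": "accept", "src": ["group:admins"], "dst": ["*:*"] },
    { "action": "accept", "src": ["group:family"], "dst": ["tag:nas:445", "tag:nas:5000"] },
    { "action": "accept", "src": ["tag:server"],   "dst": ["tag:nas:443"] }
  ]
}
"""

def _selectors(policy, principal):
    """A principal matches itself plus every group that lists it."""
    sel = {principal}
    for group, members in policy.get("groups", {}).items():
        if principal in members:
            sel.add(group)
    return sel

def _port_matches(spec, port):
    """Port spec is '*', one port, a comma list, or a range like 8000-9000."""
    if spec == "*":
        return True
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def allowed(policy, src, dst, port):
    """True only when an 'accept' rule matches src, dst and port; else denied."""
    src_sel = _selectors(policy, src)
    dst_sel = _selectors(policy, dst)
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if "*" not in rule["src"] and not (set(rule["src"]) & src_sel):
            continue
        for target in rule["dst"]:
            host, _, ports = target.rpartition(":")   # "tag:nas:445" -> host, ports
            if (host == "*" or host in dst_sel) and _port_matches(ports, port):
                return True
    return False   # no rule matched: default deny

POLICY = json.loads(POLICY_JSON)
```

Running `allowed(POLICY, "bob", "tag:nas", 22)` returns False even though bob can reach the NAS on 445, which is the point of writing rules per port rather than `*:*`.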
Once it's running, connecting clients is nearly identical to regular Tailscale. You point the client at your Headscale server instead of Tailscale's, authenticate, and you're in.
When Headscale Makes Sense
Good fit:
- Homelabs where privacy is paramount
- Air-gapped or isolated environments
- Learning projects and experimentation
- Small teams that want zero external dependencies
Maybe reconsider:
- If you need Tailscale's managed exit nodes
- If you want official support and SLAs
- If you're not comfortable maintaining infrastructure
- If you need features Headscale doesn't implement yet
The Simpler Alternative: WireGuard Direct
Not everyone needs Tailscale's coordination layer. If your setup is straightforward, a basic WireGuard VPN might be enough.
For that scenario, WG-Easy on Elestio provides one-click deployment of WireGuard with a clean web interface. No mesh networking, no automatic key exchange, but also no complexity. Sometimes simpler wins.
WG-Easy makes sense when you have a fixed set of devices connecting to a central server. Headscale shines when you need devices talking directly to each other across different networks without manual configuration.
Getting Started
The official Headscale documentation covers installation thoroughly. The quick version:
- Deploy a server (any cloud provider works, or use Elestio's BYOVM option for managed infrastructure)
- Install Headscale via Docker or package manager
- Configure your domain and generate TLS certificates
- Create your first user and pre-auth keys
- Connect clients using modified Tailscale apps
For a production setup, add monitoring, backups, and possibly a reverse proxy like Caddy or Nginx. The overhead is minimal. Headscale runs happily on the smallest VPS tier.
The Self-Hosted VPN Landscape in 2026
Mesh VPNs are winning. The old model of routing everything through a central server creates bottlenecks, adds latency, and concentrates failure risk. Direct device-to-device connections just work better.
Tailscale proved the concept could be user-friendly. Headscale proved it could be self-hosted. Nebula offers a similar approach with different trade-offs. The ecosystem keeps improving.
For homelabbers already comfortable with Docker and basic networking, running your own coordination server is a weekend project. For the rest of us, services like Elestio make deploying and maintaining open-source infrastructure dramatically simpler.
The best part? You can always migrate. Start with hosted Tailscale, experiment with Headscale on the side, and switch fully when you're ready. Your devices won't know the difference.
Thanks for reading. See you in the next one.