← All open source projects

Headscale

juanfont/headscale

Headscale is an open implementation of the Tailscale control server that can run on your own server.

GitHub · 40,452 stars
Forks 2,224
Author juanfont
Language Go
License BSD-3-Clause
Synced 2026-06-27

What it is

Headscale is an open implementation of the Tailscale control server. Tailscale builds private networks over WireGuard, while the control server manages users, devices, keys, and the network map.

It helps people and teams that like Tailscale clients but want more control over the control-plane side: labs, personal servers, small teams, and infrastructure experiments.

How the approach works

Tailscale clients connect to a control server, receive network information, and discover each other. Headscale implements that role and stores users, nodes, routes, and access policy state.

The boundary matters: Headscale is not the official Tailscale service and does not duplicate every commercial feature. It must be operated and secured by the owner.

Simplified network shape

This sketch shows the role of Headscale: it does not carry all traffic, but helps devices discover each other and establish secure paths.

Language: Plain text 
laptop -> headscale control server <- home server
          | users, nodes, keys, routes |

laptop <====== WireGuard path ======> home server

What is inside

The repository contains the Go server, running documentation, configuration examples, tests, development instructions, and client support notes.

Headscale is an infrastructure project around network access, so domain setup, TLS, users, backups, and logs matter.

Practical context

Before adopting Headscale, it is worth asking whether operating your own control server is actually needed. It can be excellent for a personal lab; companies need to think about support and reliability.

A good setup starts with a small network and clear access rules.

How it differs from a regular VPN

Headscale does not encrypt all traffic through its own server like a classic central VPN. Its role is closer to coordination: it helps nodes discover each other, exchange control data, and form a private mesh network using Tailscale clients.

This is useful when a team wants the convenience of Tailscale clients while keeping the control layer under its own administration. It often fits small infrastructure teams, labs, home servers, and private environments.

The price of control is operational responsibility. Updates, keys, access rules, database backups, and user policy all need attention. Headscale removes dependence on an external coordination service, but it does not remove network administration.

The repository should be treated as an infrastructure component. It works best when node relationships, access ownership, and recovery procedures are already clear.

Strengths and limits

The strength is control plus compatibility with Tailscale clients. The limit is responsibility: operating the control server becomes your job.