TL;DR — Quick Summary
Deploy Headscale — the self-hosted Tailscale control server. Full mesh VPN with WireGuard, ACLs, MagicDNS, and exit nodes without depending on Tailscale's cloud coordination server.
What Is Headscale?
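Headscale is an open-source, self-hosted implementation of the Tailscale coordination server. You get the same WireGuard mesh VPN and the same official Tailscale clients, but the control plane runs on your own server.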
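```yaml
services:
  headscale:
    image: headscale/headscale:latest
    container_name: headscale
    restart: always
    ports:
      # Control/API listener that clients reach via --login-server
      - "8080:8080"
      # Second published port (metrics listener in Headscale's example config)
      - "9090:9090"
    volumes:
      # Persistent server state (database, keys)
      - headscale-data:/var/lib/headscale
      - ./config.yaml:/etc/headscale/config.yaml
    command: serve

volumes:
  headscale-data:
```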
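A tightened variant of the Compose file above, as an added example that is not part of the original page. It assumes a reverse proxy on the same host terminates TLS for `hs.yourdomain.com` and forwards to port 8080, and that `config.yaml` uses ports 8080 and 9090 as the port mappings above imply; `PINNED_VERSION` is a placeholder, not a real tag.

```yaml
services:
  headscale:
    # Placeholder: replace PINNED_VERSION with a release tag you have vetted,
    # so a restart never pulls an unreviewed control-server build.
    image: headscale/headscale:PINNED_VERSION
    container_name: headscale
    restart: always
    ports:
      # Bind to loopback only. A bare "8080:8080" publishes on every host
      # interface; here only the local reverse proxy (assumed) can reach it.
      - "127.0.0.1:8080:8080"
      # Keep the second listener off the network as well; scrape it locally.
      - "127.0.0.1:9090:9090"
    volumes:
      - headscale-data:/var/lib/headscale
      # Read-only mount: the container cannot rewrite its own configuration.
      - ./config.yaml:/etc/headscale/config.yaml:ro
    security_opt:
      # Block privilege escalation through setuid binaries inside the container.
      - no-new-privileges:true
    command: serve

volumes:
  headscale-data:
```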
Key Commands
```bash
# Create user
headscale users create myuser

# Generate pre-auth key
headscale preauthkeys create --user myuser --reusable --expiration 24h

# List nodes
headscale nodes list

# Register a node
# On client: tailscale up --login-server https://hs.yourdomain.com
# On server: headscale nodes register --user myuser --key nodekey:xxx
```
Headscale vs Tailscale vs NetBird
| Feature | Headscale | Tailscale | NetBird |
|---|---|---|---|
| Control server | Self-hosted | Cloud | Self-hosted |
| Clients | Official Tailscale | Official | Own clients |
| Protocol | WireGuard | WireGuard | WireGuard |
| MagicDNS | ✅ | ✅ | ✅ |
| ACLs | ✅ | ✅ | ✅ |
| Exit nodes | ✅ | ✅ | ✅ |
| SSO | OIDC | Google/MS/GitHub | OIDC |
| Web UI | Headscale-UI (3rd party) | ✅ Native | ✅ Native |
| Cost | Free | Free (100 devices) | Free (5 users) |