Configs · Apr 10, 2026 · 3 min read

Headscale — Open Source Self-Hosted Tailscale Control Server

Headscale is an open-source implementation of the Tailscale control server. Run your own private mesh VPN with WireGuard, no Tailscale subscription needed.

Introduction

Headscale is an open-source, self-hosted implementation of the Tailscale control server. Tailscale is a beautiful zero-config VPN built on WireGuard, but the official service uses a proprietary control server. Headscale lets you run your own control server, giving you a fully self-hosted Tailscale experience with no subscription fees and complete data sovereignty.

With 37.3K+ GitHub stars and a BSD-3-Clause license, Headscale is the most popular open-source mesh VPN solution, perfect for homelab users, privacy-conscious individuals, and organizations that need a VPN without external dependencies.

What Headscale Does

  • Coordination Server: Manages connections between Tailscale clients
  • Key Distribution: Handles WireGuard key exchange between nodes
  • ACL Management: Fine-grained access control with Tailscale-compatible ACLs
  • Pre-Auth Keys: Generate auth keys for headless device registration
  • DNS Integration: Built-in MagicDNS support for easy device addressing
  • Subnet Routing: Advertise and use local network subnets
  • Exit Nodes: Route all traffic through a designated node
  • OIDC Auth: Integrate with Keycloak, Authentik, Auth0 for user authentication
  • Multi-User: Separate namespaces for different users/teams

Architecture

┌──────────────┐     ┌──────────────┐     ┌──────────────┐
│ Tailscale    │     │  Headscale   │     │ Tailscale    │
│ Client       │────▶│  Server      │◀────│ Client       │
│ (Phone)      │     │  (Go)        │     │ (Laptop)     │
└──────┬───────┘     └──────────────┘     └──────┬───────┘
       │                                         │
       │          Direct WireGuard P2P           │
       └─────────────────────────────────────────┘
                 Encrypted mesh network

Headscale handles coordination only. Actual network traffic flows directly between clients via encrypted WireGuard tunnels.

Self-Hosting

Docker Compose

services:
  headscale:
    image: headscale/headscale:latest
    command: serve
    ports:
      - "8080:8080"
      - "9090:9090"
    volumes:
      - ./config:/etc/headscale
      - headscale-data:/var/lib/headscale
    restart: unless-stopped

volumes:
  headscale-data:

Basic Config

# config/config.yaml
server_url: https://headscale.yourdomain.com
listen_addr: 0.0.0.0:8080
metrics_listen_addr: 127.0.0.1:9090
grpc_listen_addr: 0.0.0.0:50443

private_key_path: /var/lib/headscale/private.key

noise:
  private_key_path: /var/lib/headscale/noise_private.key

prefixes:
  v6: fd7a:115c:a1e0::/48
  v4: 100.64.0.0/10
  allocation: sequential

derp:
  server:
    enabled: false
  urls:
    - https://controlplane.tailscale.com/derpmap/default

database:
  type: sqlite
  sqlite:
    path: /var/lib/headscale/db.sqlite

log:
  level: info

dns_config:
  override_local_dns: true
  nameservers:
    - 1.1.1.1
    - 8.8.8.8
  magic_dns: true
  base_domain: headscale.local

Usage Guide

1. Create a User (Namespace)

docker exec headscale headscale users create myuser

2. Generate Pre-Auth Key

docker exec headscale headscale preauthkeys create \
  --user myuser --reusable --expiration 24h
# Output: your-preauth-key

3. Connect Tailscale Client

# On any Linux/Mac/iOS/Android/Windows device
# Install Tailscale first, then:
tailscale up --login-server=https://headscale.yourdomain.com \
  --authkey=your-preauth-key

4. Verify Connection

# On the Headscale server
docker exec headscale headscale nodes list

# On the client
tailscale status

Key Features

MagicDNS

Automatic DNS resolution for all nodes in your network:

my-laptop.myuser.headscale.local
my-phone.myuser.headscale.local
home-server.myuser.headscale.local

SSH or ping devices by name instead of IP address.

ACL (Access Control Lists)

{
  "groups": {
    "group:admins": ["alice@example.com", "bob@example.com"],
    "group:devs": ["charlie@example.com"]
  },
  "tagOwners": {
    "tag:prod": ["group:admins"],
    "tag:dev": ["group:devs"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["*:*"]
    },
    {
      "action": "accept",
      "src": ["group:devs"],
      "dst": ["tag:dev:*"]
    }
  ]
}
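To reason about what the policy above actually permits before applying it, here is an added Python evaluator (not Headscale's own code) covering only the subset of Tailscale policy syntax this page uses: groups, tagOwners, and accept rules whose dst is "target:port". It treats anything no rule accepts as denied, which is the policy's default, and flags dst tags that have no tagOwners entry.

```python
# Added example: a toy evaluator for the Tailscale-style policy shown above.
# Not Headscale's code; it covers only groups, tagOwners and "accept" rules
# with "target:port" destinations, which is all this page's policy uses.

# The policy from the page, as a Python literal.
POLICY = {
    "groups": {"group:admins": ["alice@example.com", "bob@example.com"],
               "group:devs": ["charlie@example.com"]},
    "tagOwners": {"tag:prod": ["group:admins"], "tag:dev": ["group:devs"]},
    "acls": [
        {"action": "accept", "src": ["group:admins"], "dst": ["*:*"]},
        {"action": "accept", "src": ["group:devs"], "dst": ["tag:dev:*"]},
    ],
}


def expand_src(policy, src):
    """Expand one src entry into the set of user identities it names."""
    if src.startswith("group:"):
        return set(policy["groups"].get(src, []))
    return {src}  # a literal user, or "*" for everyone


def dst_matches(dst, node_tag, port):
    """Match 'target:port' against a node tag and a port; '*' is a wildcard."""
    target, dst_port = dst.rsplit(":", 1)  # "tag:dev:*" -> ("tag:dev", "*")
    return (target in ("*", node_tag)) and (dst_port in ("*", str(port)))


def is_allowed(policy, user, node_tag, port):
    """Default deny: only an explicit accept rule permits user -> node_tag:port."""
    for rule in policy["acls"]:
        if rule.get("action") != "accept":
            continue
        users = set().union(*(expand_src(policy, s) for s in rule["src"]))
        if user not in users and "*" not in users:
            continue
        if any(dst_matches(d, node_tag, port) for d in rule["dst"]):
            return True
    return False


def tags_without_owner(policy):
    """Tags used as ACL destinations that no tagOwners entry lets anyone apply."""
    used = {d.rsplit(":", 1)[0] for r in policy["acls"] for d in r["dst"]}
    return {t for t in used if t.startswith("tag:")} - set(policy["tagOwners"])


if __name__ == "__main__":
    for user, tag in [("alice@example.com", "tag:prod"), ("charlie@example.com", "tag:dev"),
                      ("charlie@example.com", "tag:prod")]:
        print(user, "->", tag + ":22", "allowed" if is_allowed(POLICY, user, tag, 22) else "denied")
    print("unowned tags:", tags_without_owner(POLICY) or "none")
```

Real Headscale also resolves hosts, autogroups, CIDRs, port lists and per-node IPs; this toy deliberately omits them, so use it to sanity-check the intent of a policy, not as the reference implementation.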

Subnet Routing

Advertise your local network through a Headscale node:

# On the router node
tailscale up --advertise-routes=192.168.1.0/24 \
  --login-server=https://headscale.yourdomain.com

# Approve route in Headscale
docker exec headscale headscale routes enable -r 1

Now all Headscale clients can access your home network (192.168.1.0/24), subject to your ACL policy.

Exit Nodes

Use any node as an exit node to route all internet traffic through it:

# Configure a node as exit node
tailscale up --advertise-exit-node \
  --login-server=https://headscale.yourdomain.com

# Use it on another device
tailscale up --exit-node=home-server

Headscale vs Alternatives

Feature             Headscale          Tailscale          NetBird        ZeroTier
Open Source         Yes (BSD-3)        Client only        Yes (BSD-3)    Yes (BSL)
Self-hosted         Yes                No (SaaS)          Yes            Yes
Protocol            WireGuard          WireGuard          WireGuard      Custom
Mobile apps         Yes (via TS)       Yes                Yes            Yes
Setup complexity    Medium             Very easy          Easy           Easy
Free users          Unlimited          100 (free tier)    Unlimited      50 (free)
ACL                 Yes                Yes                Yes            Yes
Use official apps   Yes (Tailscale)    Yes                Custom apps    Custom apps

FAQ

Q: Can I use the official Tailscale client? A: Yes! Headscale's biggest strength is full compatibility with the official Tailscale client. Just pass --login-server pointing to your Headscale server when running tailscale up.

Q: Headscale or NetBird — which should I pick? A: Headscale is compatible with the official Tailscale client (better iOS/Android experience) but its web UI lags behind NetBird's. NetBird has a full web UI but requires its own client. For Tailscale ecosystem maturity, pick Headscale; for management experience, pick NetBird.

Q: Is it suitable for enterprise use? A: Yes. Headscale supports OIDC authentication (integrating with Keycloak, Authentik, and others), has full ACL configuration, and supports user and group management. It runs well for small-to-medium enterprises (100–1000 users).
