Open-source network control plane, honestly reviewed. What you actually get when you stop trusting Tailscale’s servers.

TL;DR

What it is: An open-source, self-hosted reimplementation of the Tailscale coordination server — the missing piece that lets you run a private WireGuard mesh network without touching Tailscale’s cloud [1][5].
Who it’s for: Homelab operators, self-hosting enthusiasts, and small organizations who want the convenience of Tailscale’s overlay networking but won’t accept a control plane they don’t own [2][5].
Cost savings: Tailscale’s free tier caps at 3 users and 100 devices; paid plans start around $6/user/month. Headscale is free software — your only cost is a cheap VPS or the server you already own [5].
Key strength: It works with official Tailscale clients. You don’t learn a new client stack — you keep using the same apps but point them at your own server [1][2].
Key weakness: Not a full Tailscale replacement. Dynamic ACLs, Funnel, Serve, network flow logs, and tailnet lock are absent. If your setup depends on any of these, stop reading and stay on Tailscale [5].

What is Headscale

Tailscale solves a real problem: connecting devices across networks, firewalls, and NAT without opening ports. It does this using WireGuard as the transport layer and a coordination server — the control plane — that handles key exchange, IP assignment, route advertisement, and network policy. Everything in Tailscale is open source except two things: the GUI clients for Windows and macOS/iOS, and that control server [README].

Headscale reimplements only the control server. The WireGuard protocol, the NAT traversal logic, and the official Tailscale clients all remain unchanged. When you install Headscale, you’re replacing one piece: the part that usually phones home to controlplane.tailscale.com [1][5].

The project comes from Juan Font and Kristoffer Dalby — the latter is now a Tailscale employee, officially allowed to spend work hours contributing to Headscale. Tailscale the company has publicly acknowledged this arrangement [README]. That’s an unusual situation worth understanding: one of the two main maintainers of the “Tailscale alternative” is on Tailscale’s payroll. In practice it seems to have been a net positive for the project’s quality and integration fidelity, but it means Headscale’s scope is explicitly shaped to not threaten the commercial product.

That scope constraint is stated plainly in the README: “Headscale aims to implement a self-hosted, open source alternative to the Tailscale control server. Headscale’s goal is to provide self-hosters and hobbyists with an open-source server they can use for their projects and labs. It implements a narrow scope, a single Tailscale network (tailnet), suitable for a personal use, or a small open-source organisation.” [README]

That word “narrow” is doing real work. Come in with the right expectations and Headscale is excellent. Come in expecting a full Tailscale drop-in and you’ll be disappointed by the list of missing features.

The project has 36,556 GitHub stars under a BSD-3-Clause license, presented at FOSDEM in both 2023 and 2026, and has an active Discord community [README].

Why people choose it

The core appeal is sovereignty over your networking stack. Every article on Headscale circles back to the same concern: Tailscale is excellent software operated by a company whose policies, pricing, and continued existence you’re betting on [2][5].

A VirtualizationHowTo writeup [2] from 2023 frames it as enterprise and homelab users wanting to “maintain complete control over their VPN mesh networking implementation” without “external dependencies.” That’s the cleaner pitch for the technical audience. For self-hosters, the XDA piece [5] is more direct: the author wanted to cut reliance on cloud infrastructure where “things inside my network still run even when the internet is down.”

The Medium tutorial series [1] positions it differently — as the practical path for people who already accept Tailscale’s networking model but want to run the coordination layer themselves. The author treats Headscale as infrastructure hygiene, not ideology.

What unites all of these: nobody switches to Headscale because it’s easier than Tailscale. They switch because they’ve decided the control plane dependency is a risk worth eliminating, and Headscale is the cleanest way to do that while keeping the Tailscale client experience [1][2][5].

Features

Based on the README, documentation, and third-party coverage:

What Headscale does:

Replaces the Tailscale coordination server entirely — handles WireGuard key exchange, IP assignment, and route management for your tailnet [1][README]
Works with official Tailscale clients on all platforms (Android, iOS, Linux, Windows, macOS) [1][README]
Runs as a single binary with a SQLite or PostgreSQL backend [README]
Includes an embedded DERP server to manage NAT traversal when direct connections fail [5]
Full CLI management via the headscale command
GUI available through the third-party Headplane project, which makes the interface look similar to the Tailscale web console [5]
NixOS module included for NixOS users [README]
Pre-auth keys, user namespaces, and route advertisement [4]
REST API for management operations

What Headscale does NOT do (compared to Tailscale):

No dynamic ACLs [5]
No Tailscale Funnel or Tailscale Serve [5]
No network flow logs [5]
No tailnet lock [5]
No high-availability DERP server cluster — the embedded DERP is a single point of failure [5]
Single tailnet only — no multi-tenancy, no multi-org segmentation [5][README]

The Funnel/Serve gap is the one most likely to catch people off-guard. Tailscale Funnel lets you expose a local service to the public internet through Tailscale’s infrastructure without opening ports. Serve lets you share services within your tailnet without the client running a full server process. Both are absent in Headscale [5]. If you’re using either feature today, Headscale is not a migration path — it’s a different tool.

Pricing: SaaS vs self-hosted math

Tailscale (the natural comparison):

Free tier: up to 3 users, 100 devices, basic ACLs
Starter: approximately $6/user/month for additional users and features
Business: approximately $18/user/month for SSO, network flow logs, and enterprise controls
All tiers: control plane hosted by Tailscale

ZeroTier (listed competitor in the profile):

Free: up to 25 devices, basic networks
Paid plans: metered by device count, not user count
Control plane: ZeroTier-hosted by default; self-hosted option exists (ZeroTier One is open-source)

Headscale self-hosted:

Software: $0 (BSD-3-Clause) [README]
VPS to run the control server: $4–8/month on Hetzner, Contabo, or any provider
Your time: real setup cost, discussed below

The math for a small team of 5 people connecting 15 devices: On Tailscale’s paid tiers, 5 users at $6/month is $30/month, $360/year. Headscale on a $5 Hetzner VPS is $60/year. The savings aren’t dramatic at small scale the way they are for task-based tools like Zapier, because Tailscale’s per-user pricing isn’t punitive. The case for Headscale at small scale is control and permanence, not pure cost savings.

The math changes when you’re connecting many devices to a homelab or small org network. Tailscale’s free tier is genuinely generous (100 devices, 3 users) — a solo homelab operator might never need to pay. The real saving is: if Tailscale ever changes those terms, raises prices, or shuts down, your network keeps running [2][5].

Deployment reality check

The XDA Developers review [5] is the most honest account of what actually happens when you deploy Headscale:

What you need:

A publicly reachable server with a real IPv4 and IPv6 address — this is non-negotiable. If your VPS or home server is behind CGNAT, Headscale won’t work as intended [5]. Many consumer ISPs and mobile providers use CGNAT, which means the XDA author’s preferred setup (running on his own hardware) was blocked: “I don’t want a static IP at home and while I could run Headscale on a cheap VPS, that puts my tailnet infrastructure on hardware I don’t control, which is the whole point of using Headscale in the first place.” That’s a genuine irony worth sitting with.
A domain name pointing at your server
Basic Linux administration skills: systemd, config files, firewall rules

What the setup looks like: The Lawrence Systems tutorial [4] timestamps the process: config file editing (~5 minutes), creating namespaces and keys (~10 minutes), connecting clients and allowing routes (~15 minutes). For an experienced self-hoster, a working Headscale instance with a couple of connected clients takes under an hour. The official documentation is considered solid for the stable release.

What can go sideways:

CGNAT kills the whole project if you wanted to self-host at home [5]
The embedded DERP server is a single point of failure — if it goes down, devices that can’t establish direct peer connections lose connectivity [5]
No official support for reverse proxies or Docker, per the README. The docs explicitly say: “Please note that we do not support nor encourage the use of reverse proxies and container to run Headscale.” [README] This is unusual and frustrating if your homelab runs everything in Docker.
The CLI is the primary interface. The author of [5] walked back earlier complaints once they discovered Headplane (a third-party GUI), but you’re depending on a separate project to get a web UI.

Realistic time estimate for a technically capable self-hoster: 30–90 minutes to a working instance with the first client connected. For someone newer to Linux server management: half a day, including troubleshooting the networking.

Pros and Cons

Pros

Works with official Tailscale clients. You don’t need to replace client software on every device. The same app your team already uses, pointed at your server [1][2].
BSD-3-Clause license. Genuinely permissive — no commercial-use restrictions, no “fair code” complications [README].
36,556 GitHub stars. Not a side project. The community is active and the project has long-term institutional support given the Tailscale maintainer involvement [README].
Removes the cloud dependency. The specific risk of Tailscale changing terms, raising prices, or going under is eliminated. Your network coordination lives on your infrastructure [2][5].
Presented at FOSDEM twice. The 2026 FOSDEM talk was titled “Headscale & Tailscale: The complementary open source clone” — a signal that both communities view the relationship as healthy [README].
NixOS module included. Niche, but NixOS users know this matters for reproducible infrastructure.
Headplane GUI option. The CLI is manageable, and Headplane provides a familiar web interface for those who need it [5].

Cons

CGNAT kills it. If you or your users are on ISPs or networks using CGNAT (common in many countries), Headscale can’t function as a control plane without a separate VPS — which undermines the “own your infrastructure” premise [5].
Missing features that some Tailscale users rely on. Funnel, Serve, dynamic ACLs, network flow logs, tailnet lock — these are absent and not on the roadmap [5]. Check your current Tailscale usage before committing.
No Docker support (officially). The README explicitly discourages running Headscale in Docker or behind a reverse proxy. For homelabs where everything runs in containers, this is a non-trivial friction point [README].
Single DERP point of failure. The embedded DERP server handles NAT traversal fallback. Unlike Tailscale’s globally distributed DERP network, yours is one server — if it goes down, affected peers lose connectivity [5].
Single tailnet, by design. If your network segmentation relies on multiple tailnets, Headscale can’t support it. This is a deliberate scope decision, not an oversight [README][5].
Not officially supported by Tailscale. Using Headscale means you’re outside Tailscale’s support scope. The clients work, but you’re on your own when they don’t.

Who should use this / who shouldn’t

Use Headscale if:

You’re already using Tailscale and the thought of your entire private network depending on a commercial control plane bothers you.
You have a homelab or small org and want permanent, vendor-independent mesh networking.
You have a public IP (or are willing to run on a cheap VPS) and basic Linux admin skills.
You don’t rely on Tailscale Funnel, Serve, or dynamic ACLs.
You want the Tailscale client experience without any cloud dependency.

Don’t use Headscale if:

You’re behind CGNAT and don’t want to run the control server on a VPS. The architecture doesn’t work around it [5].
You use Tailscale Funnel to expose services to the public internet. There is no replacement in Headscale [5].
You need high availability. One Headscale instance with one embedded DERP is a single point of failure [5].
You’re non-technical and not comfortable with Linux servers, config files, and CLI tools. Headscale has no managed option — there’s no “Headscale Cloud” [README].
Your team is larger than a small working group. The single-tailnet scope becomes a constraint at org scale [README].

Stay on Tailscale if:

The free tier (3 users, 100 devices) covers you and you have no philosophical objection to cloud control planes.
You rely on Funnel, Serve, or tailnet lock.
You want zero infrastructure responsibility.

Alternatives worth considering

Tailscale — the original. Easiest setup, most features, global DERP network, commercial control plane. Free tier is genuinely useful for individuals [5].
ZeroTier — older mesh VPN technology, also open-source (BSL license). The ZeroTier One controller is self-hostable. Less polished client experience than Tailscale but more mature multi-tenancy story [profile].
NetBird — fully open-source (Apache 2.0), fully self-hostable control plane including the management server, signal server, and TURN/STUN infrastructure. Designed from the start for self-hosting, unlike Headscale which retrofits it. Mentioned in the XDA piece as one of the tools that “officially support a fully self-hosted version” [5].
Pangolin — also cited by the XDA author as offering a fully self-hosted option [5]. Newer, less community track record.
WireGuard (raw) — if you’re comfortable managing keys and routing manually, raw WireGuard is the zero-dependency choice. No control plane software required, maximum simplicity, maximum manual work.
OpenVPN / WireGuard with a management UI (PiVPN, WG-Easy) — traditional hub-and-spoke VPN. Less elegant than mesh networking but fully understood, widely documented, and has no control plane to run.

For homelab operators the realistic shortlist is Headscale vs NetBird vs raw WireGuard. Pick Headscale if you want the Tailscale client experience and can live with its constraints. Pick NetBird if you want a fully self-hosted stack designed for that use case from day one. Pick raw WireGuard if you want zero third-party software.

Bottom line

Headscale delivers exactly what it says: a self-hosted Tailscale control plane that lets you use official Tailscale clients without calling home to Tailscale’s servers. For homelab operators and sovereignty-minded self-hosters who already understand and like Tailscale’s networking model, it’s a clean solution with strong community support and a maintainer relationship with Tailscale itself. The 36,000+ GitHub stars and back-to-back FOSDEM appearances aren’t hype — this is a real, maintained project.

The constraints are real too. CGNAT stops it cold. The missing features (Funnel, Serve, dynamic ACLs, tailnet lock) mean it’s a subset of Tailscale, not a replacement. The no-Docker, no-reverse-proxy stance creates friction in containerized homelabs. And one honest self-hoster [5] put the central irony clearly: if the point is to avoid putting your infrastructure on hardware you don’t control, running Headscale on a VPS trades one cloud dependency for another. Whether that trade is worth it depends on your threat model.

If you’ve audited your Tailscale usage, confirmed you don’t rely on the missing features, have a public IP, and the idea of owning your network’s control plane matters to you — Headscale is the right tool. If any of that sounds uncertain, spending an afternoon on the documentation before committing is the right move.

Sources

Umair, Medium — “Building a Self-Hosted Tailscale Network with Headscale Part 1 of 3” (March 5, 2026). https://medium.com/@u.mair/building-a-self-hosted-tailscale-network-with-headscale-06e15298870c
VirtualizationHowTo — “Headscale: Awesome Self-Hosted Tailscale Control Server” (May 2023). https://www.virtualizationhowto.com/2023/05/headscale-awesome-self-hosted-tailscale-control-server/
SourceForge — “NetBird Reviews in 2026” (alternatives listing including ZeroTier, Twingate, and WireGuard-based options). https://sourceforge.net/software/product/NetBird/
Lawrence Systems Forums — “Tutorial: Using Tailscale VPN with the Self Hosted Headscale Controller” (July 2022). https://forums.lawrencesystems.com/t/tutorial-using-tailscale-vpn-with-the-self-hosted-headscale-controller-youtube-release/14809
Joe Rice-Jones, XDA Developers — “I switched to Headscale instead of Tailscale, but most people probably shouldn’t” (October 26, 2025). https://www.xda-developers.com/headscale-instead-of-tailscale-brings-headaches/

Primary sources:

GitHub repository and README: https://github.com/juanfont/headscale (36,556 stars, BSD-3-Clause license)
Official documentation: https://headscale.net/stable/
FOSDEM 2026 talk: https://fosdem.org/2026/schedule/event/KYQ3LL-headscale-the-complementary-open-source-clone/
FOSDEM 2023 talk: https://fosdem.org/2023/schedule/event/goheadscale/

Replaces

Zerotier

3 tools

Compare Headscale

Headscale vs

Netbird

Both Headscale and Netbird are strong open-source options in the networking space. Headscale has 36k GitHub stars and Netbird has 24k. Compare their features, deployment, and community to choose the right fit for your needs.

Related Networking & VPN Tools

View all 99 →

Caddy

71K

A fast, extensible web server with automatic HTTPS — zero-config TLS certificates for every site, built-in reverse proxy, and a simple Caddyfile config format.

networking Apache-2.0

Traefik

62K

Cloud-native application proxy and ingress controller that auto-discovers services and handles TLS certificates, load balancing, and routing with zero manual configuration.

networking MIT