
Understanding Headscale - The Self-Hosted Control Plane

DevOps & Cloud Engineer. Building on AWS, containerising things, occasionally breaking prod. Writing about infrastructure, automation, and the stuff I wish someone had documented better.

I only recently discovered Tailscale, and honestly it's one of those tools where you set it up once and forget it exists - your devices just talk to each other, no port forwarding, no complex firewall rules, no thinking. It's magic.

But there's a catch I kept coming back to: Tailscale runs the part that actually matters.


What Even is Tailscale?

At its core, Tailscale is a VPN built on WireGuard. If you haven't used WireGuard, it's a modern VPN protocol that's faster and simpler than older options like OpenVPN or IPsec. Tailscale takes WireGuard and wraps it in a layer that makes the setup dead simple.

The part people don't think about is that WireGuard itself is just the tunnel. Something still needs to manage which devices are allowed in, distribute public keys, and keep track of who's talking to whom. That's the coordination server - and with Tailscale, that's their infrastructure, not yours.

For most people that's completely fine. But if you're running anything sensitive, or you just like owning your stack, it starts to feel uncomfortable.


The Coordination Server - What Does It Actually Do?

Think of it as a directory for your private network. When your laptop wants to talk to your home server, it doesn't magically know where to find it. The coordination server handles:

  • Device registration - when a new device joins, it gets enrolled here
  • Key exchange - devices swap WireGuard public keys through it so they can build encrypted tunnels directly
  • Access rules - who can talk to what
  • DERP relays - when two devices can't connect directly (NAT, firewalls), the still-encrypted WireGuard traffic gets relayed through Tailscale's DERP servers

Importantly, after the key exchange happens, the actual VPN traffic goes directly between your devices. The coordination server never sees your traffic (and a relay only ever sees ciphertext). But it does see your device list, your network topology, and your access policy. That's the sensitive bit.


Enter Headscale

Headscale is an open-source reimplementation of the Tailscale coordination server. Same Tailscale clients on your devices, same WireGuard underneath - you just swap out the control plane for one you run yourself.

You point your Tailscale clients at your Headscale server instead of Tailscale's servers:

tailscale up --login-server=https://your-headscale-domain.com

That's it. From the client's perspective nothing changed. From your perspective, you now own the whole thing.


Why Would You Want This?

Privacy. Your device list, your network map, your access rules - none of it leaves your infrastructure. With managed Tailscale you're trusting a third party with your network topology.

Cost. Tailscale's free tier has a device limit. Headscale has no limits - you're only constrained by whatever you're running it on.

Control. You decide when to update, what version to run, and what the access policy looks like. No dependency on someone else's uptime.
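Since the access policy is the one part of the control plane you now own outright, it's worth sanity-checking before you load it. What follows is an added example, not code from this post or from the Headscale project: a small Python linter that parses a policy file in the HuJSON format Headscale and Tailscale both read (a document with an `acls` list whose rules carry `action`, `src` and `dst` fields, plus `groups` and `hosts` maps) and flags rules that make every device reachable from every device. The sample policy, its group and host names, and the function names are constructed for this example; the linter does not resolve `hosts` or `groups` the way Headscale does, it only inspects the literal wildcards.

```python
"""Added example (not from the original post or the Headscale project):
a small linter for a Headscale/Tailscale-style ACL policy file.

The policy format is HuJSON: JSON plus // and /* */ comments and
trailing commas. Rules live in "acls" as {"action", "src", "dst"},
with "dst" entries written as "host:port". The sample policy below
is constructed for this example.
"""
import json
import re

# Constructed sample: one sensible rule, one rule that opens the whole mesh.
SAMPLE_POLICY = r'''
{
  // groups map a name to the users that belong to it
  "groups": {
    "group:admins": ["alice"],
  },
  "hosts": {
    "homeserver": "100.64.0.10",
  },
  "acls": [
    // admins may reach the home server on SSH only
    { "action": "accept", "src": ["group:admins"], "dst": ["homeserver:22"] },
    // this one makes every device reachable from every device
    { "action": "accept", "src": ["*"], "dst": ["*:*"] },
  ],
}
'''

# Destination hosts that mean "anything" in the policy language.
WIDE_OPEN_HOSTS = {"*", "0.0.0.0/0", "::/0"}


def load_hujson(text: str) -> dict:
    """Strip the comments and trailing commas HuJSON permits, then parse as JSON.

    String literals are matched first and preserved unchanged, so a "//"
    inside a URL or a comma inside a string is never touched.
    """
    def drop_comment(m):
        return m.group(1) if m.group(1) is not None else ""

    no_comments = re.sub(
        r'("(?:\\.|[^"\\])*")|//[^\n]*|/\*.*?\*/',
        drop_comment, text, flags=re.S,
    )

    def drop_trailing_comma(m):
        return m.group(1) if m.group(1) is not None else m.group(2)

    cleaned = re.sub(r'("(?:\\.|[^"\\])*")|,(\s*[}\]])', drop_trailing_comma, no_comments)
    return json.loads(cleaned)


def split_dst(entry: str):
    """'host:port' -> (host, port); the last ':' separates them so IPv6 hosts survive."""
    host, _, port = entry.rpartition(":")
    return host, port


def lint_policy(text: str) -> list:
    """Return one finding per rule that opens the mesh more widely than intended."""
    policy = load_hujson(text)
    findings = []
    for i, rule in enumerate(policy.get("acls", [])):
        src = rule.get("src", [])
        dst = rule.get("dst", [])
        any_src = "*" in src
        open_hosts = [d for d in dst if split_dst(d)[0] in WIDE_OPEN_HOSTS]
        all_ports = [d for d in open_hosts if split_dst(d)[1] == "*"]
        if any_src and all_ports:
            findings.append(f"rule {i}: any device may reach any device on any port ({rule})")
        elif any_src:
            findings.append(f"rule {i}: source '*' lets every device reach {dst}")
        elif all_ports:
            findings.append(f"rule {i}: destination allows all hosts on all ports from {src}")
    return findings


if __name__ == "__main__":
    for finding in lint_policy(SAMPLE_POLICY):
        print(finding)
```

Run it against the policy file before handing it to Headscale; a clean run prints nothing, and each finding names the rule index so you can go straight to the offending entry. The checks are deliberately literal: a rule that reaches "everything" through a broad `hosts` entry or an autogroup won't be caught, so treat this as a first pass, not a substitute for reading the policy.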


Who Should Actually Use It?

Honest answer: not everyone.

Managed Tailscale is genuinely excellent. The setup is 5 minutes, the mobile apps are polished, and you get features like MagicDNS and the admin console without any effort. If that works for you, use it.

Headscale is for people who want to go deeper - comfortable running and maintaining a server, happy to trade some convenience for full ownership, and curious about how the coordination layer actually works under the hood.

I built this project to deploy Headscale on AWS ECS Fargate. That said, I'm also exploring a more cost-effective option using EC2 and an Elastic IP - the ECS setup makes for a solid portfolio piece, but for personal long-term use the simpler approach wins.
