Headscale VPN Network
Self-hosted Tailscale control server for complete network sovereignty
SPECIFICATIONS
Status: Complete
Started: 2025-11
Completed: 2025-12
Tech Stack: Go, Docker, WireGuard, Nginx
Tags: [Networking] [Security] [Self-hosted]
STATUS TIMELINE
Proposed → Active → Testing → Complete
DOCUMENTATION
Headscale VPN Network
Replace the Tailscale coordination server with a self-hosted alternative.
Problem Statement
Tailscale is excellent technology, but:
- The control plane is a black box
- The network topology (which devices exist, where they are, who talks to whom) is visible to a third party
- Business decisions at the vendor could affect the service
- No learning opportunity
Solution
Headscale is an open-source, self-hosted implementation of the Tailscale coordination (control) server, written in Go. It speaks the same control protocol as the official server, so the unmodified Tailscale clients work against it; it does not cover every feature of the hosted Tailscale service.
Architecture
              ┌─────────────────┐
              │    Headscale    │
              │  Control Plane  │
              │   (Home Lab)    │
              └────────┬────────┘
                       │
              Symmetric gig fiber
                       │
       ┌───────────────┼───────────────┐
       │               │               │
┌──────┴──────┐ ┌──────┴──────┐ ┌──────┴──────┐
│  Home Lab   │ │   Remote    │ │   Mobile    │
│ 10 devices  │ │  3 devices  │ │  2 devices  │
└─────────────┘ └─────────────┘ └─────────────┘
Components
Control Server
- Runs locally on home infrastructure
- Symmetric gigabit fiber means no need for external hosting
- Handles node registration (pre-auth keys or interactive login)
- Distributes each node's WireGuard public key, endpoints and allowed IPs to its peers (the network map); private keys never leave the node
- Manages ACLs
DERP Relay
- Self-hosted relay (Headscale's embedded DERP server): carries traffic when NAT traversal fails and helps with STUN/hole-punch coordination when it succeeds
- Relayed traffic stays on my infrastructure, and it is still WireGuard-encrypted end to end, so the relay only ever sees ciphertext
- Low latency thanks to the symmetric gig connection
Clients
- Standard Tailscale clients
- Point to custom control server
- No modifications needed
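The three components above come together in one Headscale config file. The fragment below is an added example written for this page, not the project's own config; the hostname headscale.home.example, the file paths and the DERP region values are assumptions, and the key names follow recent (0.23+) releases of Headscale's shipped config-example.yaml, so check them against the version you run. The important security-relevant settings are `derp.urls: []`, which stops Headscale from handing clients Tailscale's public DERP map so relayed traffic never leaves self-hosted infrastructure, and the two private key paths, which must be backed up with the database.

```yaml
# Added example, not the project's own config. Hostname and paths are assumptions.

# Public URL that clients are given with `tailscale up --login-server`.
# Must be HTTPS: Nginx terminates TLS and proxies to listen_addr, and it
# has to pass WebSocket upgrades through for the control connection.
server_url: https://headscale.home.example

listen_addr: 127.0.0.1:8080
metrics_listen_addr: 127.0.0.1:9090

# Server identity keys. Back these up together with the database;
# losing them means re-registering every node.
private_key_path: /var/lib/headscale/private.key
noise:
  private_key_path: /var/lib/headscale/noise_private.key

# Tailnet address space handed out to nodes.
prefixes:
  v4: 100.64.0.0/10
  v6: fd7a:115c:a1e0::/48

derp:
  server:
    # Run the embedded DERP relay on this host instead of Tailscale's relays.
    enabled: true
    region_id: 999
    region_code: homelab
    region_name: Home Lab
    # STUN for NAT discovery; UDP 3478 must be reachable from the internet.
    stun_listen_addr: 0.0.0.0:3478
    automatically_add_embedded_derp_region: true
  # Empty list: do NOT fetch Tailscale's public DERP map. With the default
  # value here, clients would still relay through third-party servers.
  urls: []
  paths: []
  auto_update_enabled: false

database:
  type: sqlite
  sqlite:
    path: /var/lib/headscale/db.sqlite

# ACL policy lives in a file; Headscale enforces default-deny once it is set.
policy:
  mode: file
  path: /etc/headscale/policy.hujson

dns:
  magic_dns: true
  base_domain: ts.home.example
```

With this in place a client joins with `tailscale up --login-server https://headscale.home.example` (optionally `--authkey` with a key minted by `headscale preauthkeys create`); without a pre-auth key the node is approved on the server with `headscale nodes register`. Headscale refuses to start if `dns.base_domain` is a suffix of the `server_url` hostname, which is why the example uses a separate subdomain for MagicDNS names.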
Results
- 15 devices connected
- 3 physical locations
- Zero third-party involvement in the control plane or relays, once Tailscale's default DERP map is removed from the Headscale config in favour of the self-hosted relay
- Zero monthly cost (already paying for the fiber)
Lessons Learned
- WireGuard is incredibly simple once you understand the key exchange
- DERP relays are optional but important for reliability
- ACLs are critical for multi-user setups
- Backups of the SQLite database, together with the server's private key files, are essential
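A concrete multi-user policy for the ACL lesson above, written as an added example rather than taken from the project: the users alice@ and bob@, the group names and tag:server are placeholders, and the trailing-@ user form matches recent Headscale releases (older ones used bare usernames). Headscale's policy language is Tailscale's: every rule is an allow rule, and once a policy file is loaded anything not matched is dropped, which is why the admin rule has to be spelled out.

```json
{
  "groups": {
    "group:admins": ["alice@"],
    "group:family": ["bob@"]
  },
  "tagOwners": {
    "tag:server": ["group:admins"]
  },
  "acls": [
    { "action": "accept", "src": ["group:admins"], "dst": ["*:*"] },
    { "action": "accept", "src": ["group:family"], "dst": ["tag:server:22,443,8443"] },
    { "action": "accept", "src": ["group:family"], "dst": ["group:family:*"] }
  ]
}
```

Rule by rule: admins reach every node on every port; family devices reach only nodes tagged tag:server, on SSH and the two HTTPS ports; family devices can also talk to each other. Nothing else is permitted, so a family device cannot reach an admin's laptop. Only admins may apply tag:server (`tailscale up --advertise-tags=tag:server`, or `headscale nodes tag` on the server), which keeps a non-admin from exposing a machine to the family group by tagging it. Headscale reads the file at startup; restart it after editing the policy.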