What Is Headscale? Self-hosted Tailscale Control Server Explained

Timo Wevelsiep - Updated: 30.06.2026

Editorial note: Versions, commands and prices may change. Please verify critical steps independently before production use. This guide does not replace individual consulting.

Remote-maintaining distributed infrastructure on your own terms? WZ-IT builds remote-management platforms with a self-hosted WireGuard mesh as the network backend. See our remote-management platforms

Headscale is an open-source, self-hosted implementation of the Tailscale control server - the coordination server that steers a WireGuard-based mesh network, without making you depend on the Tailscale cloud. Tailscale has two parts: a control plane that distributes keys, routes and access rules, and a data plane of direct WireGuard tunnels. That control plane is proprietary and cloud-only in Tailscale. Headscale reimplements exactly this server as open source so you can run it on your own infrastructure - while reusing the official, unmodified Tailscale clients. As of mid-2026 Headscale is at version v0.29.1 (18 June 2026, github.com/juanfont/headscale) under the BSD-3-Clause license.


How Headscale works

Headscale takes the role of the control plane in a Tailscale network, the so-called tailnet. Like Tailscale itself, it cleanly separates control from data traffic:

  • Coordination (control plane): The Headscale instance holds the network state. It registers devices (via pre-auth key or single sign-on), manages their public WireGuard keys, assigns IP addresses from the tailnet range and distributes the network map (which peer may reach which) to all nodes.
  • Data plane (WireGuard): The actual traffic does not flow through Headscale but as a direct, encrypted WireGuard tunnel between peers. Clients use NAT traversal to find a direct peer-to-peer route wherever possible. More on the data plane in our WireGuard expertise.
  • DERP relays: When no direct connection is possible (strict NAT, firewalls), the tunnel runs over a DERP relay. Headscale ships an embedded DERP server and can additionally fall back to Tailscale's public DERP relays. Because WireGuard is end-to-end encrypted, the relay only ever sees ciphertext.
  • ACLs and MagicDNS: Access is governed by an ACL policy (which users and groups may reach which destinations and ports). MagicDNS resolves nodes by name instead of IP. Devices can register via OpenID Connect (OIDC) single sign-on; on top of that, exit nodes, subnet routers and Tailscale SSH are supported.
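
As an added example (not Headscale's own code and not part of the original article), the sketch below evaluates a constructed Tailscale-style ACL policy in the way the last bullet describes, and flags an accept rule that opens every destination to every source. It assumes the `groups`/`hosts`/`acls` JSON shape, compares destinations as literal names, and treats anything not matched by an accept rule as denied; `SAMPLE_POLICY` and all function names are illustrative.

```python
import json

# Constructed sample policy in the Tailscale-style JSON shape (not from the article).
SAMPLE_POLICY = json.loads("""
{
  "groups": {"group:ops": ["alice@", "bob@"]},
  "hosts":  {"web-1": "100.64.0.10/32", "db-1": "100.64.0.20/32"},
  "acls": [
    {"action": "accept", "src": ["group:ops"], "dst": ["web-1:22,443"]},
    {"action": "accept", "src": ["carol@"],    "dst": ["db-1:5432"]},
    {"action": "accept", "src": ["*"],         "dst": ["*:*"]}
  ]
}
""")

def split_dst(dst):
    """Split 'host:ports' on the last colon; ports may be '*', '22', '22,443' or '8000-8100'."""
    host, _, ports = dst.rpartition(":")
    return host, ports

def port_matches(ports, port):
    if ports == "*":
        return True
    for part in ports.split(","):
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def src_matches(policy, src, user):
    return src in ("*", user) or user in policy.get("groups", {}).get(src, [])

def is_allowed(policy, user, host, port):
    """True only if some accept rule matches; everything else is denied (assumption)."""
    for rule in policy.get("acls", []):
        if rule.get("action") != "accept":
            continue
        if not any(src_matches(policy, s, user) for s in rule["src"]):
            continue
        for dst in rule["dst"]:
            d_host, d_ports = split_dst(dst)
            if d_host in ("*", host) and port_matches(d_ports, port):
                return True
    return False

def audit_wildcards(policy):
    """Return indexes of accept rules that let any source reach any host on any port."""
    return [i for i, r in enumerate(policy.get("acls", []))
            if r.get("action") == "accept" and "*" in r["src"] and "*:*" in r["dst"]]
```

Running `audit_wildcards` over a policy before loading it catches the allow-all rule that silently cancels every narrower rule above it.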

Current version and license

Headscale is released under the permissive BSD-3-Clause license, making it fully free and open source. The current stable version is v0.29.1, dated 18 June 2026 (releases). The project is maintained by Juan Font Alonso and Kristoffer Dalby; one maintainer is employed by Tailscale and is allowed to contribute during work hours, with the other maintainers reviewing his contributions. The project is explicitly not affiliated with Tailscale Inc.

Important for expectations: Headscale deliberately keeps a narrow feature scope - a single tailnet, intended for self-hosters, hobbyists and small (open-source) organisations. It is not a drop-in replacement for every enterprise feature of the Tailscale cloud.

Headscale vs. Tailscale

Both worlds share the same data plane (WireGuard) and the same official Tailscale clients. The difference lies solely in the control plane:

  • Tailscale: The coordination server is proprietary and offered only as a managed cloud service. Convenient, but the control plane sits with the vendor.
  • Headscale: An open-source reimplementation of exactly that server that you host yourself. You simply point the Tailscale client at your Headscale instance (login-server flag) instead of the Tailscale cloud.

In practice you get Tailscale's mature client experience - including MagicDNS, exit nodes and Tailscale SSH - while keeping key distribution, routes, access rules and audit data inside your own infrastructure. Our Headscale expertise goes deeper into deployment and operations.

Headscale vs. NetBird

Headscale and NetBird solve a similar problem (self-hosted WireGuard mesh with central control) but approach it differently:

  • Headscale is a pure control server. It only replaces the Tailscale coordination server and leans entirely on the Tailscale ecosystem and its official clients. It has no official web UI - administration runs via CLI and configuration file. Dashboards exist only as community projects (for example headscale-ui, Headplane, headscale-admin) that are not maintained by the authors.
  • NetBird is a full platform. It brings its own clients, a web dashboard, built-in identity / OIDC IdP integration, access policies, posture checks and a Kubernetes operator. More on that in our NetBird expertise.

Rule of thumb: Headscale is the lean, Tailscale-compatible control plane for CLI-minded operators; NetBird is the batteries-included platform when you want UI, IdP and policy management from a single source.

Self-hosted instead of cloud: what you gain

The core benefit of Headscale is sovereignty. You run the coordination server yourself - typically on a small VM - and keep full control over:

  • Keys and membership: Only your instance decides which devices belong to the tailnet.
  • Data location: The control plane and its metadata stay in your infrastructure, for example inside the EU - relevant for regulation such as the NIS2 directive. This article is general information, not legal advice.
  • No external dependency: Your network works independently of a cloud vendor's availability or pricing.

The trade-off is operational responsibility: updates, database backups, reachability of the control server and, if needed, your own DERP server are on you.

Headscale vs. Tailscale vs. NetBird vs. plain WireGuard

| Criterion | Headscale | Tailscale | NetBird | Plain WireGuard |
| --- | --- | --- | --- | --- |
| Control plane | open-source reimplementation | proprietary, cloud-only | open source, self-hostable | none |
| License | BSD-3-Clause | clients BSD-3, control plane SaaS | BSD-3 (clients) + AGPLv3 (server) | GPLv2 |
| Data plane | WireGuard | WireGuard | WireGuard | WireGuard |
| Clients | official Tailscale clients | Tailscale clients | own NetBird clients | wg / wg-quick |
| Web dashboard | no (community UIs) | yes | yes | no |
| SSO / IdP | OIDC (device registration) | yes | yes (OIDC, built-in) | no |
| Access rules | ACL policy | yes | yes (default-deny) | manual (AllowedIPs) |
| Target audience | self-hosters, small orgs | teams/enterprise (cloud) | teams/enterprise (self-hosted) | static topologies |

When Headscale, when NetBird, when plain WireGuard

  • Headscale, when you value the mature Tailscale client experience but want to self-host the control plane and are comfortable with CLI and config-file operations. Ideal for homelabs, small organisations and sovereignty-driven setups with a manageable number of nodes.
  • NetBird, when you need a complete self-hosted platform with a web dashboard, built-in IdP, fine-grained policies, posture checks and Kubernetes integration - without having to manage Tailscale client compatibility yourself.
  • Plain WireGuard, when your topology is small and static - a handful of fixed point-to-point or site-to-site links without dynamic membership management. Our guide WireGuard for site connectivity shows what that looks like in practice.

Use cases and our take at WZ-IT

Headscale is a strong choice when Tailscale's mechanics convince you but depending on the Tailscale cloud is off the table. In typical scenarios it connects distributed servers, edge devices and admin access into one private mesh through which technicians reach SSH, RDP or web interfaces - without open inbound ports at the site.

At WZ-IT we build sovereign remote-management and remote-maintenance platforms on a self-hosted WireGuard mesh as the network backend, combined with an auditable access layer (browser gateway, RBAC, audit trail). Whether Headscale, NetBird or plain WireGuard is the right control plane depends on node count, ease of use and compliance requirements - we choose per project. Our ABCO Water Systems case study shows what that looks like in production for distributed plants in Australia. On request we handle design, build and operations end to end as part of our remote-management platforms.


Frequently Asked Questions

Answers to the most important questions

Headscale is an open-source, self-hosted implementation of the Tailscale control server, the coordination server. It builds a WireGuard-based mesh network without making you depend on the Tailscale cloud. You run the control server yourself and connect devices into one private network (tailnet) using the official Tailscale clients.

Yes. Headscale is released under the permissive BSD-3-Clause license and is free. The current version is v0.29.1 (18 June 2026). The project is not affiliated with Tailscale Inc. and is maintained by Juan Font Alonso and Kristoffer Dalby; one maintainer is employed by Tailscale.

Both use WireGuard as the data plane and the same official Tailscale clients. Tailscale's coordination server is proprietary and runs cloud-only. Headscale is an open-source reimplementation of exactly that server that you host yourself. The control plane (key distribution, routes, access rules) stays under your own control.

Headscale only replaces the Tailscale control server and reuses the official Tailscale clients; it deliberately has a narrow feature scope and no official web UI. NetBird is a full, standalone platform with its own clients, a web dashboard and built-in identity/OIDC integration. Both use WireGuard as the data plane.

No. Headscale ships no built-in web interface; administration runs via CLI and a configuration file. Several community projects such as headscale-ui, Headplane or headscale-admin add a dashboard, but they are not maintained by the Headscale authors.

Headscale uses the official, unmodified Tailscale clients for Linux, Windows, macOS, iOS and Android. You point the client at your Headscale instance via a login-server flag instead of the Tailscale cloud. Features such as MagicDNS, exit nodes, subnet routers and Tailscale SSH are supported.

Headscale fits when you want the Tailscale client experience but self-hosted control and are comfortable with CLI operations. NetBird fits when you need a complete self-hosted platform with dashboard, IdP and policies. Plain WireGuard fits small, static point-to-point or site-to-site links without dynamic membership management.
