I Built My Own VPN with WireGuard and Headscale. Here Is Why You Should Too.


troysk

June 7, 2026 · 2 min read


Tailscale is the easiest VPN to set up: you install it on your devices, log in, and you are connected. It uses WireGuard under the hood and handles all the complexity of NAT traversal and key exchange automatically. But Tailscale depends on its coordination servers to tell your devices how to find each other. If those servers go down, your devices cannot connect, and you are trusting Tailscale's infrastructure with your network topology. Headscale is an open-source implementation of the Tailscale control server: it speaks the same protocol and works with the same clients, but runs on your own infrastructure.

WireGuard is a fast VPN protocol with modern cryptography, built into the Linux kernel. Tailscale adds a coordination layer on top: devices find each other through Tailscale's servers and then connect directly over WireGuard. Headscale replaces Tailscale's servers, so your devices talk to your Headscale instance instead of Tailscale's cloud.

The Docker setup runs Headscale with a data volume and exposes ports for the web interface and for the DERP relay, which handles connections when a direct WireGuard connection is not possible. You run docker compose up, create a user through the command line, and generate a pre-authentication key that your devices use to join.

Connecting devices uses the standard Tailscale app with a flag pointing at your Headscale server. On desktop you run tailscale up with the login server URL and your authentication key. On mobile you open the Tailscale app and enter your custom server URL in the settings. The experience is identical to using Tailscale directly except the coordination happens on your server.

DERP relays handle the case where two devices cannot connect directly because of restrictive NATs or firewalls. Headscale includes a built-in DERP server, so when two devices cannot establish a direct WireGuard connection the traffic is relayed through your DERP server on your own hardware and no third-party relays are involved.

Access control lists let you define which devices can communicate with each other. I have ACLs that let my phone access my server’s services but not connect to other devices on my network. The ACL syntax is straightforward and follows the same patterns as Tailscale’s configuration.
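As an added example (not code from the original post or from the Headscale project), here is a small Python evaluator for a policy written in the shape of a Headscale ACL file. The host names, addresses and ports are assumed placeholders. It shows the default-deny behaviour of such a policy: the phone reaches only the listed ports on the server and nothing else, while the laptop reaches every port on the server.

```python
"""Minimal evaluator for a Headscale/Tailscale-style ACL policy.

Constructed example; device addresses and host aliases are placeholders.
"""
import ipaddress

# Constructed policy in the shape of a Headscale ACL file (JSON/HuJSON).
POLICY = {
    "hosts": {
        "phone": "100.64.0.10",
        "homeserver": "100.64.0.1",
        "laptop": "100.64.0.20",
    },
    "acls": [
        # Phone may reach only SSH and HTTPS on the server, nothing else.
        {"action": "accept", "src": ["phone"], "dst": ["homeserver:22,443"]},
        # Laptop may reach every port on the server.
        {"action": "accept", "src": ["laptop"], "dst": ["homeserver:*"]},
    ],
}


def _resolve(policy, name):
    """Expand a host alias (or a literal IP/CIDR) into an ip_network."""
    return ipaddress.ip_network(policy["hosts"].get(name, name), strict=False)


def _dst_matches(policy, dst_spec, ip, port):
    """Check a 'host:ports' destination spec against an address and port."""
    host, _, ports = dst_spec.rpartition(":")
    if ip not in _resolve(policy, host):
        return False
    if ports == "*":
        return True
    for entry in ports.split(","):          # e.g. "22,443" or "8000-8080"
        low, _, high = entry.partition("-")
        if int(low) <= port <= int(high or low):
            return True
    return False


def is_allowed(policy, src_ip, dst_ip, dst_port):
    """Default deny: a flow is allowed only if some accept rule matches it."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in policy["acls"]:
        if rule["action"] != "accept":
            continue
        if not any(src in _resolve(policy, s) for s in rule["src"]):
            continue
        if any(_dst_matches(policy, d, dst, dst_port) for d in rule["dst"]):
            return True
    return False
```

Note that rules describe who may initiate a connection; a device that is not named as a source in any rule cannot open connections to anything.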

The comparison with Cloudflare Tunnel comes up often and the answer is that they serve different purposes. Cloudflare Tunnel is for exposing services to the internet with DDoS protection and edge caching. Headscale with WireGuard is for connecting your devices privately and accessing your server’s SSH and admin interfaces remotely. I use both and they complement each other perfectly.

Tailscale is great but depending on their coordination servers is a risk. Headscale gives you the same experience on your own infrastructure with the same clients and the same ease of use.

Subscribe to the newsletter to keep getting similar posts about self-hosting, networking and security.
