Most teams first hear about Headscale as "self-hosted Tailscale," and that shorthand is useful only for about ten seconds. After that, it starts to blur the important part. Headscale is not trying to become a universal network appliance. The project's own README describes it more narrowly: an open-source, self-hosted implementation of the Tailscale control server, aimed at self-hosters, hobbyists, and small open-source organizations, with a deliberately limited scope around a single tailnet.[1]

That narrowness is exactly why the project is interesting. The control server is where node registration, address assignment, user boundaries, route exposure, and policy coordination get decided.[1][3][5] If you want those decisions inside your own infrastructure rather than inside a hosted SaaS plane, Headscale gives you a credible path. But the docs also make clear that the rest of the story does not disappear. Identity still has to be wired cleanly, subnet routers and exit nodes still need explicit approval, and relay topology still matters whenever peers cannot connect directly.[2][3][4]

As of 2026-04-10T07:05:10Z UTC, the GitHub API reports 37,257 stars, 2,011 forks, 131 open issues, and a most recent push at 2026-04-09T17:42:25Z for juanfont/headscale.[6] Recent releases include the stable v0.28.0 on 2026-02-04, following v0.28.0-beta.2 on 2026-01-22 and v0.28.0-beta.1 on 2025-12-18.[7] Those numbers do not prove architectural quality by themselves, but they do show that Headscale is not a frozen side project. It is an active, visible control-plane implementation with a real release line.

Image context: the cover uses a real GitHub portrait of Juan Font rather than a tunnel diagram or a stock lock icon. That choice fits because Headscale's value is unusually tied to project scope and maintainer judgment: it succeeds when operators understand what the control server owns, what it deliberately leaves outside itself, and how that boundary is maintained over time.[9]

What Headscale actually replaces

The README is the right place to start because it says the quiet part out loud. Tailscale's control server is the exchange point for WireGuard public keys, client IP assignment, user boundaries, machine sharing, and route exposure.[1] Headscale's project goal is to self-host that plane for one tailnet, suitable for personal use or a small organization.[1] That is a valuable promise, but it is smaller than the mythology that often grows around it.

In practical terms, Headscale is strongest when you have one administrative domain that wants to keep enrollment, policy, and route approval under its own custody. The docs do not pitch it as a multi-tenant giant. They pitch it as a tight replacement for the hosted coordination layer.[1] That is also why the README warns that the project does not support or encourage reverse proxies and containers as the default way to run it.[1] The maintainers are telling operators that this is infrastructure software with opinions, not a "throw it anywhere" convenience binary.

That scope discipline is a feature. Many open-source networking tools become hard to reason about because they keep accepting adjacent jobs. Headscale is easier to understand because it keeps returning to one question: who is allowed into this tailnet, what routes can they advertise, and how do clients discover one another reliably enough to build direct or relayed paths?[1][3][4]

Identity and policy are the real product surface

If Headscale is only described as a WireGuard coordination server, its most important operator surface gets undersold. The identity documentation shows that the project expects authentication to be handled with real external identity providers through OpenID Connect, with discovery, PKCE support, and authorization filters based on domain, email address, or group membership.[2] That is not "extra enterprise frosting." It is the practical answer to whether your self-hosted tailnet can be governed cleanly once it stops being a weekend lab.

The ACL documentation makes the same point from the authorization side. Headscale implements policy ACLs adapted from Tailscale's model, but mapped into a self-hosted environment where you reference local users and groups and load policy from a huJSON file via policy.path.[5] The docs are blunt about the consequence: once ACLs are in play, the default user borders are no longer the whole story; communication becomes whatever the policy allows.[5] That is where Headscale stops being a "VPN thing" and becomes an identity-and-policy control plane.

This is the part teams should evaluate first. If you already have an OIDC-capable identity provider and you want route access, tags, and device reachability to follow explicit policy instead of ad hoc trust, Headscale gets more compelling.[2][5] If you do not have a clean IdP story and do not want to maintain policy files with intention, self-hosting the control server will not magically make the network simpler. It will only move the coordination work onto your side of the boundary.

Routes and exit nodes are where self-hosting becomes operational

The routes documentation is valuable because it shows where the romance ends. Headscale supports subnet routers and exit nodes, but it does not treat them like magical checkboxes.[3] Subnet routers require a double opt-in: the node advertises routes with tailscale up or tailscale set, and the control server must then approve those routes before the tailnet can use them.[3] That is a healthy design choice. It keeps route advertisements from silently becoming network reality.

The same is true for exit nodes. Clients can advertise exit-node capability, administrators can enable that path on the control server, and ACLs or auto-approvers can narrow who gets to use it.[3][5] Read closely, and the docs are really describing an approval workflow, not a convenience flag. Your edge node still needs IP forwarding, still needs correct placement, and still becomes part of your network-security story.[3]

That matters because many operators come to Headscale in search of sovereignty. The project can indeed give you sovereignty over registration and route approval, but it does not erase network geometry. A subnet router into a VPC, a lab LAN, or a home network remains an operational commitment. Headscale gives that commitment a coherent control surface; it does not make the commitment disappear.[3]

DERP is the clearest example of the remaining boundary

The DERP documentation is where Headscale becomes easiest to explain honestly. DERP exists to relay traffic when a direct peer-to-peer path cannot be established.[4] Headscale ships with an embedded DERP server, but it is disabled by default, requires extra ports, and uses STUN on UDP/3478 to help clients discover public addresses and traverse NAT.[4] In other words, the relay layer is available, but it is still infrastructure.

The docs go further. When you enable Headscale's embedded DERP, it gets added alongside Tailscale's free-to-use DERP servers unless you explicitly clear the default DERP map.[4] And if you do remove Tailscale's defaults, the documentation warns that you are now left with a single DERP server and therefore a single point of failure.[4] That warning is probably the most useful sentence in the whole project for prospective adopters. It explains the boundary better than any marketing comparison could.

Headscale can let you self-host coordination and, if you choose, self-host relay infrastructure too. But it does not pretend that one small control-plane binary automatically gives you a globally resilient relay network. Teams that understand this usually make better decisions: keep the hosted DERP map while you learn the operational shape, or self-host DERP only when you actually need location control, dependency reduction, or stricter traffic locality.[4]

The day-two story is better than hobbyware, but it is still your day two

One sign that Headscale has crossed beyond hobby-demo status is that operators have started building observability around it. Adin Hodovic's late-2025 write-up on tailscale-exporter shows a monitoring surface built around Headscale's gRPC API: node status, routes, tags, API keys, pre-auth keys, and database health are all exposed into Prometheus and Grafana dashboards.[8] That is not proof that every deployment is mature. It is proof that real users now expect this control plane to be measurable like other infrastructure.

That observation pairs well with the project's GitHub activity. A repo can be popular for shallow reasons, but frequent pushes, an active issue queue, and fresh releases do matter for something that sits in your network-control path.[6][7] Headscale's current state suggests a project that has enough operator gravity to keep improving, but not one that should be mistaken for a fully managed service. You own the identity integration, the policy hygiene, the route approvals, and the relay topology decisions.[2][3][4][5][8]

So the right way to think about Headscale in 2026 is not "finally, Tailscale but mine." A better framing is: a self-hosted coordination layer for one tailnet, with explicit control over who joins, what they can reach, and how routes become trusted, while the hard realities of network edges and relay resilience remain visible on purpose.[1][2][3][4][5]

Bottom line

Headscale is a good project introduction candidate because its appeal is easy to exaggerate and worth rescuing from exaggeration. The project is not trying to self-host every part of connectivity. It is trying to give operators a clean, open control plane for one Tailscale-compatible tailnet, with real hooks for identity, policy, route approval, and optional DERP infrastructure.[1][2][3][4][5]

That is already substantial. If your team wants one self-hosted tailnet and is prepared to own the day-two work around OIDC, ACLs, subnet routers, exit nodes, and relay topology, Headscale looks increasingly credible in 2026.[2][3][4][5][6][7] If you want the feeling of sovereignty without the maintenance surface, the docs are honest enough to tell you where that fantasy stops.

Sources

  1. juanfont/headscale README - project scope, control-server role, single-tailnet design goal, maintainer notes, and operational caveats.
  2. Headscale documentation, "OpenID Connect" - external IdP support, discovery, PKCE, and authorization filters.
  3. Headscale documentation, "Routes" - subnet routers, exit nodes, double opt-in approval flow, and auto-approvers.
  4. Headscale documentation, "DERP" - embedded DERP server, STUN requirement, default DERP map behavior, and single-point-of-failure warning.
  5. Headscale documentation, "ACLs" - policy file format, user/group references, and ACL behavior in the self-hosted environment.
  6. GitHub API snapshot for juanfont/headscale: stars, forks, open issues, and recent push timestamp.
  7. GitHub API release listing for juanfont/headscale: current stable and recent prerelease tags with publication timestamps.
  8. Adin Hodovic, "Observability for Headscale: Metrics and Dashboards in Grafana" - independent operator view of Headscale metrics, gRPC access, and day-two monitoring.
  9. GitHub API profile for Juan Font, including the avatar source used for the article image.