Self Host Tailscale with Headscale - How To Setup

  • Published: 2 Jul 2024
  • Deploy Headscale so you can self-host Tailscale and avoid using their infrastructure!
    Learn how to deploy and configure Headscale, connect an Android device, and deploy a tailscale container. GitHub files are linked below.
    Docker-Compose: github.com/JamesTurland/JimsG...
    Headscale Documentation:
    headscale.net/running-headsca...
    Headscale UI:
    github.com/gurucomputing/head...
    Discord: / discord
    Twitter: / jimsgarage_
    Reddit: / jims-garage
    GitHub: github.com/JamesTurland/JimsG...
    00:00 - Introduction to Headscale and Tailscale
    05:40 - Docker Config Overview
    08:28 - Docker Setup and Deployment
    13:35 - Android Setup
    16:18 - Tailscale Docker Container Deployment
    19:28 - Test Working Configuration
    20:36 - Outro

Comments • 180

  • @BrianPhillipsSKS 11 months ago +39

    Good video, glad you are talking about Headscale. It is worrying that so many people are pushing Tailscale without any interest in hosting Headscale. Especially in the SelfHosted community

    • @Jims-Garage 11 months ago +6

      I agree. I find some people just deploy things because they're flavour of the month without considering what it is or how they're increasing attack surface/eroding privacy.

    • @penguinnexus 4 months ago +3

      Thing is, for a home setting, not self-hosting tailscale has a lot of advantages in removing a single point of failure. There's nothing wrong with using SaaS even in the self-hosted community. The attack surface is reduced (using Tailscale) by not needing to port forward. You fail to mention that traffic is encrypted peer-to-peer, and Tailscale claim they cannot and do not want to see the data in transit. Great video though, and thanks for raising awareness of Headscale @@Jims-Garage

    • @killer2600 2 months ago +2

      You lose many advantages of tailscale when you try to self-host headscale. You lose the simplicity, the fact that it automatically handles dynamic IP addresses that change, and that it works over CGNAT. The last one being a top reason why someone would choose tailscale over self-hosting Wireguard or any other VPN if they had the inclination to completely self-host their VPN solution.

    • @JorgeGarciaM 14 days ago

      @@penguinnexus @Jims-Garage The traffic is encrypted peer-to-peer, but not end-to-end (different concept). The traffic can (in theory) be tapped at the "connecting" end where Tailscale (Third party) controls the traffic. However, I do agree that it's still an improvement from doing port-forwarding at home.

  • @hpbingham 3 months ago +15

    If you are trying to follow this tutorial, headscale stopped pushing releases using the `latest` tag. As such you will need to change the docker compose to use the most recent stable release which is 0.22.3. So your docker compose should be:
    image: headscale/headscale:0.22.3

  • @chrisumali9841 11 months ago +3

    Thanks for the demo and video, very concise and detailed. Have a great day

  • @darkenaxe 4 months ago +3

    I heard about Tailscale like 2 days ago but was not convinced by the third party thing.
    I'm glad to know about Headscale now thanks to you, nice video :)

  • @law1213 7 months ago +2

    Great work Jim. I just used this to help me deploy headscale in kubernetes. Appreciate all the hard work. Next stop setting up authentik as an identity provider via oidc.

    • @Jims-Garage 7 months ago +1

      Thanks. Glad it helped!

  • @PW-72648 10 months ago +4

    Found by accident, will stay for more! As others said, very good explanation and chill video😊, thanks.

  • @chrisweeksnz 8 months ago +1

    Simply, keep up the great work!

  • @TheMonkii 1 month ago +1

    Great video! Thanks for sharing. Implementing as we speak!!

  • @olsenlid 9 months ago

    Great video and great explanation! Will take a look at your other videos as well :)

    • @Jims-Garage 9 months ago

      Thank you. My recent video details how to do this involving a VPS in case you're stuck behind cgnat and cannot port forward.

  • @TheSrefty 10 months ago +1

    Hi Jim, good work :) thank you for sharing

  • @davidreitnecht1023 10 months ago +1

    Thank you so much for this video. You helped me decide!

    • @Jims-Garage 10 months ago

      You're welcome, glad it was useful

  • @Glatze603 8 months ago +1

    Very well done Jim 🙂

    • @Jims-Garage 8 months ago

      Thanks, appreciate the feedback.

  • @mattiashedman8845 9 months ago +3

    I've just the other day setup my headscale coordination server on a VPS and this was the natural next step. Thanks!
    Now I just need to see if I should switch to a docker setup. I do run every other homelab thing as a container.

    • @Jims-Garage 9 months ago +3

      Awesome, good job 👍

  • @dbess1 6 months ago +2

    Thanks for this! You’ve answered the voice in the back of my mind regarding trusting third parties with fingers crossed. - new subscriber now!

    • @Jims-Garage 6 months ago +1

      Glad it was helpful!

  • @vmerinom 9 days ago +1

    Thanks for the video! Regards from Chile

  • @hopeless128 5 months ago +1

    i love the poster in the background.

  • @BushMasterJM 3 months ago +1

    Amazing stuff, thank you!

  • @nicoladellino8124 9 months ago +1

    Very useful video, THX.

    • @Jims-Garage 9 months ago

      Thanks, be sure to check out my other headscale video with an oracle VPS.

  • @osrrael 11 months ago +2

    Great, thanks a lot for sharing. Greetings from the Araucanía region in Chile.

  • @myhometvaccount9365 9 months ago +1

    thanks works perfectly with pfsense tailscale addon :)

  • @fedefede843 11 months ago +3

    Nice vid! it would be good to explore a bit more on how to use ACLs here.

    • @Jims-Garage 11 months ago +3

      Thanks for your feedback, I'm considering doing a follow up with a more advanced setup.

  • @SB-qm5wg 2 months ago +1

    Good video. TY

  • @MrTubeBoi-jk2pv 3 months ago +2

    Really good video thanks!
    I set it to 1,25 playback speed which I found a great speed to listen to your voice.

    • @Jims-Garage 3 months ago +3

      Thanks. I'll try to speak 1.25x faster 😂

    • @MrTubeBoi-jk2pv 3 months ago

      @@Jims-Garage 😂🙌

  • @Daz2281 4 months ago +1

    Thanks!

    • @Jims-Garage 4 months ago

      Wow, thank you, that's extremely generous!

  • @l0gic23 6 months ago

    Would love to see more about your remote family support and remote backup with and for them.

  • @abzbrk490 11 months ago +1

    Excellent tutorial and explanation very appreciated thank you a sub and a 👍 deserved

  • @pcm1ke 5 months ago +1

    @jim have you tried deploying the headscale server behind traefik AND ALSO behind a cloudflare tunnel so you don’t have to expose your WAN in dns records (among other reasons)?

  • @t288msd 11 months ago +2

    Thanks for this. very informative. Tried to get running on a pi but sadly it doesn't work on arm/v7 only AMD64.

    • @Jims-Garage 11 months ago +2

      Hopefully that will change in the near future.

  • @simonlock9718 11 months ago +3

    Hi Jim,
    Nice video. When running headscale behind traefik do you get the expected blank screen or a 404 (page can’t be found) when accessing your subdomain without specifying paths?
    I'm receiving a 404 (page can’t be found) on the subdomain but pages correctly resolve https for paths /windows and /key perfectly. Headscale is however working.
    Also, have you managed to set up oidc as I would expect this to be necessary if hosting in the cloud?

    • @Jims-Garage 11 months ago +2

      Hi Simon. No, I receive a blank page and I am able to reach the windows page with the installation instructions (as shown. Check the network tab in chrome). It is a little tricky to get it working but if you terminate on Traefik and then forward HTTP traffic you should be good. It's hard to give a concrete answer as there are a number of ways to deploy traefik (either same compose or external). At least you have headscale working so that's the main thing.
      My understanding is that the /windows page should be public facing. I'm guessing you could oidc it but there might need to be some clever workarounds to not block functionality. I guess you could restrict access to it through IP or DNS on your firewall.

    • @simonlock9718 11 months ago +4

      @@Jims-Garage Thank you Jim, it seems that only chrome is giving 404 on the sub domain page. Everything works as expected on Firefox.

    • @Jims-Garage 11 months ago +1

      @@simonlock9718 Good to know, I hadn't actually tried on different browsers.

  • @LampJustin 11 months ago +4

    Have you heard of netbird? It's a nicer alternative to Tailscale/Headscale. It can be selfhosted, does have a nice GUI and can be integrated with Keycloak ;)

    • @Jims-Garage 11 months ago +3

      I haven't, let me check that out. Thanks for the info.

    • @mish2k 9 months ago +1

      after a bit of roaming I noticed netbird misses the exitnode feature and "taildrop" feature + the netbird gui would also be available when selfhosted?

  • @mish2k 9 months ago +2

    Hello! Thanks for the video, I just set up tailscale yesterday moving from wireguard
    I noticed tailscale would allow only 3 users, not enough for a family, does headscale have this limit? And is it possible to limit some users to some private services (for instance the family from portainer)
    I also was wondering if headscale would still use the 26 derp servers of Tailscale or also acts as one
    Subscribing for incoming videos!
    Edit: I saw it has an embedded derp server, that's great even if it may be less reliable

    • @Jims-Garage 9 months ago +1

      Hey, thanks. As Headscale is self-hosted there should be no limitations to users. I have tested with 5 with problem.

    • @mish2k 9 months ago +1

      @@Jims-Garage that's great, I would have included or at least advised to host the derp server too, the public ones limit you to 7mbps and all your traffic is routed over unknown servers. I would also have added that it is not possible to serve UI and hs on different domains unless you fix the cors header

  • @shanagondaarun2436 5 months ago +2

    Thanks for a detailed video. From my understanding and I could be wrong but it looks like we need a static ip with to setup the headscale server. Behind CGNAT is why people are using Tailscale, isn't it.

    • @Jims-Garage 5 months ago +1

      In this example, yes. My other headscale video uses a VPS for those who are behind cgnat.

    • @shanagondaarun2436 5 months ago +1

      @@Jims-Garage Yes Jim, watched the other video as well. Thanks for that.

    • @burloiumarian2665 18 days ago

      @@Jims-Garage can I make it work behind CGNAT if I have a No-IP DDNS registered?

  • @hugotorres9863 11 months ago +1

    Hello, don't know if I've missed it or if not mentioned. Is there a need to open ports on the firewall? Thank you for the great video

    • @Jims-Garage 11 months ago +2

      Thanks! It works over HTTPS, so you'd need 443 forwarded (or whatever DNAT you want).

    • @hugotorres9863 11 months ago +1

      @@Jims-Garage thank you for the answer. Have a good day!

  • @YourModulesMayVary 5 months ago +1

    great vid content, some feedback on the slides, the transitions are a bit 2000's powerpointy and hurt my head ;-)

    • @Jims-Garage 5 months ago +1

      Haha, thanks. Will see what I can do (editing kills me inside).

  • @BryanSeitz 3 months ago +1

    The traffic is NOT routed through their network, it only opens up connections to bypass NAT and such.

    • @Jims-Garage 3 months ago +1

      Read their documents. If a direct connection isn't available it goes over their network.

  • @marktomlinson6922 9 months ago +1

    great explanation, I have one question for yourself or anyone else reading this, so in a site1 to site2 setup pfsense1 to pfsense2 for a device behind pfsense 1 router how do you get it to be able to use the DNS from pfsense 2 to resolve and connect to a device behind pfsense2 router, advertised routes but what about advertising dns names?

    • @Jims-Garage 9 months ago

      You can specify the DNS server in the config. I guess when you share the route you just set it to your local DNS.

  • @darthkielbasa 11 months ago +2

    I’ve taken a look at the docs for headscale and was very apprehensive. This makes the process much more approachable IMO.
    Thank you!
    Are all British homes heated with radiators and boilers?

    • @Jims-Garage 11 months ago

      Thank you! I would say most homes have central heating, certainly with radiators. Either gas if you're on the grid, or oil if you're more remote.

  • @taoyeahright 10 months ago +1

    I have to use a computer at work where I can't install software, but need to control my VMware Workstation on my pc at home. I was going to use guacamole but its not that secure so that I was going to use cloudflare with guacamole, but then found out that cloudflare routes everything through them just as you described. I won't be doing much but logging into a guest account and controlling my VMs in there. Is Wireguard the solution? I thought tailscale would be the way to go but I can't install the software on my computer at work.

    • @Jims-Garage 10 months ago

      I don't think you can install WireGuard without admin privileges. You might need a HTTPS based VPN.

  • @l0gic23 6 months ago +1

    Wonders about putting headscale on a $5 Linode with Pi-hole. Looking to be able to use secure DNS seamlessly at home and when mobile.
    I think right now my mobile browsing goes direct to quad9 via android config, bypassing my Pi-hole when at home...
    Reason thinking Linode is to better support family by letting them use that Pi-hole, etc.
    Thoughts? Worth a video or crazy talk?

    • @Jims-Garage 6 months ago

      I have a separate video showing how to use a free oracle VPS with headscale. It should provide you with what you need.

  • @basdfgwe 6 months ago +1

    I tried getting this up and running behind cloudflare tunnels and it failed, headscale logs said that I needed to have websocket enabled. I looked around and it was showing that I had websocket enabled...

    • @Jims-Garage 6 months ago

      It's probably the Cloudflare Tunnel blocking the traffic but I'm not certain. Try without?

  • @khanhthedag7269 1 month ago +1

    Is netbird a kind of wireguard? Do you know it? Is it similar to headscale? Is it not as complex to set up as headscale?

  • @zeal514 10 months ago

    hmm so my setup is slightly different. I use https all the way to traefik, not http. So when i try to set this up, traefik isn't handling the websockets properly. How can i fix this?

    • @Jims-Garage 10 months ago +1

      Hi, not sure I quite understand your comment. In my video and config it's HTTPS to Traefik, that is then routed to 8080 on Headscale. If you're using Traefik it should just work.
      What error are you facing?

  • @newmfat 7 months ago +1

    Tailscale is blocked where I live. Would this help me create my mesh network? I'm not sure if they have blocked only Tailscale or the Wireguard protocol.

    • @Jims-Garage 7 months ago +1

      Interesting. Worth checking if it's tailscale domains that are blocked first, can you access their website? If not, try deploying a simple WireGuard container first and testing. Next if that doesn't work try changing the port. If all that fails it's likely the protocol that's blocked. You can masquerade it but it's not bulletproof.

    • @newmfat 7 months ago

      @@Jims-Garage Thanks. Will try those steps. Tailscale website can be accessed. Btw what is masquerading and how could it help? Is the same technique used by Cloudflare Warp? Asking since warp continues to work in regions where Wireguard is blocked.

  • @khanhthedag7269 1 month ago +1

    nicely explained. Thanks.
    Wireguard is easier to install and use, right?
    Headscale is better, faster and more secure than wireguard-easy?

    • @Jims-Garage 1 month ago

      Thanks 👍 no, both use the WireGuard protocol but for different purposes, they're both as secure from a protocol perspective. WireGuard-Easy is great for a simple point to point connection with multiple people. Headscale (or tailscale) is a mesh VPN. You have the ability to completely control how traffic is routed between devices (even through cgnat). If this is new to you then you probably want default WireGuard (or WireGuard-Easy).

    • @khanhthedag7269 1 month ago +1

      ok. I use longtime wireguard-easy.
      now. I try to setup (like you) headscale.

  • @joanandestin4201 7 months ago +1

    Hi, How are you doing? I have been trying to deploy headscale in my homelab but no luck. I installed the app on my phone, added my custom domain but it returns no keys. I can go to the domain/windows and I can see the instructions. I am using nginx-proxy instead of traefik but that should not be an issue. Any thoughts?

    • @Jims-Garage 7 months ago

      So when you visit domain/windows there is no command to paste into the terminal?

    • @joanandestin4201 7 months ago

      @Jims-Garage there are commands there with the correct domain. But I tried to follow the process on the phone first. After clicking on sign in, it just hangs there.

  • @davisclark0776 5 months ago +1

    Hi Jim! I followed up to 12:35 and created the API key using the command "headscale apikey create" then entered it in the Headscale API Key for the Headscale-UI. However I keep on getting "missing "Bearer" prefix in "Authorizaton" header client". I googled online and the github of headscale-Ui says "Your API key is either not saved or you haven't configured your reverse proxy, Create an API key in headscale (via command line) with headscale apikeys create or docker exec headscale apikeys create and save it in settings".
    Am I missing a step or something?

    • @georgebobolas6363 4 months ago +1

      I have the exact same problem with the missing bearer in the API key :( Did you manage to figure what was the problem after all?

    • @davisclark0776 4 months ago +1

      @@georgebobolas6363 Unfortunately I have not. I tried several more times with different ways but I still kept running into the issue. So I’m just using the CML now, which is honestly not that bad to learn.

    • @georgebobolas6363 4 months ago

      @@davisclark0776 Thanks. I'll give it a few more tries and post an update in case I manage to work something out.

  • @khanhthedag7269 1 month ago

    netbird is a kind of wireguard. do you know? is similar to headscale? is not as complex to setup as headscale?

  • @khanhthedag7269 1 month ago +1

    Hi Jims, I have a question, about portainer container console.
    It doesn't work if I click console on portainer (Error, Unable to retrieve image details).
    Have you seen this error? And how can I fix this?
    my portainer version (2.19.5). Docker version 26.1.3, build b72abbb
    thanks for help.

    • @Jims-Garage 1 month ago

      Try a different shell on the drop-down menu

    • @khanhthedag7269 1 month ago

      @@Jims-Garage Thanks, where is the drop-down menu on portainer?
      I don't see it 😞

  • @trojan6897 10 months ago +3

    Hi buddy awesome video , but this requires port forwarding right? If I am using hotspot of my android to connect and access internet in my Linux device this won't work right? Because no port forwarding available

    • @Jims-Garage 10 months ago +1

      Thanks 👍 this requires port 443 to be forwarded on the server side.
      I'm pretty sure that any device that is using your Android hotspot (e.g. a pc or laptop) should be able to access it. It should behave the same as accessing any website.

    • @trojan6897 10 months ago +2

      @@Jims-Garage yea any device that is on Hotspot is able to access, just that I was thinking if there was better way for hotspot user so that it could be accessible not just by hotspot user but by anyone anyways I don't think there is a way except tailscale and zero tier in that case but is there any possibility to make application hosted with them more secure like what I max could guess was to use authelia on local host to make them much more secure but can there be more ways and if yes then what are they.

    • @Jims-Garage 10 months ago +1

      @@trojan6897 I recommend placing an Enterprise-Grade firewall in front of it, and perhaps running it through your proxy (e.g., Traefik) with Crowdsec enabled. I suspect that putting Authelia in the way might break things as it won't be able to complete the authentication journey.
      You could also just use something simple, like wg-easy that I showed in my other VPN video (that also uses WireGuard).

    • @trojan6897 10 months ago

      @@Jims-Garage setting up wireguard will also require port forwarding right?

    • @trojan6897 10 months ago

      @@Jims-Garage and buddy can u make video on how to become the node and selfhost with zero tier because I can't find any good video with that if we can become node and host our app on our node then it will be accessible by everyone I believe if possible research and make on it please ,will be very helpful

  • @st6531 8 months ago +1

    Would this setup work if I live outside China and want to install VPN server on an old Intel NUC device and place it behind the router in my friend’s house in China (with no public IP). I want to access Chinese websites. In particular, a Chinese server I am trying to get into will block my access if my IP is not in China. If this is doable, what should I install at my home if the device accessing the VPN server in China is an IOT device (e.g., vacuum robot)? Do I need another device installed at my place to serve as a VPN client? Sorry, I have no technical knowledge about networking. If you can provide links on how to install VPN server on NUC and recommend what device to use as a VPN client and provide link on how to install VPN client on such device, it would be greatly appreciated.

    • @Jims-Garage 8 months ago

      In theory, yes, but I've no means of testing it. Essentially you join a machine from inside China to the mesh and advertise it as an exit node. Then on another machine on the mesh you select the machine in China as your gateway (internet access).

  • @armanis1234 2 months ago +1

    Hi, do you need to enable all 5 of them in your demo? thanks

    • @Jims-Garage 2 months ago

      You only need to enable the nodes you need. 2 is fine.

    • @armanis1234 2 months ago +1

      @@Jims-Garage still i don't get it, i can enable any will work? why they repeat only create 2 nodes but in node list show me 5

    • @Jims-Garage 2 months ago

      @@armanis1234 every device you add is a node. You can then route traffic however you want between nodes.

    • @armanis1234 2 months ago

      @@Jims-Garage something changed since you made a video, because I don't have any option to only run an exit node... on android app

  • @jellevanburen9427 4 months ago +3

    I've been trying to get it to work for months now. But no success. It is probably partly due to my knowledge, but also there are some changes made: the latest version isn't supported anymore, the alpha5 shouldn't have headscale serve, but only serve. But alpha 5 isn't working correctly enough, etc. etc. I had 404 messages, derp issues, traefik errors. It has nothing to do with your video, but since it is very early in your homelab journey videos I just wanted to share this message also. That it is quite hard for relative 'beginners' in the journey if something doesn't match exactly like in the video. So at this point I'm giving up. Think I will revert to regular tailscale.

    • @Jims-Garage 4 months ago +2

      Thanks for letting me know. If it's changed significantly I'll likely do a new video.

  • @williamsnowball4267 10 months ago

    Thank you for the amazing tutorial! I just had a quick question, is it possible to remotely access one of my VMs such as a windows server from proxmox with this?

    • @Jims-Garage 10 months ago +1

      Yes, absolutely. Either install the client on the VM, or put it on another device in the network (e.g., a 'jump box') and connect via something like RDP.

    • @williamsnowball4267 10 months ago

      @@Jims-Garage I’ll definitely look into installing it onto the client, I’ve been wanting to do RDP and give it to someone outside my network to connect to but everyone keeps telling me how unsafe it is and etc.

    • @Jims-Garage 10 months ago +1

      @@williamsnowball4267 for starters you might be better off with my WireGuard video, it's much simpler and achieves basically the same thing for your use case.

    • @williamsnowball4267 10 months ago

      @@Jims-Garage Alright, I’ll go watch it right now. I’ve been basically wanting to host a VM mainly windows machine for a few of my friends to use for their needs, unfortunately since I’m on a home network it’s been a lot harder to do.

  • @Daz2281 4 months ago +1

    I did not see any supporting docs for MacOS/iOS for headscale. Could you point me in the right direction?

    • @Jims-Garage 4 months ago

      You need to use the tailscale client.

    • @Daz2281 4 months ago

      @@Jims-Garage I did the same steps like you did for the win machine and it works great, but I did not see a spot to tap the three dots like you did for your android device. I also did not see anything for the MacOS side. TIA!

    • @Jims-Garage 4 months ago

      @@Daz2281 check out this Reddit post. It's in your phone settings for the app www.reddit.com/r/Tailscale/s/cZDq4pi1AJ

    • @Daz2281 4 months ago

      @@Jims-Garage YOU SIR ARE THE MAN!!!!!

    • @Daz2281 4 months ago +1

      @@Jims-Garage YOU SIR ARE THE MAN!!! Thank you!

  • @HasnainReza 11 months ago +2

    Hi Jim, I noticed you mentioned that both sub-domains have to be the same but I'm just wondering how that is possible since both headscale and headscale ui are on different ports. I'm not running this behind traefik but instead am using haproxy since I use that for all my other sub-domains. Thanks

    • @Jims-Garage 11 months ago

      It's because headscale is served from / and the UI is served from /web. You can check the config on the UI documentation, it explains it in the docker compose example. That uses Traefik but it should be possible on haproxy.

    • @HasnainReza 11 months ago +1

      @@Jims-Garage Got it. let me try to configure it on my haproxy. Thanks

    • @yanglob 8 months ago +1

      I still can't figure it out with my Haproxy. Have you made it work?

  • @zyghom 5 months ago

    great, but how to connect MacOS client - there are no 3 dots ;-(

  • @cesarkollenphowet 7 months ago +1

    I was trying to use headscale on my homelab then I quit since I don't have a fixed public ip (my isp doesn't give that option)

    • @Jims-Garage 7 months ago +1

      Check my other headscale video that uses a VPS to overcome your problem.

    • @cesarkollenphowet 7 months ago +1

      @@Jims-Garage i'll check it thank you

  • @xccess21 1 month ago +1

    is this only available to run in Linux?

  • @flove7808 6 months ago +1

    02:00 I’m sorry but the claim is completely wrong.
    The traffic is not routed through Tailscale’s network.

    • @Jims-Garage 6 months ago

      Have a read of the documentation: tailscale.com/kb/1094/is-all-traffic-routed-through-tailscale
      Plus, authentication is still handled by them, it has to be. I don't have a problem with tailscale, I think it's good, but traffic absolutely has to touch their network otherwise it would be superfluous.

    • @flove7808 6 months ago

      I wouldn’t call authentication and coordination traffic is passing through their network. It’s misleading.
      There are edge cases (which you can turn off) where no P2P is possible and encrypted traffic is routed.
      I’m not defending Tailscale but that should be corrected.
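
Whether a given connection is direct or relayed, the point argued in this thread and in the earlier one about traffic going over Tailscale's network, can be checked per peer on your own node. The following is an added example, not code from the video, the commenters or the Tailscale/Headscale projects: it classifies peers from the JSON printed by `tailscale status --json`, assuming that output's `Peer`, `HostName`, `Active`, `CurAddr` and `Relay` fields; the sample document, host names and addresses are constructed.

```python
import json
import sys

# Constructed sample shaped like `tailscale status --json` output.
# Field names (Peer, HostName, Active, CurAddr, Relay) are assumed from the
# tailscale client's status JSON; verify them against your client version.
SAMPLE_STATUS = """
{
  "Self": {"HostName": "laptop", "Relay": "lhr"},
  "Peer": {
    "nodekey:aaaa": {"HostName": "nas", "Active": true,
                     "CurAddr": "203.0.113.10:41641", "Relay": "lhr"},
    "nodekey:bbbb": {"HostName": "phone", "Active": true,
                     "CurAddr": "", "Relay": "fra"},
    "nodekey:cccc": {"HostName": "vps", "Active": false,
                     "CurAddr": "", "Relay": "lhr"}
  }
}
"""


def classify_peer(peer):
    """Return (path, detail) for one peer entry.

    direct  -> an endpoint address is in use (WireGuard peer-to-peer)
    relayed -> no direct endpoint; packets go via the named DERP region
    idle    -> no active session, so no path has been negotiated yet
    """
    if not peer.get("Active", False):
        return ("idle", "")
    cur_addr = peer.get("CurAddr") or ""
    if cur_addr:
        return ("direct", cur_addr)
    relay = peer.get("Relay") or ""
    if relay:
        return ("relayed", relay)
    return ("unknown", "")


def classify_status(status_json):
    """Map each peer's HostName to its (path, detail) classification."""
    status = json.loads(status_json)
    peers = status.get("Peer") or {}  # "Peer" is null when there are no peers
    return {
        entry.get("HostName", key): classify_peer(entry)
        for key, entry in peers.items()
    }


def relayed_peers(status_json):
    """Sorted host names whose active session currently depends on a relay."""
    return sorted(
        name
        for name, (path, _) in classify_status(status_json).items()
        if path == "relayed"
    )


if __name__ == "__main__":
    # Pipe real output in, or run with no input to see the constructed sample.
    raw = SAMPLE_STATUS if sys.stdin.isatty() else sys.stdin.read()
    for name, (path, detail) in sorted(classify_status(raw).items()):
        print(f"{name:12s} {path:8s} {detail}")
```

Peers reported as relayed are the ones whose encrypted packets transit a DERP server, so those are the sessions affected by which relay (Tailscale's or a self-hosted one) the node is configured to use.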

  • @Heynmffc 9 months ago +1

    8:24 no link 😞

    • @Jims-Garage 9 months ago

      Oops, let me fix that when I'm home

  • @chelo-homelab 6 months ago +1

    Hi Jim, quick question.
    Is there a specific reason you deploy the containers via docker-compose instead of using Portainer Stacks?

    • @Jims-Garage 6 months ago +4

      Removes a dependency on Portainer for those who do not wish to use it. The great thing is that you can simply copy a compose over and it will work for both audiences.

  • @Suhayl_Khatib 5 months ago +1

    Dumb question but can this be deployed over UniFi’s stuff?

    • @Jims-Garage 5 months ago +1

      Yes, no different to the setup I demonstrated

    • @Suhayl_Khatib 5 months ago

      @@Jims-Garage sweet!!

    • @Suhayl_Khatib 5 months ago

      @@Jims-Garage I have another dumb question: is it possible to self host on Headscale and still somehow use Tailscale accounts? I really like both concepts.

  • @JGNiDK
    @JGNiDK 5 months ago +1

    Can I test this without taking down Tailscale first?

    • @Jims-Garage
      @Jims-Garage  5 months ago +1

      I don't believe it would conflict. At most, you'd need to change default ports.

    • @JGNiDK
      @JGNiDK 5 months ago +1

      @@Jims-Garage I might give it a chance. Either on my unRAID or Synology.

  • @danielschmidt1502
    @danielschmidt1502 9 months ago +1

    Thanks for the video.
    I have only one problem: I use Swag with nginx. Does someone have a working nginx config?

    • @Jims-Garage
      @Jims-Garage  9 months ago +1

      Sorry, I don't have one. Perhaps someone on the Discord could help you with that.

  • @Snoekverslaafde
    @Snoekverslaafde 23 days ago +1

    no longer working...

    • @Jims-Garage
      @Jims-Garage  22 days ago +1

      I'm going to come back to headscale in the near future

  • @fedefede843
    @fedefede843 9 months ago +1

    After several months using Tailscale, I just came back here to share my experience so far. It has been great, but the mobile app is a battery killer. It has become so bad that I am trying to move away from Tailscale. I am using Android; every time I have to leave home and 4G data is used instead, it kills it. The consumption is aberrant. And I really like to stay connected all the time automatically, and not manage it by hand when I need it just to avoid the battery consumption.
    Have any of you guys experienced something like that?
    My next stop is what I was considering at the very beginning, Nebula.

    • @Jims-Garage
      @Jims-Garage  9 months ago +1

      That's bad to hear, I haven't experienced that. What phone and Android OS version are you running? Newer models should have it baked into the kernel. FYI I have a Pixel 6 Pro

    • @fedefede843
      @fedefede843 9 months ago

      @@Jims-Garage Hi Jim, I am using Android 13. I have read about it, and it seems to be a common issue for the mobile app (both Android and iOS). They have a post where they explain and acknowledge the issue, but it seems it is not simple to fix.
      Have you checked your app consumption stats while connected to the mobile network? I was really happy with it until I saw that :/

  • @dbishop9085
    @dbishop9085 4 months ago +1

    The UI refuses to work based on this config and GitHub is no more helpful for it.

  • @yagoa
    @yagoa 10 months ago

    You forgot to mention that there are native ARM and X86 MacOS HeadScale servers

    • @Jims-Garage
      @Jims-Garage  10 months ago +2

      Check 02:24 - that shows all of the available clients.

    • @yagoa
      @yagoa 10 months ago +1

      Sorry, I meant servers @@Jims-Garage

  • @tonyc1036
    @tonyc1036 8 months ago +2

    Bro.... the db.sqlite file goes in the keys directory (not config directory) as per your config.yaml file and docker-compose volumes section. This is your first error, but not a big deal. Second error, you completely skip over how to make the subdomain resolve to the headscale server. Maybe or maybe not, ppl should understand that from your other video. But you don't even make _that_ clear. You just skip over it.
    What you're doing with your homelab series is fine, but it's just incomplete.

    • @Jims-Garage
      @Jims-Garage  8 months ago +2

      Thanks for your feedback. According to official docs the db resides in /etc/headscale which is mounted to /config locally (unless I'm misunderstanding you). You're right I skip over some of the subdomain low level details, that's because I've covered it in detail in previous videos in the series and I cannot retread the same items each video.

  • @yagoa
    @yagoa 10 months ago +1

    Wonderful project, but dislike for using docker

    • @Jims-Garage
      @Jims-Garage  10 months ago +1

      Why don't you like it using Docker?

    • @yagoa
      @yagoa 10 months ago +1

      I have compared several Docker containers to native and we're talking 10x RAM usage and 4x CPU usage... I can bet there is some latency penalty as well.

  • @Termintor1
    @Termintor1 6 months ago +1

    Is it faster?

    • @Jims-Garage
      @Jims-Garage  6 months ago +1

      On paper it should be as it cuts out 3rd party infrastructure.