Tailscale vs Headscale: hosted vs self-hosted, same clients

Headscale is an open-source re-implementation of Tailscale's coordination server. The official Tailscale clients work against it unchanged. The comparison is really 'hosted Tailscale vs self-hosted Tailscale-equivalent.'

The short answer

Headscale = Tailscale's protocol with the coordination server under your control. Same clients, same UX, same mesh shape; different trust boundary, different operational responsibility, different cost structure.

  • Pick hosted Tailscale when: you want zero operational burden, you trust Tailscale Inc. with your coordination metadata, the cost is acceptable for your team size.
  • Pick Headscale when: open-source / self-host is a hard requirement, cost is a binding constraint at 30+ users, you have operational capacity to run a Go server.

What is Headscale, exactly?

Headscale is a Go binary that re-implements Tailscale's coordination protocol. It exposes the same API surface Tailscale's official servers expose; the same official Tailscale clients (macOS, Windows, Linux, iOS, Android) authenticate against it. From the client's perspective, talking to a Headscale instance is indistinguishable from talking to Tailscale's hosted control plane.

The data plane is identical — WireGuard packets between peers — because Tailscale's data plane is WireGuard in every implementation. Headscale doesn't touch packet data; it only handles the metadata layer (key exchange, peer discovery, ACL evaluation, DERP relay coordination).

Project lead: Juan Font Alonso (since 2021). License: BSD-3. Codebase: ~30k lines of Go. Reasonably mature, actively maintained, no commercial parent company.

Side-by-side comparison

| Aspect | Tailscale (hosted) | Headscale (self-host) |
|---|---|---|
| Clients | Official Tailscale apps | Same official Tailscale apps |
| Coordination server | Tailscale Inc., proprietary | You run it, BSD-3 open-source |
| Data plane | WireGuard | WireGuard (identical) |
| Setup | Sign up, install client, done (~2 min) | Provision server, install Headscale, configure auth, point clients (~30-60 min) |
| Maintenance | None (Tailscale operates it) | Upgrade binary, manage DB, monitor uptime |
| Cost | Free 3 users, $6/user/month Business | ~$5-20/month for VPS hosting Headscale |
| Support | Tailscale TAC (paid tiers) | GitHub issues, community |
| Feature lag | Latest features immediately | 3-12 months behind for new Tailscale features |
| SCIM / advanced enterprise | Available (paid tiers) | Typically not implemented |
| ACL DSL | Tailscale's HuJSON | Same HuJSON (or YAML in Headscale config) |
| DERP relays | Tailscale's global DERP fleet | You run your own or use Tailscale's |

Operational reality of self-hosting

What you're actually committing to when you choose Headscale:

  • A Go binary on a server — typically a small VPS ($5-20/month) or a homelab box. Headscale itself is lightweight; even a Raspberry Pi handles a 50-device mesh.
  • A database — SQLite by default (fine for small deployments) or Postgres for larger setups.
  • Public exposure — Headscale needs an inbound port reachable from the internet so clients can register. Behind Caddy or nginx with auto-TLS is typical.
  • Upgrades — new versions ship periodically; you decide when to upgrade.
  • Backup of the database — losing the Headscale DB means re-enrolling every device.
  • DERP relay decision — use Tailscale's free public DERP servers (they don't charge non-Tailscale users for relay) or run your own.

For an experienced sysadmin, this is a few hours initial setup and ~1 hour/month ongoing. For a non-technical operator, it's a real ongoing commitment.

Cost

Tailscale Business: $6/user/month. For a 25-person team, $150/month, $1,800/year.

Headscale on a $10 VPS: $120/year, fixed regardless of team size.

Crossover at ~17 users. Below that, Tailscale is competitive or cheaper for the convenience. Above 30 users, Headscale's economics dominate (assuming your time has zero cost — which it doesn't, but the operational load is genuinely low after initial setup).

When to pick which

  • Hosted Tailscale when: team is small enough that the cost is acceptable, operational capacity is the constraint, you want commercial support to fall back on, or you depend on Tailscale's latest features.
  • Headscale when: open-source is a policy requirement, team is large enough that per-user pricing hurts, you have one experienced sysadmin to operate it, or you want the coordination metadata on your own infrastructure.

What about NetBird?

NetBird is the third option in this space — BSD-3 stack with a commercial entity behind it. For self-host with paid support available, NetBird is sturdier than Headscale. For maximum Tailscale-ecosystem compatibility (same clients, same ACL DSL, same DERP), Headscale wins. See Tailscale vs NetBird for the detailed comparison.

Frequently asked questions

What is Headscale?

Headscale is an open-source (BSD-3) re-implementation of Tailscale's coordination server, written in Go. The official Tailscale clients on macOS / Windows / Linux / iOS / Android can authenticate against Headscale instead of Tailscale's hosted control plane — the protocol surface is the same. You run Headscale on your own server (a small VPS, a Raspberry Pi, a Docker container); Tailscale clients point at it; the resulting mesh is functionally equivalent to Tailscale's hosted offering, just with the coordination server under your control.

Is Headscale officially supported by Tailscale?

No. Tailscale Inc. does not formally support Headscale or its users; the project is community-maintained, primarily by Juan Font Alonso who started it in 2021. Tailscale tolerates Headscale's existence and even has Headscale-friendly behaviour in their open-source clients, but you won't get Tailscale TAC support if Headscale breaks. For production deployments where SLAs matter, hosted Tailscale (or NetBird, which has commercial self-host support) is the more defensible choice.

Does Headscale have feature parity with Tailscale?

Approximately, with caveats. Core features — device authentication, peer-to-peer connectivity, DERP relay for NAT traversal, ACLs, subnet routing, MagicDNS — all work in Headscale. New Tailscale features typically take 3-12 months to reach Headscale because the team is small. Features that exist only in Tailscale's paid tiers (some integrations, SCIM provisioning, certain enterprise features) may not be re-implemented at all. For a 'just give me the mesh' use case, Headscale covers it; for 'we depend on the latest Tailscale integration to AWS,' hosted is safer.

Why self-host Headscale instead of using Tailscale?

Three real reasons. First, your organisation requires fully open-source / self-hosted infrastructure — Tailscale's proprietary coordination server fails that policy regardless of its technical quality. Second, data residency: Tailscale's coordination metadata transits Tailscale's servers; Headscale's stays on your own infrastructure. Third, cost: Tailscale Business is $6/user/month; Headscale costs the price of a small VPS (~$5-20/month total). For a 50-person team that's a meaningful difference.

Is Headscale hard to operate?

Easier than rolling your own WireGuard mesh, harder than using hosted Tailscale. Operationally you run a Go binary, expose a port to the internet, persist its database (SQLite by default or Postgres), manage upgrades, and handle backups. None of these is particularly difficult individually; together they're real operational work that hosted services do for you. Operators who already run Linux servers find Headscale straightforward; operators who'd prefer to never SSH into anything find it more friction than they expected.

What about NetBird's self-host option?

NetBird is the closer-to-Tailscale alternative if you want self-host as a first-class story — NetBird's stack is open-source end-to-end, the project formally supports self-host, and there's a commercial entity (NetBird, the company) backing it for paid support. Headscale is community-maintained by individuals. For organisations that want the option of paying someone if self-host goes sideways, NetBird's structure is sturdier. For organisations that want maximum compatibility with the Tailscale ecosystem (existing Tailscale ACL DSL, existing integrations), Headscale wins.