Tailscale is genuinely one of the best pieces of infrastructure software I’ve used. WireGuard under the hood, zero-config peer-to-peer networking, and it Just Works on every OS. The problem is the coordination server — the thing that manages node registration, key distribution, and ACL policy — is Tailscale’s hosted service.
For a healthcare company, putting network topology data in a third-party cloud service raises questions we’d rather not have to answer. So we run Headscale — an open-source, self-hosted reimplementation of the Tailscale coordination server.
What Headscale Gives You
You get all the Tailscale client goodness — the apps, the WireGuard tunnels, the peer-to-peer routing — with your own coordination server that you control entirely. Our setup connects 100+ nodes across environments: development machines, VM hosts, load balancers, database servers, and everything in between. Subnet routing lets our developer machines reach internal network ranges without any additional VPN configuration.
ACL Policy as Code
Headscale uses the same HuJSON ACL format as Tailscale. Our policy file lives in Git. Access rules are reviewed like code changes — no one gets network access by asking someone to click a button in a dashboard.
We use groups to manage access at scale. group:operationadmins gets broad access. group:uzodevelopers gets access to test environments and specific services. Tagged servers have rules that govern what they can reach. The policy is explicit and auditable.
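As an added example (not the author's policy file and not Headscale code), here is the kind of check we can run in CI when an ACL change is proposed: a small Python linter that parses a constructed HuJSON policy and reports rules that reference an undefined group or tag, or that grant "*:*" to anyone outside an allowlisted admin group. The sample policy, its member accounts, the tag:test-db tag and the BROAD_ALLOWED allowlist are all assumptions.

```python
import json
# Constructed sample policy (an assumption, not the author's real file): an admin
# group with broad access, developers limited to a tagged test DB, a bad third rule.
POLICY_HUJSON = r'''{
  // Members are Headscale users; groups are the unit of access.
  "groups": {
    "group:operationadmins": ["alice@example.com"],
    "group:uzodevelopers": ["bob@example.com", "carol@example.com"],
  },
  "tagOwners": { "tag:test-db": ["group:operationadmins"] },
  "acls": [ /* rules are reviewed like code */
    { "action": "accept", "src": ["group:operationadmins"], "dst": ["*:*"] },
    { "action": "accept", "src": ["group:uzodevelopers"], "dst": ["tag:test-db:5432"] },
    { "action": "accept", "src": ["group:contractors"], "dst": ["*:*"] },
  ],
}'''
BROAD_ALLOWED = {"group:operationadmins"}  # may be granted "*:*" (assumption)

def hujson_to_json(text):
    """Strip // and /* */ comments and trailing commas, leaving strings intact."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\": i += 1; out.append(text[i])  # keep escape verbatim
            elif c == '"': in_str = False
        elif c == '"': in_str = True; out.append(c)
        elif text.startswith(("//", "/*"), i):         # line or block comment
            end = "\n" if text[i + 1] == "/" else "*/"
            j = text.find(end, i); i = n if j < 0 else j + len(end); continue
        elif c == "," and text[i + 1:].lstrip()[:1] in "}]":
            pass                                       # trailing comma: drop it
        else:
            out.append(c)
        i += 1
    return "".join(out)

def lint_policy(hujson_text):
    """Return review findings for a Headscale ACL policy; [] means it passes."""
    policy = json.loads(hujson_to_json(hujson_text))
    defined = set(policy.get("groups", {})) | set(policy.get("tagOwners", {}))
    findings = []
    for idx, rule in enumerate(policy.get("acls", [])):
        srcs, dsts = rule.get("src", []), rule.get("dst", [])
        # dst entries are "<host>:<port>"; drop the port to get the principal
        for p in srcs + [d.rsplit(":", 1)[0] for d in dsts]:
            if p.startswith(("group:", "tag:")) and p not in defined:
                findings.append(f"acl[{idx}]: undefined {p}")
        for s in (srcs if "*:*" in dsts else []):
            if s not in BROAD_ALLOWED:
                findings.append(f"acl[{idx}]: grants *:* to {s}")
    return findings
```

Wire lint_policy into the pull-request pipeline and fail the build on a non-empty list, so a typo in a group name or an over-broad rule never reaches the coordination server.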
The Operational Reality
Headscale is not a drop-in replacement for every Tailscale feature. Some things — Tailscale SSH, certain MagicDNS features, the admin console UI — work differently or require workarounds. You’re trading convenience for control.
For us, that trade is worth it. We know exactly what our coordination server is doing, we can audit it, and we can update it on our own schedule. In healthcare infrastructure, that kind of control matters.
If you’re considering it: start small, get comfortable with the CLI (headscale nodes list, headscale routes list become muscle memory fast), and version your ACL policy in Git from day one.
