This article was originally published on selfhosting.sh. Check us out for 770+ self-hosting guides.
Quick Verdict
Use Tailscale's hosted service unless you have a specific reason to self-host the control plane. Headscale gives you full control over device registration, key management, and access policies — but it requires a publicly accessible server, SSL certificates, and ongoing maintenance. For most self-hosters, Tailscale's free tier (up to 100 devices) is more than enough, and you avoid running critical infrastructure yourself.
Overview
Tailscale and Headscale are not competing products — they work together. Tailscale is a mesh VPN service that uses WireGuard under the hood. It has two components: the client (open source, runs on your devices) and the coordination server (proprietary, run by Tailscale Inc.). The coordination server handles device registration, public key exchange, and network policy distribution.
Headscale is a self-hosted, open-source replacement for Tailscale's coordination server. It implements the same coordination protocol, so all official Tailscale clients (Linux, macOS, Windows, iOS, Android) connect to it without modification. You get the same mesh VPN experience but with the coordination layer running on your own hardware.
The data plane is identical in both cases — WireGuard tunnels flow directly between devices. The only difference is who runs the coordination server.
Feature Comparison
| Feature | Tailscale (hosted) | Headscale (self-hosted) |
|---|---|---|
| Coordination server | Tailscale Inc. (cloud) | Your server |
| Client software | Official Tailscale clients | Same official Tailscale clients |
| Data plane | Direct WireGuard P2P | Direct WireGuard P2P |
| NAT traversal | Tailscale DERP relays | Custom DERP or Tailscale's public relays |
| MagicDNS | Yes | Yes (since Headscale v0.23+) |
| ACLs | Yes (HuJSON policies) | Yes (same format) |
| SSO/OIDC | Google, Microsoft, GitHub, Apple, Okta | Any OIDC provider (Authelia, Keycloak, etc.) |
| Taildrop (file sharing) | Yes | Yes (since Headscale v0.23+) |
| Exit nodes | Yes | Yes |
| Subnet routing | Yes | Yes |
| Funnel (public ingress) | Yes | No |
| SSH via Tailscale | Yes | Experimental |
| Multi-user / teams | Yes (up to 3 users free) | Yes (unlimited users) |
| Device limit | 100 (free), more on paid | Unlimited |
| Admin UI | Polished web dashboard | Headscale-UI (community) |
| Mobile app support | Full | Full (same clients) |
| Uptime/reliability | Tailscale's SLA | Your infrastructure |
| Cost | Free (100 devices) / $6-18/user/mo | Free (your server costs only) |
| Privacy | Keys pass through Tailscale's servers | Keys never leave your infrastructure |
Installation Complexity
Tailscale (hosted): Create an account, install the client, authenticate. Done. No server to manage, no SSL certificates, no DNS configuration. The fastest possible setup.
Headscale: Requires a VPS or server with a public IP, a domain name, SSL certificates (via reverse proxy or built-in ACME), and initial configuration. Setup takes 30-60 minutes. You also need to configure a DERP server if you want relay functionality independent of Tailscale's public relays. See our Headscale Docker guide for the full walkthrough.
Winner: Tailscale, obviously. Headscale is for people who consciously choose self-hosting for privacy or control reasons — not for ease of setup.
Performance and Resource Usage
Performance is identical for the data plane. Both use the same WireGuard protocol, and traffic flows directly between devices in both cases. The coordination server is only involved during device registration and key exchange — not during active data transfer.
Headscale resource usage:
- RAM: ~50-100 MB
- CPU: Minimal (only active during coordination events)
- Disk: ~50 MB + SQLite database
The coordination server is lightweight. A $5/month VPS can handle hundreds of devices.
Community and Support
| Metric | Tailscale | Headscale |
|---|---|---|
| License | Proprietary (server), BSD-3 (client) | BSD-3-Clause |
| Maintainer | Tailscale Inc. | Community (Juan Font + contributors) |
| GitHub stars | N/A (proprietary server) | 24,000+ |
| Documentation | Excellent (official docs) | Good (improving) |
| Support | Community forum + paid support | GitHub Issues only |
| Update frequency | Regular | Regular (monthly releases) |
Use Cases
Choose Tailscale (Hosted) If...
- You want zero server maintenance for your VPN infrastructure
- The free tier (100 devices, 3 users) covers your needs
- You need Funnel (public ingress) or polished SSH features
- You don't have a publicly accessible server to run Headscale
- You want an admin dashboard that just works
- Uptime of your VPN is critical and you don't want to be your own SRE
Choose Headscale If...
- You want no dependency on any third-party service for your VPN
- Privacy is paramount — you don't want key exchange data on Tailscale's servers
- You need more than 100 devices or 3 users without paying
- You want to use any OIDC provider (Authelia, Keycloak) for authentication
- You're building infrastructure for a homelab, small business, or community
- You enjoy running your own infrastructure and accept the maintenance burden
Final Verdict
Tailscale's hosted service is the right default. It's free for personal use, the clients are open source, and the coordination server is a lightweight metadata service — it never sees your traffic. The privacy concern is minimal for most people.
Headscale is the right choice if you have a specific need for self-hosted coordination: regulatory requirements, extreme privacy preferences, more than 100 devices, or integration with your own identity provider. It's well-maintained, fully compatible with Tailscale clients, and costs nothing beyond the server it runs on.
The beauty of this ecosystem is that switching is straightforward. Start with Tailscale's hosted service. If you later decide you need self-hosted coordination, deploy Headscale, re-point your clients, and everything keeps working.
FAQ
Can I use Tailscale clients with Headscale?
Yes. All official Tailscale clients (every platform) work with Headscale. You point the client at your Headscale server URL instead of Tailscale's default.
Does Headscale support all Tailscale features?
Most of them. MagicDNS, ACLs, Taildrop, exit nodes, and subnet routing all work. Tailscale Funnel and some newer features are not yet implemented. Check the Headscale GitHub for the latest compatibility.
Is my data at risk with Tailscale's hosted service?
No. The coordination server only handles public keys and device metadata. Your actual traffic flows directly between devices over WireGuard — Tailscale cannot see or decrypt it.
Can I migrate from Tailscale to Headscale?
Yes, but devices need to re-register with your Headscale server. There's no automated migration tool — you reconfigure each client to point to your Headscale instance and re-authenticate.
What if my Headscale server goes down?
Existing WireGuard tunnels between devices continue working. You just can't add new devices or update ACLs until the coordination server is back online.
Top comments (0)