00:00:00 This is Headscale, a free and open-source version of Tailscale that you can install on any server,
00:00:06 giving you complete control of your encrypted network in case the internet goes down or Tailscale suddenly hike their prices up.
00:00:13 But what's weird is that Headscale was built by an employee of Tailscale.
00:00:18 Why are they paying someone to build their competitor?
00:00:22 Hit subscribe and let's find out.
00:00:25 Let's just quickly see Headscale in action before we get into any of the details.
00:00:30 Okay, so right now I have three Hetzner servers, one for the main Headscale control plane and two nodes over here, which I want to connect to each other.
00:00:40 So these two currently make up part of my encrypted network.
00:00:44 If I run this command, because everything is running on Docker, I can have a look at the current nodes I have, which are Ubuntu Test here and Ubuntu Test 2.
00:00:53 And these are the IP addresses I can use to connect to them.
00:00:56 For now, let's connect to these two nodes from within each other.
00:00:59 So first I'll copy this IP address.
00:01:02 And now inside Ubuntu Test 2, I'm going to SSH into the root.
00:01:07 Yes, I shouldn't do root, but this is just for testing.
00:01:09 And that is the IP address from Headscale.
00:01:11 And if I hit enter and clear, as you can see, I'm in Ubuntu Test 1.
00:01:17 So I've gone into Ubuntu Test 1 from Ubuntu Test 2, and I can exit to go back to Ubuntu Test 2.
00:01:24 And I can do the same in Ubuntu Test 1 if I do SSH root and paste the IP address of Ubuntu Test 2.
00:01:31 And if I clear, we can see I'm in Ubuntu Test 2 from Ubuntu Test 1.
00:01:36 But if I'm outside of the tailnet, so if I create a new tab, which is my Mac root, and then do SSH root and paste in the IP address of Ubuntu Test 2,
00:01:48 you can see it just hangs because I'm outside of the tailnet.
00:01:52 As you just saw, Headscale gives you complete access to your network.
00:01:56 You can control every little detail and you can add as many nodes as you want without any vendor lock-in.
00:02:03 And it can work without internet if you connect it to a NAS or an old Raspberry Pi.
00:02:08 But the setup is a bit involved.
00:02:11 In fact, let me show you how it works.
00:02:13 So right now I've created a new server called Ubuntu Test 3, and I'm going to create a new tailnet, or a new encrypted server, with a new user that will connect two nodes,
00:02:24 so Ubuntu Test 3 and Ubuntu Test 1, just for testing purposes.
00:02:29 So inside my Headscale control plane, I already have Headscale installed, but I'll just run through the process of how I did it.
00:02:37 So right now I have three Docker containers running.
00:02:40 One is Headscale UI, one is Headscale and another one is Caddy.
00:02:45 If we take a look at the Docker Compose file for that, we can see this configuration is very similar to the one in the Headscale documentation for Docker Compose.
00:02:56 Although I've changed a few things like the Headscale version and the path to my directories.
00:03:03 Now I also have a container for Headscale UI, which is one of the many open-source web UIs that you can use with Headscale.
00:03:11 And I'll show you that a bit later.
00:03:13 Then there's Caddy to act as a reverse proxy.
00:03:16 I'll have a link to this specific Docker Compose file in the description if you're interested.
00:03:21 So also in this directory, we have a lib folder and a config folder.
00:03:26 The lib folder, as you can see here, is mainly to keep the SQLite database, which controls user information, node information, DNS information, and many other things.
00:03:36 But in the configuration, you can change this to a Postgres database if you don't want to use SQLite.
00:03:43 Then in the config directory, this contains the Tailscale configuration and the access control list policy in a human JSON file.
00:03:52 We'll talk about this later, but let's take a look at this first, which you can get from the Tailscale documentation and even curl it into your server, which is what I did.
00:04:01 But if we take a look at the example configuration in GitHub, we can see everything we can change, from the server to the prefixes, and add the location of our policy file.
00:04:11 Now this is very similar to my configuration, but all I changed was the server URL, which links to a Cloudflare domain so that the nodes in my network can hit this URL to know where the other nodes are.
00:04:23 I also added a path to the location of my policy and that's pretty much it.
00:04:28 The domain is a typical Cloudflare one with an A record linking to the IP address of my Headscale control plane under the headscale subdomain.
00:04:37 And with that in place, if I vi the Caddyfile, you can see we have two URLs being used, one for the Headscale UI under /web and one for the Headscale proxy.
00:04:49 So once you have those things in place, the first thing to do is create a new user, which we can do by typing this command.
00:04:56 I'm going to create a user called Tom, but this can be anything you want.
00:05:00 Now the user's been created, we can run users list to see all our users, and we have our new user over here with an ID of 6.
00:05:08 But now our user doesn't have any nodes associated with them.
00:05:11 So let's give Tom some nodes.
00:05:13 Inside Ubuntu Test 3, which is the new server I created, the first thing we have to do is add the Tailscale client, which we can do by running this command in our server.
00:05:23 And now this gives us access to the Tailscale binary.
00:05:27 Note, if you're not a root user, you may have to use sudo to run Tailscale.
00:05:31 But before we run any of these commands to put Tailscale up or log in, we need to do it in a specific way that will work with Headscale.
00:05:38 To do that, we'll have to create some pre-auth keys, which we can find the command for in the getting started page of the Headscale documentation.
00:05:46 So I'm going to scroll down and copy this command.
00:05:49 Then inside my Headscale control plane, I'm going to write docker exec, paste the command.
00:05:54 And here where it says user ID, we're going to add the user ID of Tom, which is 6.
00:05:59 And before I do that, I have to add a second headscale since we're going into the Headscale container.
00:06:04 And now we have our pre-auth key.
00:06:07 Then we're going to copy this command and paste it in Ubuntu Test 3.
00:06:11 We'll then copy our pre-auth key and paste it over here.
00:06:15 And then we have to change the login server over here to our Headscale server, which we configured to be headscale.pandor.css.
00:06:23 Pandora was taken, otherwise I would have had it.
00:06:26 So now if we hit enter, we should have a new node added to our Headscale network.
00:06:31 So now if we go back to our control plane and run nodes list, we should see we have Ubuntu Test 3 over here, which belongs to our user Tom with this IP address and this IPv6 address.
00:06:44 Now let's add Ubuntu Test 1 to our Tom user.
00:06:47 But first I'm going to delete the existing Ubuntu Test node that has an ID of 1, and I'm going to force delete it so I can skip any confirmations.
00:06:56 And now that's done, I'm going to create another pre-auth key and add that to Ubuntu Test, not forgetting to enable SSH with this SSH flag since it already has it in place.
00:07:06 Let's also go to Ubuntu Test 3 and also set up SSH, which just enables the ability to connect via SSH.
00:07:13 Now, if I look at the list of nodes available, I have Ubuntu Test 1 down here and Ubuntu Test 3, both under Tom.
00:07:20 So let's connect to them both.
00:07:21 I'm going to grab the IP for Ubuntu Test 3 and go into Ubuntu Test 1, then run SSH root with the IP.
00:07:30 And once I enable the key, we can see I'm in Ubuntu Test 3 from Ubuntu Test 1.
00:07:35 And I can also do the same from Ubuntu Test 3 into Ubuntu Test 1.
00:07:41 Now, if you followed my steps exactly, there is a huge chance this may not work for you because you need to add an access control policy.
00:07:49 So let me show you mine.
00:07:51 If I clear this and go into my Headscale directory, we can see in the configuration folder that we have an ACL human-readable JSON file.
00:08:01 And if I go into it, here is a very simple configuration that basically accepts any source, so anyone from my network, to any destination or any port.
00:08:11 And also under SSH, it accepts any node inside of my tailnet and lets them connect to any other node via SSH without any approval, but just to the root user.
00:08:24 Now, of course, based on your network and situation, you may want to tighten this up or make it more secure so that certain nodes can only connect to other nodes on a specific port.
00:08:33 But this is a very simple configuration to get you started.
00:08:37 And again, I'll have the link to this in the description.
00:08:40 Now, you may be wondering, what about Headscale UI?
00:08:43 Does that make this whole process easier?
00:08:45 I'd say yes and no.
00:08:47 Let me show you.
00:08:48 So here is the URL for my Headscale UI, and right now you can see both of my users, Tess and Tom, with some information about both of them,
00:08:57 so the keys and the nodes that are connected. For this to work,
00:09:01 initially you have to add a Headscale API key, which you can get by running this command.
00:09:06 But the problem I had with this is the device view.
00:09:09 So as you can see, there isn't much information here, and it's something to do with the console with a TypeScript type error, which shouldn't be my fault because I haven't actually edited the source code.
00:09:22 But at this point, the app tends to freeze, so nothing works.
00:09:26 And I should be able to add a new device from here and change some configurations as well.
00:09:32 But because it's so buggy, I haven't found it that useful.
00:09:35 Now there are many other Headscale UIs, some of which make it even easier to add access control policies.
00:09:42 But in my opinion, I haven't found a Headscale UI very useful.
00:09:46 So yes, the setup is a bit involved.
00:09:49 Okay, it's really involved.
00:09:51 Someone without a technical background, or even a junior developer, would struggle setting this up on their own.
00:09:57 Which is probably why the Tailscale team have allowed their employee to work on this, because it doesn't really pose much of a threat to their company right now.
00:10:07 I mean, all it really takes is someone to use Claude Opus to create a very nice UI around it and they could be onto something cool, which might get squished by this license.
00:10:18 But once you have everything up and running, Headscale works amazingly well.
00:10:22 Although there are a few features it doesn't yet support, like the funnel and serve commands that you can use to expose a server publicly or just to your network.
00:10:32 It doesn't support multiple tailnets, ephemeral nodes, and native network flow logs.
00:10:38 But for an open-source tool, this is really impressive.
00:10:42 And if I ever get to the stage where I want my OpenClaw to run completely offline with a local LLM, then I may consider it.