Beyond simple remote access, a mesh network that binds devices across the globe into a single virtual LAN is now a fundamental pillar of modern infrastructure. At the center of this movement is Tailscale. Its setup is effortless, and its connectivity is robust. However, for growing teams or heavy users, Tailscale's pricing policy can become a significant hurdle.
As of 2026, Tailscale's free plan restricts the number of users to just three and imposes strict limits on the number of connected devices. Scaling even slightly can force you into subscription fees ranging from $6 to $18 per user per month. An even greater concern than cost is data sovereignty. The fact that a company's sensitive network metadata passes through external SaaS servers is a recurring point of contention in security audits.
Headscale is the alternative that cuts through all these limitations. Headscale is an open-source implementation of the Tailscale control plane. Device authentication and key exchanges are handled on your own independent server, while the actual data transmission continues to use the proven Tailscale apps. The cost is $0, and node connections are unlimited.
The primary reason is to protect your wallet. With a low-cost VPS (Virtual Private Server) costing around $5 per month, you can operate a massive network accommodating thousands of nodes. This represents a maintenance cost reduction of over 90% compared to commercial plans.
From a security perspective, the advantage is decisive. All metadata (device names, internal IP addresses, and access logs) is stored only in a database that you manage. This is an irreplaceable advantage in business environments where compliance with GDPR or local personal information protection laws is mandatory. It is the core of infrastructure independence: holding control of your network yourself rather than entrusting it to others.
While many guides recommend the lightweight SQLite, the standard for production environments is PostgreSQL, for data integrity and scalability. Below is a modern deployment template that automates TLS certificate issuance using Caddy.
First, access your server and secure the space where configurations and data will be stored.
```bash
mkdir -p ~/headscale-stack/{config,data/{headscale,postgres,caddy_data,caddy_config}}
cd ~/headscale-stack
```
Container technology simplifies management. The following configuration runs the DB, control plane, and reverse proxy all at once.
```yaml
version: "3.8"
services:
  postgres:
    image: postgres:15-alpine
    container_name: headscale-db
    environment:
      POSTGRES_DB: headscale
      POSTGRES_USER: admin
      POSTGRES_PASSWORD: your_strong_password
    volumes:
      - ./data/postgres:/var/lib/postgresql/data
    networks:
      - headscale-net
  headscale:
    image: headscale/headscale:stable
    container_name: headscale
    volumes:
      - ./config:/etc/headscale:ro
      - ./data/headscale:/var/lib/headscale
    command: serve
    ports:
      # Publishes plain HTTP on the host; remove this mapping if only Caddy should reach Headscale.
      - "8080:8080"
    depends_on:
      - postgres
    networks:
      - headscale-net
  caddy:
    image: caddy:latest
    container_name: headscale-proxy
    ports:
      - "80:80"
      - "443:443"
      - "443:443/udp"
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile
      - ./data/caddy_data:/data
      - ./data/caddy_config:/config
    networks:
      - headscale-net
networks:
  headscale-net:
    driver: bridge
```
Headscale must operate over HTTPS. Using Caddy gives you automatic issuance and renewal of Let's Encrypt certificates. In particular, the Cloudflare DNS-01 challenge lets you issue wildcard certificates safely without opening external firewall ports; note that this requires a Caddy build that includes the Cloudflare DNS module, which the stock image does not ship. Be sure to change the server_url entry in config.yaml to your own domain.
Once the server is running, it's time to attach the clients.
Create a user with the `docker exec headscale headscale users create myteam` command. On the client, run `tailscale up --login-server https://vpn.yourdomain.com` and an authentication URL will be displayed. Copy this URL and approve it on the server to connect immediately.

While Headscale is primarily CLI-based, it is recommended to use a Web UI like Headscale-Admin for visibility. Since it communicates solely via the API, with no separate server-side logic, you can intuitively grasp the status of all nodes while keeping the added attack surface minimal.
As the network grows, the design of security policies (ACLs) becomes critical. The default setting is a Full Mesh structure where all devices can communicate with each other. However, if a specific node is compromised, the entire network is exposed to risk.
Adhere to the deny-by-default principle. It is safer to block all connections initially and open only the necessary paths based on tags. For example, you might restrict tag:dev so that it can only reach tag:db.
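A deny-by-default policy of the kind described above, as an added example that is not part of the original post: a Headscale policy file (HuJSON, written here as plain JSON) with two tags, an admin group built from the `myteam` user created earlier, and two narrow accept rules. Assumptions: the `myteam@` user syntax of recent Headscale releases, that the db nodes run PostgreSQL on port 5432, and that the file is referenced from config.yaml via `policy.path`.

```json
{
  "groups": {
    "group:admins": ["myteam@"]
  },
  "tagOwners": {
    "tag:dev": ["group:admins"],
    "tag:db": ["group:admins"]
  },
  "acls": [
    {
      "action": "accept",
      "src": ["tag:dev"],
      "dst": ["tag:db:5432"]
    },
    {
      "action": "accept",
      "src": ["group:admins"],
      "dst": ["tag:dev:22", "tag:db:22"]
    }
  ]
}
```

Because Headscale denies any flow that no rule matches, dev nodes can reach db nodes only on 5432, db nodes cannot initiate anything back, and admins get SSH alone; a compromised dev node therefore cannot pivot to other dev nodes or to the control plane.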
If performance issues arise, check the following three points:
Adopting Headscale offers value far beyond mere cost savings. It is a process of breaking free from the constraints of giant platforms and building a pure network environment that operates exactly as you designed it. This system, combining the transparency of open source with the convenience of Tailscale, is the best choice for engineers pursuing both security and efficiency. Build your own secure private fortress today based on the provided Docker template. Convenience and security are no longer matters of compromise.