Hi Jims, I have a question about the Portainer container console. It isn't working: if I click console on Portainer I get "Error, Unable to retrieve image details". Have you seen this error, and how can I fix it? My Portainer version is 2.19.5, Docker version 26.1.3, build b72abbb. Thanks for the help.
@Jims-Garage I did the same steps as you did for the Windows machine and it works great, but I did not see a spot to tap the three dots like you did for your Android device. I also did not see anything for the macOS side. TIA!
Great explanation. I have one question for yourself or anyone else reading this: in a site1 to site2 setup (pfSense1 to pfSense2), for a device behind the pfSense1 router, how do you get it to use the DNS from pfSense2 to resolve and connect to a device behind the pfSense2 router? Routes are advertised, but what about advertising DNS names?
I have to use a computer at work where I can't install software, but I need to control my VMware Workstation on my PC at home. I was going to use Guacamole, but it's not that secure, so I was going to use Cloudflare with Guacamole, but then found out that Cloudflare routes everything through them, just as you described. I won't be doing much but logging into a guest account and controlling my VMs in there. Is WireGuard the solution? I thought Tailscale would be the way to go, but I can't install the software on my computer at work.
Hi, how are you doing? I have been trying to deploy headscale in my homelab but with no luck. I installed the app on my phone and added my custom domain, but it returns no keys. I can go to the domain/windows and I can see the instructions. I am using nginx-proxy instead of Traefik, but that should not be an issue. Any thoughts?
@Jims-Garage There are commands there with the correct domain. But I tried to follow the process on the phone first. After clicking on sign in, it just hangs there.
Hi Jim, this was a great video. However, I am using Proxmox now and it has an LXC container for Headscale in the Helper Scripts. I was able to install it but not able to figure out what to do after that. Can you make a video please?
@Jims-Garage I have another dumb question: is it possible to self host on Headscale and still somehow use Tailscale accounts? I really like both concepts.
Would this setup work if I live outside China and want to install a VPN server on an old Intel NUC device and place it behind the router in my friend's house in China (with no public IP)? I want to access Chinese websites. In particular, a Chinese server I am trying to get into will block my access if my IP is not in China. If this is doable, what should I install at my home if the device accessing the VPN server in China is an IoT device (e.g., a vacuum robot)? Do I need another device installed at my place to serve as a VPN client? Sorry, I have no technical knowledge about networking. If you can provide links on how to install a VPN server on a NUC, recommend what device to use as a VPN client, and provide a link on how to install a VPN client on such a device, it would be greatly appreciated.
In theory, yes, but I've no means of testing it. Essentially you join a machine from inside China to the mesh and advertise it as an exit node. Then on another machine on the mesh you select the machine in China as your gateway (internet access).
Thanks for a detailed video. From my understanding (and I could be wrong) it looks like we need a static IP to set up the headscale server. Being behind CGNAT is why people use Tailscale, isn't it?
Have a read of the documentation: tailscale.com/kb/1094/is-all-traffic-routed-through-tailscale Plus, authentication is still handled by them, it has to be. I don't have a problem with tailscale, I think it's good, but traffic absolutely has to touch their network otherwise it would be superfluous.
I wouldn't call authentication and coordination "traffic passing through their network". It's misleading. There are edge cases (which you can turn off) where no P2P is possible and encrypted traffic is routed. I'm not defending Tailscale, but that should be corrected.
Hmm, so my setup is slightly different. I use HTTPS all the way to Traefik, not HTTP. So when I try to set this up, Traefik isn't handling the websockets properly. How can I fix this?
Hi, not sure I quite understand your comment. In my video and config it's HTTPS to Traefik, that is then routed to 8080 on Headscale. If you're using Traefik it should just work. What error are you facing?
Removes a dependency on Portainer for those who do not wish to use it. The great thing is that you can simply copy a compose over and it will work for both audiences.
Headscale is great, but I recommend Tailscale for the same reason I still use Tailscale myself. I don't want to punch a hole in my firewall or deal with something like DuckDNS. And while I could stand up a VPS with Akamai or the like to run my headscale instance, it's just more cost and time than I am currently willing to put in. Maybe once Tailscale hits its crap phase like most other internet services I'll fully jump ship, but until then I'll keep watching and testing headscale while using Tailscale in my production setups.
Have you heard of netbird? It's a nicer alternative to Tailscale/Headscale. It can be self-hosted, does have a nice GUI and can be integrated with Keycloak ;)
After a bit of roaming I noticed netbird misses the exit node feature and the "taildrop" feature. Plus, would the netbird GUI also be available when self-hosted?
Thank you for the amazing tutorial! I just had a quick question, is it possible to remotely access one of my VMs such as a windows server from proxmox with this?
Yes, absolutely. Either install the client on the VM, or put it on another device in the network (e.g., a 'jump box') and connect via something like RDP.
@Jims-Garage I'll definitely look into installing it onto the client. I've been wanting to do RDP and give it to someone outside my network to connect to, but everyone keeps telling me how unsafe it is, etc.
@williamsnowball4267 For starters you might be better off with my WireGuard video, it's much simpler and achieves basically the same thing for your use case.
@Jims-Garage Alright, I'll go watch it right now. I've basically been wanting to host a VM, mainly a Windows machine, for a few of my friends to use for their needs. Unfortunately, since I'm on a home network it's been a lot harder to do.
Hi Jim, I noticed you mentioned that both sub-domains have to be the same, but I'm just wondering how that is possible since headscale and headscale-ui are on different ports. I'm not running this behind Traefik but instead am using HAProxy, since I use that for all my other sub-domains. Thanks
It's because headscale is served from / and the UI is served from /web. You can check the config in the UI documentation; it explains it in the docker compose example. That uses Traefik, but it should be possible on HAProxy.
@Jims-Garage Tailscale and headscale docs also don't explain it well. There are users, tags, and groups of users. There are lots of schemes that could be used, but it's hard for new users (i.e., me!) to choose one. The flexibility might be good (it's hard to judge as a noob, maybe it's overly complex) but the learning curve is steep. The "tailscale way" is that nodes a user uses get a user, else they get a tag. You can only have a user OR a tag, not both. Except in headscale you CAN have both (in fact you are forced to, you can't add a node with only tags), which is odd. Another way might be to use a single user and use tags for everything. That sounds like it'd work OK. Tailscale warns not to do this, because when a user goes away their tagged nodes don't, but I have a small network and can easily manage that. Also consider taildrop (which sends files to other nodes, super cool e.g. from Android to desktop) can only send to nodes the same user owns. With one user that is any node, otherwise it's more limited. With one user per node, taildrop isn't useful at all.
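The users-versus-tags scheme discussed above, and the earlier question about keeping family members away from services like Portainer, written out as an added headscale ACL policy example (not from the video or the headscale project; the user names, tag names, 100.64.x.x addresses and ports are assumed). Headscale reads the policy as HuJSON, so the comments are allowed:

```json
{
  // Scheme 1: every person gets a headscale user, and users are collected into groups.
  "groups": {
    "group:admin":  ["jim"],
    "group:family": ["alice", "bob"]
  },

  // Scheme 2 (for servers): nodes that belong to no person carry a tag.
  // Only group:admin may apply these tags, so a family member cannot
  // re-tag their own laptop as a server to inherit server access.
  "tagOwners": {
    "tag:server":    ["group:admin"],
    "tag:portainer": ["group:admin"]
  },

  // Friendly names used in the rules below (constructed mesh addresses).
  "hosts": {
    "jellyfin":  "100.64.0.10",
    "portainer": "100.64.0.20"
  },

  // The policy is default-deny: anything not accepted here is dropped.
  "acls": [
    // Admins reach every node and port on the mesh, Portainer included.
    { "action": "accept", "src": ["group:admin"],  "dst": ["*:*"] },

    // Family devices may talk to each other (taildrop between family nodes)
    // and to Jellyfin on its HTTP port only. Portainer never appears in a
    // family rule, which is what keeps it private.
    { "action": "accept", "src": ["group:family"], "dst": ["group:family:*"] },
    { "action": "accept", "src": ["group:family"], "dst": ["jellyfin:8096"] },

    // Tagged servers may reach other tagged servers (backups, monitoring),
    // but nothing here lets a server initiate connections to user devices.
    { "action": "accept", "src": ["tag:server"],   "dst": ["tag:server:*"] }
  ]
}
```

Point headscale at the file from config.yaml (in the 0.22.x releases used in this thread the key is `acl_policy_path`; newer releases moved it under `policy.path`) and restart the container for the change to apply.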
All of the guides surrounding this need an overhaul now unfortunately. Tried this and had an immense amount of issues, mostly centered around the handling of the headscale repo and how they are handling the versions. A few things for anyone doing this nowadays:
1. The latest version tag is deprecated, you MUST specify a target version.
2. You need to grab the version of the config.yaml that is specific to your target version and not pull the one specified in the guide. If you pull the latest config it will NOT work with the version shown in the video.
3. If you aren't using Portainer, use "docker exec (headscale container id) (command, ie headscale routes list)" to use the console instead.
4. The Android app had an overhaul that redesigns the UI. If you would like to change it now, tap the gear and go to Accounts > 3 dots top right > use an alternate server.
It's great, I just wish that the documentation wasn't so godawful and incorrect.
@Jims-Garage Thank you! It didn't show up in my YouTube search for some reason. I checked out the new guide, and it looks pretty good. Is there a compose file you have without Traefik, though? I use NPM instead, and I am sure many others do.
@Jims-Garage Please do, I would appreciate it immensely. There only seem to be 2 main options in the proxy world right now, Traefik and NPM. Not sure if any other ones have much traction in the self hosted community right now. Are there? Still learning, sorry.
@inflatablemicrowave8187 Traefik, nginx and Caddy are probably the most common (along with Apache, but that's a little different). I don't use NPM due to its poor security record.
After several months using Tailscale, I just came back here to share my experience so far. It has been great, but the mobile app is a battery killer. It has become so bad that I am trying to move away from Tailscale. I am using Android, and every time I have to leave home and 4G data is used instead, it kills it. The consumption is aberrant. And I really like to keep connected all the time automatically, not managing it by hand when I need it just to avoid the battery consumption. Have any of you guys experienced something like that? My next stop is what I was considering at the very beginning, Nebula.
That's bad to hear, I haven't experienced that. What phone and Android OS version are you running? Newer models should have it baked into the kernel. FYI I have a Pixel 6 Pro.
@Jims-Garage Hi Jim, I am using Android 13. I have read about it, and it seems a common issue for the mobile app (both Android and iOS). They have a post where they explain and acknowledge the issue, but it seems it is not simple to fix. Have you checked your app consumption stats while connected to the mobile network? I was really happy with it until I saw that :/
Bro.... the db.sqlite file goes in the keys directory (not the config directory) as per your config.yaml file and docker-compose volumes section. This is your first error, but not a big deal. Second error, you completely skip over how to make the subdomain resolve to the headscale server. Maybe or maybe not, people should understand that from your other video. But you don't even make _that_ clear. You just skip over it. What you're doing with your homelab series is fine, but it's just incomplete.
Thanks for your feedback. According to the official docs the db resides in /etc/headscale, which is mounted to /config locally (unless I'm misunderstanding you). You're right that I skip over some of the subdomain low-level details; that's because I've covered it in detail in previous videos in the series and I cannot retread the same items each video.
I have compared several docker containers to native and we're talking 10x ram usage and 4x cpu usage... I can bet there is some latency penalty as well.
Good video, glad you are talking about Headscale. It is worrying that so many people are pushing Tailscale without any interest in hosting Headscale. Especially in the SelfHosted community
I agree. I find some people just deploy things because they're flavour of the month without considering what it is or how they're increasing attack surface/eroding privacy.
Thing is, for a home setting, not self-hosting tailscale has a lot of advantages in removing a single point of failure. There's nothing wrong with using SaaS even in the self-hosted community. The attack surface is reduced (using Tailscale) by not needing to port forward. You fail to mention that traffic is encrypted peer-to-peer, and Tailscale claim they cannot and do not want to see the data in transit. Great video though, and thanks for raising awareness of Headscale
@Jims-Garage You lose many advantages of tailscale when you try to self-host headscale. You lose the simplicity, the fact that it automatically handles dynamic IP addresses that change, and that it works over CGNAT. The last one being a top reason why someone would choose tailscale over self-hosting Wireguard or any other VPN if they had the inclination to completely self-host their VPN solution.
@penguinnexus @Jims-Garage The traffic is encrypted peer-to-peer, but not end-to-end (different concept). The traffic can (in theory) be tapped at the "connecting" end where Tailscale (third party) controls the traffic. However, I do agree that it's still an improvement from doing port-forwarding at home.
@JorgeGarciaM says end to end in the docs though.
Also the private keys never leave the device they were created on.
I heard about Tailscale like 2 days ago but was not convinced by the third party thing.
I'm glad to know about Headscale now thanks to you, nice video :)
Great work Jim. I just used this to help me deploy headscale in kubernetes. Appreciate all the hard work. Next stop setting up authentik as an identity provider via oidc.
Thanks. Glad it helped!
If you are trying to follow this tutorial, headscale stopped pushing releases using the `latest` tag. As such you will need to change the docker compose to use the most recent stable release which is 0.22.3. So your docker compose should be:
image: headscale/headscale:0.22.3
what about omitting the "latest" or "0.22.3"? Does it pull the latest image?
Yeah, sad that I wasted an hour trying to configure things in another way and then realising this was the problem... should have looked through the comments first.
Found by accident, will stay for more! As others said, very good explanation and chill video😊, thanks.
Thanks 👍
Thanks for this! You’ve answered the voice in the back of my mind regarding trusting third parties with fingers crossed. - new subscriber now!
Glad it was helpful!
Thanks!
Wow, thank you, that's extremely generous!
Simply, keep up the great work!
Thanks 👍
Thanks
Thanks, that's extremely generous
Thanks for the demo and video, very concise and detailed. Have a great day
Thanks, Chris.
I've just the other day set up my headscale coordination server on a VPS and this was the natural next step. Thanks!
Now I just need to see if I should switch to a Docker setup. I do run every other homelab thing as a container.
Awesome, good job 👍
Love the cycling stuff on your wall (I know, not IT related…)
@toddzilla Thanks! I know a lot of guys in IT that also do extreme amounts of cycling 😁
Nice vid! it would be good to explore a bit more on how to use ACLs here.
Thanks for your feedback, I'm considering doing a follow up with a more advanced setup.
Amazing stuff, thank you!
You're welcome 😁
Thank you so much for this video. You helped me decide!
You're welcome, glad it was useful
Thanks for the video! Regards from Chile
You're welcome
@jim have you tried deploying the headscale server behind traefik AND ALSO behind a cloudflare tunnel so you don’t have to expose your WAN in dns records (among other reasons)?
thanks works perfectly with pfsense tailscale addon :)
Great to hear
Great, thank you very much for sharing. Greetings from the Araucanía region in Chile.
Great video and great explanation! Will take a look at your other videos as well :)
Thank you. My recent video details how to do this involving a VPS in case you're stuck behind cgnat and cannot port forward.
Very useful video, THX.
Thanks, be sure to check out my other headscale video with an oracle VPS.
Really good video thanks!
I set it to 1.25 playback speed, which I found a great speed to listen to your voice.
Thanks. I'll try to speak 1.25x faster 😂
@Jims-Garage 😂🙌
Very well done Jim 🙂
Thanks, appreciate the feedback.
Hi Jim, good work :) thank you for sharing
Thanks 👍
Wondering about putting headscale on a $5 Linode with Pi-hole. Looking to be able to use secure DNS seamlessly at home and when mobile.
I think right now my mobile browsing goes direct to Quad9 via Android config, bypassing my Pi-hole when at home...
The reason I'm thinking Linode is to better support family by letting them use that Pi-hole, etc.
Thoughts? Worth a video or crazy talk?
I have a separate video showing how to use a free oracle VPS with headscale. It should provide you with what you need.
insane video congrats
@runema13 Thanks 👍
I've been trying to get it to work for months now. But no success. It is probably partly due to my knowledge, but also there are some changes made: the latest version isn't supported anymore, the alpha5 shouldn't have headscale serve, but only serve. But alpha 5 isn't working correctly enough, etc. etc. I had 404 messages, DERP issues, Traefik errors. It has nothing to do with your video, but since it is very early in your homelab journey videos I just wanted to share this message also. It is quite hard for relative 'beginners' in the journey if something doesn't match exactly like in the video. So at this point I'm giving up. I think I will revert to regular Tailscale.
Thanks for letting me know. If it's changed significantly I'll likely do a new video.
Hello, dont know if I've missed it or if not mentioned. Is there a need to open ports on the firewall? Thank you for the great video
Thanks! It works over HTTPS, so you'd need 443 forwarded (or whatever DNAT you want).
@Jims-Garage Thank you for the answer. Have a good day!
Hi Jim! I followed up to 12:35 and created the API key using the command "headscale apikey create", then entered it in the Headscale API Key field for headscale-ui. However, I keep on getting "missing "Bearer" prefix in "Authorizaton" header client". I googled online and the GitHub of headscale-ui says "Your API key is either not saved or you haven't configured your reverse proxy, Create an API key in headscale (via command line) with headscale apikeys create or docker exec headscale apikeys create and save it in settings".
Am I missing a step or something?
I have the exact same problem with the missing bearer in the API key :( Did you manage to figure what was the problem after all?
@georgebobolas6363 Unfortunately I have not. I tried several more times with different ways but I still kept running into the issue. So I'm just using the CLI now, which is honestly not that bad to learn.
@davisclark0776 Thanks. I'll give it a few more tries and post an update in case I manage to work something out.
15:27 I want to use the exit node from mobile on another network. Why won't it work?
Have you added routes and advertised all devices?
Hello! Thanks for the video, I just set up Tailscale yesterday, moving from WireGuard.
I noticed Tailscale would allow only 3 users, not enough for a family. Does headscale have this limit? And is it possible to limit some users to some private services (for instance, keep the family out of Portainer)?
I also was wondering if headscale would still use the 26 DERP servers of Tailscale or also acts as one.
Subscribing for incoming videos!
Edit: I saw it has an embedded DERP server, that's great even if it may be less reliable.
Hey, thanks. As Headscale is self-hosted there should be no limitations on users. I have tested with 5 without problem.
@Jims-Garage That's great. I would have included or at least advised hosting the DERP server too; the public ones limit you to 7 Mbps and all your traffic is routed over unknown servers. I would also have added that it is not possible to serve the UI and hs on different domains unless you fix the CORS header.
i love the poster in the background.
Haha, thanks :)
nicely explained. Thanks.
Wireguard is easier to install and use, right?
Headscale is better, faster and more secure than wireguard-easy?
Thanks 👍 no, both use the WireGuard protocol but for different purposes, they're both as secure from a protocol perspective. WireGuard-Easy is great for a simple point to point connection with multiple people. Headscale (or tailscale) is a mesh VPN. You have the ability to completely control how traffic is routed between devices (even through cgnat). If this is new to you then you probably want default WireGuard (or WireGuard-Easy).
OK. I have used wireguard-easy for a long time.
Now I'm trying to set up headscale (like you).
Is netbird a kind of WireGuard? Do you know it? Is it similar to headscale? Is it not as complex to set up as headscale?
Netbird also uses WireGuard
I tried getting this up and running behind Cloudflare Tunnels and it failed; headscale's logs said that I needed to have websocket enabled. I looked around and it was showing that I had websocket enabled...
It's probably the Cloudflare Tunnel blocking the traffic but I'm not certain. Try without?
Hi buddy, awesome video, but this requires port forwarding, right? If I am using the hotspot of my Android to connect and access the internet on my Linux device this won't work, right? Because no port forwarding is available.
Thanks 👍 this requires port 443 to be forwarded on the server side.
I'm pretty sure that any device that is using your Android hotspot (e.g. a pc or laptop) should be able to access it. It should behave the same as accessing any website.
@Jims-Garage Yeah, any device that is on the hotspot is able to access it. I was just thinking if there was a better way for the hotspot user so that it could be accessible not just by the hotspot user but by anyone. Anyway, I don't think there is a way except Tailscale and ZeroTier. In that case, is there any possibility to make an application hosted with them more secure? The most I could guess was to use Authelia on localhost to make them much more secure, but can there be more ways, and if yes, then what are they?
@trojan6897 I recommend placing an Enterprise-Grade firewall in front of it, and perhaps running it through your proxy (e.g., Traefik) with Crowdsec enabled. I suspect that putting Authelia in the way might break things as it won't be able to complete the authentication journey.
You could also just use something simple, like wg-easy that I showed in my other VPN video (that also uses WireGuard).
@Jims-Garage Setting up WireGuard will also require port forwarding, right?
@Jims-Garage And buddy, can you make a video on how to become a node and self-host with ZeroTier? I can't find any good video on that. If we can become a node and host our app on our node, then it will be accessible by everyone, I believe. If possible, please research and make one on it; it will be very helpful.
My ISP has setup CGNAT. I do not have any public IP. Can I setup headscale and use it with tailscale client? Thank you for the video.
Yes, but you'd need a node elsewhere that isn't behind cgnat (like a vps or a relative's house)
Hi, do you need to enable all 5 of them in your demo? thanks
You only need to enable the nodes you need. 2 is fine.
@@Jims-Garage Still I don't get it. I can enable any and it will work? Why do they repeat? I only create 2 nodes but the node list shows me 5.
@@armanis1234 every device you add is a node. You can then route traffic however you want between nodes.
@@Jims-Garage Something changed since you made the video, because I don't have any option to only run an exit node... on the Android app.
Thanks a lot for this video. I am behind NAT and cannot open ports easily; this way is a bit more tricky, but 100% free and very reliable.
I noticed one problem: when the Tailscale client is connected to my Headscale Oracle server, private DNS on my Android phone stops working. Does any workaround exist for this?
@@giokiborg change your DNS server to the local server. Everything should work as expected
I've taken a look at the docs for Headscale and was very apprehensive. This makes the process much more approachable IMO.
Thank you!
Are all British homes heated with radiators and boilers?
Thank you! I would say most homes have central heating, certainly with radiators. Either gas if you're on the grid, or oil if you're more remote.
Tailscale is blocked where I live. Would this help me create my mesh network? I'm not sure if they have blocked only Tailscale or the Wireguard protocol.
Interesting. Worth checking first if it's Tailscale domains that are blocked: can you access their website? If not, try deploying a simple WireGuard container first and testing. Next, if that doesn't work, try changing the port. If all that fails it's likely the protocol that's blocked. You can masquerade it, but it's not bulletproof.
@@Jims-Garage Thanks. Will try those steps. The Tailscale website can be accessed. Btw, what is masquerading and how could it help? Is it the same technique used by Cloudflare WARP? Asking since WARP continues to work in regions where WireGuard is blocked.
Thanks for this, very informative. Tried to get it running on a Pi but sadly it doesn't work on arm/v7, only AMD64.
Hopefully that will change in the near future.
Hi Jim, I have a question about the Portainer container console.
It isn't working; if I click console on Portainer I get "Error, Unable to retrieve image details".
Have you seen this error? And how can I fix it?
My Portainer version is 2.19.5. Docker version 26.1.3, build b72abbb.
Thanks for the help.
Try a different shell on the drop-down menu
@@Jims-Garage Thanks, where is the drop-down menu in Portainer?
I don't see it 😞
Is there a limit on the number of users?
I don't think so, at least not in a practical sense
I did not see any supporting docs for MacOS/iOS for headscale. Could you point me in the right direction?
You need to use the tailscale client.
@@Jims-Garage I did the same steps like you did for the win machine and it works great, but I did not see a spot to tap the three dots like you did for your android device. I also did not see anything for the MacOS side. TIA!
@@Daz2281 check out this Reddit post. It's in your phone settings for the app www.reddit.com/r/Tailscale/s/cZDq4pi1AJ
@@Jims-Garage YOU SIR ARE THE MAN!!!!!
@@Jims-Garage YOU SIR ARE THE MAN!!! Thank you!
Great explanation. I have one question for yourself or anyone else reading this: in a site1 to site2 setup, pfSense1 to pfSense2, for a device behind the pfSense1 router, how do you get it to use the DNS from pfSense2 to resolve and connect to a device behind the pfSense2 router? Advertised routes work, but what about advertising DNS names?
You can specify the DNS server in the config. I guess when you share the route you just set it to your local DNS.
Unrelated, but you've got an amazing voice; you could try meditation podcasts :P
Haha, so what you're saying is that I send you to 😴 lol
8:24 no link 😞
Oops, let me fix that when I'm home
Excellent tutorial and explanation, very appreciated, thank you. A sub and a 👍 deserved.
Glad you liked it
I have to use a computer at work where I can't install software, but I need to control my VMware Workstation on my PC at home. I was going to use Guacamole, but it's not that secure, so I was going to use Cloudflare with Guacamole, but then found out that Cloudflare routes everything through them, just as you described. I won't be doing much but logging into a guest account and controlling my VMs in there. Is WireGuard the solution? I thought Tailscale would be the way to go, but I can't install the software on my computer at work.
I don't think you can install WireGuard without admin privileges. You might need a HTTPS based VPN.
Hi, how are you doing? I have been trying to deploy Headscale in my homelab but no luck. I installed the app on my phone and added my custom domain, but it returns no keys. I can go to domain/windows and I can see the instructions. I am using nginx-proxy instead of Traefik, but that should not be an issue. Any thoughts?
So when you visit domain/windows there is no command to paste into the terminal?
@Jims-Garage There are commands there with the correct domain. But I tried to follow the process on the phone first. After clicking on sign in, it just hangs there.
Hi Jim, this was a great video. However, I am using Proxmox now and it has an LXC container for Headscale in the Helper Scripts. I was able to install it but not able to figure out what to do after that. Can you make a video please?
Dumb question but can this be deployed over UniFi’s stuff?
Yes, no different to the setup I demonstrated
@@Jims-Garage sweet!!
@@Jims-Garage I have another dumb question: is it possible to self host on Headscale and still somehow use Tailscale accounts? I really like both concepts.
is this only available to run in Linux?
Server, yes. Client, no.
Would love to see more about your remote family support and remote backup with and for them.
Are we locked to 3 users still (tailscale) or?
3 users, but I think many devices per user
@@Jims-Garage But using headscale should solve this, no?
@trivimlatinum8756 correct
My country often blocks WireGuard. Does that mean Headscale won't work?
Probably. You should be able to get around that with a VPS. Check my other Headscale video.
Would this setup work if I live outside China and want to install VPN server on an old Intel NUC device and place it behind the router in my friend’s house in China (with no public IP). I want to access Chinese websites. In particular, a Chinese server I am trying to get into will block my access if my IP is not in China. If this is doable, what should I install at my home if the device accessing the VPN server in China is an IOT device (e.g., vacuum robot)? Do I need another device installed at my place to serve as a VPN client? Sorry, I have no technical knowledge about networking. If you can provide links on how to install VPN server on NUC and recommend what device to use as a VPN client and provide link on how to install VPN client on such device, it would be greatly appreciated.
In theory, yes, but I've no means of testing it. Essentially you join a machine from inside China to the mesh and advertise it as an exit node. Then on another machine on the mesh you select the machine in China as your gateway (internet access).
I was trying to use Headscale on my homelab, then I quit since I don't have a fixed public IP (my ISP doesn't give that option).
Check my other headscale video that uses a VPS to overcome your problem.
@@Jims-Garage i'll check it thank you
Thanks for a detailed video. From my understanding, and I could be wrong, it looks like we need a static IP to set up the Headscale server. Being behind CGNAT is why people use Tailscale, isn't it?
In this example, yes. My other headscale video uses a VPS for those who are behind cgnat.
@@Jims-Garage Yes Jim, watched the other video as well. Thanks for that.
@@Jims-Garage can I make it work behind CGNAT if I have a No-IP DDNS registered?
02:00 I‘m sorry but the claim is completely wrong.
The traffic is not routed through Tailscale‘s network.
Have a read of the documentation: tailscale.com/kb/1094/is-all-traffic-routed-through-tailscale
Plus, authentication is still handled by them, it has to be. I don't have a problem with tailscale, I think it's good, but traffic absolutely has to touch their network otherwise it would be superfluous.
I wouldn't call authentication and coordination traffic passing through their network. It's misleading.
There are edge cases (which you can turn off) where no P2P is possible and encrypted traffic is relayed.
I'm not defending Tailscale, but that should be corrected.
Hmm, so my setup is slightly different. I use HTTPS all the way to Traefik, not HTTP. So when I try to set this up, Traefik isn't handling the WebSockets properly. How can I fix this?
Hi, not sure I quite understand your comment. In my video and config it's HTTPS to Traefik, that is then routed to 8080 on Headscale. If you're using Traefik it should just work.
What error are you facing?
NetBird is a kind of WireGuard. Do you know it? Is it similar to Headscale? Is it not as complex to set up as Headscale?
I tried self-hosting NetBird but could never get it to work between networks, sadly.
Good video. TY
Thanks, you're welcome
Hi Jim, quick question.
Is there a specific reason you deploy the containers via docker-compose instead of using Portainer Stacks?
Removes a dependency on Portainer for those who do not wish to use it. The great thing is that you can simply copy a compose over and it will work for both audiences.
Can I test this without taking down Tailscale first?
I don't believe it would conflict. At most, you'd need to change default ports.
@@Jims-Garage I might give it a chance. Either on my unRAID or Synology.
Headscale is great, but I recommend Tailscale for the same reason I still use Tailscale myself.
I don't want to punch a hole in my firewall or deal with something like DuckDNS.
And while I could stand up a VPS with Akamai or the like to run my Headscale instance, it's just more cost and time than I am currently willing to put in.
Maybe once Tailscale hits its crap phase like most other internet services I'll fully jump ship, but until then I'll keep watching and testing Headscale while using Tailscale in my production setups.
Yeah, I can't fault that approach. Here's to hoping Tailscale remains awesome.
Have you heard of netbird? It's a nicer alternative to Tailscale/Headscale. It can be selfhosted, does have a nice GUI and can be integrated with Keycloak ;)
I haven't, let me check that out. Thanks for the info.
After a bit of roaming I noticed NetBird misses the exit node feature and the "taildrop" feature. Plus, would the NetBird GUI also be available when self-hosted?
I couldn't get Netbird self hosting to work, tried for ages. Could get peer to peer working on same network but not to other networks.
Thank you for the amazing tutorial! I just had a quick question, is it possible to remotely access one of my VMs such as a windows server from proxmox with this?
Yes, absolutely. Either install the client on the VM, or put it on another device in the network (e.g., a 'jump box') and connect via something like RDP.
@@Jims-Garage I’ll definitely look into installing it onto the client, I’ve been wanting to do RDP and give it to someone outside my network to connect to but everyone keeps telling me how unsafe it is and etc.
@@williamsnowball4267 for starters you might be better off with my WireGuard video, it's much simpler and achieves basically the same thing for your use case.
@@Jims-Garage Alright, I'll go watch it right now. I've basically been wanting to host a VM, mainly a Windows machine, for a few of my friends to use for their needs; unfortunately, since I'm on a home network, it's been a lot harder to do.
Hi Jim, I noticed you mentioned that both sub-domains have to be the same but I'm just wondering how that is possible since both headscale and headscale ui are on different ports. I'm not running this behind traefik but instead am using haproxy since I use that for all my other sub-domains. Thanks
It's because headscale is served from / and the UI is served from /web. You can check the config on the UI documentation, it explains it in the docker compose example. That uses Traefik but it should be possible on haproxy.
@@Jims-Garage Got it. let me try to configure it on my haproxy. Thanks
I still can't figure it out with my Haproxy. Have you made it work?
Great, but how to connect the MacOS client? There are no 3 dots ;-(
Thanks for the video.
Have only one problem. I use SWAG with nginx; does someone have a working nginx config?
Sorry, I don't have one. Perhaps someone on the Discord could help you with that.
Didn't explain why I'm creating a user per device.
Gives you the option to add more people was my rationale but appreciate I might not have stipulated that.
@@Jims-Garage Tailscale and Headscale docs also don't explain it well. There are users, tags, and groups of users. There are lots of schemes that could be used, but it's hard for new users (i.e., me!) to choose one. The flexibility might be good (it's hard to judge as a noob, maybe it's overly complex) but the learning curve is steep.
The "Tailscale way" is: nodes a user uses get a user, otherwise they get a tag. You can only have a user OR a tag, not both. Except in Headscale you CAN have both (in fact you are forced to; you can't add a node with only tags), which is odd.
Another way might be to use a single user and use tags for everything. That sounds like it'd work OK. Tailscale warns not to do this, because when a user goes away their tagged nodes don't, but I have a small network and can easily manage that.
Also consider taildrop (which sends files to other nodes, super cool eg from Android to desktop) can only send to nodes the same user owns. With one user that is any node, otherwise it's more limited. With one user per node, taildrop isn't useful at all.
All of the guides surrounding this need an overhaul now, unfortunately. Tried this and had an immense amount of issues, mostly centred around the handling of the Headscale repo and how they are handling the versions.
A few things for anyone doing this nowadays:
1. The latest version tag is deprecated; you MUST specify a target version.
2. You need to grab the version of the config.yaml that is specific to your target version and not pull the one specified in the guide. If you pull the latest config it will NOT work with the version shown in the video.
3. If you aren't using Portainer, use "docker exec (headscale container id) (command, i.e. headscale routes list)" to use the console instead.
4. The Android app had an overhaul that redesigns the UI. If you would like to change it now, tap the gear and go to Accounts > 3 dots top right > use an alternate server.
It's great, I just wish that the documentation wasn't so godawful and incorrect.
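Point 1 in the list above (the `latest` tag no longer being published, so the image must be pinned) is the kind of thing that is easy to miss when copying a compose file from an older guide. The following is an added example, not code from the video or the Headscale project: a small POSIX shell check that scans a docker-compose file and reports any `image:` entry that floats on `latest` or carries no tag at all. The sample compose content is constructed for the demonstration; the only real values in it are the `headscale/headscale:0.22.3` tag already mentioned in this thread and the Traefik image name.

```shell
#!/bin/sh
# Added example (not from the video or the Headscale project): report
# compose images that are not pinned to an explicit version. An unpinned
# image silently changes what you deploy on every pull, which is both a
# reproducibility problem and a supply-chain risk.

# Usage: check_pinned_images <compose-file>
# Prints each unpinned image on its own line and returns 1 if any were
# found; returns 0 (printing nothing) when every image has a real tag.
check_pinned_images() {
    unpinned=$(grep -E '^[[:space:]]*image:' "$1" \
        | sed -E "s/^[[:space:]]*image:[[:space:]]*//; s/[\"']//g; s/[[:space:]]*(#.*)?$//" \
        | awk -F: '{
            # The tag is whatever follows the last ":"; a registry port such
            # as "host:5000/repo" leaves a "/" in that field, which means the
            # image really has no tag. "latest" and an empty tag are unpinned.
            tag = (NF > 1) ? $NF : ""
            if (tag == "" || tag == "latest" || tag ~ /\//) print $0
        }')
    [ -z "$unpinned" ] && return 0
    printf '%s\n' "$unpinned"
    return 1
}

# Constructed sample compose file for the demonstration.
sample=$(mktemp)
cat > "$sample" <<'EOF'
services:
  headscale:
    image: headscale/headscale:latest   # deprecated tag, will not resolve
  headscale-ui:
    image: "headscale/headscale:0.22.3" # pinned, passes the check
  traefik:
    image: traefik                      # no tag at all
EOF

if check_pinned_images "$sample"; then
    echo "all images pinned"
else
    echo "pin the images listed above before deploying"
fi
rm -f "$sample"
```

Run it against your own compose file with `check_pinned_images docker-compose.yml`; a non-zero exit status makes it usable as a pre-deploy gate in a script or CI job. Pinning by digest (`image@sha256:...`) also passes the check, which is the stronger option if you want the image to be immutable rather than merely versioned.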
@@inflatablemicrowave8187 check my last video, I revisited headscale.
@@Jims-Garage Thank you! It didn't show up in my youtube search for some reason.
I checked out the new guide, and it looks pretty good. Is there a compose file you have without traefik, though? I use npm instead, and I am sure many others do.
@@inflatablemicrowave8187 I don't, sorry. I might cover it in the future. Hard to accommodate every variable.
@@Jims-Garage please do, I would appreciate it immensely. There only seem to be 2 main options in the proxy world right now, traefik and npm. Not sure if any other ones have much traction in the self hosted community right now. Are there? Still learning, sorry.
@@inflatablemicrowave8187 Traefik, nginx and caddy are probably the most common (along with Apache but that's a little different). I don't use npm due to its poor security record.
great vid content, some feedback on the slides, the transitions are a bit 2000's powerpointy and hurt my head ;-)
Haha, thanks. Will see what I can do (editing kills me inside).
After several months using Tailscale, I just came back here to share my experience so far. It has been great, but the mobile app is a battery killer. It has become so bad that I am trying to move away from Tailscale. I am using Android; every time I have to leave home and 4G data is used instead, it kills it. The consumption is aberrant. And I really like to keep connected all the time automatically, and not manage it by hand when I need it, just to avoid the battery consumption.
Have any of you guys experienced something like that?
My next stop is what I was considering at the very beginning, Nebula.
That's bad to hear, I haven't experienced that. What phone and Android OS version are you running? Newer models should have it baked into the kernel. FYI I have a pixel 6 pro
@@Jims-Garage Hi Jim, I am using Android 13. I have read about it, and it seems a common issue for the mobile app (both Android and iOS). They have a post where they explain and acknowledge the issue, but it seems it is not simple to fix.
Have you checked your app consumption stats while connected to the mobile network? I was really happy with it until I saw that :/
The UI refuses to work based on this config and GitHub is no more helpful for it.
The traffic is NOT routed through their network, it only opens up connections to bypass NAT and such.
Read their documents. If a direct connection isn't available it goes over their network.
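The two comments above (and the earlier exchange at 02:00) disagree about whether traffic touches Tailscale's network; the point of agreement is that peers fall back to a relay only when no direct path can be established. Rather than argue from documentation, you can audit your own tailnet: `tailscale status` reports, per peer, whether the current path is `direct` or goes via a `relay`. The following is an added example, not code from the video or from Tailscale or Headscale: two small POSIX shell functions that pick the relayed and direct peers out of that output. The status lines are constructed to match the text format the client prints; the hostnames, user and addresses are sample values, not anyone's real network.

```shell
#!/bin/sh
# Added example (not from the video or the Tailscale/Headscale projects):
# audit which peers are relayed instead of connected peer-to-peer.
# Feed it the output of `tailscale status` on stdin, e.g.
#   tailscale status | relayed_peers

# Hostnames (second column) of peers whose current path goes through a
# DERP relay; these are the flows that transit third-party infrastructure.
relayed_peers() {
    awk '$0 ~ /relay "/ { print $2 }'
}

# Hostnames of peers with an established direct (peer-to-peer) path.
direct_peers() {
    awk '$0 ~ /; direct / { print $2 }'
}

# Constructed sample of `tailscale status` text output; the first line is
# this node itself, the rest are peers in the various states the client
# reports (direct, relayed, idle with no current path, offline).
SAMPLE_STATUS='100.64.0.1  homelab  user@  linux    -
100.64.0.2  laptop   user@  windows  active; direct 203.0.113.10:41641, tx 18220 rx 20344
100.64.0.3  phone    user@  android  active; relay "lhr", tx 9020 rx 11208
100.64.0.4  nas      user@  linux    idle, tx 0 rx 0
100.64.0.5  vps      user@  linux    offline'

# Report, and exit non-zero if anything is relayed so this can gate a check.
relayed=$(printf '%s\n' "$SAMPLE_STATUS" | relayed_peers)
if [ -n "$relayed" ]; then
    echo "relayed peers: $relayed"
else
    echo "no relayed peers"
fi
echo "direct peers: $(printf '%s\n' "$SAMPLE_STATUS" | direct_peers | tr '\n' ' ')"
```

An idle peer shows neither `direct` nor `relay` until traffic flows, so run the check while the connection you care about is in use. For anything scripted long term, `tailscale status --json` is the more stable interface (each peer carries `CurAddr` and `Relay` fields), but the text parse above is enough to confirm whether a given pair of machines is actually talking peer-to-peer.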
no longer working...
I'm going to come back to headscale in the near future
Bro.... the db.sqlite file goes in the keys directory (not the config directory) as per your config.yaml file and the docker-compose volumes section. This is your first error, but not a big deal. Second error: you completely skip over how to make the subdomain resolve to the Headscale server. Maybe, or maybe not, people should understand that from your other video. But you don't even make _that_ clear. You just skip over it.
What you're doing with your homelab series is fine, but it's just incomplete.
Thanks for your feedback. According to the official docs the DB resides in /etc/headscale, which is mounted to /config locally (unless I'm misunderstanding you). You're right that I skip over some of the subdomain low-level details; that's because I've covered them in detail in previous videos in the series and I cannot retread the same items each video.
You forgot to mention that there are native ARM and x86 MacOS Headscale servers.
Check 02:24 - that shows all of the available clients.
sorry I meant servers @@Jims-Garage
Wonderful project, but a dislike for using Docker.
Why don't you like it using Docker?
I have compared several Docker containers to native and we're talking 10x RAM usage and 4x CPU usage... I can bet there is some latency penalty as well.
Is it faster?
On paper it should be as it cuts out 3rd party infrastructure.