It doesn't. Just 80 and 443 on the network if you're inside a LAN. In my case I forward 80 and 443 to my reverse proxy, and let that deal with calls to the headscale server.
If you are trying to run it on a machine with no desktop interface / browser, then it will hang because it's waiting for the auth-key. If you are trying to make it open your Auth screen on a desktop and it's not opening, then I also saw it hang a few times. Just took persistence for me.
@AwesomeOpenSource Because my Android cannot pop up that window, I tested other platforms and found Tailscale hangs in the Linux terminal. Then I found I can fix it by changing server_url in config.yml of headscale from to , but I don't know why.
Hey all, everything works until I add the custom location in NPM. As soon as I save after adding the "ladmin" at the same IP, the proxy host goes from "Online" to "Offline" in NPM. Any ideas? No error in the headscale or headscale-ui logs. I'm using a VPS. Firewall is disabled. It did the same thing when I hosted it on my network. Thanks
Netmaker is great, and for a newer user, IMO, easier to get certain things setup like exiting into an entire LAN from the Wireguard network. Making an Exit Node so all traffic goes through Wireguard out to the internet, etc. That said, Headscale is not super difficult to use, but going between the headscale docs and Tailscale docs is a bit annoying at times. Overall though, it just takes some experimentation.
Good one. But unfortunately, it's hard to get a public IP address in many regions, and opting for a static IP address is the only option if this method is selected (which obviously costs extra, per month). The majority of ISPs nowadays are choosing to provide CGNAT IP addresses. 😩
True. Depending on what costs more, you could potentially set up your server on a VPS for a few bucks a month, or maybe using the Oracle Free Tier. Then use that as your public IP.
I don't have a static IP. However, I have a domain and a DDNS service running. How do I set up a reverse proxy? Instead of an A record, will a redirect to the DDNS URL work? Thanks for making great videos!
Set up a subdomain of the DDNS, and make sure the ports are set up properly coming into your network. You can still use NGinX Proxy Manager to proxy the request for the DDNS subdomain around your network as needed.
Download the Tailscale client, then change the server you want to authenticate with, or use the terminal to connect using the command I used in the video.
OK, MacBook done, now fighting with the obvious things that were "one click" steps in Tailscale - approving exit nodes and routes etc. - yep, Tailscale made it easy
Hey Brian, could you help me understand what the requirements are to host Headscale? I can't seem to find that information. Is it OK to do so on a VPS, or a Raspberry Pi, or what other system?
I don't know specifically what specs you need. I am running on docker, as you know. Currently with about 10 connections it's using 28 MB RAM, and goes from 0 to 4% of a single CPU. It's not using much of anything at all really. So I think you could easily run it on a low cost VPS from DO or Linode, etc. I do think there is an RPi version you can run, and seems like I've seen posts from folks who run it on that hardware. I run it on a VM with Docker, and it's running fine so far.
I'm not 100%, as I didn't set up that part. Here's what's in their documentation though: "WebSockets support is required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our config-example.yaml." Hope that helps.
Yes done that. Acme throws weird certificate errors. Kindly consider a short follow up video on running the embedded derp server as it will truly make the headscale private.
Hi Brian... Great tutorial again. Have you tested the Tailscale Android app? I cannot connect to headscale, even though I changed the server to my self-hosted server. Any idea?
I haven't. I'm not an Android user, and don't even have a test device. The Headscale documentation indicates that it and iOS should work, but I also have difficulty getting my iOS app to let me use my own server. I'm still working on it, so I'll update when / if I get it working.
Oddly enough. I just tried it again, and now it's letting me add my phone. It essentially loaded a browser window with the command, and a key I need to use to register my device to my server. I had to reset the tailscale app in my settings, then kill the app, reboot the phone, then start the app again.
I'm having issues with tailscale up hanging on Ubuntu Server (let's call it #1). I'm using NPM (hosted on #1 and working for other subdomain containers) pointing to a dedicated VM for headscale (#2). The only difference in my setup is I'm using the imported certificate that I got from Cloudflare, which my domain is proxied through.
Cert shouldn't matter. I had the tailscale up command get me a couple of times too. It was just a matter of me digging in. On an LXC in Proxmox I found I had to pass through the Proxmox setting to the LXC container for this to work, as the LXC couldn't access the tun0 that it needed for Tailscale to work. You might make sure the tailscaled service is active, and if not, check the logs. If it is, restart tailscaled and try again.
A question: how do I make it so that all the traffic goes through headscale? When I connect, my public IP does not change and my normal public IP continues to appear, but I want to make full use of the headscale internet. Is there any option?
@AwesomeOpenSource That's it, I already did it! Incredible, after searching and analyzing on my own and obviously because of the support in the videos, I managed to do it. I can now pass all the traffic through a node, and not only that, many other things, fantastic! :)
@AwesomeOpenSource Thanks. I've been using Tailscale for years, and have my own list of next best things to try like ZeroTier and Nebula, but never got time.
Great tutorial. The only problem that I had was with Nginx Proxy Manager. The latest version 2.11.0 is broken on the custom location part so I had to downgrade to version v2.10.4
If you want to set it up for access over the internet, then it will. You could setup the control server on a VPS with a public IP, and it will coordinate your clients to all find each other as an alternative.
Anyone else get this? WRN Failed to read configuration from disk error="While parsing config: yaml: line 12: did not find expected key". I copied it right from the site. I also did the wget method. Thanks!
Sometimes, copying yaml, for whatever reason, seems to either include some special hidden character, or not include something needed. I've found I just have to manually type it, or use an online yaml checker to try and figure out what's wrong with it.
@AwesomeOpenSource Solution is easy: the config file is outdated. You need to manually download the latest release tar and then use that configuration file.
Just depends on how much you are using it. Should run fine. Essentially WireGuard creates a nice peer-to-peer network. Some devices need the relay server, but desktops and laptops can usually navigate a P2P connection. Mobile devices can as well; it's really the cell network that interferes, from what I understand.
Not for the web UI specifically. The https requirement will be to get your mobile device to connect to the headscale server. You need to have a valid cert on an iOS device, but not sure about Android's requirements.
For me, they both have pros and cons. Netmaker, IMO, once up and running is much easier to just start using, and the built-in Web Admin panel is really great. Things like the subnet routing (getting onto a LAN from the WireGuard VPN) are also quite a bit easier with Netmaker. Alex really has done a ton of work to make everything very easy. Headscale is a bit more piecemeal, and you need to read a bit to find the right commands to do various things. The Tailscale client is good, but again, no GUI from Tailscale for Linux... thus Trayscale comes into play as yet another piece you can add on. You can do all the same things, but Netmaker still makes it easier as a fully self-hosted solution.
Hi Brian....I am certain you already know this, but when creating more than one directory, just use the one command and add the names of the other directories you want to create.......less typing....LOL
I do, I just like for folks to be able to follow what I'm doing, especially those who may be more new to the command line. But I still appreciate you sharing the tips with me. Keep 'em coming.
I'm already using Authentik, but it's actually quite "simple" once you get your head around what you need to do. It may translate to Zitadel as well. I'll look into it to see what I can figure out.
I wish Tailscale was built into the Nextcloud solution and app so you could run a VPN and still access your Nextcloud without having to open a port on mobile.
@AwesomeOpenSource Yeah, but there is no option for choosing a custom server. If you use Bitwarden it gives me the option to select a server (Vaultwarden works); here there are no such options 😕
That's a shame, docker is really a great way to run your services. You can install any project directly on your system as well. Docker just makes that a bit easier by 1. scripting out the installation, 2. using a very minimal image to install it on, and 3 making it a very lean virtual machine (container) which segregates it from the rest of the system unless you make the in-roads for it.
@AwesomeOpenSource I speak from experience, e.g. 10x RAM usage and 5x CPU usage for Pi-hole. This is not viable for any efficiency-minded individual or server admin.
Sorry, I wrote a message I can't find about some issues I encountered. It took me time, but this might help others too... I finally got it to work: it took me a while but I found a solution. I used the latest tag available and changed the Command (line) to serve rather than headscale serve. That did the trick and now it is up and running. This is my .yml file now:

    services:
      headscale:
        image: headscale/headscale:v0.23.0-beta1
        volumes:
          - ./config:/etc/headscale/
          - ./data:/var/lib/headscale
        ports:
          - 23568:8080
        command: serve
        restart: unless-stopped

I thought this might help someone. Thank you
I was thinking about researching about this the other day , after using tailscale and it was working great but I wanted something more open source. Thank you men you are awesome!
My pleasure! And thank you!
Also, you can host your own DERP server, which will be 100% self-hosted.
This is one of today's projects for me :) excellent video!
Fantastic!
I'd no idea something like this existed, fantastic!
Glad you like it!
Nice video. Thanks for mentioning Trayscale.
You bet.
This is just great Brian
Going to definitely try this out
Awesome! It works quite well.
Thank you man, I liked your video! Respect
Have a good day!
Thank you.
I hope that you will create a similar awesome video about self-hosted zerotier server too :)
I’ll have to look into it again. When I looked last it was very sparse on details and it seemed to have some parts still reliant on Zerotier services. Maybe it’s gotten better.
Hi Brian, great content, just 2 observations:
- it would be great if you add chapters to your video, very useful for reference after the first watch;
- maybe you explained in other videos, but why do you open docker ports instead of joining the containers to the same network as nginx proxy and just use the service name and its port? This will increase the security of the whole system. I like to use traefik as reverse proxy because I can set up the routing rules via label on the service container, very handy!
I have timestamps in the description, which is how the chapter markers used to be made. Not sure if TH-cam changed how to do that and I missed it. I'll check and see... but weird. I open ports because I run NGinX Proxy Manager on a different host than I run most of my other applications. You can absolutely do it the way you are saying though.
Thank you for the video. +1 for a follow up video showing how to use OpenID to provide authentication.
You are welcome, and hopefully recording this evening!
great Video! Thanks for that! worked like a charm!
Super glad it's working for you.
Unfortunately, it appears that the headscale-webui project has been abandoned. No fixes have been made for over a year and the API adjustments to headscale 0.23 are missing.
Sorry to hear that.
Anyway, great tutorial like many other from you.
You might check out this one github.com/gurucomputing/headscale-ui
I dove into this headfirst (no pun intended, but I'll take the laugh), and ended up trying to do this with headscale and headscale-ui, then found Firezone because of authentic, then found Defguard. My issue is that I'm using Traefik on a docker host, and multiple docker servers, so I've just been adding the containers to the manual file config.
hahahahah. Adding Firezone and DefGuard to my list for future coverage! Very cool!
I don't understand your step at 47:37. Why do you specify a different port number? Shouldn't that be port 8080?
In docker containers, if you are running other containers, common ports are often already in use on the host. The ability to map a different port number is a great feature in docker. It allows you to run multiple services on the same host that may need the same port. So, in order to avoid 8080, I changed it to a less common port.
Later, I left headscale-ui for headscale-admin, it is much more responsive and nicer UI, imo. One setup difference is each device accessing its UI needs its own headscale API key. I'm not sure whether this approach has more risk than the centralized headscale-ui approach.
I tried several, I showed headscale-ui on the video, but believe I also ended up on headscale-admin.
Thanks for the video. It is very informative. Can you do a video on setting up routes? Again, great work.
I'll see what I can do.
Hi Brian, I am getting an error when I build the container:
FTL go/src/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key: failed to save private key to disk: open : no such file or directory"
headscale_headscale_1 exited with code 1
Do you know how to fix it. Thanks
You might check the permissions of the folder it's trying to create the key in, and make sure it can write a file there.
Hello! @AwesomeOpenSource I have exactly the same problem, and I have absolutely no idea where I should give write or read rights...
Can you help us with this?
@AwesomeOpenSource Solution is easy: the config file is outdated. You need to manually download the latest release tar and then use that configuration file.
@alexfields1334 This fixed the problem for me as well
One more thing. In config.xml, the ip-prefix section, you should put the ip4 range before the ip6 range, otherwise, the copy ip function in Tailscale client will always copy ip6 address instead of ip4.
Great tip! Thanks for that!
Perfect video man, thanks....
One question... if we use Cloudflare DNS manager and route a subdomain to the server, do we still need the reverse proxy? I don't understand why we need them in the first place
Reverse proxy generally runs as a way to route traffic around your internal network of services. So, auth.mydomain.com goes to your authentication tool, chat.mydomain.com goes to your matrix server, and vpn.mydomain.com might go to your headscale UI. The other part is that, in this case, we can point a domain to our headscale network, and allow clients to connect, so the reverse proxy says I see your request for xy.mydomain.com, and I have a matching entry at 10.20.30.40, let me send you to that machine on port 29897. Something like that.
Doesn't work for me in October 2024. When headscale container is started, log just keeps repeating "headscale-1 | Error: unknown command "headscale" for "headscale"
headscale-1 | Run 'headscale --help' for usage."
I think Headscale changed some things. I'll see if I can make an update video soon-ish.
Hi Brian I love your videos !!!! been a massive inspiration I have been learning a lot, could you maybe do a video on ACLs ?
I've been tackling that topic myself. I have the basic ACLs working between users / groups, and device access, but I haven't gotten the ACL for me to access another groups exit route to their LAN setup properly yet. Let me get a bit further, and I'll definitely do one.
Great video as always
Thank you my friend, Glad you enjoyed!
This tutorial can't be used anymore since recent updates break a lot of things. The web UI is also very buggy, so a new updated tutorial with another web management interface would be awesome. I tried myself to use another web UI without any success.
Hmmm. I'll have to take a look. This isn't that old of a video. As for Headscale UI it was the best one I found as far as functions. Do you have any others I could look into?
@AwesomeOpenSource Yes, since I finally succeeded in using it, I can even help you if necessary. The best one I found is headscale-admin, which is the best so far with a lot of improvements. The only problem is with Nginx Proxy Manager (be careful, the latest NPM version is broken with subdomains). I can give you my config files, which will save you a few hours of work and avoid the trial and error I went through.
@AwesomeOpenSource I've tried to answer you a few times but it's deleted each time. Try headscale-admin. I have all the necessary config; if you want it I would be glad to help you and give it to you.
@@Virtualchronos TH-cam will delete comments from viewers if it has a URL or link in it. But if you will jump over to discuss.opensourceisaaesome.com, I’d love to see what you have. I’m mickintx
@AwesomeOpenSource I didn't include any link. I suspect YouTube bans some specific terms I maybe used without noticing. I'll send you a message there, count on it ^.^
So this is my scenario: machine 192.168.1.10 is where I am running headscale. 192.168.1.11 is running nginx manager. I was able to add 192.168.1.10 to the host proxy, but I was not able to add it with SSL. It gives me "error: internal error". I also have a domain name, which I specified in the headscale config file and in Nginx Proxy Manager. Now, do I need to set up a port forward, forwarding to 192.168.1.11? If yes, what port number should I be specifying for both ports on the port forwarding page of my router? So when I enter the domain name, the packet will go out onto the internet, and then enter the router. And then the router forwards that packet to nginx, and then nginx forwards that to 192.168.1.10. Am I understanding this right?
You should forward port 80 and 443 to the ip ending in .11. Then on NGinX proxy manager create your entry for headscale. Now just enter port 80 in the first tab, then request a new certificate on the SSL tab, and agree to the TOS. Save. This should get you going.
@AwesomeOpenSource Thanks. Yeah, there were many details that I had to try out. Because of the magic of ZFS, any changes I made to the nginx server or headscale server I could reverse using a snapshot, so I could try different things. I finally managed to get it to work. So now the client will be using https to connect to the headscale server. But it's frustrating that I do not know many of the details. Let me list these questions; you don't have to answer them. I am already grateful for your videos. I learned so much about nginx, not to mention the web server for nginx and for headscale, which I knew nothing about. Question #1: when creating a port forward in the router, there are two ports that I need to specify; I am assuming that one is the port the router is listening on from the internet. The other port is used to talk to the internal server (in this case the nginx server). Can these two ports be different? Question #2: am I right to assume that nginx requires two ports: one to listen for signals from the router (from port forwarding, the port used to talk to the internal server) and the other port that will be used to talk to the headscale server? So the talking and listening port between the router and nginx must be the same. In the same way, the talking and listening port between nginx and headscale must also be the same.
@AwesomeOpenSource Another question that you don't have to answer: since the SSL cert is in nginx, that means the encrypted data transfer is between the client and nginx. And since the headscale server is listening on port 80 and in your video you did not specify an SSL cert, the communication between nginx and the headscale server is not encrypted, which is fine because they are both behind the firewall. So if I specify the SSL cert in headscale, do I still need to specify the SSL cert in nginx? Probably the answer is "up to me". If there is no SSL between the internet and nginx, there will be no encryption between the internet and the nginx server. But there will be encryption between nginx and headscale. So it is a waste of time to specify SSL in headscale. SSL is only used one time during the machine registration between the headscale server and the Tailscale client, right? Afterward it does not matter anymore. The WireGuard connection will be established between the client and headscale directly, bypassing nginx. Or every time I switch off Tailscale and then turn it back on, it will go through the nginx server to re-establish the connection. Once the connection is established, nginx is no longer needed. I guess nginx is used to pass secure information to build the tunnel between the client and the headscale server. After the tunnel is created, it is the TLS encryption from WireGuard that will guard the data exchange between the two.
A question: you also have a tutorial about Netbird, very good. Now, which is better and safer, Netbird or Headscale?
thanks.
I personally like the ease of setting up routing rules in Netbird. This can be done with Headscale, but it's all done through Yaml files, and it's a bit convoluted as it is today. Other than that, both are rock-solid for connecting.
@@AwesomeOpenSource I also think the Netbird server is easier to set up than Headscale. The Netbird client is also easy to download. Thanks. You have a lot of nice tutorials.
Thanks for the tutorial!
Is it ok to leave server_url as 127.0.0.1:8080, or might it be less secure than having your own domain?
If it's the same, why change it?
Wow, thanks for the video. I will try Headscale after I had a bad experience with Netmaker (I tried it about a year ago, with crashes and update problems).
Sorry you had a hard time with Netmaker, but maybe Headscale will give you what you need.
Thank you for the great content, was able to set up the server and client by following your video. Do you know if it's possible to route all traffic to the server? I have headscale on a cloud server and I want to route all client traffic to it.
I think in the client config you want to set the DNS to a provider you like, then set allowed IPs to be 0.0.0.0/0, and that should do it.
I can't wait for the authentik add-on video to this. I am trying to learn more about both head scale and authentik. It would be nice to get a good start. I already deployed authentik and head scale. both work great. But putting them together would be even better (I think)
Awesome. I think you'll love how easy it really is in the end. And honestly, the ease is because people wayyyy smarter than me are creating these amazing open source tools that make everything a lot easier.
Great video. Going to set up my own server this week following your guide. Does this allow for unlimited clients or is there still limits? Thanks
As far as I know, there are no hard (preset / programmatic) limits on number of clients.
Hi, thank you for sharing knowledge !
What are the NGINX first login credentials ?
You mean nginx proxy manager? I believe they are admin@example.com and changeme if you mean the defaults.
@@AwesomeOpenSource yes they were !
Hi! Question, does headscale require any port forwarding or any pre-requisites (i.e. VPS)?
Oh I see, so seems like this is just wireguard without port forwarding through the tailscale client?
It doesn't. Just 80 and 443 on the network if you're inside a LAN. In my case I forward 80 and 443 to my reverse proxy, and let that deal with calls to the headscale server.
I don't think it's permission problem. I get the same error when I build the container with root permissions......
Hmmm. Not sure then.
@AwesomeOpenSource The solution is easy: the config file is outdated. You need to manually download the latest release tar and then use that configuration file.
Thanks for this tutorial. When I don't use --auth-key, it hangs without returning. why?
If you are trying to run it on a machine with no desktop interface / browser, then it will hang because it's waiting for the auth-key. If you are trying to make it open your Auth screen on a desktop and it's not opening, then I also saw it hang a few times. Just took persistence for me.
@@AwesomeOpenSource Because my Android can not pop up that window, I tested on another platform and found Tailscale hangs in a Linux terminal. Then I found I could fix it by changing server_url in config.yml of headscale, from to , but I don't know why.
Thank you so much!
You're very welcome!
Hey all, everything works until I add the custom location in NPM. As soon as I save after adding the "ladmin" at the same IP, the proxy host goes from "Online" to "Offline" in NPM. Any ideas? No error in the headscale or headscale-ui logs. I'm using a VPS. Firewall is disabled. It did the same thing when I hosted it on my network. Thanks
are you putting "ladmin"? or "/admin"?
Interested to hear thoughts of headscale vs netmaker?
Netmaker is great, and for a newer user, IMO, easier to get certain things setup like exiting into an entire LAN from the Wireguard network. Making an Exit Node so all traffic goes through Wireguard out to the internet, etc. That said, Headscale is not super difficult to use, but going between the headscale docs and Tailscale docs is a bit annoying at times. Overall though, it just takes some experimentation.
Good one.
But unfortunately, it's hard to get a public IP address in many regions, and opting for a static IP address is the only option if this method is selected (which obviously costs extra, per month).
The majority of ISPs nowadays are choosing to provide CGNAT IP addresses. 😩
True. Depending on what costs more you could potentially setup your server on a VPS for a few bucks a month, or maybe using the Oracle Free Tier. Then use that as your public IP.
I don't have a static IP. However, I have a domain and a DDNS service running. How do I set up a reverse proxy? Instead of an A record, will a redirect to the DDNS URL work? Thanks for making great videos!
Setup a subdomain of the DDNS, and make sure the ports are setup properly coming into your network. You can still use NGinX proxy manager to proxy the request for the DDNS subdomain around your network as needed.
I think if you self-host Headscale and Tailscale then you would have to open a port to access Tailscale over the internet from outside?!
If you already have port 80 and 443 open, then that's it. The rest is done through that.
How do I connect a MacBook? The default client has no option for a different server (headscale) or so.
Download the Tailscale client, then change the server you want to authenticate with, or use the terminal to connect using the command I used in the video.
@@AwesomeOpenSource I am trying... just found the CLI there as well but not yet successful ;-)
OK, MacBook done, now fighting with the obvious things that were "one click" steps in Tailscale, approving exit nodes and routes etc. Yep, Tailscale made it easy.
thanks. nicely explained.
Glad it was helpful!
Hey Brian,
Could you help me know what are the requirements to host Headscale? I can't seem to find that information. Is it okay to do so on a VPS, or a Raspberry Pi, or what other system?
I don't know specifically what specs you need. I am running on docker, as you know. Currently with about 10 connections it's using 28 MB RAM, and goes from 0 to 4% of a single CPU. It's not using much of anything at all really. So I think you could easily run it on a low cost VPS from DO or Linode, etc. I do think there is an RPi version you can run, and seems like I've seen posts from folks who run it on that hardware. I run it on a VM with Docker, and it's running fine so far.
Which domain provider are you using?
I was using GoDaddy at the time, but moved that domain to Hover now.
How do I use the embedded derp server when running headscale behind the reverse proxy ?
I'm not 100% sure, as I didn't set up that part. Here's what's in their documentation though: "WebSockets support is required when using the headscale embedded DERP server. In this case, you will also need to expose the UDP port used for STUN (by default, udp/3478). Please check our config-example.yaml." Hope that helps.
Yes, done that. ACME throws weird certificate errors. Kindly consider a short follow-up video on running the embedded DERP server, as it will truly make Headscale private.
Hi Brian... Great tutorial again. Have you tested the Tailscale Android app? I can not connect to Headscale, even after I changed the server to my self-hosted server. Any idea?
I haven't. I'm not an Android user, and don't even have a test device. The Headscale documentation indicates that it and iOS should work, but I also have difficulty getting my iOS app to let me use my own server. I'm still working on it, so I'll update when / if I get it working.
Oddly enough. I just tried it again, and now it's letting me add my phone. It essentially loaded a browser window with the command, and a key I need to use to register my device to my server. I had to reset the tailscale app in my settings, then kill the app, reboot the phone, then start the app again.
@@AwesomeOpenSource I have done the same in Android...and it runs too. Thanks.. greetings from Germany ... Michael ..
i'm having issues with tailscale up hanging on ubuntu server (Let's call it #1). I'm using NPM (hosted on #1 and working for other subdomain containers) pointing to dedicated vm for headscale (#2). The only difference in my setup is I'm using the imported certificate that I got from cloudflare, which my domain is proxied through.
Cert shouldn't matter. I had the tailscale up command get me a couple of times too. It was just a matter of me digging in. On an LXC in Proxmox I found I had to pass through the Proxmox setting to the LXC container for this to work, as the LXC couldn't access the tun0 that it needed for Tailscale to work. You might make sure the tailscaled service is active, and if not, check the logs. If it is, restart tailscaled and try again.
A question, how do I so that all the traffic goes through headscale? Since when I connect my public IP does not change and my normal public IP continues to appear, but I want to make full use of the headscale internet, is there any option?
I believe if you look at "Exit Route" or "Exit Node"' on the headscale and tailscale documentation, you'll be able to find how to do this.
@@AwesomeOpenSource That's it, I already did it! Incredible, after searching and analyzing on my own and obviously because of the support in the videos, I managed to do it, I can now pass all the traffic through a node and not only that, many other things, fantastic! :)
Awesome as always
Thank you so much 😀
Thank you Brian 🙏
My pleasure!
Awesome video. Thanks.
Glad you liked it!
Have you reviewed Nebula on your channel?
I haven't. I tried to get it all setup a couple of years ago, but it was a bit difficult at the time. I should re-visit it.
@@AwesomeOpenSource thanks. I've been using tailscale for years, and have my own list of next best things to try like Zerotier and Nebula, but never got time
It seems the latest tag doesn't work; I used headscale/headscale:0.22.3 for now.
Maybe they took down latest for some reason.
Great tutorial. The only problem that I had was with Nginx Proxy Manager. The latest version 2.11.0 is broken on the custom location part so I had to downgrade to version v2.10.4
Sorry you had that trouble. Did you create an issue for the developer of NGinX Proxy Manager?
Does this configuration require a public IP, sir?
If you want to set it up for access over the internet, then it will. You could setup the control server on a VPS with a public IP, and it will coordinate your clients to all find each other as an alternative.
Anyone else get this? WRN Failed to read configuration from disk error="While parsing config: yaml: line 12: did not find expected key". I copied it right from the site. I also did the wget method. Thanks!
Sometimes, copying yaml, for whatever reason, seems to either include some special hidden character, or not include something needed. I've found I just have to manually type it, or use an online yaml checker to try and figure out what's wrong with it.
Thanks Brian, now that is seemingly working, but it freezes when adding a client with an auth key?
@AwesomeOpenSource The solution is easy: the config file is outdated. You need to manually download the latest release tar and then use that configuration file.
I wonder how this would run for enterprise - like 100 users? Enterprise Tailscale at 20/user/month minimum for 100 users is a lot of cash.
Just depends on how much you are using it. Should run fine. Essentially WireGuard creates a nice peer-to-peer network. Some devices need the relay server, but desktops and laptops can usually negotiate a P2P connection. Mobile devices can as well; it's really the cell network that interferes, from what I understand.
Thank you!
My pleasure!
Is this doable on a network without https?
You could probably use the IP only, but https is just for the Web UI that's separate from Headscale itself.
@@AwesomeOpenSource Ya. I'm trying to install headscale-ui and it doesn't work with IP only. Is https a must for the web UI?
Not for the web UI specifically. The https requirement will be to get your mobile device to connect to the headscale server. You need to have a valid cert for an iOS device, but I'm not sure about Android's requirements.
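The last few exchanges (server_url left at 127.0.0.1:8080 vs. a real domain, https being needed for the mobile clients, and the embedded DERP server needing its STUN port exposed) amount to a short pre-flight checklist for a headscale config.yaml. Here is that checklist as an added POSIX shell script; it is not code from the video or from the headscale project. It assumes the key names from headscale's config-example.yaml (server_url, listen_addr, derp.server.enabled, derp.server.stun_listen_addr) and runs against two constructed sample configs, one that passes and one that reproduces the mistakes discussed above.

```shell
#!/bin/sh
# Added example: static pre-flight checks on a headscale config.yaml.
# Not part of headscale. Key names are the ones used in headscale's
# config-example.yaml; everything else here is an assumption for illustration.

# Strip surrounding double or single quotes from a YAML scalar.
unquote() { printf '%s' "$1" | tr -d '"'"'"; }

# derp_server_value FILE KEY: print the value of derp: -> server: -> KEY:
# by tracking indentation (top-level key, then the 2-space "server:" block).
derp_server_value() {
  awk -v key="$2:" '
    /^[^[:space:]]/                     { top = $1 }   # top-level key
    top == "derp:" && /^  [^[:space:]]/ { sub2 = $1 }  # 2-space nested key
    top == "derp:" && sub2 == "server:" && $1 == key { print $2 }
  ' "$1"
}

# check_headscale_config FILE: print one line per finding to stdout,
# informational notes to stderr; return 0 if clean, 1 if any finding.
check_headscale_config() {
  cfg=$1
  rc=0
  server_url=$(unquote "$(sed -n 's/^server_url:[[:space:]]*//p' "$cfg")")
  case "$server_url" in
    https://*) ;;
    http://*)  echo "server_url uses http; mobile clients need a valid https URL: $server_url"; rc=1 ;;
    "")        echo "server_url is missing"; rc=1 ;;
    *)         echo "server_url has no scheme: $server_url"; rc=1 ;;
  esac
  case "$server_url" in
    *://127.0.0.1*|*://localhost*|*://0.0.0.0*)
      echo "server_url points at a loopback/wildcard address remote clients cannot reach: $server_url"; rc=1 ;;
  esac
  if [ "$(derp_server_value "$cfg" enabled)" = "true" ]; then
    stun=$(unquote "$(derp_server_value "$cfg" stun_listen_addr)")
    if [ -z "$stun" ]; then
      echo "embedded DERP is enabled but stun_listen_addr is empty; STUN (udp/3478 by default) must be reachable"; rc=1
    else
      echo "note: embedded DERP enabled; forward ${stun##*:}/udp to this host and proxy WebSockets" >&2
    fi
  fi
  return $rc
}

# Constructed sample configs (not taken from any real deployment).
write_good_config() {
  cat > "$1" <<'EOF'
server_url: https://headscale.example.com
listen_addr: 0.0.0.0:8080
derp:
  server:
    enabled: true
    region_id: 999
    stun_listen_addr: "0.0.0.0:3478"
  urls: []
EOF
}
write_bad_config() {
  cat > "$1" <<'EOF'
server_url: http://127.0.0.1:8080
listen_addr: 0.0.0.0:8080
derp:
  server:
    enabled: true
    region_id: 999
    stun_listen_addr: ""
EOF
}

# Demo: check both constructed configs. Expected: good passes, bad has 3 findings.
for kind in good bad; do
  tmp=$(mktemp)
  "write_${kind}_config" "$tmp"
  if check_headscale_config "$tmp"; then echo "$kind config: OK"; else echo "$kind config: FAILED"; fi
  rm -f "$tmp"
done
```

The script only reads the file, so it can run against a live /etc/headscale/config.yaml before restarting the container; the STUN note is a reminder that the reverse proxy only carries the TCP side (HTTP plus WebSockets), while udp/3478 has to be forwarded straight to the headscale host.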
How do you rate this over Netmaker?
For me, they both have pros and cons. Netmaker, IMO, once up and running is much easier to just start using, and the built-in web admin panel is really great. Things like subnet routing (getting onto a LAN from the WireGuard VPN) are also quite a bit easier with Netmaker. Alex really has done a ton of work to make everything very easy.
Headscale is a bit more piecemeal, and you need to read a bit to find the right commands to do various things. The Tailscale client is good, but again, no GUI from Tailscale for Linux... thus Trayscale comes into play as yet another piece you can add on. You can do all the same things, but Netmaker still makes it easier as a fully self-hosted solution.
Hi Brian....I am certain you already know this, but when creating more than one directory, just use the one command and add the names of the other directories you want to create.......less typing....LOL
I do, I just like for folks to be able to follow what I'm doing, especially those who may be more new to the command line. But I still appreciate you sharing the tips with me. Keep 'em coming.
@@AwesomeOpenSource Great explanation, thanks a lot.
Could you please investigate "Zitadel" instead of "Authentik"? It seems quite promising! 😊
I'm already using Authentik, but it's actually quite "simple" once you get your head around what you need to do. It may translate to Zitadel as well. I'll look into it to see what I can figure out.
I've been waiting for it so much. Can you give us a step-by-step tutorial for Netbird with Nginx Proxy Manager?
Let me see what I can figure out.
I wish Tailscale was built into the Nextcloud solution and app so you could run a VPN and still access your Nextcloud without having to open a port on mobile.
You can run the Tailscale client on the same server as your Nextcloud, then add the Tailscale IP to your Nextcloud trusted domains configuration.
Maybe do one on Loki?
I'll check it out and see what I find.
Works fine for desktop clients and badly for mobile clients.
It's a pain to get the mobile clients setup for it, but once I got them setup, they just work. Turn them on, turn them off, just works.
@@AwesomeOpenSource Change Server worked. But it is too unsafe for a production system... I switched back to the original service.
I need this
It's pretty awesome!
Everything looks great, but I need it on an Android phone or some portable device. I think the Termux route :p
Tailscale has apps for both iOS and Android. They should work with Headscale as well.
@@AwesomeOpenSource Yeah, but there is no option for choosing a custom server. If you use Bitwarden it gives me an option to select a server (Vaultwarden works); here there is no such option 😕
Dislike because Docker.
That's a shame, Docker is really a great way to run your services. You can install any project directly on your system as well. Docker just makes that a bit easier by 1. scripting out the installation, 2. using a very minimal image to install it on, and 3. making it a very lean virtual machine (container) which segregates it from the rest of the system unless you make the in-roads for it.
@@AwesomeOpenSource I speak from experience, e.g. 10x RAM usage and 5x CPU usage for Pi-hole.
@@AwesomeOpenSource This is not viable for any efficiency-minded individual or server admin.
@@AwesomeOpenSource Yes, all the work you save by the scripting is lost by having to forward all kinds of things between systems.
Sorry, I wrote a message I can't find about some issues I encountered. It took me time, but this might help others too...
I finally got it to work:
It took me a while, but I found a solution...
I used the latest tag available and changed the command line to serve rather than headscale serve. That did the trick and now it's up and running. This is my .yml file now:
services:
  headscale:
    image: headscale/headscale:v0.23.0-beta1
    volumes:
      - ./config:/etc/headscale/
      - ./data:/var/lib/headscale
    ports:
      - 23568:8080
    command: serve
    restart: unless-stopped
------
I thought this might help someone.
Thank you
Thanks for adding what you did to solve the issue.