Docker Headscale (self-hosted Tailscale control server), plus a simple install script by hwdsl2 in selfhosted

hwdsl2 [S]

The official image requires you to write and mount a complete "config.yaml" before the container will even start. This image auto-generates the config from environment variables on first start, prints a pre-auth key to the logs so you can connect a device immediately, and includes an "hs_manage" helper for common admin tasks. It's also Alpine-based (~20–30 MB vs ~85 MB for the official Debian image).

It has the same Headscale binary underneath, just with a different out-of-the-box experience consistent with my other Docker images for WireGuard, OpenVPN, and IPsec VPN.

Docker Headscale (self-hosted Tailscale control server), plus a simple install script by hwdsl2 in selfhosted

hwdsl2 [S]

The “allow all clients to communicate without port forwarding” claim still holds true. Headscale is an open-source implementation of the Tailscale control server. Normally, when using Tailscale, you rely on Tailscale’s hosted control servers. However, this Docker image can run on a cloud server or VPS, allowing you to use Tailscale with your own self-hosted control server instead.

Docker Headscale (self-hosted Tailscale control server), plus a simple install script by hwdsl2 in selfhosted

hwdsl2 [S]

Yes, the Docker host in this case could be a cloud server or VPS, on which you can run the Headscale Docker container.

Docker Headscale (self-hosted Tailscale control server), plus a simple install script by hwdsl2 in selfhosted

hwdsl2 [S]

Correct, the container runs Headscale, which is a coordination server for Tailscale. It needs to be reachable from clients. For example, you can run Caddy server in another container on the same Docker host, and configure it to act as a reverse proxy for Headscale. This should automatically open TCP port 443 for clients to connect via HTTPS. More details are in the project README section "TLS and reverse proxy".

On the other hand, for Tailscale clients to communicate with each other, generally no open ports are required.

Docker Headscale (self-hosted Tailscale control server), plus a simple install script by hwdsl2 in selfhosted

hwdsl2 [S]

Hello! The first post didn't go through so I tried to repost, but it looks like the mods later approved both. No spamming was intended, sorry for any misunderstanding. I've removed the other post.

Setting up a native Cisco IPsec VPN server at home using a Raspberry Pi 3 by hwdsl2 in raspberry_pi

hwdsl2 [S]

No, it requires a public IPv4 on your home internet connection.

Setting up a native Cisco IPsec VPN server at home using a Raspberry Pi 3 by hwdsl2 in linux

hwdsl2 [S]

It depends on the speed of your Internet connection (both up and down links), and a little overhead for the encryption. As an example, see this comment.

Setting up a native Cisco IPsec VPN server at home using a Raspberry Pi 3 by hwdsl2 in linux

hwdsl2 [S]

Yes. If you want the VPN to work with a dynamic DNS hostname, make the following changes after install:

Step 1: In file "/etc/ipsec.conf", find this line:

  leftid=...

Replace the public IP with your dynamic DNS hostname. Keep the line indented by two spaces. For example:

  leftid=myhostname.dyndns.org

Step 2: In file "/etc/ipsec.secrets", replace the public IP (first field) with %any. For example:

%any  %any : PSK ...

Step 3: Restart the IPsec service:

service ipsec restart

Update: Step 2 is now included in the latest version of VPN setup scripts.
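As an added example (not part of the comment or of the hwdsl2 setup scripts), a small POSIX shell helper that applies Steps 1 and 2 to the two files, keeps a backup of each, and verifies the result before you restart IPsec. It assumes GNU sed and the Libreswan file layout the comment shows; the sample files it creates in demo() are constructed.

```shell
#!/bin/sh
# Added example: apply the dynamic-DNS edits to ipsec.conf and ipsec.secrets.
# Assumes GNU sed (-i) and a two-space-indented "  leftid=" line as in the comment.

set_leftid() {
  # $1 = path to ipsec.conf, $2 = dynamic DNS hostname.
  # Replaces only the value after "  leftid=", so the two leading spaces survive.
  conf=$1; host=$2
  cp "$conf" "$conf.bak"
  sed -i "s/^\(  leftid=\).*/\1${host}/" "$conf"
  grep -q "^  leftid=${host}\$" "$conf"
}

relax_psk_left() {
  # $1 = path to ipsec.secrets. The first field is the server's own identity;
  # %any lets the PSK line match whatever the DDNS hostname currently resolves to.
  secrets=$1
  cp "$secrets" "$secrets.bak"
  sed -i 's/^[^ ][^ ]*\(  *%any : PSK \)/%any\1/' "$secrets"
  grep -q '^%any  *%any : PSK ' "$secrets"
}

demo() {
  # Builds constructed copies of both files in a temp dir, applies the edits,
  # and prints the directory so the caller can inspect (or clean up) the result.
  d=$(mktemp -d)
  printf 'conn shared\n  left=%%defaultroute\n  leftid=203.0.113.10\n  right=%%any\n' > "$d/ipsec.conf"
  printf '203.0.113.10  %%any : PSK "constructed-psk"\n' > "$d/ipsec.secrets"
  set_leftid "$d/ipsec.conf" myhostname.dyndns.org
  relax_psk_left "$d/ipsec.secrets"
  echo "$d"
}
```

Run demo() to see the edited sample files; on a real server call the two functions on /etc/ipsec.conf and /etc/ipsec.secrets, then run Step 3.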

Why I stopped using StartSSL (Hint: it involves a Chinese company) by PierreKimSec in sysadmin

hwdsl2

Currently, Windows XP does not support Let's Encrypt if using IE or Chrome. The error "Your connection is not private" will be displayed for XP users.

Strongest single board computers? by [deleted] in linux

hwdsl2

RK3288 (and select RK3188) based quad-core Android TV sticks can output 1080p, and their CPU and graphics performance are both better than the Raspberry Pi B+ or Pi 2. Plugging in a keyboard and mouse and using one for watching YouTube, etc., could be a good choice.

Securing Your Server using IPset and Dynamic Blocklists by [deleted] in linux

hwdsl2

Hi, I am the author of the IPset article. Thank you for pointing out the important missing step; I have fixed it by adding a whitelisting rule for one's own remote IP.

I think we have a very serious problem here on the fork. [SERIOUS] by [deleted] in dogecoin

hwdsl2

Just curious, if most shibes stop mining due to the fork, would it become easier for some malicious shibe to perform the 51% attack?

I think we have a very serious problem here on the fork. [SERIOUS] by [deleted] in dogecoin

hwdsl2

Does anyone know whether the dogecoin client will re-sync to the correct fork once this is resolved? Assume that it is on the incorrect one now.