Here I will walk you through setting up Headscale.

Create Directories

mkdir -p /opt/headscale/config /opt/headscale/bin

Install requirements

apt install -y wireguard-tools nginx apt-transport-https

Generate Key

(umask 077; wg genkey > /opt/headscale/config/private.key)

  1. Download newest release from HERE

  2. wget -O /opt/headscale/bin/headscale

  3. Add headscale to your PATH in ~/.bashrc: echo 'export PATH="$PATH:/opt/headscale/bin"' >> ~/.bashrc

  4. Source the new PATH: source ~/.bashrc

Download DERP file

wget -O /opt/headscale/config/derp.yaml

Create config

Create a config in /opt/headscale/config/config.yaml

nano config.yaml

disable_check_updates: false
private_key_path: private.key
db_type: sqlite3
db_path: db.sqlite
ephemeral_node_inactivity_timeout: "30m"
derp_map_path: derp.yaml
dns_config:
#  restricted_nameservers:
#      -
#      -
#      -
  domains: []
  magic_dns: true

Create systemd script

nano /etc/systemd/system/headscale.service


ExecStart=/opt/headscale/bin/headscale serve
# Disable debug mode


Now we can start the headscale service

systemctl enable --now headscale.service

Now it’s time to configure NGINX

Unlink default config

unlink /etc/nginx/sites-enabled/default

Create new headscale config

nano /etc/nginx/conf.d/

server {
  listen 80;
  return 301$request_uri;
}

server {

  client_body_timeout 5m;
  client_header_timeout 5m;

  access_log            /var/log/nginx/;
  error_log            /var/log/nginx/ info;

  # reverse proxy
  location / {
     proxy_pass;  # headscale listen_addr
     proxy_read_timeout 6m;
     proxy_ignore_client_abort off;
     proxy_request_buffering off;
     proxy_buffering off;
     proxy_no_cache "always";
     proxy_set_header Host $host;
     proxy_set_header X-Real-IP $remote_addr;
     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  }

  listen 443 ssl http2;
  ssl_certificate       /etc/nginx/ssl/;
  ssl_certificate_key   /etc/nginx/ssl/;
}

Now it’s time to configure UFW

ufw allow http
ufw allow https

Now it’s time to install tailscale. Below is a useful script to do so


apt-get update
apt-get install -y apt-transport-https gnupg2

# Add the Tailscale repo

source /etc/os-release

test "$VERSION_ID" = "7" && versionName="wheezy"
test "$VERSION_ID" = "8" && versionName="jessie"
test "$VERSION_ID" = "9" && versionName="stretch"
test "$VERSION_ID" = "10" && versionName="buster"
test "$VERSION_ID" = "11" && versionName="bullseye"

curl -fsSL${versionName}.gpg | apt-key add -
curl -fsSL${versionName}.list | tee /etc/apt/sources.list.d/tailscale.list

apt-get update
apt-get install -y tailscale

tailscale up --login-server

This should give you a URL to go to. It will tell you what to type into the headscale CLI. Make sure you’re in the /opt/headscale/config directory and follow the link.

If you’d like to script adding it, you can use the script below with just the KEY part of the URL. Run it as script network_name node_key. It will automatically add the node to the network.



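network="$1"  # network (namespace) name, first argument
key="$2"      # KEY part of the registration URL, second argument
data=$(curl -s "${key}")
command=$(echo "${data}" | grep '<b>' | grep headscale | cut -d'>' -f2 | cut -d'<' -f1 | sed "s/NAMESPACE/$network/g")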
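
A defensive variant of the script above, as an added example rather than part of the original post: it validates both arguments and the text scraped from the page before anything built from them is run. The function names, the hex-only key format and the sample HTML (including the command wording inside it) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not the original author's script.
LC_ALL=C; export LC_ALL

valid_namespace() {   # letters, digits, '-' and '_' only
    case "$1" in ''|*[!A-Za-z0-9_-]*) return 1 ;; esac
}

valid_node_key() {    # assumption: the KEY part of the URL is plain hex
    case "$1" in ''|*[!0-9A-Fa-f]*) return 1 ;; esac
}

# register_cmd HTML NAMESPACE KEY
# Prints the command to run; returns non-zero if anything looks wrong.
register_cmd() {
    html=$1; ns=$2; key=$3
    valid_namespace "$ns" || return 2
    valid_node_key "$key" || return 2
    # Same extraction as the original pipeline, first match only.
    line=$(printf '%s\n' "$html" | grep '<b>' | grep headscale |
           cut -d'>' -f2 | cut -d'<' -f1 | head -n 1)
    # The scraped text must start with the CLI name ...
    case "$line" in 'headscale '*) ;; *) return 3 ;; esac
    # ... contain nothing outside letters, digits, space, '-' and '_' ...
    leftover=$(printf '%s' "$line" | tr -d 'A-Za-z0-9 _-')
    [ -z "$leftover" ] || return 3
    # ... and carry the key we asked about as a whole word.
    case "$line" in *" $key"|*" $key "*) ;; *) return 3 ;; esac
    printf '%s\n' "$line" | sed "s/NAMESPACE/$ns/g"
}

# Constructed sample of the registration page (not captured from a server;
# the command wording inside <b> is a stand-in).
sample_html='<html><body>
  <b>headscale -n NAMESPACE nodes register 0123456789abcdef</b>
</body></html>'

# Run the result by word splitting, never through eval:
#   cmd=$(register_cmd "$data" "$network" "$key") && $cmd
register_cmd "$sample_html" homelab 0123456789abcdef
```

Because the accepted character set excludes quotes, semicolons, globs and substitutions, the unquoted `$cmd` expansion can only produce plain arguments.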