this post was submitted on 02 Mar 2026
53 points (100.0% liked)

Selfhosted

submitted 2 days ago* (last edited 2 days ago) by mrnobody@reddthat.com to c/selfhosted@lemmy.world

Playing around with a new self-host NAS OS, finally thought about Tailscale. But, I see it wants a login to an account. Checking online, seems I have to use Google, Apple, MS, GitHub or OIDC (which I assume costs money based on the site).

So how tf y'all setting up your Tailscale stuff? I'm not using a big brother US tech account for auth on this thing. Think I'd rather go back to regular WireGuard if that's the case.

Edit: OK I see you can use regular email. It didn't load the webpage correctly the first time or I missed it. Odd. Anyway, I don't want an account and I don't want to risk any data compromise at some point.

top 19 comments
[–] dieTasse@feddit.org 15 points 2 days ago

I will teach you a trick. Login with e.g. GitHub. Create a tailnet. Create a new user invite link, use it yourself - you can set up login with a passkey for this second user. Promote it to admin. Leave with your GitHub user. Voila, you have an account and tailnet with only a passkey, no big brother OAuth or anything.

[–] Toribor@corndog.social 9 points 2 days ago* (last edited 2 days ago)

You can self host the control plane for Tailscale using a community project called Headscale. I use that along with Headplane which gives you a nice admin web UI.

Then you just use the tailscale client on devices like normal but you authenticate new clients with your endpoint instead of the centralized one.

[–] nfreak@lemmy.ml 15 points 2 days ago

If you have a VPS, consider setting up either Headscale or Netbird if you don't want to use any of Tailscale's built-in auth methods (with all necessary security precautions taken of course). If that's not an option I'd suggest going back to Wireguard for sure.

[–] illusionist@lemmy.zip 8 points 2 days ago

Since when can you use regular email? That's odd. When I checked it out it wasn't possible and there was even a post explaining why: that Tailscale is no identity provider and such things.

[–] irmadlad@lemmy.world 6 points 2 days ago* (last edited 2 days ago) (1 child)

I don’t want to risk any data compromise at some point

What data compromise are you worried about?

  • End-to-End Encryption: Tailscale utilizes WireGuard
  • No Centralized Servers: Tailscale creates a direct peer-to-peer connection between devices
  • Minimal Metadata: Tailscale may collect some metadata to facilitate connections, but this info does not include the content of your data.
  • User-Controlled Access: You have control over which devices can connect
  • Tailscale does not, and cannot inspect your traffic

I'm not the Tailscale sales person. Go with whatever suits your threat model. I am just curious what data compromise you are concerned with. If it's the metadata aspect, you already blew that away when you made the post here at Lemmy, even assuming you are using a VPN.

[–] meschbach@piefed.social 5 points 2 days ago (2 children)

Just a heads up: Headscale will use the official Tailscale DERP servers to resolve NAT traversal.

https://tailscale.com/docs/reference/derp-servers

[–] Toribor@corndog.social 1 point 13 hours ago* (last edited 13 hours ago)

Headscale includes an embedded DERP server but you need to enable it. Their example yaml has it disabled by default, which I assume is because it needs to be publicly available on the internet, requires HTTPS, and thus a certificate and other network/security considerations.

[–] irmadlad@lemmy.world 2 points 2 days ago (1 child)

I know you're trying to tell me something brother, but at this moment in time, I seem more stupid than normal, so if you would, unpack that for me in relation to what I was explaining to OP about Tailscale security.

[–] Toribor@corndog.social 3 points 13 hours ago* (last edited 13 hours ago) (1 child)

DERP is the service that actually relays packets between tailscale connected devices when they are crossing a NAT (leaving one private network and going across the internet to another private network).

If you host headscale (the self-hosted community version of the tailscale control plane) and use it with tailscale, by default it will still use the public Tailscale DERP servers. Your traffic is still encrypted and not visible to them, but it does still rely on part of their centralized architecture even though you are hosting the control plane yourself.

That being said, you can just use the embedded DERP that ships with headscale, although there are some other considerations when doing that because it will need to be publicly on the internet, probably with a proper domain name and publicly trusted certificate.
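As an added illustration of the two settings this comment describes (not Headscale's own file, nor the commenter's configuration), here is a Headscale config.yaml fragment with the shipped default (embedded DERP off, public Tailscale DERP map in use) commented beside the self-hosted form. It assumes the key names of Headscale's config-example.yaml and the placeholder hostname headscale.example.com; check them against the version you run.

```yaml
# Added example, not from the thread. Key names follow Headscale's
# config-example.yaml; verify against your installed version.
server_url: https://headscale.example.com   # placeholder; must be reachable from the internet
listen_addr: 0.0.0.0:443

# Publicly trusted certificate for the control plane and the embedded DERP.
# Option A: let Headscale obtain one via Let's Encrypt (HTTP-01 needs port 80 reachable)
tls_letsencrypt_hostname: headscale.example.com
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"
# Option B: supply your own certificate instead of the three keys above
# tls_cert_path: /etc/headscale/fullchain.pem
# tls_key_path: /etc/headscale/privkey.pem

derp:
  server:
    # Shipped default is false: nodes that cannot connect directly relay
    # through Tailscale's public DERP servers even though you host the control plane.
    enabled: true
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    # STUN endpoint used for NAT discovery; open 3478/udp on the host
    stun_listen_addr: "0.0.0.0:3478"
    private_key_path: /var/lib/headscale/derp_server_private.key
    # Publish the embedded relay to nodes as part of the DERP map
    automatically_add_embedded_derp_region: true
  # Shipped default pulls Tailscale's public DERP map:
  # urls:
  #   - https://controlplane.tailscale.com/derpmap/default
  # Empty list: only the embedded relay (plus any local map files in paths) is offered
  urls: []
  paths: []
  auto_update_enabled: true
  update_frequency: 24h
```

On a joined client, `tailscale netcheck` should then report the embedded region as the nearest DERP rather than a Tailscale-named one. With `urls: []` there is a single relay, so peers that have no direct path lose connectivity whenever that host is down.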

[–] irmadlad@lemmy.world 2 points 11 hours ago

Thanks for explaining. I really didn't mean it as a Headscale vs Tailscale kind of thing as far as data security goes. I've heard a lot of great things about Headscale. OP was just worried about his data being compromised, and I was just pointing out that it's pretty tight.

[–] node815@lemmy.world 4 points 2 days ago

I use Pocket-ID for my OIDC and it was easy to set up with Tailscale; you just need a custom domain, which I have, and I just log in with my OIDC account, which is 100% self-hosted on my local server.

[–] user224@lemmy.sdf.org 3 points 2 days ago* (last edited 2 days ago) (1 child)

I went with Google.

Edit: I am just saying what I went with. I didn't have another fitting option.

[–] nfms@lemmy.ml 3 points 2 days ago (1 child)

I went with GitHub. In the end it's just an OAuth service, to provide identity. It's not used to gather data on you (just the same we already share by visiting regular websites).
I'm still gonna look up Headscale and WireGuard because it's been on my radar.

[–] user224@lemmy.sdf.org 4 points 2 days ago (1 child)

The problem with plain WireGuard is when you can't open ports on some devices to get a direct connection. It should be just fine with a hub and spoke model, but the NAT traversal of Tailscale makes a huge difference. I can get a direct connection between 2 devices connected to mobile data and behind CG-NAT.
And also the config management if you have too many devices.

Hub and spoke, you just add new devices to Wireguard on the main device, and the new peer. Full mesh, oof.

But as far as configuring Wireguard goes, that's pretty simple. And then there's the weird stuff with MTU and fragmentation... but that's not something Wireguard-specific.

[–] Toribor@corndog.social 2 points 13 hours ago

I avoided tailscale for so long because I was already using wireguard and I didn't know you could self-host with headscale. But once I started using it with headscale the mesh design really is a big improvement to usability. I don't miss having to carefully manage my config files and ip route rules.

I need to get set up with app connectors and then I think it'll finally be a high enough wife-usability factor for me to remove some things I still have exposed over the internet.

[–] Decronym@lemmy.decronym.xyz 1 point 2 days ago* (last edited 11 hours ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters | More Letters
------------- | -----------------------------------------------
HTTP          | Hypertext Transfer Protocol, the Web
HTTPS         | HTTP over SSL
NAT           | Network Address Translation
SSL           | Secure Sockets Layer, for transparent encryption
VPN           | Virtual Private Network
VPS           | Virtual Private Server (opposed to shared hosting)

[Thread #131 for this comm, first seen 3rd Mar 2026, 00:01]

[–] nesc@lemmy.cafe 0 points 2 days ago (1 child)
[–] frongt@lemmy.zip 1 point 2 days ago (1 child)

Is there a good guide? I tried setting up headscale and tailscale and I got everything running and linked, but it doesn't pass traffic for the routes I've enabled and I'm not sure how to troubleshoot it.

[–] stratself@lemdro.id 1 point 2 days ago

Most of the guides can be outdated because the software changes a lot. You'd find better support by writing on their Discord guild.