Toribor

joined 2 years ago
[–] Toribor@corndog.social 2 points 10 hours ago

I avoided tailscale for so long because I was already using wireguard and I didn't know you could self-host with headscale. But once I started using it with headscale the mesh design really is a big improvement to usability. I don't miss having to carefully manage my config files and ip route rules.

I need to get set up with app connectors and then I think it'll finally be a high enough wife-usability factor for me to remove some things I still have exposed over the internet.

[–] Toribor@corndog.social 3 points 10 hours ago* (last edited 10 hours ago) (1 child)

DERP is the service that actually relays packets between tailscale-connected devices when they are crossing a NAT (leaving one private network and going across the internet to another private network).

If you host headscale (the self-hosted community version of the tailscale control plane) and use it with tailscale, by default it will still use the public Tailscale DERP servers. Your traffic is still encrypted and not visible to them, but it does still rely on part of their centralized architecture even though you are hosting the control plane yourself.

That being said, you can just use the embedded DERP that ships with headscale, although there are some other considerations when doing that because it will need to be publicly on the internet, probably with a proper domain name and publicly trusted certificate.

[–] Toribor@corndog.social 1 point 10 hours ago* (last edited 10 hours ago)

Headscale includes an embedded DERP server but you need to enable it. Their example yaml has it disabled by default, which I assume is because it needs to be publicly available on the internet, requires HTTPS, and thus a certificate and other network/security considerations.
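An added configuration example (not posted by the commenter and not taken from the headscale project) showing the `config.yaml` setting the two DERP comments above refer to. The first YAML document is the shipped default: the embedded relay is off and clients are handed Tailscale's public DERP map, so relayed connections still transit Tailscale's infrastructure. The second document is the same fragment with the embedded DERP enabled and the public map removed. They are alternatives, not one file; pick one. The hostname, addresses and file paths are placeholders; the key names are headscale's own.

```yaml
# Added example, not from the thread. Two alternative headscale config.yaml
# fragments separated by "---"; headscale reads a single document, so use one.

# Document 1: the shipped default. Embedded DERP is disabled, so every relayed
# (NAT-crossing) connection uses Tailscale's public DERP servers even though
# the control plane is self-hosted. Payloads stay WireGuard-encrypted, but
# availability and connection metadata depend on a third party.
server_url: https://headscale.example.com   # placeholder hostname
listen_addr: 0.0.0.0:443

derp:
  server:
    enabled: false
  urls:
    - https://controlplane.tailscale.com/derpmap/default
  paths: []
  auto_update_enabled: true
  update_frequency: 24h
---
# Document 2: embedded DERP enabled, public map removed.
# DERP is served on the same HTTPS listener as server_url, which is why the
# comments say it must be reachable from the internet over HTTPS with a
# publicly trusted certificate (server_url must be https).
server_url: https://headscale.example.com   # placeholder hostname, must be https
listen_addr: 0.0.0.0:443

# Certificate: let headscale obtain one via ACME (HTTP-01 needs port 80 open) ...
tls_letsencrypt_hostname: headscale.example.com
tls_letsencrypt_cache_dir: /var/lib/headscale/cache
tls_letsencrypt_challenge_type: HTTP-01
tls_letsencrypt_listen: ":http"
# ... or supply your own and leave the letsencrypt keys empty:
# tls_cert_path: /etc/headscale/fullchain.pem
# tls_key_path: /etc/headscale/privkey.pem

derp:
  server:
    enabled: true
    region_id: 999                       # keep clear of the public region ids
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    # STUN helps peers punch through NAT so most traffic never hits the relay;
    # UDP 3478 has to be open on the firewall in addition to TCP 443.
    stun_listen_addr: "0.0.0.0:3478"
    # Generated on first start if missing; protect it like any other key file.
    private_key_path: /var/lib/headscale/derp_server_private.key
    automatically_add_embedded_derp_region: true
    # Optional: advertise public addresses so clients still find the relay
    # when DNS is unavailable (documentation-range placeholders).
    ipv4: 198.51.100.1
    ipv6: 2001:db8::1
  # Empty list: clients are no longer given Tailscale's public relays at all.
  urls: []
  paths: []
  auto_update_enabled: false
```

With `urls: []` the self-hosted relay becomes the only fallback: peers that cannot establish a direct path lose connectivity whenever that server or its certificate is down, so monitor it like any other exposed service. On a client, `tailscale netcheck` lists the DERP regions it was handed (only the `headscale` region should appear) and `tailscale status` shows whether each peer is reached directly or via relay.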

[–] Toribor@corndog.social 21 points 1 day ago

We invented a machine that tells you what you want to hear. Should be fine.

[–] Toribor@corndog.social 9 points 2 days ago* (last edited 2 days ago)

You can self-host the control plane for Tailscale using a community project called Headscale. I use that along with Headplane which gives you a nice admin web UI.

Then you just use the tailscale client on devices like normal but you authenticate new clients with your endpoint instead of the centralized one.