Overlay Network across WAN in 2025


Comments

  • zedzed Member

    I'm still running plain wireguard across my systems, but mighty curious to see people's suggestions, thanks.

  • Interesting topic.

  • jsgjsg Member, Resident Benchmarker
    edited March 2025

    As one can do it the "hard manual way" if one is so inclined (with WG or whatever) the one thing I want most of a layer on top is ease of use and some comfort -> hence any option that is not available on anything that doesn't run away fast enough IMO is NOT an option (in other words, if OpenBSD, FreeBSD, Android are not fully supported via a package/port I click away).
    A GUI is something that I find nice but not vital (except for basically click/touch only toys like Android). That said I wouldn't want to use a web-GUI; if needed I can code a local front-end.

    TL;DR: Headscale and be done.

  • @CloudHopper said:

    @Penguin said:

    @FAT32 said:
    I have been thinking of using Tailscale exclusively, but I would prefer something fully open-source.

    Headscale is an open source, self-hosted implementation of the Tailscale control server
    https://github.com/juanfont/headscale

    I'm using Headscale and it does everything I need. I have it set up with Authentik for user access control over OIDC, ACLs to control who can access what, Prometheus/Grafana to monitor node activity and I'm using the built-in Derp server so that none of my traffic ever touches Tailscale's network.

    Headscale is installed as a binary, (i.e. not Docker), and it runs comfortably on a 1c/1g VPS with Debian 12. My instance is currently serving 40+ active clients with no issues and it never peaks above ~15% CPU. Traffic requirements are also very minimal because the Derp Relay is barely used so it mostly serves keys and metadata.

    The only things to be aware of are that the Headscale server shouldn't be part of the Tailnet, (i.e. don't install Tailscale on that server), and ACLs are really important because the default setup allows all clients to communicate with each other, which you almost certainly don't want.

    I've also managed to set up a load of Exit Nodes that route traffic out over a commercial VPN, (using a cluster of docker containers on one VPS), but at the moment I have performance issues and only get about ~30Mbps. I'm pretty sure it's related to MTUs but I haven't investigated it properly because I have a couple of DMCA-ignore endpoints with Exit Nodes that I can use for torrenting.

    I'm not using a UI for it because I prefer the CLI, but I'm thinking about setting up Headplane for it at some point. However I suspect it'll need more than a 1c/1g to run them both together and I'm just not that bothered about a UI anyway: https://github.com/tale/headplane

    Any reason not to have headscale and a tailscale client installed on the same server?

  • @Sixer91 said:

    @CloudHopper said:

    @Penguin said:

    @FAT32 said:
    I have been thinking of using Tailscale exclusively, but I would prefer something fully open-source.

    Headscale is an open source, self-hosted implementation of the Tailscale control server
    https://github.com/juanfont/headscale

    I'm using Headscale and it does everything I need. I have it set up with Authentik for user access control over OIDC, ACLs to control who can access what, Prometheus/Grafana to monitor node activity and I'm using the built-in Derp server so that none of my traffic ever touches Tailscale's network.

    Headscale is installed as a binary, (i.e. not Docker), and it runs comfortably on a 1c/1g VPS with Debian 12. My instance is currently serving 40+ active clients with no issues and it never peaks above ~15% CPU. Traffic requirements are also very minimal because the Derp Relay is barely used so it mostly serves keys and metadata.

    The only things to be aware of are that the Headscale server shouldn't be part of the Tailnet, (i.e. don't install Tailscale on that server), and ACLs are really important because the default setup allows all clients to communicate with each other, which you almost certainly don't want.

    I've also managed to set up a load of Exit Nodes that route traffic out over a commercial VPN, (using a cluster of docker containers on one VPS), but at the moment I have performance issues and only get about ~30Mbps. I'm pretty sure it's related to MTUs but I haven't investigated it properly because I have a couple of DMCA-ignore endpoints with Exit Nodes that I can use for torrenting.

    I'm not using a UI for it because I prefer the CLI, but I'm thinking about setting up Headplane for it at some point. However I suspect it'll need more than a 1c/1g to run them both together and I'm just not that bothered about a UI anyway: https://github.com/tale/headplane

    Any reason not to have headscale and a tailscale client installed on the same server?

    In the FAQs it says: https://headscale.net/stable/about/faq/#why-is-my-reverse-proxy-not-working-with-headscale

    "Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported."

    I'm planning to test deploying Headscale in a Docker container and running a Tailscale client on the same server, which I'm hoping will work without conflicts but I haven't tried it yet

  • ShakibShakib Member, Patron Provider

    I am currently using Dual WAN Load Balancer. It just spreads my data across 2 ISPs 50/50 while giving me double the bandwidth.

    Thanked by 1FAT32
  • tinc for on-demand usage. You only need to run a server side on a small vps. The client will auto direct peering via v6 and v4. The client is not a system daemon so you only need to run it when you need it.

    Thanked by 1FAT32
  • Oh, someone bring this one back front.

    I'm back to Tailscale, but should I start Headscale or just use Tailscale for easier.

    Chat please advise :p

    Thanked by 1FAT32
  • mandalamandala Member, Megathread Squad

    @nghialele said:
    Oh, someone bring this one back front.

    I'm back to Tailscale, but should I start Headscale or just use Tailscale for easier.

    Chat please advise :p

    Use what you like. You're on Tailscale means you don't need it self-hosted.
    If it's something I can set up and forget about it, I'll probably host it myself.

    Thanked by 3nghialele FAT32 admax
  • subbsubb Member

    tailscale is simple yet enough.
    my use case is new vps --> install tailscale --> ufw default deny.

    Thanked by 1nghialele
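
The "install tailscale, then ufw default deny" workflow from the post above, turned into a check (an added example, not part of the original thread): it reads `ufw status verbose` output and lists allow rules that are still reachable from outside the overlay. The interface name `tailscale0`, the allowlisted `41641/udp` and the sample status text are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit `ufw status verbose` for the tailscale + default-deny setup.
TS_IF="${TS_IF:-tailscale0}"                # assumed overlay interface name
ALLOW_PUBLIC="${ALLOW_PUBLIC:-41641/udp}"   # assumed: ports meant to stay public

# Constructed sample of `ufw status verbose` output (not from a real host).
sample_status() {
cat <<'EOF'
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), disabled (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
Anywhere on tailscale0     ALLOW IN    Anywhere
41641/udp                  ALLOW IN    Anywhere
22/tcp                     ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
EOF
}

# Reads status text on stdin, prints one finding per line (nothing if clean).
audit_ufw() {
  awk -v ifc="$TS_IF" -v allow="$ALLOW_PUBLIC" '
    BEGIN { n = split(allow, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    /^Status:/  { active = ($2 == "active") }
    /^Default:/ { deny_in = ($0 ~ /(deny|reject) \(incoming\)/) }
    /ALLOW IN/ {
      if ($0 ~ (" on " ifc "( |$)")) next   # rule is bound to the overlay interface
      split($0, col, /  +/)                 # columns are padded with 2+ spaces
      port = col[1]; sub(/ \(v6\)$/, "", port)
      if (port in ok) next                  # explicitly expected to be public
      print "PUBLIC_ALLOW " col[1]
    }
    END {
      if (!active)  print "INACTIVE"
      if (!deny_in) print "DEFAULT_NOT_DENY"
    }'
}

# On a real host: ufw status verbose | audit_ufw
sample_status | audit_ufw
```

In the sample, SSH is still open on the public interface even though the default policy is deny, which is the gap this setup is meant to close.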
  • @CloudHopper said:

    @Sixer91 said:

    @CloudHopper said:

    @Penguin said:

    @FAT32 said:
    I have been thinking of using Tailscale exclusively, but I would prefer something fully open-source.

    Headscale is an open source, self-hosted implementation of the Tailscale control server
    https://github.com/juanfont/headscale

    I'm using Headscale and it does everything I need. I have it set up with Authentik for user access control over OIDC, ACLs to control who can access what, Prometheus/Grafana to monitor node activity and I'm using the built-in Derp server so that none of my traffic ever touches Tailscale's network.

    Headscale is installed as a binary, (i.e. not Docker), and it runs comfortably on a 1c/1g VPS with Debian 12. My instance is currently serving 40+ active clients with no issues and it never peaks above ~15% CPU. Traffic requirements are also very minimal because the Derp Relay is barely used so it mostly serves keys and metadata.

    The only things to be aware of are that the Headscale server shouldn't be part of the Tailnet, (i.e. don't install Tailscale on that server), and ACLs are really important because the default setup allows all clients to communicate with each other, which you almost certainly don't want.

    I've also managed to set up a load of Exit Nodes that route traffic out over a commercial VPN, (using a cluster of docker containers on one VPS), but at the moment I have performance issues and only get about ~30Mbps. I'm pretty sure it's related to MTUs but I haven't investigated it properly because I have a couple of DMCA-ignore endpoints with Exit Nodes that I can use for torrenting.

    I'm not using a UI for it because I prefer the CLI, but I'm thinking about setting up Headplane for it at some point. However I suspect it'll need more than a 1c/1g to run them both together and I'm just not that bothered about a UI anyway: https://github.com/tale/headplane

    Any reason not to have headscale and a tailscale client installed on the same server?

    In the FAQs it says: https://headscale.net/stable/about/faq/#why-is-my-reverse-proxy-not-working-with-headscale

    "Running headscale on a machine that is also in the tailnet can cause problems with subnet routers, traffic relay nodes, and MagicDNS. It might work, but it is not supported."

    I'm planning to test deploying Headscale in a Docker container and running a Tailscale client on the same server, which I'm hoping will work without conflicts but I haven't tried it yet

    Interesting. I am running headscale in docker and have tested a tailscale client on the same machine both in docker and on host directly. It works as long as your headscale is in docker and you're not using the headscale custom derp. If I use the custom derp of headscale these clients on the same machine cannot make direct connections with other machines on my tailnet for some reason.

    Thanked by 1nghialele