Headscale Project Develops Open Server for Tailscale's Distributed VPN Network

The Headscale project develops an open source implementation of the Tailscale VPN server component, which allows you to create Tailscale-like VPN networks at your own facilities without being tied to third-party services. Headscale's code is written in Go and distributed under the BSD license. The project is being developed by Juan Font Alonso of the European Space Agency.

Tailscale lets you combine an arbitrary number of geographically dispersed hosts into a single network organized as a mesh, in which each node communicates with other nodes directly (P2P) or through neighboring nodes, without passing traffic through the VPN provider's centralized external servers. ACL-based access and route control is supported. To establish communication channels across network address translators (NAT), the STUN, ICE and DERP mechanisms are supported (DERP is similar to TURN, but based on HTTPS). If the communication channel between certain nodes is blocked, the network can rebuild its routing to direct traffic through other nodes.

Tailscale differs from the Nebula project, which is also designed to create distributed mesh-routed VPN networks, in that it uses the WireGuard protocol to transfer data between nodes, while Nebula uses the developments of the Tinc project, which uses the AES-256-GCM algorithm to encrypt packets (WireGuard uses the ChaCha20 cipher, which in tests demonstrates higher throughput and responsiveness).

Another similar project, Innernet, is being developed separately; it also uses the WireGuard protocol to exchange data between nodes. Unlike Tailscale and Nebula, Innernet uses a different access separation system, based not on ACLs with tags attached to individual nodes, but on subnetting and allocation of different ranges of IP addresses, as in ordinary Internet networks. In addition, Innernet is written in Rust rather than Go. Three days ago, the Innernet 1.5 update was published with improved support for NAT traversal. There is also the Netmaker project, which allows you to combine networks with different topologies using WireGuard, but its code is supplied under the SSPL (Server Side Public License), which is not open due to discriminatory requirements.

Tailscale is distributed under a freemium model, with free use for individuals and paid access for businesses and teams. Tailscale's client components, with the exception of graphical applications for Windows and macOS, are developed as open source projects under the BSD license. Tailscale's server software, which provides authentication for new clients, coordinates key management, and manages communication between nodes, is proprietary. The Headscale project addresses this shortcoming and provides an independent open source implementation of the Tailscale server components.

Headscale takes over the exchange of nodes' public keys, and also assigns IP addresses and distributes routing tables between nodes. In its current form, Headscale implements all the main features of the management server, with the exception of MagicDNS and Smart DNS support. In particular, it supports registering nodes (including via the web), adapting the network when nodes are added or removed, separating subnets using namespaces (one VPN network can be created for several users), organizing shared access of nodes to subnets in different namespaces, routing control (including assigning exit nodes to the outside world), access sharing through ACLs, and DNS service operation.

Source: opennet.ru