Self-host tailscale with headscale in NAT VPS

Natvps.id – You canHosting Your own TailScale server uses headscale. Using headscale avoid information about networks (such as nodeDevice registration, and account) are sent to the outside server, giving you full control to your data. Self-hosting headscale also allows you to install authentication habit based on Openid Connect (OIDC). Also, you are not bound by tailscale because Control server managed by yourself.

This article discusses the steps to install Headscale + Headscale-UI on NAT VPS using a docker, along with the Nginx configuration for Reverse-Proxy. This article uses Ubuntu 22.04 as a reference, but you can use other distributions such as Debian and Centos. Make sure the OS used supports the docker.

Port forwarding configuration

Considering we use grout, we need to add 2 Port Forwarding Configuration on the virtualizor panel (or other VPS panels according to the provider), namely Port Forwarding HTTP and HTTPS For domain headscale.

For example, in this article will use a domain hs.tutorial.mdinata.my.id to access headscale. You are free to change the domain according to your choice. Record this port and domain, because we will use it again in the installation process.

Don’t forget to add DNS Records to go to your NAT VPS public IP, like this:

Install Docker

First, install curly Using Orders:

apt update && apt install curl -y

Then, run manuscript Automatic installation from the docker by entering:

curl -fsSL get.docker.com | sh

Wait until the installation process is complete.

Install headscale

Before installing, we need to check the latest version of Headscale.

Open https://github.com/juanfont/headscale/releases/lestThen check the latest version. When this article was written, the latest version was 0.26.1 (Without a letter v.)

Then, enter the following command to start the headscale installation:

HEADSCALE_VERSION="0.26.1" # Ganti dengan versi terbaru Headscale yang tersedia
HEADSCALE_ARCH="amd64"

wget --output-document=headscale.deb "

sudo apt install ./headscale.deb

Change 0.26.1 in headscale_version according to the latest version of headscale.

Wait until the installation is complete.

Open the headscale configuration file with nano:

apt install nano -y # Jika belum
nano /etc/headscale/config.yaml

In the section server_urlChange to the domain you want to use to access headscale.

Save the file with Ctrl-x, YThen Enter.

Activate headscale with the command:

systemctl enable --now headscale

Install headscale-UI

Headscale does not provide a web interface to regulate the configuration. We can use third -party applications such as Headscale-UI to manage headscale.

Run the following peirntah to run headscale-ui:

docker run -d -p 8443:8443 --restart unless-stopped --name headscale-ui ghcr.io/gurucomputing/headscale-ui:latest

Wait until the process interesting finished.

Nginx Reverse-Proxy settings

H
E
ADSCALE_VERSION="0.26.1"
HEADSCALE_ARCH="amd64"

wget --output-document=headscale.deb "

sudo apt install ./headscale.deb

So that we can access headscale through domains like hs.tutorial.mdinata.my.idwe can use Reverse Proxy Like Nginx.

First, install Nginx through the command:

# Hapus Apache2 dan pendukungnya (biasanya terpasang secara bawaan di VPS OpenVZ)
apt purge apache2* -y

# Install NGINX
apt install nginx -y

Create a new host configuration specifically for headscale:

nano /etc/nginx/sites-available/headscale

Then stick the following configuration:

# 
# Reference:
#   - 
#   - 

map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}

server {
    listen 80;
    listen [::]:80;
    server_name hs.tutorial.mdinata.my.id;

    # Headscale
    location / {
        proxy_pass 
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// 
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }

    # Headscale-UI
    location /web/ {
        proxy_pass 
        proxy_http_version 1.1;
        proxy_set_header Host $server_name;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
    }
}

Adjust hs.tutorial.mdinata.my.id with your domain.

Activate the configuration with:

ln -sf /etc/nginx/sites-available/headscale /etc/nginx/sites-enabled/headscale

# Restart NGINX
systemctl restart nginx

Produce SSL certificate (let’s encryption)

So that our domain can be accessed through HTTPS, we need to make a SSL certificate. We can use a free SSL certificate from Let’s Encrypt through Certbot.

Install Certbot and Nginx plugin use the command:

apt install python3-certbot python3-certbot-nginx

So, produce Certificate through Certbot with the command

certbot --nginx -d hs.tutorial.mdinata.my.id

Change hs.tutorial.mdinata.my.id with your domain.

Happy! Your current domain can be accessed via a safe connection https.

Headscale-UI configuration

Dashboard Headscale-UI can be accessed at Headscale>/web. Example: https://hs.tutorial.mdinata.my.id/web/.

We need to adjust our headscale url before you can use headscale-ui.

Go to the tab Arrangement.

In the section Server settings,

• Url Heafagscale: URL HEADSCALE
• API Key HeadScale: API Key for authentication with headscale

To make a key fire, log in to NAT VPS, then type:

headscale api create

Add users

You need to add user which will be used for login to the headscale server from the device client.

Enter the tab User display.

Click New userThen enter last name free.

Add devices

To add device And connect it to the headscale server, we need to re -log in with the server address directed to our server.

1. Windows

For Windows devices, open the terminal/powershell, then type:

tailscale login --login-server  headscale>

Open the appearance of the URL that appears. You will get rule to authenticate the device.

Enter the command on NAT VPS. Don’t forget to change USERNAME With the username of the username that you have created.

If successful, the tailscale on the Windows device will be connected to your headscale server.

Cover

Thus this article is about the steps to install headscale on NAT VPS. If you are confused or doubtful, don’t hesitate to ask questions in the telegram group @ipv6indonesia. Thank You!