Personally I've not found a need for a UI for Headscale, as I'm happy managing clients via the command line. That said there are several out there that you could try such as github.com/gurucomputing/headscale-ui they do have examples on how to edit your docker-compose.yml to connect them.

Yes, that's how I believe it works. Headscale is a Tailscale control/coordinator server that sets up a connection between clients. In my testing I was able to connect 2 clients on different networks via Headscale then I was able to shutdown Headscale and the WireGuard tunnel and both clients were still connected and able to communicate (since the connection was setup via Tailscale). I believe if they can't create a direct connection between clients then a secure relay maybe used tailscale.com/blog/how-tailscale-works/

indeed you were correct , after multiple testing seems that clients behind firewall advertising routes will go through relays with TCP connection ( might some allow NAT needed ) while if used on pfsense directly there will be direct UDP connection . I have to look for way to force direct connection without relaying on the firewall @@DigitallyRefined

Glad it was helpful. Fly.io is used as a way to expose your Headscale container to the internet via a tunnel. For example if you don't have a public IP address. If you do have a publicly accessible IP address you could remove Fly.io and setup your own DNS or use a service like DuckDNS and then open/forward ports 80 & 443 to your Headscale container. The differences with the Headscale vs. Tailscale coordinators are that you're in control of your infrastructure by self hosting it, so for example you don't need to register for a Tailscale account, you also don't have any device or account limits and it's also better for security as the only way devices can join your network is via the Headscale command line.

@@DigitallyRefined Thank you for clarifying that. I have a Cloudflare domain that is registered, I was thinking of using it but you mentioned that Cloudflare does not support and fly io has no way to see my traffic so I will stick to that for now. Until fly io starts charging for giving out IPs 😅

Cloudflare does support Fly.io, its Cloudflare Tunnels that don't support Headscale. You create a subdomain in Cloudflare and use the IP address from: "fly ips list" 👍

Fly.io no longer offers free dedicated IPv4 addresses, as they will starting charging for them from 2024 which is why they require a credit card. You could try a service that gives you temporary online credit cards if you wanted to try it out, but your account maybe suspended if you don't pay any outstanding charges 😥

tnx, i prefer use another "way" :) @@DigitallyRefined

Yes, that's correct. If the ports are available to the container (i.e. it's on the same Docker network), then you can add any number of additional ports to the comma separated SERVICES list (check the docker-wireguard-tunnel repo for more info). So you only need to run one peer per host. Or alternatively you could expose only the required ports for Headscale and then use Tailscale to connect back to the peer (which is what I do).

@@DigitallyRefined wow it works in first try. IMHO, This is so far the easiest wg tunnel i ever deployed. Now, I'm trying to make it work on nginx proxy manager

Good spot! A Fly.io staff member does say on their community forum that they will start charging for dedicated IPv4 addresses in the future (which is required for UDP apps like WireGuard), however they haven’t enabled billing for them yet. Fly.io does also offer free dedicated anycast IPv6 addresses which should also be fine for WireGuard, but I may need update the setup guide for IPv6.

Correct me if I am wrong, by default we are using shared IPs right? and I have been this setup for quote sometime and have had no issues.

When setting up I selected "Yes" to a dedicated IPv4 IP address, which may become paid for in the future. If that does happen then in theory IPv6 should work and would remain free to use.

@@DigitallyRefined hello again, they will start billing in january. While I have no problem paying the 2$ a month if i have to, I was trying to use the app without the designated IPv4 address and it doesn't seem to work. Any advice? Should I be changing somethink in the fly.toml?

Great video I am using headscale about 7 months now! Now that they are actually billing, did you set it up with ip6 and does it work? And is there an easy way to switch?@@DigitallyRefined

Why not install tailscale on a device that can serve as a jump box and access the devices that way?

After enabling a client to be an exit node, you'll need to find the ID and enable it. On the machine that's running Headscale you should be able to run `docker exec headscale headscale routes list` to find the ID then run `docker exec headscale headscale routes enable -r `. There's more info in their docs at headscale.net/exit-node/#on-the-control-server

@@DigitallyRefined I found already, thx