The official Tailscale subreddit. Not routinely monitored by Tailscale employees. Please contact support via https://tailscale.com/contact/support if you need further help.
Does traffic pass through headscale?
I know this is technically a tailscale subreddit, not a headscale subreddit, but I'm curious to know if traffic passes through a headscale server or does it simply use that server for authentication and routing? I'd like to set up a VPS to run headscale, but if all the traffic passes through that VPS I don't know if it's such a good idea.
Following. I have the same question.
I kinda know it doesn't, but do they get some Metadata? Does the encryption protect me from tailscale as well? Or since tailscale has my keys, they can see my traffic if they wanted to?
Tailscale doesn't have your keys.
Both the servers, Headscale and Tailscale, coordinate the key exchange, but that happens peer to peer.
The Tailscale servers have access to some metadata: the IP addresses and IDs of the nodes, what OS, client version, what node they're connecting to. But they can't see any of the data.
According to the documentation, there are limited circumstances where the Tailscale protocol is unable to establish a direct connection and requires relaying the traffic through a so-called DERP server. It seems `headscale` provides an embedded DERP server, meaning it could in principle have to relay traffic (but that should not be the norm).
No, traffic won’t pass through it, and would use a DERP server instead which is analogous to STUN servers for SIP. Traffic is encrypted between the nodes and the only major part that concerns me is that you could MITM this in the same way that Facebook does with WhatsApp and the e2e encryption there, but this doesn’t keep me up at night and I use Tailscale and Headscale on my personal systems, and full Tailscale on professional systems.
Unless you enable the DERP relay feature of course...
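The practical question behind this thread is whether a given peer is actually talking directly or being relayed through a DERP server (such as the one embedded in a headscale VPS). The added example below is not from the thread or from the Tailscale or headscale projects; it parses the JSON that `tailscale status --json` prints and classifies each peer as direct, relayed or idle. The field names (`Peer`, `HostName`, `Active`, `CurAddr`, `Relay`) are those the client emits as far as I know them, and the sample status is constructed, so it runs offline; the `live_status()` helper is the only part that shells out to the real client.

```python
import json
import subprocess  # used only by live_status(), never by the offline check

# Constructed sample of `tailscale status --json`, trimmed to the fields this
# check needs. Hostnames, addresses and the DERP region code are made up.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"]},
    "Peer": {
        # Active peer with a current endpoint address: direct WireGuard path.
        "nodekey:aaaa": {"HostName": "homeserver", "TailscaleIPs": ["100.64.0.2"],
                         "Online": True, "Active": True,
                         "Relay": "", "CurAddr": "203.0.113.7:41641"},
        # Active peer with no endpoint address but a relay region: DERP relayed.
        "nodekey:bbbb": {"HostName": "nas", "TailscaleIPs": ["100.64.0.3"],
                         "Online": True, "Active": True,
                         "Relay": "vpsderp", "CurAddr": ""},
        # Peer with no recent traffic: nothing to classify yet.
        "nodekey:cccc": {"HostName": "phone", "TailscaleIPs": ["100.64.0.4"],
                         "Online": False, "Active": False,
                         "Relay": "", "CurAddr": ""},
    },
})


def classify_peers(status_json: str) -> dict:
    """Map each peer hostname to 'direct', 'relayed:<region>' or 'idle'.

    A peer that is Active and has a CurAddr is exchanging packets directly.
    An Active peer without CurAddr is being relayed through the DERP region
    named in Relay. A peer that is not Active has no current path to judge.
    """
    status = json.loads(status_json)
    result = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName", "<unknown>")
        if not peer.get("Active"):
            result[name] = "idle"
        elif peer.get("CurAddr"):
            result[name] = "direct"
        else:
            result[name] = "relayed:" + (peer.get("Relay") or "<unknown>")
    return result


def relayed_peers(status_json: str) -> list:
    """Hostnames whose traffic is currently going through a DERP relay."""
    return sorted(name for name, state in classify_peers(status_json).items()
                  if state.startswith("relayed:"))


def live_status() -> str:
    """Fetch the real status from the local tailscale client (assumes the
    `tailscale` CLI is on PATH and the daemon is running)."""
    completed = subprocess.run(["tailscale", "status", "--json"],
                               capture_output=True, text=True, check=True)
    return completed.stdout


if __name__ == "__main__":
    for host, state in classify_peers(SAMPLE_STATUS).items():
        print(f"{host:12} {state}")
    print("relayed peers:", relayed_peers(SAMPLE_STATUS))
```

Run it against `live_status()` instead of `SAMPLE_STATUS` on a node to see which peers the coordination server's DERP is actually carrying; a peer that stays in the relayed state after it has been active for a while is the case the thread worries about, and the usual causes are NAT or firewall rules blocking the direct UDP path.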