When Your Competitor's Employee Builds Your Alternative

Here's the strange thing about Headscale: It's an open-source replacement for Tailscale's control plane, giving you encrypted networking without subscription fees or device limits. And it was built by Kristoffer Dalby, who works at Tailscale.

That's the kind of thing that makes you stop and think about what competition actually means in open source. Because on the surface, this looks like strategic self-sabotage. Why would a company pay someone to build the thing that lets users avoid paying them?

The answer becomes clear once you try to set it up.

The Moat Is the Complexity

Better Stack's Richard Bray walks through the entire installation process in a new video, and it's... involved. We're talking Docker Compose configurations, manual user creation via command line, pre-authorization keys, ACL policy files in "human-readable JSON" (which is still JSON), Caddy reverse proxy setup, CloudFlare DNS records, and a web UI that crashes with TypeScript errors.

As Bray puts it: "Someone without a technical background or even a junior developer would struggle setting this up on their own, which is probably why the Tailscale team have allowed their employee to work on this because it doesn't really pose much of a threat to their company right now."

He's right, but there's more going on here than just technical barriers.

What You Get (And What You Don't)

Headscale delivers impressive feature parity with Tailscale's core functionality. You get MagicDNS, subnet routers, exit nodes, custom ACL policies—the fundamentals that make Tailscale useful. Bray demonstrates connecting Ubuntu servers through his self-hosted control plane: "As you just saw, headscale gives you complete access to your network. You can control every little detail and you can add as many nodes as you want without any vendor locking."

The missing pieces are telling. No funnel or serve commands for exposing services. No multiple tailnets. No ephemeral nodes. No native network flow logs. These aren't random features—they're the things that matter to teams, to organizations, to the customers who actually generate revenue.

Headscale is perfect for homelabs. It's great for the technically sophisticated user who wants offline capability and complete control. It's free as in beer and free as in freedom. And none of that threatens Tailscale's business model.

The Labor Economics of DIY

There's a certain kind of developer who will spend eight hours setting up Headscale to avoid a $5/month subscription. I say this without judgment—I've been that developer. But that math only works if you don't value your time, or if you're learning something in the process, or if the control itself is the point.

For everyone else, the calculation is different. Bray's setup involves three Docker containers, manual configuration files, debugging UI crashes, and understanding networking concepts that most developers never need to think about. Even after watching his tutorial, you'd need to troubleshoot your specific environment, manage updates, handle your own security, and be your own support when something breaks at 2 AM.

Tailscale charges money to handle all of that. Headscale lets you handle it yourself. Neither approach is wrong—they serve different needs.

The UI Problem That Reveals Everything

Bray spends time on Headscale UI, one of several community-built web interfaces. He creates an API key, pulls up the interface, and then: "The problem I had with this is the device view. So, as you can see, there isn't much information here, and it's something to do with the console with a TypeScript type error, which shouldn't be my fault because I haven't actually edited the source code. But at this point, the app tends to freeze."

This is the open source experience in microcosm. The tool works. The community is passionate. The UI exists because someone needed it and built it. And it crashes because that someone isn't being paid to maintain it, document it, or make it bulletproof.

Bray mentions other Headscale UIs, some that even handle ACL policies more elegantly. Which means if you want a good UI experience, you need to research multiple options, understand their trade-offs, and potentially switch if your choice stops being maintained. All of which is fine if you're into that. Most people are not into that.

What Tailscale Actually Understands

There's a specific business insight embedded in Tailscale allowing—even funding—Headscale's development. They understand that the people who want to self-host their VPN control plane are not the same people who would otherwise pay for Tailscale. These users were never going to be customers. They were going to roll their own WireGuard setup or use ZeroTier or find some other solution.

By having an employee build Headscale, Tailscale accomplishes several things:

1. They control the narrative around the "free alternative"
2. They ensure Headscale stays compatible with Tailscale clients
3. They learn from the community's use cases and feature requests
4. They get credit for being open-source-friendly without open-sourcing their actual product
5. They make it very clear where the line is between free and paid

It's actually pretty clever. The existence of Headscale makes Tailscale look more legitimate, not less.

The License Tension

Bray observes: "All it really takes is someone to use Claude Opus to create a very nice UI around it and they could be on to something cool which might get squished by this license."

He's pointing at something real. Headscale uses a BSD 3-Clause license, which is permissive. But the moment someone builds a competitive product on top of it—something that actually threatens Tailscale's revenue—the dynamics change. The license allows it, but the relationship between Headscale's development and Tailscale's funding creates... complications.

This is the tension in corporate-adjacent open source: It's genuinely open until it isn't. Nothing prevents someone from forking Headscale and building a commercial product. But you'd be competing with a project that has Tailscale's implicit backing, and that changes the game.

The Real Value Proposition

After all the setup complexity, Bray's conclusion is measured: "Once you have everything up and running, Headscale works amazingly well. Although there are a few features it doesn't yet support... But for an open-source tool, this is really impressive."

That "for an open-source tool" qualifier does a lot of work. It acknowledges that we judge OSS projects differently—not just on what they do, but on the fact that they exist at all without corporate backing (even when they have corporate backing).

Headscale is valuable because it proves the model is viable. Because it gives technical teams an option when Tailscale's pricing becomes untenable. Because it enables offline use cases that SaaS fundamentally can't serve. Because some environments require complete data sovereignty, and "trust us" isn't good enough.

Those are real benefits. They're just not benefits that most users need enough to deal with the complexity.

Where This Goes

The interesting question isn't whether Headscale will compete with Tailscale. It's whether someone will eventually wrap Headscale in enough convenience that it does start competing. One-click installers. Hosted-but-you-control-it options. Managed Headscale services that charge less than Tailscale but more than free.

That's when we'll see what Tailscale's relationship with Headscale actually means. When the existence of the OSS alternative stops being a marketing asset and starts being a revenue threat.

For now, though, the equilibrium holds. Technical users get their control plane. Tailscale gets to point at Headscale and say "see, we're not anti-open-source." And the vast majority of users keep paying for the convenience of not having to think about any of this.

Which might be exactly what everyone wanted all along.

— Dev Kapoor