Managed Headscale

Your private mesh VPN, run by us

A single-tenant Headscale control plane on our cloud, plus optional VPN routers in our facilities. Standard Tailscale clients connect through it; WireGuard does the work underneath.

What it is

Tailscale-compatible mesh, on your terms

Managed Headscale is a single-tenant Headscale instance, operated by our team, with standard Tailscale clients on your devices connecting through it. You get the admin CLI and API, the ACL file, the device list, and the audit trail. We get the server, the upgrades, the monitoring, and the pager when the control plane needs attention.

Optionally we operate VPN routers in our Troy facilities that join the same mesh as subnet routers, exit nodes, or BGP-aware gateways. That gives branch sites and customer datacenters a real piece of network equipment to land on instead of an endpoint client, and lets your fleet exit through addresses on our network instead of a residential ISP.

What runs underneath

The stack, plainly

Open-source control plane, standard WireGuard data plane, optional routers we operate.

Headscale

Open-source coordination server compatible with standard Tailscale clients. Your own instance, your own ACLs, your own user namespace.

WireGuard

Standard WireGuard data plane. Encryption stays between clients; the control plane never sees the traffic itself.

Mesh routers

Optional VPN routers at our Troy facilities, acting as subnet routers, exit nodes, or BGP-aware gateways for branch connectivity.

What we manage

Where the work happens

Provisioning is ours. We size the Headscale deployment to your device count, stand up the server with TLS, wire your identity provider in over OIDC, seed the initial user namespace and ACL file, and hand over CLI and admin API credentials. If you want managed VPN routers in our facilities, we rack and configure those during the same project.

Day-2 operations are ours too. Headscale updates, OS patches, certificate renewal, OIDC integration changes, and any managed router maintenance run on a schedule we hold. The control plane is monitored from outside; if registrations start failing or a router degrades, we see it before your team does.

ACL changes go through whatever workflow you want: open a ticket and we apply them, or you push directly via the admin API and we hold the rollback. Key rotation, device pruning, and audit-log exports are part of the standard work. Coverage and credit terms are written into the SLA so the bar is in writing, not in conversation.

Questions network teams ask first

The ones we hear when a team is weighing self-hosted mesh against a hosted service.

Will my Tailscale clients work with this?

Yes. Standard Tailscale clients on Linux, macOS, Windows, Android, and most server platforms support pointing at a custom login server, which is what Headscale is. On iOS the path is a little narrower and we'll talk you through what's available. The data plane underneath is the same WireGuard either way.

Why run Headscale instead of using a hosted mesh service?

Three reasons we hear most. Data residency: the coordination server and the device list stay on infrastructure you can audit. Device economics: there is no per-device monthly fee that scales with your device count; the cost is the server. Operational sovereignty: ACL changes, key rotation, and the audit log are yours to run, not a vendor's roadmap to wait on.

Can you operate VPN routers for me too, or is this just the control plane?

Both options exist. The default is just the Headscale control plane, with your clients connecting through it. We can also stand up VPN routers in our facilities that act as subnet routers (to expose your private subnets to the mesh), exit nodes (to route client traffic out through our network), or BGP-aware gateways (for branch sites that need a router instead of an endpoint).

How does identity work?

Headscale supports OpenID Connect, so your existing identity provider (Microsoft Entra, Google Workspace, Okta, Keycloak, others) drives who can register a device and what tags they get. We wire the OIDC integration during provisioning. ACLs are written in the standard Tailscale ACL format and version-controlled with your changes.

Big enough to deliver, small enough to care

Tell us your device count, your identity provider, and whether you want VPN routers in our facilities. We'll quote a deployment that fits.
