Comment by benley

I posted a reply to another subthread with some of this: > * Does it work well?

Very well! There are some limitations (see link above), but what's implemented is reliable.

> * Do you recommend it?

Yes, provided your requirements fit headscale's capabilities. If you need things like device trust attestation (e.g. Kandji MDM or Crowdstrike Falcon integration), SCIM provisioning, or various other enterprise features you may find it inadequate. If you can afford to pay for Tailscale, you should just use Tailscale because it's really good.

> * Do your users care?

They like it way better than our previous OpenVPN setup, that's for sure. I don't think they care about Headscale vs commercial Tailscale - the backend implementation is largely invisible to them.

> * Is it difficult? Do you have to maintain it or is it basically set it and forget it?

Not hard at all to set up, and it requires little maintenance attention. I have barely had to touch the control plane (other than version upgrades) since setting it up a year ago.

> * What was memorable about setting it up?

We had to do some custom coding to have automatic user offboarding when employees leave the company, and to emulate app connectors / dynamic routing (this is now OSS!

0 comments

benley

Reply