Headscale vs Netmaker: Self-Hosted VPN Compared

Quick Verdict

Headscale is the better choice for most self-hosters. It’s a single binary or container, uses standard Tailscale clients on every platform, and takes 15 minutes to deploy. Netmaker is more powerful — kernel WireGuard performance, multiple isolated networks, built-in dashboard, and managed DNS — but requires 5 containers, wildcard DNS, and a custom client agent. Choose Headscale for simplicity and ecosystem compatibility. Choose Netmaker if you need multi-network isolation or maximum throughput.

Overview

Headscale is a self-hosted implementation of the Tailscale coordination server. It doesn’t handle VPN traffic — that flows directly between peers via WireGuard. Headscale only manages key exchange, node registration, and routing rules. It uses official Tailscale clients on all platforms, which means you get the same apps, MagicDNS, and ACL system as Tailscale but with your own control server.

Netmaker is a full WireGuard networking platform. It uses kernel WireGuard (not userspace) for near-native performance, supports multiple isolated overlay networks from one deployment, includes a web dashboard, managed DNS via CoreDNS, egress gateways, relay servers, and ACLs. It requires its own netclient agent rather than standard WireGuard or Tailscale clients.

Feature Comparison

| Feature | Headscale | Netmaker |
|---|---|---|
| WireGuard mode | Userspace (via Tailscale client) | Kernel (native performance) |
| Throughput | Good (~800 Mbps typical) | Excellent (~950+ Mbps, near wire speed) |
| Client | Official Tailscale clients | Custom netclient agent |
| Platform support | Linux, macOS, Windows, iOS, Android | Linux, macOS, Windows, Docker |
| iOS/Android app | Tailscale app (mature) | NetMaker Remote Access Client |
| Multiple networks | No (flat tailnet model) | Yes (multiple isolated networks) |
| Web dashboard | No (third-party headscale-ui available) | Built-in ReactJS dashboard |
| Managed DNS | MagicDNS (via Tailscale client) | CoreDNS (auto <device>.<network> names) |
| NAT traversal | DERP relays (Tailscale infrastructure) | STUN + custom relay servers |
| ACLs | Tailscale-compatible policy engine | Network-level ACLs |
| Egress gateway | Tailscale exit nodes | Built-in egress gateway |
| SSO integration | OIDC support | Okta, OIDC (Pro/Enterprise) |
| License | BSD-3-Clause | SSPL (Server Side Public License) |
| Docker containers | 1 | 5 (server, UI, Caddy, MQTT, CoreDNS) |
| RAM usage | ~50-100 MB | ~500 MB - 1 GB |
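The "Multiple networks" and "ACLs" rows are where the two designs diverge most: Headscale has one flat tailnet, so segmentation is done with tags and a Tailscale-compatible ACL policy rather than separate networks. The following is an added example, not code from the article or from the Headscale project: a simplified evaluator of such a policy that keeps constructed dev and prod tags apart inside one tailnet (Headscale loads the real policy file via the policy.path setting in config.yaml). All users, node names and tags are made up, and the matcher is deliberately reduced (no autogroups, no CIDR hosts, no source ports).

```python
# Constructed example: a flat Headscale tailnet segmented with tags and a Tailscale-
# compatible ACL policy instead of separate networks; every name here is made up.
POLICY = {
    "groups": {"group:ops": ["alice"], "group:dev": ["bob"]},
    "tagOwners": {"tag:prod": ["group:ops"], "tag:dev": ["group:ops", "group:dev"]},
    "acls": [
        # ops reaches prod on SSH/HTTPS only and dev on any port; dev never sees prod
        {"action": "accept", "src": ["group:ops"], "dst": ["tag:prod:22,443", "tag:dev:*"]},
        {"action": "accept", "src": ["group:dev"], "dst": ["tag:dev:*"]},
    ],
}

# Constructed node inventory; tagged nodes carry tags instead of a user identity.
NODES = {
    "alice-laptop": {"user": "alice", "tags": []},
    "bob-laptop": {"user": "bob", "tags": []},
    "prod-db": {"user": None, "tags": ["tag:prod"]},
    "dev-app": {"user": None, "tags": ["tag:dev"]},
}

def _selector_matches(sel, node, groups):
    """Does one src/dst selector (user, group:, tag:, or *) name this node?"""
    if sel == "*":
        return True
    if sel.startswith("group:"):
        return node["user"] in groups.get(sel, [])
    if sel.startswith("tag:"):
        return sel in node["tags"]
    return sel == node["user"]

def _port_matches(spec, port):
    """Port spec is '*', one port, a range 'lo-hi', or a comma list of those."""
    for part in spec.split(","):
        if part == "*":
            return True
        lo, _, hi = part.partition("-")
        if int(lo) <= port <= int(hi or lo):
            return True
    return False

def is_allowed(policy, nodes, src, dst, port):
    """Simplified Tailscale-style check: default deny, any matching accept rule wins."""
    groups = policy.get("groups", {})
    for rule in policy["acls"]:  # Tailscale policies contain only accept rules
        if not any(_selector_matches(s, nodes[src], groups) for s in rule["src"]):
            continue
        for d in rule["dst"]:
            target, _, ports = d.rpartition(":")
            if _selector_matches(target, nodes[dst], groups) and _port_matches(ports, port):
                return True
    return False
```

The tagOwners block matters as much as the acls: it limits who may register a node with tag:prod, so a developer cannot simply claim the tag to reach the production host.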

Installation Complexity

Headscale is a single Go binary or Docker container. The entire setup:

services:
  headscale:
    image: headscale/headscale:0.25.1
    container_name: headscale
    restart: unless-stopped
    volumes:
      # bind mount holding config.yaml (and the policy file, if you use one)
      - ./headscale-config:/etc/headscale
      # named volume for the SQLite database and the server's private keys
      - headscale-data:/var/lib/headscale
    ports:
      - "8080:8080"
    command: serve

# the named volume referenced above must be declared, or compose refuses to start
volumes:
  headscale-data:

Netmaker requires 5 containers, wildcard DNS or 3 subdomain A records, a Caddyfile, and a Mosquitto config. Setup takes 30-45 minutes vs Headscale’s 15 minutes.

| Metric | Headscale | Netmaker |
|---|---|---|
| Containers | 1 | 5 |
| DNS records | 1 (optional) | 3 (or wildcard, required) |
| Config files | 1 | 3 (compose, Caddyfile, mosquitto.conf) |
| Setup time | 15 minutes | 30-45 minutes |
| Maintenance | Minimal | Moderate (5 services to update) |

Performance and Resource Usage

| Resource | Headscale | Netmaker |
|---|---|---|
| RAM (idle) | ~50-100 MB | ~500 MB |
| RAM (100 nodes) | ~150-200 MB | ~1 GB |
| CPU | Very low | Low-medium |
| Disk | ~50 MB | ~200 MB |
| Throughput | ~800 Mbps (userspace WG) | ~950+ Mbps (kernel WG) |

Netmaker’s kernel WireGuard gives it a measurable throughput advantage, especially on high-bandwidth links. For typical self-hosting (remote access, file sync), both are more than fast enough — the difference matters for large file transfers or media streaming between sites.

Community and Support

Headscale has 25,000+ GitHub stars, active development with regular releases, and a growing community. It benefits from Tailscale’s ecosystem — the official Tailscale clients are well-maintained, polished, and available on every platform.

Netmaker has 10,000+ GitHub stars and is backed by Gravitl (a venture-funded company). It has professional documentation, a Discord community, and enterprise support tiers. The SSPL license is more restrictive than Headscale’s BSD-3-Clause — it prevents cloud providers from offering Netmaker as a service without a commercial agreement.

Use Cases

Choose Headscale If…

  • You want the simplest possible self-hosted mesh VPN
  • You need iOS/Android clients that work flawlessly (Tailscale apps are excellent)
  • You prefer standard Tailscale clients over a custom agent
  • You run on limited hardware (Raspberry Pi, small VPS)
  • You want a permissive open-source license (BSD-3-Clause)
  • You don’t need multiple isolated networks

Choose Netmaker If…

  • You need multiple isolated overlay networks (e.g., separate dev/staging/prod)
  • Maximum WireGuard throughput matters (kernel vs userspace)
  • You want a built-in web dashboard without third-party tools
  • You need managed DNS with automatic device naming
  • You need egress gateways or relay servers for complex network topologies
  • You’re building a production infrastructure with 50+ nodes

Final Verdict

Headscale wins for most self-hosters. The combination of a single-container deployment, official Tailscale clients on every platform, and near-zero maintenance makes it the obvious choice for personal and small-team use. Tailscale’s mobile apps are polished, MagicDNS works seamlessly, and the ACL system is flexible enough for most access control needs.

Netmaker wins for network professionals and complex setups. If you need multiple isolated overlay networks, kernel WireGuard performance, or a full-featured dashboard with egress gateways and relay servers, Netmaker is the more capable platform. The cost is complexity — 5 containers, DNS setup, custom client agent, and more maintenance.

For a middle ground between the two, consider NetBird — it uses kernel WireGuard like Netmaker but with a simpler deployment and standard WireGuard peers.
