Help me out please Fediverse,

I’m interested in running my own headscale server for the fun of it. I’d probably have 3 users (me, OH, kid), and about a dozen devices (laptops, phones, servers).

What I don’t understand is how authentication works there. The docs mention OpenID. Do I have to set up an OpenID server and provision accounts for everyone? Can people ‘just use passkeys’? I don’t fully understand that part.

#headscale #SelfHosting #AskFedi

@michael

If it's like Tailscale, then yes, you'll need something providing OIDC, such as Authentik.

I use Tailscale but set up Authentik for auth so I wasn't relying on the good graces of Google to be allowed to make my Tailnet.

@michael I'm running one of those and haven't touched anything resembling that, but my setup is headless and (AFAIK) doesn't have much, if any, web interface. So maybe there's a simpler way?
@michael You can create an OIDC service, but you don't have to. You can create users in headscale.
@a How do those users authenticate then?
@michael You create the users in headscale.
@michael
```
docker exec -it headscale headscale users create username
```

when running in Docker

@a Yes, understood. But after the user is created, how does he authenticate?

Say you want to connect a device to the tailnet, you presumably need more than a username.

@michael Like in Tailscale, although not with such a nice UI. The client registers a device, the control plane approves it, and that’s it.
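
Added example, not from the thread and not headscale's own code: the two ways a device gets onto the tailnet once a user exists and no OIDC provider is configured. It assumes headscale runs in a container named "headscale" (as in the docker exec command above), that you have docker access, and that the tailscale client prints a URL of the form https://<server>/register/<key> when started with --login-server. The flag names (`nodes register --user/--key`, `preauthkeys create --user/--expiration`) follow recent headscale releases and are assumptions; check `headscale <cmd> --help` on your version. The hostname, user names and `mkey:...` values are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): enrolling devices on a self-hosted
# headscale without OIDC, via admin approval or a short-lived pre-auth key.
# Assumptions: headscale CLI is reachable through the "headscale" container;
# flag names are those of recent headscale releases (verify with --help).
set -eu

# How the headscale CLI is invoked. Override with HS=headscale for a bare install.
HS="${HS:-docker exec -i headscale headscale}"
# DRY_RUN=1 prints the CLI command instead of executing it.
DRY_RUN="${DRY_RUN:-0}"

run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    # shellcheck disable=SC2086  # HS is intentionally word-split
    $HS "$@"
  fi
}

create_user() {
  run users create "$1"
}

# Pull the registration key out of the URL a family member pastes to you.
# Anything that is not an https .../register/<key> URL, or whose key contains
# characters outside the expected token alphabet, is rejected so that a
# mistyped or hostile string never reaches the CLI.
registration_key_from_url() {
  url="$1"
  case "$url" in
    https://*/register/?*) ;;
    *) return 1 ;;
  esac
  key="${url##*/register/}"
  key="${key%%[?#]*}"
  case "$key" in
    ""|*[!A-Za-z0-9:._-]*) return 1 ;;
  esac
  printf '%s\n' "$key"
}

# Interactive path (laptops, phones): the device ran
#   tailscale up --login-server https://headscale.example.com
# and printed a URL. The admin approves that device under a headscale user.
approve_device() {
  user="$1"
  key="$(registration_key_from_url "$2")" || {
    echo "refusing to register: not a headscale registration URL: $2" >&2
    return 1
  }
  run nodes register --user "$user" --key "$key"
}

# Headless path (servers): mint a key the machine passes as
#   tailscale up --login-server https://headscale.example.com --authkey <key>
# Keys are single-use unless --reusable is given; the short expiry limits the
# damage if the key leaks through shell history or a provisioning log.
mint_preauth_key() {
  user="$1"
  ttl="${2:-1h}"
  run preauthkeys create --user "$user" --expiration "$ttl"
}

# Usage: ./enroll.sh create alice
#        ./enroll.sh approve alice 'https://headscale.example.com/register/mkey:...'
#        ./enroll.sh key kid-server 30m
if [ "$#" -gt 0 ]; then
  cmd="$1"; shift
  case "$cmd" in
    create)  create_user "$@" ;;
    approve) approve_device "$@" ;;
    key)     mint_preauth_key "$@" ;;
    *) echo "usage: $0 {create|approve|key} ..." >&2; exit 2 ;;
  esac
fi
```

So the answer to "what more than a username?" is: either the admin approves the device's registration key, or the device presents a pre-auth key you minted for it. If you later put an OIDC provider in front of headscale, the browser login replaces the approve step for interactive devices; pre-auth keys keep working for servers either way.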

@michael If you want something simple for OIDC, Pocket ID might be up your alley: https://pocket-id.org/

Single binary, passkeys only.


@michael
Yes, that's how I had it set up.

I switched to netbird; it seems to me like the better self-hosted solution, IMHO. And while I run it against Authelia, you don't need OIDC anymore to run netbird; it's just an option.