Like the title says. In my current setup I have a headscale server hosted in my DMZ. I use DDNS via Cloudflare and have a DNS-only A record pointed at my headscale server.
This setup is working at the moment, but I don’t love that it exposes my home network’s IP address via the A record. Is it possible to get headscale working while proxying through Cloudflare? So far I haven’t been able to get clients to connect to the coordination server while proxying is enabled.
This is a case of RTFM. Specifically, TFM says:
Notwithstanding the above, there is community documentation to run headscale behind conventional reverse proxies.
However, per the Headscale Discord, Cloudflare does not work because tailscale/headscale utilize a non-standard websocket negotiation.
If you want an alternative to headscale without publicly exposing your home IP too much, I highly recommend trying something like innernet.
What I like about innernet is that the control interface is only exposed within the VPN network, so there is no big deal that your IP is internet-facing — all non-WG connections to the open WG port are dropped, and WG connections require authentication.
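Added example, not from the thread above: a small Python probe for the Cloudflare point, which sends the control-plane upgrade handshake the Tailscale client uses so you can compare the proxied hostname with the origin and see which hop rejects it. It assumes, from my reading of the Tailscale client source (verify against your versions), that the handshake is an HTTP request to /ts2021 carrying `Upgrade: tailscale-control-protocol`, and that a server speaking the protocol answers 101 Switching Protocols.

```python
import socket
import ssl

UPGRADE_PATH = "/ts2021"                      # assumed control-handshake path
UPGRADE_VALUE = "tailscale-control-protocol"  # assumed Upgrade header value


def build_upgrade_request(host: str) -> bytes:
    """Minimal HTTP/1.1 upgrade request modelled on what the control client sends."""
    return (
        f"POST {UPGRADE_PATH} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        f"Upgrade: {UPGRADE_VALUE}\r\n"
        "Connection: Upgrade\r\n"
        "Content-Length: 0\r\n\r\n"
    ).encode()


def classify_response(raw: bytes) -> str:
    """Classify a raw HTTP response as 'upgraded', 'rejected' or 'malformed'."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        return "malformed"
    headers = {k.strip().lower(): v.strip().lower()
               for k, v in (ln.split(b":", 1) for ln in lines[1:] if b":" in ln)}
    # A server that speaks the protocol answers 101 and echoes the Upgrade token;
    # a proxy that only understands standard WebSocket upgrades answers 4xx/5xx.
    if parts[1] == b"101" and headers.get(b"upgrade") == UPGRADE_VALUE.encode():
        return "upgraded"
    return "rejected"


def probe(host: str, connect_to=None, port: int = 443, timeout: float = 5.0) -> str:
    """Send the handshake over TLS and classify the reply.

    Run once with the public (proxied) name and once with connect_to set to the
    origin address (keeping host for SNI) to see which hop breaks the upgrade.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((connect_to or host, port), timeout=timeout) as s:
        with ctx.wrap_socket(s, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host))
            return classify_response(tls.recv(4096))
```

Calling `probe("headscale.example.invalid")` and then `probe("headscale.example.invalid", connect_to="<origin address>")` shows "upgraded" only for the path that carries the non-standard upgrade through unchanged.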