Integrating Headscale and Headplane with Pangolin

These are my traefik labels which work. Headplane developer changed it from /admin to /admin/

labels:
  - traefik.enable=true
  # Router Definition 
  - traefik.http.routers.headplane-rtr.rule=Host(`${HS_URL}`) && PathPrefix(`/admin`)
  - traefik.http.routers.headplane-rtr.priority=100 # sets priority over base-domain
  - traefik.http.routers.headplane-rtr.entrypoints=websecure
  - traefik.http.routers.headplane-rtr.tls.certresolver=myresolver
  - traefik.http.services.headplane-svc.loadbalancer.server.port=3000 # headplane port
  # ---- Middleware for redirect ----
  - traefik.http.middlewares.headplane-addslash.redirectregex.regex=^https?://([^/]+)/admin$$
  - traefik.http.middlewares.headplane-addslash.redirectregex.replacement=https://$${1}/admin/
  - traefik.http.middlewares.headplane-addslash.redirectregex.permanent=true
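
An offline check of the redirect labels from the post above, added here as an example (not the poster's or the Headplane project's code): it undoes the Compose `$$` escaping, then shows that only the bare `/admin` URL is redirected and that the target stays on the requesting host. The host `hs.example.com` is a constructed placeholder, and Python's `re` stands in for Traefik's Go regex engine.

```python
import re
from urllib.parse import urlsplit

# Label values copied from the post, still in Compose form ("$$" escapes "$").
COMPOSE_REGEX = r"^https?://([^/]+)/admin$$"
COMPOSE_REPLACEMENT = r"https://$${1}/admin/"


def compose_unescape(value):
    """Undo Docker Compose interpolation escaping: '$$' becomes '$'."""
    return value.replace("$$", "$")


def go_to_python_replacement(repl):
    """Translate Go-style ${n} group references into Python's \\g<n>."""
    return re.sub(r"\$\{(\d+)\}", r"\\g<\1>", repl)


PATTERN = re.compile(compose_unescape(COMPOSE_REGEX))
REPLACEMENT = go_to_python_replacement(compose_unescape(COMPOSE_REPLACEMENT))


def redirect_target(url):
    """Return the redirect Location for url, or None if the URL passes through.

    redirectregex is applied to the full request URL (scheme, host, path, query).
    """
    if PATTERN.search(url) is None:
        return None
    return PATTERN.sub(REPLACEMENT, url)


def stays_on_host(url):
    """True when the redirect (if any) keeps the host the client asked for."""
    target = redirect_target(url)
    return target is None or urlsplit(target).netloc == urlsplit(url).netloc


if __name__ == "__main__":
    # Constructed sample URLs; hs.example.com is a placeholder for ${HS_URL}.
    for path in ("/admin", "/admin/", "/admin/machines", "/administrator", "/admin?x=1"):
        url = "https://hs.example.com" + path
        print(f"{url} -> {redirect_target(url)}")
```

Because the pattern ends in `$`, `/admin/` and everything below it pass through untouched, so the permanent redirect cannot loop.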

does anyone here use pocket-id (oidc) to secure headscale? if so, how did you do it?

Hey HHF, can you tell me if you still have time to show how to enable the internal Headscale DERP server in combination with Pangolin? I have no idea what routes and middleware might look like.

I’m a bit confused (what else is new?). So, by following this guide, will my end users still be able to access my pangolin-proxied resources without being on the headscale vpn?

this is self-hosted tailscale. it doesn’t interfere with pangolin at all. both are running in parallel.

i haven’t tried it yet. will let you know once i try it

That would be nice. Thanks

That’s what I thought. Just wanted to confirm.

You mention that it would be too difficult to manage this and crowdsec? What makes it difficult?

I’m getting this error when trying to start up the headscale/headplane containers.

image

Any idea what is causing this?

i can’t see the error (not clear). can you please attach logs and your deployment files so i can check. use pastebin if possible

Apologies for that. I actually figured out the issue. I was pointing to the wrong config file. Seems to be working now.

about your other question on crowdsec, i have a workaround. ping me on cord

I’m actually about to log off for the night. I’ll try to catch you later.

I was able to get headscale/plane set up and I can access headplane. I’m having trouble connecting to a client i tried to set up. I’ll have to troubleshoot that as well.

Thanks for your help!

Has anyone here tested headscale 0.26.0?
If so, does it work with the configuration shown above?

Did anybody test this config with headscale 0.26 and headplane 0.6?

Yes, it works!!!

It is important to update the two images, tale/headplane:0.6.0 and headscale/headscale:0.26.0

Make a backup before.

Thanks! Is there a way to reverse proxy to headscale machines?

Hello, thanks for the docs. I can connect to headscale, but on connecting I lose access to the public internet. Does anyone have an idea what I might have done wrong?
Note: I have crowdsec running as well. Should I be disabling that?

You need to whitelist IPs for local and clients in crowdsec. That might be the issue.

You’re awesome. that worked, thanks