
Headscale / WireGuard Zero Trust VPN

A modern "just works" VPN like Tailscale is convenient, but the server that decides which machines exist and who's allowed to talk to whom (the coordination server) is a proprietary SaaS hosted in the US. Bunker runs that same coordination server in Europe, built on Headscale, the open source reimplementation of Tailscale's server. Your traffic itself stays peer-to-peer WireGuard, encrypted end to end.

Access: a coordination server dedicated to your project, for example managed-yourslug-headscale-yourproject.apps.france-nuage.fr.

The two layers of a VPN

A modern VPN splits into two planes. Conflating them makes an encrypted tunnel look like enough to be sovereign. It isn't.

  • The data plane carries the traffic. WireGuard encrypts it end to end, machine to machine, with ChaCha20-Poly1305, right in the Linux kernel. No one in the middle reads it, neither Tailscale nor Bunker.
  • The control plane orchestrates the network: which machines exist, which are allowed to join, and how keys are distributed. It's your network's directory, and it's the part Bunker keeps in Europe.

Encryption already protects the content. What leaks to a third party under US law is the directory: the identity of your machines and the map of who connects to what. The Network and infrastructure page describes where these building blocks run.

Comparison

| Criterion | Bunker (managed Headscale) | Tailscale (SaaS) | Self-hosting |
| --- | --- | --- | --- |
| Control plane | Hosted in Europe | Hosted in the US | Up to you |
| Coordination metadata | Sovereign, EU law | Under US law | Up to you |
| Data plane | WireGuard encrypted end to end | WireGuard encrypted end to end | WireGuard encrypted end to end |
| Client | Standard Tailscale client | Standard Tailscale client | Standard Tailscale client |
| NAT fallback | Relays in Europe | Tailscale relays | On you |
| Reversibility | Open source, re-internalisable | Proprietary SaaS | Total |
| Updates & availability | Managed | Managed | On you |

The client experience is identical to Tailscale, by design: you install the standard Tailscale client. The only difference is where the coordination server lives, and the law that applies to it.

How it works

You install the usual Tailscale client on your machines, then point it at your coordination server hosted at Bunker. From there, your machines discover each other and bring up direct WireGuard tunnels, peer to peer. Traffic goes straight from one machine to another, without passing through a central server.

When two machines can't reach each other directly (strict NAT, closed firewall), the fallback goes through our own relays, hosted in Europe. Traffic there stays encrypted end to end, never read, and doesn't leave the region.

The Tailscale client remains Tailscale Inc.'s software: its updates are distributed by Tailscale Inc. What Bunker makes sovereign is your network's coordination: the machine directory, the access rights, the key distribution.

Quick start

1. Enable the service

  1. Go to console.france-nuage.fr and sign in.
  2. Enable the Zero Trust network service. Bunker provisions your dedicated Headscale coordination server and gives you its URL, which you pass to the client as --login-server.

2. Install the client on a machine

Install the standard Tailscale client (Linux, macOS, Windows, iOS, Android):

# Linux (Debian/Ubuntu and derivatives)
curl -fsSL https://tailscale.com/install.sh | sh

3. Join your network

Point the client at your Bunker coordination server:

sudo tailscale up \
    --login-server=https://managed-yourslug-headscale-yourproject.apps.france-nuage.fr:443 \
    --accept-routes

The --accept-routes flag is not required, but it is often very useful: the machine then accepts every route published on the VPN network (the subnets advertised by other nodes), not just the addresses of the enrolled machines.

Follow the enrolment URL shown, then approve the machine from the console. Repeat on every machine you want to connect.

4. Verify the connection

# List the machines on the network and their addresses
tailscale status

# Test an encrypted tunnel to another machine
tailscale ping your-server

Once two machines are enrolled, they reach each other directly over their private network address, with no port open to the public Internet.
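The two properties the quick start relies on, that the client is enrolled against your Bunker coordination server and that peers are reached directly (or, failing that, only through the expected relays), can be checked from the client's own JSON output. The script below is an added example, not part of Bunker's or Tailscale's documentation; it parses constructed samples shaped like `tailscale status --json` and `tailscale debug prefs`, and the relay region codes "par"/"ams" are assumptions, not Bunker's actual DERP map.

```python
import json
from urllib.parse import urlparse

# Constructed sample: the one field we need from `tailscale debug prefs` (JSON).
SAMPLE_PREFS = json.dumps({
    "ControlURL": "https://managed-yourslug-headscale-yourproject.apps.france-nuage.fr:443"
})

# Constructed sample shaped like `tailscale status --json`: CurAddr is the direct
# WireGuard endpoint (empty when relayed); Relay is the DERP region the peer is
# reached through when no direct path exists. Region codes "par"/"ams" are assumed.
SAMPLE_STATUS = json.dumps({
    "Self": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.1"], "Relay": "par"},
    "Peer": {
        "nodekey:aaa": {"HostName": "vm-prod", "TailscaleIPs": ["100.64.0.2"],
                        "Online": True, "CurAddr": "203.0.113.10:41641", "Relay": "par"},
        "nodekey:bbb": {"HostName": "office-nas", "TailscaleIPs": ["100.64.0.3"],
                        "Online": True, "CurAddr": "", "Relay": "ams"},
        "nodekey:ccc": {"HostName": "old-build", "TailscaleIPs": ["100.64.0.4"],
                        "Online": False, "CurAddr": "", "Relay": ""},
    },
})

def check_control_plane(prefs_json, expected_host):
    """True only if the client is enrolled against the expected coordination server."""
    url = urlparse(json.loads(prefs_json).get("ControlURL", ""))
    return url.scheme == "https" and url.hostname == expected_host

def classify_peers(status_json, allowed_relays):
    """Map each peer's hostname to how traffic currently reaches it."""
    paths = {}
    for peer in json.loads(status_json)["Peer"].values():
        name = peer["HostName"]
        if not peer.get("Online"):
            paths[name] = "offline"
        elif peer.get("CurAddr"):          # direct peer-to-peer WireGuard tunnel
            paths[name] = "direct"
        elif peer.get("Relay") in allowed_relays:
            paths[name] = "relay:" + peer["Relay"]
        else:                              # relayed somewhere outside the expected set
            paths[name] = "UNEXPECTED-relay:" + (peer.get("Relay") or "?")
    return paths

if __name__ == "__main__":
    # On a real node, feed in `tailscale debug prefs` and `tailscale status --json`.
    ok = check_control_plane(SAMPLE_PREFS, "managed-yourslug-headscale-yourproject.apps.france-nuage.fr")
    print("control plane:", "expected" if ok else "UNEXPECTED")
    for host, path in classify_peers(SAMPLE_STATUS, {"par", "ams"}).items():
        print(f"{host:12} {path}")
```

A peer reported as relayed is still encrypted end to end; the check only tells you which relay region carries it, so you can confirm the fallback stays where you expect.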

SSH access without exposing your VMs

The most common use case: reaching your VMs over SSH with no port open to the Internet. Your machines are reachable only from the WireGuard network; there's no exposed bastion and no public IP to defend.

# The VM is reached over its private network address, not a public IP
ssh admin@vm-prod

The First login tutorial walks through bringing up your first machine on Bunker.

Use cases

  • SSH access to your VMs: your servers are reachable only from the WireGuard network, with no SSH port open to the Internet.
  • Replace a legacy VPN or bastion: a peer-to-peer WireGuard mesh instead of a VPN concentrator or an exposed bastion to maintain.
  • Connect multiple sites: offices, datacenters, dev machines in a single encrypted private network, coordinated from Europe.
  • Grant temporary access: a contractor joins the network for as long as needed, without opening anything publicly.

Reversibility

It's all open source. You could stand up this coordination server yourself: that's exactly what Headscale is for. Bunker runs it for you (updates, availability, backups) without locking you in. Because the building block is open source, you keep the right to take it all back onto your own hardware whenever you decide.

WireGuard is a registered trademark of Jason A. Donenfeld. Tailscale is a trademark of Tailscale Inc. Linux is a registered trademark of Linus Torvalds. Bunker is not affiliated with or endorsed by these companies; these names are used descriptively, to refer to the technologies in use.