We tried switching to Headscale recently...it was not a pleasant experience. I'm sure with more time in the oven, it will eventually become a comparable replacement, but I wouldn't be relying on it for anything production oriented.
Just for a counterpoint: I've been running headscale for 11 months, with just over 100 tailscale nodes, and it's been pretty good. There was one version upgrade that completely exploded memory use (it originally was running on a 1 or 2GB VM, with the upgrade I had to switch to 16GB to avoid thrashing), but that was fairly quickly resolved.
I would say it's been a pleasant experience, headscale and the headscale devs have been fantastic.
However, I would also agree with the statement that I wouldn't use it in production. In particular: I was hoping to use it as an overlay network for basically all traffic, between production machines and to user workstations. For the overlay network, my biggest fear there is that when headscale goes down, the entire network pretty much immediately stops responding. The usual case for this is when I make an ACL update and make an error, the entire overlay is down until I get the ACL fixed.
For replacing our OpenVPN, headscale+tailscale is going to be a clear win.
For the overlay network, I probably should go with Nebula. Headscale has these things over Nebula: Easier user onboarding (users can just login, no key exchange required), tailscale was able to route around some network problems we saw in Comcast (though it sounds like Nebula has experimental ability to do that now), and headscale has vastly better ACLs. Tailscale's are even better. Another downside of tailscale is that you can only connect to one tailnet at a time, so you can't have a "work" and "home" tailnet and be connected to both -- you have to switch.
Nebula has the benefit that there is no coordination server, so no worries about that going down. Even in the case of the Defined Networking SaaS, an outage of the control plane would just interfere with the ability to manage the network; until keys start expiring, your network will continue to work.
ZeroTier also is very good, I'd classify it as closer to Tailscale, but it does have the ability to connect to multiple networks. ZeroTier in many ways is very slick, but I ended up removing it from my list of options because of bad interactions with their sales team. Its ACLs are pretty obtuse though.
Oh, another slight minus of tailscale is its manipulation of the system firewall rules, so if you have other firewall manipulation, in particular if you manage large rulesets via iptables-restore from a rules file, tailscale can lose its rules. On the plus side, "tailscale status" will report "health" issues in that case to point you in the right direction.
It was last year, so it's not in recent memory, but most of the problem was around instability. We ran into some frequent issues where we would begin troubleshooting, assuming it was something on the application end, only to find out that the issue was happening in the network. We eventually figured out that the Headscale network was randomly dropping in and out. I'm sure with a lot more time we could have identified the root cause, but unfortunately, we had a deadline and just paid Tailscale (and haven't had any issues since).
Like I said, I'm sure it's coming along fine, it's not just something that we were able to set and forget like with the Tailscale experience.
We have definitely improved the stability and test coverage a lot in the last year. Really, really a lot. Still a bit to go, but overall there have been many changes :)
But indeed we are not meant to replace the full frictionless experience of Tailscale SaaS.