So instead of opening a port on my firewall for WireGuard, I must have these ports publicly exposed:
* tcp/80
* tcp/443
* udp/3478
* tcp/50443
I don't know about you, but that seems like the most insane approach.
Even if the HTTP-01 challenge is not used, you are still exposing 3 ports instead of 1 random high port like 55555, for example.
Yeah yeah, you can use a reverse proxy, but still, you are exposing way more ports and services to the internet than just one port for WireGuard itself.
- TCP/80 is only required to answer Let's Encrypt challenges for certificate issuance
- UDP is only required to enable DERP.
These are both optional.
It's not surprising that there are additional ports required on top of WireGuard. 443 is likely for key distribution and management. If you don't want PKI then you don't need headscale; you can always distribute the keys yourself and just run plain WireGuard.
>If you don't want PKI then you don't need headscale; you can always distribute the keys yourself and just run plain WireGuard
It makes more sense to me: WireGuard + SPA (fwknop, aka a replacement for port knocking that requires a pre-shared key to even talk to it; only that IP can access it (iptables), and any scan tool sees it as closed).
Headscale/Tailscale only has value if you are behind a CGNAT, otherwise, it just adds extra management and complexities.
Well, it also lets you federate access and manages the keys for you. But yeah, if it’s a personal setup and you have good key rotation hygiene, I agree with you: it doesn’t add much value on top of wireguard. I’ll hazard a guess that you can just run your own DERP relay too for the CGNAT case.
80/443 is all that's necessary for Headscale as a control server.
UDP/3478 is STUN for the embedded DERP. I recommend hosting a distinct DERP server, thus decoupling the control and data planes. DERPer is open source from Tailscale.
50443 is for gRPC. I'd not expose that, even if it is protected by authentication (and tested).
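To make the "which of these ports actually need to be open" question in the comments above concrete, here is an added example (not code from the thread or from the Headscale project): it reads a Headscale-style config and derives the minimal inbound allowlist, flagging a gRPC listener that is bound to something other than loopback. The config key names (`listen_addr`, `grpc_listen_addr`, `tls_letsencrypt_challenge_type`, `derp.server.enabled`, `derp.server.stun_listen_addr`) are assumed to mirror Headscale's config.yaml and the sample configs are constructed; verify the keys against your own config-example.yaml.

```python
# Added example: derive the minimal set of internet-facing ports for a Headscale
# control server from its configuration. Key names are an assumption modelled on
# Headscale's config.yaml; the configs below are constructed for illustration.

LOOPBACK = {"127.0.0.1", "localhost", "[::1]", "::1"}


def required_ports(cfg):
    """Return the set of (proto, port) the edge firewall must allow inbound."""
    ports = {("tcp", 443)}  # control plane: clients talk HTTPS to the coordinator
    # HTTP-01 needs tcp/80 reachable; TLS-ALPN-01 (or your own certs) rides on 443.
    if cfg.get("tls_letsencrypt_challenge_type", "").upper() == "HTTP-01":
        ports.add(("tcp", 80))
    derp = cfg.get("derp", {}).get("server", {})
    if derp.get("enabled"):
        # Embedded DERP relays traffic over 443 but needs STUN on its own UDP port.
        stun = derp.get("stun_listen_addr", "0.0.0.0:3478")
        ports.add(("udp", int(stun.rsplit(":", 1)[1])))
    return ports


def grpc_exposure(cfg):
    """Return a warning string if the gRPC API is bound to a non-loopback address."""
    addr = cfg.get("grpc_listen_addr", "127.0.0.1:50443")
    host = addr.rsplit(":", 1)[0]
    if host in LOOPBACK:
        return None
    return f"gRPC API bound to {addr}: bind it to loopback and reach it via SSH or the tailnet"


def nft_rules(cfg):
    """Render an nftables input chain that allows only the derived ports."""
    lines = ["table inet headscale {", "  chain input {",
             "    type filter hook input priority 0; policy drop;",
             "    ct state established,related accept", "    iif lo accept",
             "    # add your own management rules (e.g. SSH) before deploying"]
    for proto, port in sorted(required_ports(cfg)):
        lines.append(f"    {proto} dport {port} accept")
    return "\n".join(lines + ["  }", "}"])


# Constructed configs: the "everything on" layout from the thread vs. a trimmed one.
ALL_ON = {"grpc_listen_addr": "0.0.0.0:50443", "tls_letsencrypt_challenge_type": "HTTP-01",
          "derp": {"server": {"enabled": True, "stun_listen_addr": "0.0.0.0:3478"}}}
MINIMAL = {"grpc_listen_addr": "127.0.0.1:50443", "tls_letsencrypt_challenge_type": "TLS-ALPN-01",
           "derp": {"server": {"enabled": False}}}

if __name__ == "__main__":
    for name, cfg in (("all-on", ALL_ON), ("minimal", MINIMAL)):
        print(f"# {name}: {sorted(required_ports(cfg))} warn={grpc_exposure(cfg)}")
        print(nft_rules(cfg))
```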