diff --git a/internal-headscale/.helmignore b/internal-headscale/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/internal-headscale/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/internal-headscale/Chart.lock b/internal-headscale/Chart.lock
new file mode 100644
index 0000000..bbd074b
--- /dev/null
+++ b/internal-headscale/Chart.lock
@@ -0,0 +1,6 @@
+dependencies:
+- name: common
+ repository: file://../common/
+ version: 0.1.0
+digest: sha256:32af153d0dda4cde05d135c6a839d2c49c8a2e65b8ecf7b819f24e5c3fbf6721
+generated: "2025-10-12T22:46:29.173735278+02:00"
diff --git a/internal-headscale/Chart.yaml b/internal-headscale/Chart.yaml
new file mode 100644
index 0000000..f2ba569
--- /dev/null
+++ b/internal-headscale/Chart.yaml
@@ -0,0 +1,10 @@
+apiVersion: v2
+name: internal-headscale
+description: An internal entry-point for Tailscale to access internal services
+type: application
+version: 0.1.0
+appVersion: "1.16.0"
+dependencies:
+ - name: common
+ version: 0.1.0
+ repository: file://../common/
\ No newline at end of file
diff --git a/internal-headscale/templates/deployment.yaml b/internal-headscale/templates/deployment.yaml
new file mode 100644
index 0000000..c81f49f
--- /dev/null
+++ b/internal-headscale/templates/deployment.yaml
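Review bot: `appVersion: "1.16.0"` in Chart.yaml does not correspond to either image the chart ships — values.yaml pins tailscale by a sha256 digest and socat by `3.21-20250917` — so it is unclear which upstream version it is meant to track. Either derive it from the tailscale release behind that digest or add a comment such as `# appVersion tracks the tailscale release pinned in values.yaml` so the next bump is done deliberately. The file also ends without a trailing newline.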
@@ -0,0 +1,83 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ .Release.Name }}
+ labels: {{- include "common.app.labels" . | nindent 4 }}
+spec:
+ replicas: 1
+ selector:
+ matchLabels: {{- include "common.app.labels" . | nindent 6 }}
+ template:
+ metadata:
+ labels: {{- include "common.app.labels" . | nindent 8 }}
+ spec:
+ containers:
+ {{- range $forward := .Values.socat.config.forwards }}
+ - name: {{ $forward.name }}
+ image: "{{ $.Values.socat.image }}:{{ $.Values.socat.imageVersion }}"
+ command:
+ - socat
+ - TCP-LISTEN:{{ $forward.port }},fork,reuseaddr
+ - TCP:{{ $forward.target }}:{{ $forward.targetPort }}
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ {{- if or (eq (int $forward.port) 80) (eq (int $forward.port) 443) }}
+ add:
+ {{/*Allow binding to :80 and :443 in the container*/}}
+ - NET_BIND_SERVICE
+ {{- end }}
+ runAsUser: 10001
+ runAsGroup: 10001
+ readOnlyRootFilesystem: true
+ {{- end }}
+ - name: tailscale
+ image: "{{ .Values.tailscale.image }}:{{ .Values.tailscale.imageVersion }}"
+ env:
+ - name: TS_USERSPACE
+ value: "true"
+ - name: TS_STATE_DIR
+ value: /var/lib/tailscale
+ - name: TS_AUTH_KEY
+ valueFrom:
+ secretKeyRef:
+ key: token
+ name: {{ .Values.tailscale.config.secret.secretName }}
+ - name: TS_NO_LOGS_NO_SUPPORT
+ value: "true"
+ {{/*Don't try to reauth all the time*/}}
+ - name: TS_AUTH_ONCE
+ value: "true"
+ {{/*Prevent tailscale from connecting to the cluster*/}}
+ - name: KUBERNETES_SERVICE_HOST
+ value: ""
+ - name: TS_EXTRA_ARGS
+ value: "--advertise-tags={{ .Values.tailscale.config.tag }} --login-server {{ .Values.tailscale.config.loginServer }} --hostname {{ .Values.tailscale.config.hostname }}"
+ - name: TS_HEALTHCHECK_ADDR_PORT
+ value: "0.0.0.0:9999"
+ readinessProbe:
+ httpGet:
+ port: 9999
+ path: /healthz
+ scheme: HTTP
+ initialDelaySeconds: 5
+ failureThreshold: 5
+ livenessProbe:
+ httpGet:
+ port: 9999
+ path: /healthz
+ scheme: HTTP
+ failureThreshold: 5
+ volumeMounts:
+ - mountPath: /var/lib/tailscale
+ name: state
+ securityContext:
+ capabilities:
+ drop:
+ - ALL
+ volumes:
+ - name: state
+ {{- .Values.tailscale.mounts.state | toYaml | nindent 10 }}
\ No newline at end of file
diff --git a/internal-headscale/values.yaml b/internal-headscale/values.yaml
new file mode 100644
index 0000000..c4297f4
--- /dev/null
+++ b/internal-headscale/values.yaml
@@ -0,0 +1,21 @@
+namespace: default
+socat:
+ image: git.polynom.me/papatutuwawa/socat
+ imageVersion: 3.21-20250917
+ config:
+ forwards:
+ - name: test
+ port: 6443
+ target: cluster
+ targetPort: 1234
+tailscale:
+ image: docker.io/tailscale/tailscale@sha256
+ imageVersion: d26fc9bb035b0559900cc6f23506f6b1ddab61a690ffab4f5d84feceb3de811e
+ mounts:
+ config:
+ loginServer: "https://example.org"
+ hostname: example-host
+ secret:
+ # Secret containing the login token
+ secretName: internal-headscale
+ tag: "tag:k8s"
\ No newline at end of file
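Review bot: The `add: NET_BIND_SERVICE` branch on the socat containers fires only for ports 80 and 443, yet with `runAsUser: 10001` any `$forward.port` below 1024 needs that capability, so a forward on another privileged port would be unable to bind unless the node lowers `net.ipv4.ip_unprivileged_port_start`; `{{- if lt (int $forward.port) 1024 }}` keeps the intent and covers them all. `TCP-LISTEN:{{ $forward.port }},fork,reuseaddr` also binds every interface of the pod, so each forward is reachable from the cluster network via the pod IP as well as from the tailnet, which sidesteps the tailnet ACLs; if tailscaled in userspace mode hands inbound connections to loopback (worth confirming against the tailscale docs), adding `bind=127.0.0.1` to the listen address would limit it to tailnet-originated traffic, otherwise a NetworkPolicy on the pod is the fallback. The `tailscale` container's securityContext only drops capabilities while the socat containers also set `allowPrivilegeEscalation: false`, `runAsUser` and `readOnlyRootFilesystem`; with `TS_USERSPACE` set to `"true"` at least `allowPrivilegeEscalation: false` should be safe to add. The `TS_NO_LOGS_NO_SUPPORT` entry would also benefit from a one-line comment like the neighbouring env vars have, stating why log upload is disabled.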
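Review bot: `mounts:` under `tailscale` appears to be a bare key (indentation is lost in this rendering, so this is inferred from the surrounding keys), which YAML reads as null, while `templates/deployment.yaml` dereferences `.Values.tailscale.mounts.state`; Helm rejects field access on a nil value, so `helm template` with the shipped defaults presumably fails before `toYaml` is reached. Either document the required shape with a comment such as `# state: a volume source for tailscale's state dir (required)` or guard the template with `{{- with .Values.tailscale.mounts.state }}` so the failure is explicit. The tailscale image is pinned by splitting a digest reference across `image: docker.io/tailscale/tailscale@sha256` and `imageVersion: d26fc…`, relying on the template's `:` join to reassemble `@sha256:<digest>`; that works but reads like a tag, so a comment `# imageVersion holds the sha256 digest; the template joins it with ':'` or a dedicated `digest` key would make the pinning explicit, and socat is not digest-pinned at all. The comment `# Secret containing the login token` should name the key the template hardcodes, e.g. `# Secret holding the tailscale auth key under the key "token"`, and `namespace: default` is not referenced by any template in this commit.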