Setting up a DERP relay (Derper) for Headscale/Tailscale - qNFCpの屋

Setting up Derper


Overview

Tailscale is a mesh VPN built on WireGuard: it uses peer-to-peer NAT hole punching to place all nodes on one virtual LAN where they can reach each other directly. In some hard-NAT environments, however, hole punching fails, and traffic then has to be relayed through a DERP server.

Prerequisites

  1. A domain name pointing at the Derper server
  2. Tailscale installed and already connected (logged in)
  3. Docker installed

Running in a Docker container

SSL certificate

Method 1:

Name the certificate files derper.example.com.crt and derper.example.com.key and place them in the certs folder under the directory you run the container from.

Method 2:

Use a cron job to periodically copy the certificate obtained by your certificate-issuance script into the certs folder.

Example for BT Panel (宝塔) (change the target directories to match yours):

#!/bin/bash
# Sync the certificate issued by the panel into the directory that is
# bind-mounted into the derper container. Run from cron, e.g. once a day.
set -euo pipefail

source_crt="/www/server/panel/vhost/cert/derper.example.com/fullchain.pem"
target_crt="/docker/derper/certs/derper.example.com.crt"

source_key="/www/server/panel/vhost/cert/derper.example.com/privkey.pem"
target_key="/docker/derper/certs/derper.example.com.key"

# Copy only when the certificate or the key has changed. Both files are
# compared, because a renewal replaces the key as well as the certificate.
if cmp -s "$source_crt" "$target_crt" && cmp -s "$source_key" "$target_key"; then
    echo "Files are identical, nothing to copy."
else
    install -m 644 "$source_crt" "$target_crt"
    install -m 600 "$source_key" "$target_key"   # keep the private key unreadable to other users
    echo "Files copied."
    # derper in manual certificate mode loads the key pair once at startup,
    # so restart the container to pick up the renewed certificate.
    docker restart derper
fi

Docker

(change DERP_DOMAIN to your own domain)

# The tailscaled socket is mounted because DERP_VERIFY_CLIENTS=true makes derper
# accept only clients that belong to the same tailnet as the local tailscaled.
# The certs directory is given as an absolute path; relative bind-mount sources
# are rejected by older Docker versions.
docker run -dit \
--name derper \
--restart always \
-v /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock \
-v "$(pwd)/certs":/app/certs \
-e DERP_CERT_MODE=manual \
-e DERP_ADDR=:13477 \
-e DERP_STUN=true \
-e DERP_HTTP_PORT=-1 \
-e DERP_DOMAIN=derper.example.com \
-e DERP_VERIFY_CLIENTS=true \
-e DERP_CERT_DIR=/app/certs \
-p 13477:13477 \
-p 13478:3478/udp \
ghcr.io/yangchuansheng/derper:latest

If you are using Headscale

1. YAML configuration file

# /etc/headscale/derp.yaml
regions:
  900:
    regionid: 900
    regioncode: anything like us-east-1 myderp HK
    regionname: anything like Tencent Hongkong 
    nodes:
      - name: 900a
        regionid: 900
        hostname: xxxx
        ipv4: xxxx
        stunport: 13478
        stunonly: false
        derpport: 13477
      - name: 900b
        regionid: 900
        hostname: xxxx
        ipv4: xxxx
        stunport: 13478
        stunonly: false
        derpport: 13477
  901:
    regionid: 901
    regioncode: hs 
    regionname: Huawei Shanghai 
    nodes:
      - name: 901a
        regionid: 901
        hostname: xxxx
        ipv4: xxxx
        stunport: 13478
        stunonly: false
        derpport: 13477

Notes:

  • regions is a YAML map; each entry under it is one region, and each region can hold several DERP nodes under nodes.
  • regionid must be unique across regions.
  • Each node's name must be unique.
  • regionname describes the region; regioncode is usually a short abbreviation of it.
  • ipv4 is optional: if the hostname resolves to the DERP server over the public Internet, it can be omitted.
  • stunonly: false means the node provides the DERP relay service in addition to STUN.

2. Edit the Headscale configuration file.

# /etc/headscale/config.yaml
derp:
  # List of externally available DERP maps encoded in JSON
  urls:
  #  - https://controlplane.tailscale.com/derpmap/default

  # Locally available DERP map files encoded in YAML
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths:
    - /etc/headscale/derp.yaml

  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true

  # How often should we check for DERP updates?
  update_frequency: 24h

Note: you can disable Tailscale's official DERP servers to verify that the self-hosted DERP server works on its own.

3. Restart the service

systemctl restart headscale

If you are using the official Tailscale service

  • Open the Tailscale admin console and go to Access Controls.

https://login.tailscale.com/admin/acls/file

  • In the policy file shown below, add your own Derper at the end (the derpMap section).
// Example/default ACLs for unrestricted connections.
{
 // Declare static groups of users. Use autogroups for all users or users with a specific role.
 // "groups": {
 //   "group:example": ["[email protected]", "[email protected]"],
 // },

 // Define the tags which can be applied to devices and by which users.
 // "tagOwners": {
 //   "tag:example": ["autogroup:admin"],
 // },

 // Define access control lists for users, groups, autogroups, tags,
 // Tailscale IP addresses, and subnet ranges.
 "acls": [
  // Allow all connections.
  // Comment this section out if you want to define specific restrictions.
  {"action": "accept", "src": ["*"], "dst": ["*:*"]},

  // Allow users in "group:example" to access "tag:example", but only from
  // devices that are running macOS and have enabled Tailscale client auto-updating.
  // {"action": "accept", "src": ["group:example"], "dst": ["tag:example:*"], "srcPosture":["posture:autoUpdateMac"]},
 ],

 // Define postures that will be applied to all rules without any specific
 // srcPosture definition.
 // "defaultSrcPosture": [
 //      "posture:anyMac",
 // ],

 // Define device posture rules requiring devices to meet
 // certain criteria to access parts of your system.
 // "postures": {
 //      // Require devices running macOS, a stable Tailscale
 //      // version and auto update enabled for Tailscale.
 //  "posture:autoUpdateMac": [
 //      "node:os == 'macos'",
 //      "node:tsReleaseTrack == 'stable'",
 //      "node:tsAutoUpdate",
 //  ],
 //      // Require devices running macOS and a stable
 //      // Tailscale version.
 //  "posture:anyMac": [
 //      "node:os == 'macos'",
 //      "node:tsReleaseTrack == 'stable'",
 //  ],
 // },

 // Define users and devices that can use Tailscale SSH.
 "ssh": [
  // Allow all users to SSH into their own devices in check mode.
  // Comment this section out if you want to define specific restrictions.
  {
   "action": "check",
   "src":    ["autogroup:member"],
   "dst":    ["autogroup:self"],
   "users":  ["autogroup:nonroot", "root"],
  },
 ],

 // Test access rules every time they're saved.
 // "tests": [
 //   {
 //    "src": "[email protected]",
 //    "accept": ["tag:example"],
 //    "deny": ["100.101.102.103:443"],
 //   },
 // ],
 "derpMap": {
  "OmitDefaultRegions": false,
  "Regions": {
   "900": {
    "RegionID":   900,
    "RegionCode": "myderp",
    "RegionName": "Guangzhou",
    "Nodes": [
     {
      "Name":     "1",
      "RegionID": 900,
      "HostName": "derper.example.com",
      "DERPPort": 13477,
      "STUNPort": 13478,
      "STUNOnly": false,
     },
    ],
   },
  },
 },
}
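As an added example (not code from the original post, Headscale or Tailscale), a small Python validator for the rules listed in the derp.yaml notes above (unique regionid, unique node name, ipv4 optional when a hostname is set) that also reads the Tailscale derpMap in its HuJSON form; the sample map and the load_hujson helper are my own constructions and assumptions.

```python
import json
import re

# Constructed sample in the ACL's HuJSON style (comments, trailing commas), modelled on the derpMap above.
DERP_MAP_HUJSON = """{
  "OmitDefaultRegions": false,  // keep Tailscale's own regions as fallback
  "Regions": {"900": {"RegionID": 900, "RegionCode": "myderp",
    "RegionName": "Guangzhou", "Nodes": [
      {"Name": "1", "RegionID": 900, "HostName": "derper.example.com",
       "DERPPort": 13477, "STUNPort": 13478, "STUNOnly": false,},
    ],},
  },
}"""

def load_hujson(text: str) -> dict:
    """Minimal HuJSON reader: strip // comments and trailing commas
    (assumes no '//' inside string values, so no URLs in the map)."""
    text = re.sub(r"//[^\n]*", "", text)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def _fold(obj):
    """Lower-case keys so Headscale's derp.yaml (regionid, derpport, ...)
    and Tailscale's derpMap (RegionID, DERPPort, ...) share one validator."""
    if isinstance(obj, dict):
        return {str(k).lower(): _fold(v) for k, v in obj.items()}
    return [_fold(v) for v in obj] if isinstance(obj, list) else obj

def validate_derp_map(derp_map: dict) -> list[str]:
    """Return violations of the rules in the notes; an empty list means OK."""
    errs, rids, names = [], set(), set()
    for key, region in _fold(derp_map).get("regions", {}).items():
        rid = region.get("regionid")
        if str(rid) != str(key):
            errs.append(f"region {key}: regionid {rid} does not match its key")
        if rid in rids:
            errs.append(f"region {key}: duplicate regionid {rid}")
        rids.add(rid)
        for n in region.get("nodes") or []:
            name = n.get("name")
            if name in names:
                errs.append(f"node {name}: duplicate node name")
            names.add(name)
            if n.get("regionid") != rid:
                errs.append(f"node {name}: regionid {n.get('regionid')} != {rid}")
            if not (n.get("hostname") or n.get("ipv4")):
                errs.append(f"node {name}: needs hostname or ipv4")
    return errs
```

For the Headscale file, parse derp.yaml with any YAML library and pass the resulting dict to validate_derp_map; the key folding makes both formats validate identically.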

Test commands

tailscale netcheck # show the DERP servers currently available and their latency

tailscale status # show how each peer is connected (direct or via a relay)

References

Tailscale basics: deploying a private DERP relay server
Tailscale NAT traversal and Derper relay node setup
