[TOC]
Tailscale 是一个基于 WireGuard 的异地组网软件,可通过 P2P 打洞使各节点处于同一虚拟局域网中实现互相访问。但在 Hard NAT 等网络环境下打洞难以成功,此时就需要通过 DERP 服务器进行中继连接。DERP 只转发 WireGuard 加密后的数据包,中继服务器本身无法解密流量,因此自建 DERP 的主要风险在于被他人当作免费中继以及证书/域名配置错误,而不是流量泄露。
将证书命名为 derper.example.com.crt 和 derper.example.com.key(文件名前缀须与下面的 DERP_DOMAIN 一致,证书本身也须是为该域名签发的),放置在执行目录下的 certs 文件夹内即可。
用定时任务(cron)定期把证书申请脚本签发的证书同步到 derper 读取证书的目录。注意:derper 的 manual 证书模式通常在启动时加载证书,同步新证书后若未生效,需要重启 derper 容器。
宝塔面板示例(需按实际路径修改 target 目录,并与下面 docker 命令挂载的 certs 目录保持一致):
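#!/bin/bash
# Sync the certificate issued by the panel (Baota/aaPanel) into the directory
# derper reads its manual-mode certificate from.  Intended to run from cron;
# it is a no-op when the certificate on disk is already current.
#
# derper expects the pair to be named <DERP_DOMAIN>.crt / <DERP_DOMAIN>.key.
# Adjust the target_* paths to the host directory bind-mounted into the
# container.
set -euo pipefail

source_crt="/www/server/panel/vhost/cert/derper.example.com/fullchain.pem"
target_crt="/docker/derper/certs/derper.example.com.crt"
source_key="/www/server/panel/vhost/cert/derper.example.com/privkey.pem"
target_key="/docker/derper/certs/derper.example.com.key"

# Refuse to run with a half-issued pair: copying only a certificate would leave
# the served certificate and key mismatched.
for f in "$source_crt" "$source_key"; do
    if [ ! -r "$f" ]; then
        echo "源文件不存在或不可读: $f" >&2
        exit 1
    fi
done

# Unchanged certificate => nothing to do.  Only the certificate is compared,
# as the key is renewed together with it.  A missing target also lands here
# (diff fails), which triggers the first copy.
if diff -q "$source_crt" "$target_crt" &> /dev/null; then
    echo "文件内容相同,无需复制。"
    exit 0
fi

target_dir="$(dirname "$target_crt")"
mkdir -p "$target_dir"

# Write both files to temporaries in the target directory first, then rename,
# so a reader (the derper container) never sees a truncated file.  Keep the
# private key owner-only: a world-readable key lets any local account
# impersonate the relay.
# NOTE(review): if the container runs derper as a non-root uid, the key must
# additionally be chown'ed to that uid or it will be unreadable inside.
tmp_crt="$(mktemp "$target_dir/.crt.XXXXXX")"
tmp_key="$(mktemp "$target_dir/.key.XXXXXX")"
trap 'rm -f "$tmp_crt" "$tmp_key"' EXIT
cp "$source_crt" "$tmp_crt"
cp "$source_key" "$tmp_key"
chmod 644 "$tmp_crt"
chmod 600 "$tmp_key"
mv -f "$tmp_key" "$target_key"
mv -f "$tmp_crt" "$target_crt"
echo "文件已复制。"

# NOTE(review): derper's manual cert mode appears to load the pair once at
# start-up; if the renewed certificate is not served after this sync, add
# `docker restart derper` here.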
(需将 DERP_DOMAIN 改为自己的域名,并与 certs 目录中的证书文件名一致)
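# Start the DERP relay.  Edit DERP_DOMAIN to the hostname your certificate was
# issued for; the pair in the certs directory must be named
# <DERP_DOMAIN>.crt / <DERP_DOMAIN>.key (DERP_CERT_MODE=manual).
#
# The certs directory is the one the sync script writes to (target_* there);
# an absolute path is used so the mount does not depend on the current working
# directory, and it is mounted read-only because derper only reads the pair.
#
# DERP_VERIFY_CLIENTS=true makes derper relay only for clients that the
# tailscaled reachable through the mounted socket knows, i.e. members of your
# own tailnet, instead of for anyone who discovers the port.  The host must
# therefore run tailscaled itself, joined to the same control server.
#
# DERP_HTTP_PORT=-1 disables the plaintext HTTP listener: only TLS on 13477
# and STUN on UDP 3478 (published on the host as 13478) are exposed.  These
# host ports are the ones to put in the DERP map.
docker run -d \
  --name derper \
  --restart always \
  -v /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock \
  -v /docker/derper/certs:/app/certs:ro \
  -e DERP_CERT_MODE=manual \
  -e DERP_ADDR=:13477 \
  -e DERP_STUN=true \
  -e DERP_HTTP_PORT=-1 \
  -e DERP_DOMAIN=derper.example.com \
  -e DERP_VERIFY_CLIENTS=true \
  -e DERP_CERT_DIR=/app/certs \
  -p 13477:13477 \
  -p 13478:3478/udp \
  ghcr.io/yangchuansheng/derper:latest
# NOTE(review): this is a third-party image pulled by a floating tag.  Pin it
# to a digest (image@sha256:...) or build derper from the tailscale source so
# the relay you run is the one you reviewed.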
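# /etc/headscale/derp.yaml
# Custom DERP map that headscale hands to its clients.  Each region groups one
# or more relay nodes; clients prefer the region with the lowest STUN latency.
#
# hostname must be the name the relay's TLS certificate was issued for
# (DERP_DOMAIN on the derper side); clients verify the certificate against it.
# ipv4 lets clients reach the relay without a DNS lookup; keep it current.
# derpport / stunport are the host ports published by the docker run command
# (13477 TLS, 13478/udp STUN), not the container-internal ones.
---
regions:
  900:
    regionid: 900
    # Free-form short code and display name, e.g. "hk" / "Tencent Hongkong".
    regioncode: hk
    regionname: Tencent Hongkong
    nodes:
      - name: 900a
        regionid: 900
        hostname: xxxx  # replace: this node's FQDN (matches its certificate)
        ipv4: xxxx      # replace: this node's public IPv4
        stunport: 13478
        stunonly: false
        derpport: 13477
      - name: 900b
        regionid: 900
        hostname: xxxx  # replace: this node's FQDN (matches its certificate)
        ipv4: xxxx      # replace: this node's public IPv4
        stunport: 13478
        stunonly: false
        derpport: 13477
  901:
    regionid: 901
    regioncode: hs
    regionname: Huawei Shanghai
    nodes:
      - name: 901a
        regionid: 901
        hostname: xxxx  # replace: this node's FQDN (matches its certificate)
        ipv4: xxxx      # replace: this node's public IPv4
        stunport: 13478
        stunonly: false
        derpport: 13477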
说明:
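# /etc/headscale/config.yaml  (derp: section only)
derp:
  # List of externally available DERP maps encoded in JSON.
  # Tailscale's default map is left commented out, so clients receive only the
  # self-hosted relays from `paths` below — convenient for verifying the custom
  # relay works.  Re-enable it afterwards if you want the official relays as a
  # fallback; headscale combines all configured sources.
  urls: []
    # - https://controlplane.tailscale.com/derpmap/default

  # Locally available DERP map files encoded in YAML.
  #
  # This option is mostly interesting for people hosting
  # their own DERP servers:
  # https://tailscale.com/kb/1118/custom-derp-servers/
  #
  # paths:
  #   - /etc/headscale/derp-example.yaml
  paths:
    - /etc/headscale/derp.yaml

  # If enabled, a worker periodically re-reads the sources above and
  # updates the DERP map handed to clients.
  auto_update_enabled: true

  # How often should we check for DERP updates?
  update_frequency: 24h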
注:上面的配置已将 Tailscale 官方 DERP map 的 urls 注释掉,只加载自建的 derp.yaml,这样可以直接验证自建 DERP 服务器是否能正常工作;确认无误后可按需重新启用官方 DERP 作为备用中继。
# Restart headscale so the updated config.yaml / derp.yaml are loaded now
# (local map files are otherwise only re-read on the update_frequency timer).
systemctl restart headscale
如果使用的是 Tailscale 官方控制面而非 Headscale,则在 https://login.tailscale.com/admin/acls/file 的 ACL 文件中通过 derpMap 字段添加自建 DERP:
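// Example/default ACLs for unrestricted connections.
// Tailscale control plane (login.tailscale.com): the self-hosted DERP relay is
// advertised through the "derpMap" key at the bottom of this file.
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  // "groups": {
  //   "group:example": ["[email protected]", "[email protected]"],
  // },

  // Define the tags which can be applied to devices and by which users.
  // "tagOwners": {
  //   "tag:example": ["autogroup:admin"],
  // },

  // Define access control lists for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  "acls": [
    // Allow all connections.
    // Comment this section out if you want to define specific restrictions.
    // NOTE(review): this is the permissive default — every node can reach
    // every port on every other node.  Replace it with explicit src/dst rules
    // once the relay is confirmed working.
    {"action": "accept", "src": ["*"], "dst": ["*:*"]},

    // Allow users in "group:example" to access "tag:example", but only from
    // devices that are running macOS and have enabled Tailscale client auto-updating.
    // {"action": "accept", "src": ["group:example"], "dst": ["tag:example:*"], "srcPosture":["posture:autoUpdateMac"]},
  ],

  // Define postures that will be applied to all rules without any specific
  // srcPosture definition.
  // "defaultSrcPosture": [
  //   "posture:anyMac",
  // ],

  // Define device posture rules requiring devices to meet
  // certain criteria to access parts of your system.
  // "postures": {
  //   // Require devices running macOS, a stable Tailscale
  //   // version and auto update enabled for Tailscale.
  //   "posture:autoUpdateMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //     "node:tsAutoUpdate",
  //   ],
  //   // Require devices running macOS and a stable
  //   // Tailscale version.
  //   "posture:anyMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //   ],
  // },

  // Define users and devices that can use Tailscale SSH.
  "ssh": [
    // Allow all users to SSH into their own devices in check mode.
    // Comment this section out if you want to define specific restrictions.
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],

  // Test access rules every time they're saved.
  // "tests": [
  //   {
  //     "src": "[email protected]",
  //     "accept": ["tag:example"],
  //     "deny": ["100.101.102.103:443"],
  //   },
  // ],

  "derpMap": {
    // false: the custom region is added alongside Tailscale's own relays.
    // Set to true to use only the self-hosted relay (e.g. to verify it works);
    // clients then have no fallback relay if it is down.
    "OmitDefaultRegions": false,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "myderp",
        "RegionName": "Guangzhou",
        "Nodes": [
          {
            "Name": "1",
            "RegionID": 900,
            // Must be the name the relay's TLS certificate was issued for
            // (DERP_DOMAIN); clients verify the certificate against it.
            "HostName": "derper.example.com",
            // Host ports published by the docker run command.
            "DERPPort": 13477,
            "STUNPort": 13478,
            "STUNOnly": false,
          },
        ],
      },
    },
  },
}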
# Verify from a client: the self-hosted region should be listed with a latency.
tailscale netcheck # list the DERP servers currently reachable from this node
# Per-peer connection path: direct, or relayed via a DERP region.
tailscale status # show how each peer is reached (direct vs. relay)