Setting up a Tailscale derper

Published 4 days ago · 51 views


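Setting up Derper

The new official version of DERP supports self-signed certificates, which makes the setup much simpler. Without further ado, let's begin.

2.1 Install the latest Go

  • Update packages and install dependencies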
apt update && apt upgrade
apt install -y wget git openssl curl

  • Download the latest Go
wget https://go.dev/dl/go1.23.5.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.23.5.linux-amd64.tar.gz

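The latest version is currently 1.23.5. If a newer one has been released, look it up at https://go.dev/dl/ and substitute it in the download command; remember to change the version number in the following commands as well.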


  • Configure environment variables
export PATH=$PATH:/usr/local/go/bin
go version
echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
source /etc/profile
go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.cn,direct

2.2 Install the latest Derper

  • Install
go install tailscale.com/cmd/derper@latest

  • Copy the binary
mkdir /etc/derp/
cp ~/go/bin/derper /etc/derp/

  • Check that the copy succeeded
ls /etc/derp

2.3 Generate a self-signed certificate for Derper

DERP_IP="123.123.123.123"
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout ${DERP_IP}.key -out ${DERP_IP}.crt -subj "/CN=${DERP_IP}" -addext "subjectAltName=IP:${DERP_IP}"

The /root directory now contains two certificate files, /root/123.123.123.123.crt and /root/123.123.123.123.key. Move them to /etc/derp/:

mv /root/123.123.123.123.crt /etc/derp
mv /root/123.123.123.123.key /etc/derp

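2.4 Start the Derper server

  • Run it as a background service

Create the file derp.service

touch /etc/systemd/system/derp.service

Write the following content into it (--verify-clients makes derper verify connecting clients through the tailscaled instance running on the same machine):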

[Unit]
Description=TS Derper
After=network.target
Wants=network.target
[Service]
User=root
Restart=always
ExecStart=/etc/derp/derper -hostname 123.123.123.123 -a :13445 -http-port 13446 -certmode manual -certdir /etc/derp --verify-clients
RestartPreventExitStatus=1
[Install]
WantedBy=multi-user.target

  • Start
systemctl enable derp
systemctl restart derp
systemctl status derp

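2.5 Verify that Derper was set up successfully

Open https://123.123.123.123:13445 in a browser, dismiss the certificate warning, and check that the following content is displayed: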

DERP
This is a Tailscale DERP server.

It provides STUN, interactive connectivity establishment, and relaying of end-to-end encrypted traffic for Tailscale clients.

Documentation:

About DERP
Protocol & Go docs
How to run a DERP server
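
The browser check above only works by dismissing the certificate warning. As an added example (not part of the original post; the function names and the 192.0.2.x sample address are my own), this script checks the certificate from 2.3 offline (IP present in the SAN, key matches the certificate) and, when a port is given, compares its SHA-256 fingerprint with the one the server actually presents:

```bash
#!/usr/bin/env bash
# Added example, not from the original post. Function names are my own.

# Lowercase hex SHA-256 of the DER form of the first PEM certificate on stdin.
cert_sha256() {
    openssl x509 -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Fingerprint of the certificate a TLS endpoint presents (needs network access).
served_sha256() {   # served_sha256 <ip> <port>
    openssl s_client -connect "$1:$2" </dev/null 2>/dev/null | cert_sha256
}

# True if the certificate's subjectAltName lists exactly this IP.
cert_has_ip_san() {   # cert_has_ip_san <crt> <ip>
    openssl x509 -in "$1" -noout -ext subjectAltName 2>/dev/null |
        tr ',' '\n' | sed 's/^ *//; s/ *$//' | grep -Fxq "IP Address:$2"
}

# True if the private key belongs to the certificate (public keys are equal).
key_matches_cert() {   # key_matches_cert <crt> <key>
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

# Returns 0 if all checks pass; 1 = SAN, 2 = key mismatch, 3 = served cert differs.
check_derp_cert() {   # check_derp_cert <crt> <key> <ip> [port]
    local crt="$1" key="$2" ip="$3" port="${4:-}" fp
    cert_has_ip_san "$crt" "$ip" || { echo "SAN lacks IP $ip"; return 1; }
    key_matches_cert "$crt" "$key" || { echo "key does not match cert"; return 2; }
    fp=$(cert_sha256 <"$crt")
    echo "local sha256: $fp"
    [ -n "$port" ] || return 0     # no port given: offline checks only
    [ "$(served_sha256 "$ip" "$port")" = "$fp" ] || { echo "served cert differs"; return 3; }
}

# Constructed sample input: throwaway cert made like step 2.3 (smaller key, 1 day).
make_throwaway_cert() {   # make_throwaway_cert <dir> <ip>
    mkdir -p "$1" && openssl req -x509 -newkey rsa:2048 -sha256 -days 1 -nodes \
        -keyout "$1/$2.key" -out "$1/$2.crt" -subj "/CN=$2" \
        -addext "subjectAltName=IP:$2" 2>/dev/null
}

# Stand-alone use: ./check.sh /etc/derp/IP.crt /etc/derp/IP.key IP 13445
if [ "$#" -ge 3 ]; then check_derp_cert "$@"; fi
```
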

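In the Tailscale admin console, under Access Controls, add:

"derpMap": {
    // OmitDefaultRegions controls whether the official relay nodes are ignored. After self-hosting you
    // generally won't want the official low-bandwidth relays: false keeps them enabled, true disables them.
    "OmitDefaultRegions": true,
    "Regions": {
        // The 901 here can be any number from 900 upward
        "901": {
            // RegionID must equal the key above
            "RegionID": 901,
            // RegionCode: pick a name that is easy for you to recognize
            "RegionCode": "腾讯云-南京",
            "Nodes": [
                {
                    // Keep Name as "1"
                    "Name": "1",
                    // Same value as the RegionID above
                    "RegionID": 901,
                    // IP address of the DERP server
                    "IPv4": "x.x.x.x",
                    // Port number
                    "DERPPort": 13445,
                    // InsecureForTests makes clients skip TLS certificate verification for this node
                    // (set here because the certificate is self-signed)
                    "InsecureForTests": true,
                },
            ],
        },
    },
},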