Self-hosting a Tailscale DERP server

Installing derper
derper is written in Go, so install Go before installing derper.
```bash
go install tailscale.com/cmd/derper@latest
cp ~/go/bin/derper /usr/local/bin/
```
Configuring the systemd service
Edit /etc/systemd/system/derper.service:
```ini
[Unit]
Description=My Self Derper Service
After=network.target

[Service]
ExecStart=/usr/local/bin/derper -hostname=<domain, used again later> -a :18001 -http-port 18001 -stun-port 3478 -verify-clients
Restart=on-failure
User=root

[Install]
WantedBy=multi-user.target
```
Then run systemctl enable derper && systemctl start derper.
Configuring the Nginx reverse proxy
Add the following Nginx configuration file:
```nginx
server {
    listen 80;
    listen 443 ssl;
    server_name <domain>;
    access_log <Nginx access log path>;
    error_log <Nginx error log path>;
    ssl_certificate <Let's Encrypt certificate path>;
    ssl_certificate_key <Let's Encrypt private key path>;
    location / {
        client_max_body_size 1G;
        # websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
        # other settings
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_pass http://127.0.0.1:18001;
    }
}
```
- The WebSocket settings here are required; without them Tailscale will not work properly.
Configuring ACL rules
Log in to the Tailscale admin console, go to Access Controls, and edit the ACL rules to add your domain as a DERP server.
Add the following (the region key must equal the regionID, so the region is keyed "900" here):
```hujson
// Define private derp
"derpMap": {
  // If false, all nodes are pushed to clients (the official ones plus the self-hosted ones); if true, only the self-hosted nodes are pushed.
  "omitDefaultRegions": false,
  "regions": {
    "900": {
      "regionID": 900,
      "regionCode": "MyHK",
      "regionName": "My HongKong",
      "nodes": [
        {
          "name": "myhk",
          "regionID": 900,
          "hostName": "<domain>",
          "DERPPort": 443,
          "IPv4": "<server IP>",
          "IPv6": "none", // if your server has no IPv6
          //"InsecureForTests": true,
          "STUNPort": 3478,
        },
      ],
    },
  },
},
```
If you have multiple regions, multiple nodes, or use custom ports, add further entries under "regions" like this one:
```hujson
"901": {
  "RegionID": 901,
  "RegionCode": "Oracle-OSAKA",
  "Nodes": [
    {
      "Name": "Oracle-OSAKA-1",
      "RegionID": 901,
      "HostName": "osaka1.derp.mydomain.com",
      "DERPPort": 4443,
    },
    {
      "Name": "Oracle-OSAKA-2",
      "RegionID": 901,
      "HostName": "osaka2.derp.mydomain.com",
      "DERPPort": 4443,
    },
  ],
},
```
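A derpMap with a region key that does not match its regionID, or a node whose regionID points at another region, is easy to paste by accident and silently leaves clients without the relay you intended. The following validator is an added example, not code from the original post or from Tailscale's tooling; it assumes the fragment is HuJSON (JSON with // comments and trailing commas, as the admin console accepts) and that field names are matched case-insensitively, as Go's encoding/json does for Tailscale's tailcfg types. The sample hostname and IPv4 address are constructed.

```python
"""Sanity-check a Tailscale ACL "derpMap" fragment before pasting it into the
admin console.  Added example; assumes HuJSON input and case-insensitive
field names (Go encoding/json behaviour)."""
import json
import re


def hujson_to_json(text: str) -> str:
    """Strip // comments (outside strings) and trailing commas so json can parse it."""
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\" and i + 1 < len(text):   # keep escaped char verbatim
                out.append(text[i + 1])
                i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True
            out.append(ch)
        elif text.startswith("//", i):              # comment: drop to end of line
            nl = text.find("\n", i)
            i = len(text) if nl == -1 else nl
            continue
        else:
            out.append(ch)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))


def lower_keys(obj):
    """Normalise every object key to lower case (Go matches JSON names case-insensitively)."""
    if isinstance(obj, dict):
        return {k.lower(): lower_keys(v) for k, v in obj.items()}
    if isinstance(obj, list):
        return [lower_keys(v) for v in obj]
    return obj


def validate_derp_map(text: str) -> list[str]:
    """Return a list of problems; an empty list means the fragment looks consistent."""
    problems = []
    doc = lower_keys(json.loads(hujson_to_json(text)))
    derp = doc.get("derpmap", doc)   # accept a whole policy or just the derpMap object
    regions = derp.get("regions", {})
    if derp.get("omitdefaultregions") and not regions:
        problems.append("omitDefaultRegions is true but no regions are defined: "
                        "clients would be left with no relay at all")
    names = set()
    for key, region in regions.items():
        rid = region.get("regionid")
        if not key.isdigit() or int(key) != rid:
            problems.append(f"region key {key!r} does not match regionID {rid!r}")
        if not region.get("nodes"):
            problems.append(f"region {key} has no nodes")
        for node in region.get("nodes", []):
            name = node.get("name")
            if name in names:
                problems.append(f"duplicate node name {name!r}")
            names.add(name)
            if node.get("regionid") != rid:
                problems.append(f"node {name!r} has regionID {node.get('regionid')!r}, "
                                f"but its region has {rid!r}")
            host = node.get("hostname", "")
            if not host or host.startswith("<"):
                problems.append(f"node {name!r} has no real hostName (placeholder left in?)")
            for field in ("derpport", "stunport"):
                port = node.get(field)
                if port is not None and not (1 <= port <= 65535):
                    problems.append(f"node {name!r}: {field} {port} is out of range")
    return problems


# Constructed sample: the post's single-region map with a documentation IP.
GOOD = """
{
  "derpMap": {
    "omitDefaultRegions": false,
    "regions": {
      "900": {
        "regionID": 900,
        "regionCode": "MyHK",
        "regionName": "My HongKong",
        "nodes": [
          {
            "name": "myhk",
            "regionID": 900,
            "hostName": "derp.example.com", // constructed hostname
            "DERPPort": 443,
            "IPv4": "203.0.113.10", // constructed (TEST-NET-3) address
            "IPv6": "none",
            "STUNPort": 3478,
          },
        ],
      },
    },
  },
}
"""
# Same map with the key/regionID mismatch that is easy to introduce by hand.
BAD = GOOD.replace('"900": {', '"901": {')

if __name__ == "__main__":
    for label, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, validate_derp_map(text) or "ok")
```

Run it on the fragment you are about to paste; the only dependencies are the standard library. The hostname check deliberately rejects values still wrapped in angle brackets, because a leftover `<domain>` placeholder is the most common reason a freshly added region never shows up in netcheck.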
Testing
First, in the Tailscale admin console go to Machines, open any machine and look at Latency: the self-hosted node is now usable.
Then log in to a machine that is already connected to Tailscale and run tailscale netcheck; our self-hosted node shows up in the output:
```text
* IPv6: no, but OS has support
* MappingVariesByDestIP: false
* PortMapping:
* Nearest DERP: San Francisco
* DERP latency:
- sfo: 2.4ms (San Francisco)
- lax: 7.9ms (Los Angeles)
- sea: 20.7ms (Seattle)
- den: 31ms (Denver)
- dfw: 40.7ms (Dallas)
- ord: 49.6ms (Chicago)
- tor: 58.3ms (Toronto)
- hnl: 60.6ms (Honolulu)
- nyc: 65.1ms (New York City)
- iad: 69.9ms (Ashburn)
- mia: 74.4ms (Miami)
- tok: 102.2ms (Tokyo)
- lhr: 133.2ms (London)
- par: 135.4ms (Paris)
- ams: 145.2ms (Amsterdam)
- mad: 145.9ms (Madrid)
- fra: 149.3ms (Frankfurt)
- hkg: 155ms (Hong Kong)
- hel: 157.4ms (Helsinki)
- nue: 161.5ms (Nuremberg)
- waw: 162.2ms (Warsaw)
- HK: 164.5ms (HK) ## this is my own node
- sao: 184.8ms (São Paulo)
- syd: 202ms (Sydney)
- sin: 202.7ms (Singapore)
- blr: 207.8ms (Bangalore)
- dbi: 251.9ms (Dubai)
- jnb: (Johannesburg)
- nai: (Nairobi)
```
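netcheck only tells you what a Tailscale client sees from the inside. A direct check of the two things the node must expose, the HTTPS endpoint behind Nginx and the STUN port, is an added example here, not code from the original post or from Tailscale. It assumes derper's /derp/probe handler (which answers a plain GET with 200) and a standard RFC 5389 STUN Binding exchange on UDP 3478, the same exchange tailscale netcheck performs; the hostname derp.example.com is a placeholder. A 200 from the probe does not show that clients will be admitted: with -verify-clients, derper also needs a tailscaled on the same host to consult.

```python
"""Post-deployment check for a self-hosted DERP node: HTTPS probe through the
reverse proxy plus a STUN Binding request to learn our reflexive address.
Added example; assumes derper's /derp/probe endpoint and RFC 5389 STUN."""
import os
import socket
import struct
import sys
import urllib.request

MAGIC_COOKIE = 0x2112A442          # fixed STUN magic cookie (RFC 5389)
BINDING_REQUEST = 0x0001
BINDING_RESPONSE = 0x0101          # Binding Success Response
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, 12-byte transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction ID must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def parse_binding_response(pkt: bytes, txid: bytes):
    """Return (ip, port) from XOR-MAPPED-ADDRESS; raise if the packet is not our success response."""
    if len(pkt) < 20:
        raise ValueError("short STUN packet")
    mtype, length, cookie = struct.unpack("!HHI", pkt[:8])
    if mtype != BINDING_RESPONSE or cookie != MAGIC_COOKIE or pkt[8:20] != txid:
        raise ValueError("not a Binding Success Response for our transaction")
    body, pos = pkt[20:20 + length], 0
    while pos + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[pos:pos + 4])
        value = body[pos + 4:pos + 4 + alen]
        pos += 4 + ((alen + 3) & ~3)              # attributes are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS and len(value) >= 8 and value[1] == 0x01:
            port = struct.unpack("!H", value[2:4])[0] ^ (MAGIC_COOKIE >> 16)
            addr = struct.unpack("!I", value[4:8])[0] ^ MAGIC_COOKIE
            return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no IPv4 XOR-MAPPED-ADDRESS in response")


def encode_binding_response(txid: bytes, ip: str, port: int) -> bytes:
    """Build the reply a STUN server would send; used to exercise the parser offline."""
    xport = port ^ (MAGIC_COOKIE >> 16)
    xaddr = struct.unpack("!I", socket.inet_aton(ip))[0] ^ MAGIC_COOKIE
    attr = struct.pack("!HHBBHI", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport, xaddr)
    return struct.pack("!HHI", BINDING_RESPONSE, len(attr), MAGIC_COOKIE) + txid + attr


def stun_probe(host: str, port: int = 3478, timeout: float = 3.0):
    """Send one Binding request to the node's STUN port and return the address it saw us from."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (host, port))
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)


def https_probe(host: str, timeout: float = 5.0) -> int:
    """GET https://<host>/derp/probe through Nginx; 200 means derper answered behind the proxy."""
    with urllib.request.urlopen(f"https://{host}/derp/probe", timeout=timeout) as r:
        return r.status


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "derp.example.com"   # placeholder hostname
    print("HTTPS /derp/probe status:", https_probe(host))
    print("STUN reflexive address:", stun_probe(host))
```

Run it as `python3 derp_check.py <domain>` from a machine outside the server's network. If the HTTPS probe works but STUN times out, the usual cause is UDP 3478 being filtered, and clients will still relay but report no STUN-derived mapping for that region. Checking the transaction ID before trusting the reply keeps a stray or spoofed datagram from being reported as your public address.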