Building a private DERP relay!

  1. Enable the built-in DERP in headscale
  2. Enable DERP on a node

1. Enable the built-in DERP in headscale

headscale ships with a built-in DERP server. To enable it, the server_url in the headscale configuration must use https (DERP requires TLS). The trimmed-down configuration is as follows:

  • headscale.yaml configuration:

    # must be https
    server_url: https://myheadscale.example.com:443

    # ...

    derp:
      server:
        # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
        # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
        enabled: true

        # Region ID to use for the embedded DERP server.
        # The local DERP prevails if the region ID collides with other region ID coming from
        # the regular DERP config.
        region_id: 999

        # Region code and name are displayed in the Tailscale UI to identify a DERP region
        region_code: "headscale"
        region_name: "Headscale Embedded DERP"

        # Listens over UDP at the configured address for STUN connections - to help with NAT traversal.
        # When the embedded DERP server is enabled stun_listen_addr MUST be defined.
        #
        # For more details on how this works, check this great article: https://tailscale.com/blog/how-tailscale-works/
        stun_listen_addr: "0.0.0.0:3478"

        # Private key used to encrypt the traffic between headscale DERP
        # and Tailscale clients.
        # The private key file will be autogenerated if it's missing.
        #
        private_key_path: /var/lib/headscale/derp_server_private.key

        # This flag can be used, so the DERP map entry for the embedded DERP server is not written automatically,
        # it enables the creation of your very own DERP map entry using a locally available file with the parameter DERP.paths
        # If you enable the DERP server and set this to false, it is required to add the DERP server to the DERP map using DERP.paths
        automatically_add_embedded_derp_region: true

        # For better connection stability (especially when using an Exit-Node and DNS is not working),
        # it is possible to optionally add the public IPv4 and IPv6 address to the Derp-Map using:
        ipv4: [machine IPv4 address]
        ipv6: [machine IPv6 address]

      # List of externally available DERP maps encoded in JSON
      urls:
        - https://controlplane.tailscale.com/derpmap/default

      # Locally available DERP map files encoded in YAML
      #
      # This option is mostly interesting for people hosting
      # their own DERP servers:
      # https://tailscale.com/kb/1118/custom-derp-servers/
      #
      # paths:
      #   - /etc/headscale/derp-example.yaml
      paths:
      #  - /etc/headscale/derp.yaml

      # If enabled, a worker will be set up to periodically
      # refresh the given sources and update the derpmap
      # will be set up.
      auto_update_enabled: true

      # How often should we check for DERP updates?
      update_frequency: 24h

  • docker-compose.yaml

    services:
      headscale:
        image: headscale/headscale:0.23
        container_name: headscale
        volumes:
          - ./config:/etc/headscale
          - ./data:/var/lib/headscale
        ports:
          - "127.0.0.1:[port]:[port]"
          - "3478:3478"
          - "3478:3478/udp"
        command: serve
        restart: unless-stopped

  • caddy

    myheadscale.example.com {
        handle_path /web* {
            root * /usr/share/caddy/headscale-ui/web
            try_files {path} /index.html
            file_server
        }
        reverse_proxy http://127.0.0.1:[port]
    }

2. Enable DERP on a node

Client verification is forced on here (--verify-clients=true) to stop strangers from freeloading on the relay; this requires tailscale to be installed on the machine and joined to the tailnet, because derper checks each connecting client against the local tailscaled socket.

For certificates, derper in manual cert mode requires the certificate to be named [sitename].crt and the private key [sitename].key inside the cert directory.

  • docker-compose.yaml

    # top-level key must be "services" (plural) for Docker Compose
    services:
      caddy:
        image: epaunonen/caddy-cloudflare
        container_name: caddy
        hostname: caddy
        restart: always
        ports:
          - "443:443/udp"
          - "443:443"
        networks:
          - internal_network
          - external_network
        volumes:
          - ./config/Caddyfile:/etc/caddy/Caddyfile
          - ./ssl:/ssl:ro
          - ./data/caddy/data:/data
          - ./data/caddy/config:/config

      derper:
        restart: always
        container_name: derper
        ports:
          - "3478:3478/udp"
          - "3478:3478"
        volumes:
          - ./ssl/[sitename]/:/app/certs:ro
          # tailscaled socket is needed for --verify-clients=true
          - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
        command: "/app/derper --hostname=[sitename] --certmode=manual --certdir=/app/certs --stun=true --a=:443 --http-port=-1 --verify-clients=true"
        image: yangchuansheng/ip_derper:latest
        networks:
          - internal_network
        depends_on:
          - caddy

    networks:
      internal_network:
        internal: true
      external_network:

  • caddy

    [sitename] {
        reverse_proxy https://derper:443 {
            transport http {
                tls_trusted_ca_certs /ssl/[sitename]/[sitename].crt
                tls_server_name [sitename]
            }
        }
    }

  • headscale.yaml configuration:

    derp:
      urls:
        - https://controlplane.tailscale.com/derpmap/default
        - http://demo/derper.json

  • derper.json configuration: note that because an insecure (not publicly trusted) certificate is used, "InsecureForTests": true is required

    {
      "Regions": {
        "901": {
          "RegionID": 901,
          "RegionCode": "ali-sh",
          "RegionName": "Aliyun Shanghai",
          "Nodes": [
            {
              "Name": "901a",
              "RegionID": 901,
              "DERPPort": 443,
              "HostName": "xxxx",
              "IPv4": "xxxx",
              "InsecureForTests": true
            }
          ]
        }
      }
    }
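As an added example (not part of the original post, and not headscale's or derper's own code), here is a small Python checker to run over a DERP map such as the derper.json above before handing it to headscale. It verifies that each region key matches its RegionID and that every node carries the same RegionID, warns when a region collides with the embedded DERP region_id (999) from the first section, since headscale's local entry wins on collision, and flags any node with InsecureForTests set, because clients then skip TLS certificate verification for that relay. The sample map, host name and IPv4 address are constructed placeholders.

```python
import json

# Constructed sample in the shape of the derper.json above; the host name and
# IPv4 address are documentation placeholders, not real infrastructure.
SAMPLE_DERP_MAP = """
{
  "Regions": {
    "901": {
      "RegionID": 901,
      "RegionCode": "ali-sh",
      "RegionName": "Aliyun Shanghai",
      "Nodes": [
        {
          "Name": "901a",
          "RegionID": 901,
          "DERPPort": 443,
          "HostName": "derp.example.invalid",
          "IPv4": "203.0.113.10",
          "InsecureForTests": true
        }
      ]
    }
  }
}
"""

# region_id of headscale's embedded DERP server in the headscale.yaml above
EMBEDDED_REGION_ID = 999


def check_derp_map(raw_json, embedded_region_id=EMBEDDED_REGION_ID):
    """Parse a DERP map and return a list of (severity, message) findings.

    severity is "error" for a map headscale should not be given as-is and
    "warn" for something that works but deserves a second look.
    """
    findings = []
    data = json.loads(raw_json)
    regions = data.get("Regions")
    if not isinstance(regions, dict):
        return [("error", "top-level 'Regions' object missing")]

    for key, region in regions.items():
        rid = region.get("RegionID")
        # The object key and the RegionID field must agree.
        if str(rid) != key:
            findings.append(("error", f"region key {key!r} does not match RegionID {rid!r}"))
        # headscale's embedded region prevails on collision, hiding this one.
        if rid == embedded_region_id:
            findings.append(("warn", f"region {rid} collides with the embedded DERP region_id; headscale's local entry wins"))

        nodes = region.get("Nodes") or []
        if not nodes:
            findings.append(("error", f"region {key} has no nodes"))
        for node in nodes:
            name = node.get("Name", "<unnamed>")
            if node.get("RegionID") != rid:
                findings.append(("error", f"node {name}: RegionID {node.get('RegionID')!r} != region {rid!r}"))
            if not node.get("HostName"):
                findings.append(("error", f"node {name}: HostName is empty"))
            # DERPPort defaults to 443 when omitted; anything else must be a valid port.
            if node.get("DERPPort", 443) not in range(1, 65536):
                findings.append(("error", f"node {name}: DERPPort {node.get('DERPPort')!r} is not a valid port"))
            # InsecureForTests makes clients accept any certificate from this relay.
            if node.get("InsecureForTests"):
                findings.append(("warn", f"node {name}: InsecureForTests=true disables TLS certificate verification for {node.get('HostName')}"))
    return findings


def has_errors(findings):
    """True when at least one finding has severity "error"."""
    return any(severity == "error" for severity, _ in findings)


if __name__ == "__main__":
    for severity, message in check_derp_map(SAMPLE_DERP_MAP):
        print(f"[{severity}] {message}")
```

Run it against the JSON file you plan to serve at the derp.urls entry; for the sample above it reports a single warning about InsecureForTests and no errors, which is exactly the trade-off the post accepts when a self-signed certificate is used.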