Deploying a Private Derper with Docker

When self-hosting a Tailscale Derper node with client verification enabled, the Tailscale client must also be installed on the Derper node itself.

Docker Compose

version: "3"
services:
  tailscale:
    image: tailscale/tailscale
    container_name: tailscale
    privileged: true
    restart: always
    volumes:
      - "./tailscale/data:/var/lib/tailscale"
      - "./tailscale/tmp:/tmp"
      - "/dev/net/tun:/dev/net/tun"
    cap_add:
      - net_admin
      - sys_module
    environment:
      TS_AUTHKEY: "从 https://login.tailscale.com/admin/settings/keys 获取"
      TS_STATE_DIR: "/var/lib/tailscale"
      TS_USERSPACE: "false"
  derper:
    image: starudream/derper
    container_name: derper
    restart: always
    command: /tailscale/derper -a :80 -verify-clients
    depends_on:
      - tailscale
    ports:
      - "3478:3478/udp"
    volumes:
      - "./tailscale/tmp:/var/run/tailscale"

See here for the Derper image.

In the current version (1.60.1), /var/run/tailscale/tailscaled.sock is only a symlink pointing to /tmp/tailscaled.sock, which is why the compose file shares ./tailscale/tmp between the two containers so that derper can reach the socket for -verify-clients.

Nginx

Instead of using Derper's built-in TLS certificate handling, nginx is placed in front as a reverse proxy. Note that proxy_set_header Upgrade $http_upgrade; is required to enable WebSocket upgrades.

server {
    # ...
    location / {
        proxy_pass http://derper:80;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Real-PORT $remote_port;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # websocket ($connection_upgrade is not built in; define it with a map block in the http context)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}

Access Controls

Finally, edit the policy file at https://login.tailscale.com/admin/acls/file and add a derpMap configuration.

OmitDefaultRegions drops the official Derper nodes; when self-hosting, enabling it is recommended to protect privacy.

The example configuration below is split into two regions, one for the internal network and one for the public network; the Tailscale client automatically selects between them based on latency.

For the full set of fields available under Nodes, see DERPNode.

{
  // ... acls ssh
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "private",
        "Nodes": [
          {
            "Name": "private-aliyun",
            "RegionID": 900,
            "HostName": "derper.52xckl.cn",
            "IPV4": "内网ip 172.17.0.1",
            "STUNPort": 3478,
            "DERPPort": 443
          }
        ]
      },
      "901": {
        "RegionID": 901,
        "RegionCode": "public",
        "Nodes": [
          {
            "Name": "public-aliyun",
            "RegionID": 901,
            "HostName": "derper.52xckl.cn",
            "IPV4": "公网ip",
            "STUNPort": 3478,
            "DERPPort": 443
          }
        ]
      }
    }
  }
}
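As an added check that is not part of the original post, the script below validates a derpMap in the HuJSON form the policy file uses before it is saved: it strips comments, confirms OmitDefaultRegions is on, and verifies that each region key, node RegionID, HostName, port and IPV4 value is consistent (placeholders such as the ones in the example above are reported). The sample policy and the derper.example.invalid hostname are constructed for this example.

```python
# Sanity-check a Tailscale derpMap (HuJSON policy file) before saving it to the admin console.
import json
import re

# Constructed sample in the shape of the derpMap above; derper.example.invalid is a
# placeholder hostname and the second IPV4 is deliberately left as the page's placeholder.
SAMPLE_POLICY = """{
  // acls and ssh sections omitted
  "derpMap": {"OmitDefaultRegions": true, "Regions": {
    "900": {"RegionID": 900, "RegionCode": "private", "Nodes": [{"Name": "private-aliyun",
      "RegionID": 900, "HostName": "derper.example.invalid", "IPV4": "172.17.0.1",
      "STUNPort": 3478, "DERPPort": 443}]},
    "901": {"RegionID": 901, "RegionCode": "public", "Nodes": [{"Name": "public-aliyun",
      "RegionID": 901, "HostName": "derper.example.invalid", "IPV4": "公网ip",
      "STUNPort": 3478, "DERPPort": 443}]},
  }},
}"""

def strip_hujson(text):
    # Drop // and /* */ comments plus trailing commas so json.loads accepts HuJSON.
    # Naive: it would also strip a '//' inside a string value such as a URL.
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)

def check_derpmap(policy_text):
    """Return a list of problems in the derpMap section; an empty list means it is consistent."""
    derp = json.loads(strip_hujson(policy_text)).get("derpMap")
    if derp is None:
        return ["policy has no derpMap section"]
    problems = []
    if derp.get("OmitDefaultRegions") is not True:
        problems.append("OmitDefaultRegions is not true: official DERP relays stay in use")
    for key, region in derp.get("Regions", {}).items():
        rid = region.get("RegionID")
        if str(rid) != key:  # the region key and its RegionID must agree
            problems.append(f"region key {key!r} does not match RegionID {rid!r}")
        for node in region.get("Nodes", []):
            name = node.get("Name", "?")
            if node.get("RegionID") != rid:  # each node must point back at its own region
                problems.append(f"node {name}: RegionID {node.get('RegionID')!r} != {rid!r}")
            if not node.get("HostName"):
                problems.append(f"node {name}: HostName missing")
            for port in ("STUNPort", "DERPPort"):
                if not isinstance(node.get(port), int) or not 1 <= node[port] <= 65535:
                    problems.append(f"node {name}: {port} must be 1-65535, got {node.get(port)!r}")
            ipv4 = node.get("IPV4", "")
            if ipv4 and not re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", ipv4):
                problems.append(f"node {name}: IPV4 {ipv4!r} is a placeholder, not an address")
    return problems
```

Running check_derpmap on the sample reports only the unfilled public IPV4 placeholder; once real values are in, an empty list means the map is internally consistent.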

Test

docker exec -it tailscale tailscale netcheck
Report:
* UDP: true
* IPv4: yes, 172.19.0.1:34143
* IPv6: no, unavailable in OS
* MappingVariesByDestIP: true
* HairPinning: false
* PortMapping:
* Nearest DERP:
* DERP latency:
- private: 200µs ()
- public: 3.1ms ()
docker exec -it tailscale tailscale ping <node name>
pong from <node name> (<node ip>) via DERP(public) in 11ms
pong from <node name> (<node ip>) via DERP(public) in 11ms
pong from <node name> (<node ip>) via DERP(public) in 11ms

Ref

  • https://tailscale.com/kb/1118/custom-derp-servers