
Setting up a Tailscale DERP server


Running your own DERP server improves the connectivity and speed of a Tailscale network.

This article draws on an existing setup tutorial. Download the latest Go release from https://go.dev/dl/ (be sure to download the official tarball rather than running apt-get install golang).

With sudo privileges, run the following:

rm -rf /usr/local/go
tar -C /usr/local -xzf go*.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin

go env -w GOPROXY=https://goproxy.cn,direct
go install tailscale.com/cmd/derper@latest
go install tailscale.com/cmd/derpprobe@latest

vim /root/go/pkg/mod/tailscale.com@*/cmd/derper/cert.go

Comment out the first three lines of getCertificate (the check that the client's SNI matches the configured hostname):

func (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {
	// Comment out the following three lines:
	// if hi.ServerName != m.hostname && !m.noHostname {
	//	return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
	// }

	// Return a shallow copy of the cert so the caller can append to its
	// Certificate field.
	certCopy := new(tls.Certificate)
	*certCopy = *m.cert
	certCopy.Certificate = certCopy.Certificate[:len(certCopy.Certificate):len(certCopy.Certificate)]
	return certCopy, nil
}

Build derper and create a self-signed certificate (the subjectAltName extension is required; a certificate with only a CN will not match the hostname):

cd /root/go/pkg/mod/tailscale.com@*/cmd/derper/
go build -o /etc/derp/derper

cd /etc/derp
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /etc/derp/${DERP_DOMAIN}.key -out /etc/derp/${DERP_DOMAIN}.crt -subj "/CN=${DERP_DOMAIN}" -addext "subjectAltName=DNS:${DERP_DOMAIN}"

Test that the server can be reached. The -verify-clients flag restricts the DERP to clients belonging to the account that is logged into the local tailscale; anyone else is refused.

/etc/derp/derper -hostname ${DERP_DOMAIN} -a :${DERP_PORT} -http-port -1 -certdir /etc/derp -certmode manual -verify-clients -stun
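Before relying on the self-signed certificate, it is worth confirming offline that it actually matches ${DERP_DOMAIN}: derper's manual cert mode loads <certdir>/<hostname>.crt and <hostname>.key, and the hostname check commented out in getCertificate above exists precisely because the certificate must cover the name clients connect to. The Go program below is an added example written for this page, not code from the post or from Tailscale. The names checkDERPCert, writeSelfSigned and writePEM are hypothetical, and the certificates created by the helper are constructed sample data that stand in for the openssl command (P-256 instead of RSA 4096 only to keep the example fast; derper accepts either).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"os"
	"path/filepath"
	"time"
)

// checkDERPCert loads <certdir>/<hostname>.crt and <certdir>/<hostname>.key,
// the file layout derper's -certmode manual expects, and fails if the key does
// not match the certificate, the certificate is outside its validity window,
// or hostname is not covered by the certificate's subjectAltName entries.
// Hypothetical pre-flight helper written for this post; not part of derper.
func checkDERPCert(certdir, hostname string) error {
	pair, err := tls.LoadX509KeyPair(
		filepath.Join(certdir, hostname+".crt"),
		filepath.Join(certdir, hostname+".key"),
	)
	if err != nil {
		// Covers a missing file, a malformed PEM, or a key/cert mismatch.
		return fmt.Errorf("load key pair: %w", err)
	}
	leaf, err := x509.ParseCertificate(pair.Certificate[0])
	if err != nil {
		return fmt.Errorf("parse certificate: %w", err)
	}
	now := time.Now()
	if now.Before(leaf.NotBefore) || now.After(leaf.NotAfter) {
		return fmt.Errorf("certificate not valid now (NotBefore %s, NotAfter %s)",
			leaf.NotBefore.Format(time.RFC3339), leaf.NotAfter.Format(time.RFC3339))
	}
	// Go matches only subjectAltName, never the CN, which is why the
	// openssl command in the post passes -addext "subjectAltName=DNS:...".
	if err := leaf.VerifyHostname(hostname); err != nil {
		return fmt.Errorf("hostname %q not in SANs %v: %w", hostname, leaf.DNSNames, err)
	}
	return nil
}

// writeSelfSigned writes a self-signed <dir>/<fileBase>.crt and .key whose
// subjectAltName lists sans and which expires after the given number of days.
// It stands in for the openssl command in the post; its output is constructed
// sample data used to exercise checkDERPCert.
func writeSelfSigned(dir, fileBase string, sans []string, days int) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: fileBase},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Duration(days) * 24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		DNSNames:              sans, // nil reproduces a CN-only certificate
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &priv.PublicKey, priv)
	if err != nil {
		return err
	}
	keyDER, err := x509.MarshalPKCS8PrivateKey(priv)
	if err != nil {
		return err
	}
	if err := writePEM(filepath.Join(dir, fileBase+".crt"), "CERTIFICATE", der); err != nil {
		return err
	}
	return writePEM(filepath.Join(dir, fileBase+".key"), "PRIVATE KEY", keyDER)
}

// writePEM writes one PEM block to path, private-key files included, so 0600.
func writePEM(path, typ string, der []byte) error {
	return os.WriteFile(path, pem.EncodeToMemory(&pem.Block{Type: typ, Bytes: der}), 0o600)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: derpcertcheck <certdir> <hostname>")
		os.Exit(2)
	}
	if err := checkDERPCert(os.Args[1], os.Args[2]); err != nil {
		fmt.Println("FAIL:", err)
		os.Exit(1)
	}
	fmt.Println("OK: certificate matches", os.Args[2])
}
```

Run it as go run . /etc/derp ${DERP_DOMAIN} after the openssl step. The subjectAltName case is the one that bites in practice: Go's TLS stack (which Tailscale is built on) ignores the CN entirely, so a certificate generated without -addext fails this check even though openssl x509 -subject shows the expected name.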

If the test succeeds, create derp.service. The heredoc delimiter below is unquoted, so ${DERP_DOMAIN} and ${DERP_PORT} are expanded by the shell when the file is written; make sure both are set in the current shell first.

cat > /etc/systemd/system/derp.service <<EOF
[Unit]
Description=TailScale Derper
After=network.target
Wants=network.target
[Service]
User=root
Restart=always
ExecStart=/etc/derp/derper -hostname ${DERP_DOMAIN} -a :${DERP_PORT} -http-port -1 -certdir /etc/derp -certmode manual -verify-clients -stun
RestartPreventExitStatus=1
[Install]
WantedBy=multi-user.target
EOF

Add the following to the end of the Tailscale ACL (HuJSON, so comments and trailing commas are allowed). Note that InsecureForTests: true makes clients skip certificate verification for this node, which is what allows the self-signed certificate to work.

	// ...
	"derpMap": {
		"Regions": {
			"901": {
				"RegionID":   901,
				"RegionCode": "self-sh",
				"RegionName": "Shanghai",
				"Nodes": [
					{
						"Name":     "Aliyun-ShangHai",
						"RegionID": 901,
						"HostName": "your.domain.name",
						// IPv4 may be omitted; if set, it bypasses DNS resolution of the domain name
						"IPv4":             "your.ipv4.address",
						"DERPPort":         0, // replace with your DERP_PORT; must be a number, not a string
						"InsecureForTests": true, // required when using a self-signed cert
					},
				],
			},
		},
	},
// }