https://tailscale.com/kb/1118/custom-derp-servers/
A DERP server consists of the DERP service (HTTP(S)-based traffic relay on TCP/443) plus a STUN service (UDP/3478).
As everyone knows, standing up a DERP server means tedious steps such as configuring an HTTPS certificate, so I wanted to get the speed-up through plain TCP traffic forwarding instead.
Route:
In the Tailscale web admin UI you can configure the ACL, which includes the derpMap.
The default derpMap: https://login.tailscale.com/derpmap/default
(it is not fetched continuously; it is embedded in the Go binary)
Add a new region whose Nodes contain the forwarding proxy node we want to add:
{
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "hkg2",
        "RegionName": "Tencent HK->Hongkong",
        "Nodes": [
          {
            "Name": "derp Tencent hk",
            "RegionID": 900,
            "HostName": "derp20b.tailscale.com",
            "DERPPort": xxxx,        // vx.link TCP proxy port
            "STUNPort": -1,          // STUN disabled on the forwarded node
            "IPv4": "xx.xx.xx.xx",   // vx.link TCP proxy IP
          },
          {
            "Name": "stun",
            "RegionID": 900,
            "HostName": "derp20b.tailscale.com",
            "STUNOnly": true,
          },
        ],
      },
    },
  },
}
Obviously, if we proxy the STUN service through UDP forwarding, the external IP address STUN reports is the UDP proxy's IP rather than the local agent's IP, which directly causes the connection to fail.
Fortunately DERPNode has a fairly rich set of configuration options, which let us somehow work around this trouble:
https://pkg.go.dev/tailscale.com/tailcfg#DERPNode
HostName
must be one of the servers in the default derpMap (I chose the Hong Kong derp20b), otherwise TLS fails with "internal tls cert error" (journalctl -u tailscaled).
The price for this is that the IPv4
field must be set manually to vx.link's TCP proxy IP address; if vx.link switches to a new proxy server, we may have to change this field by hand.
DERPPort
is vx.link's TCP proxy port.
STUNPort
is -1: "To disable STUN on this node, use -1."
Then add another node with STUNOnly
set to true; its HostName
is best kept the same as above.
Routes (one way):
China Mobile FTTH → vx.link Tencent HK → derp20b.tailscale.com → vx.link Tencent HK → China Unicom 4G
mtr -z derp20b.tailscale.com
Barely gives a usable latency during peak hours.
Because traffic forwarding and the STUN service are tightly coupled, TCP and UDP traffic take two different network paths: the UDP direct RTT that tailscale netcheck
measures via STUN is not the RTT of the path after TCP forwarding, so our best-path selection goes wrong.
So the helpless workaround is OmitDefaultRegions
set to true, disabling all default nodes and keeping only the forwarding nodes we added in the ACL.
Note: this content was CTRL-V'd out of my Notion notes; grammar and formatting are rather casual.
Really not an ad; all the traffic was paid for out of my own pocket.
Forgot to post a before/after comparison:
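A small lint that encodes the recipe from the post above as checks against a custom derpMap. This is an added example, not code from the post or from Tailscale: the set of "default DERP hostnames" is an assumed stand-in for the real embedded default map, and the sample maps below are constructed with placeholder values (port 44433, the documentation address 203.0.113.10). It accepts HuJSON as the ACL editor does, then flags the mistakes the post warns about: default regions left enabled, STUN sent to the TCP proxy, IPv4 not pinned, a HostName that is not a default DERP host, and a region without a STUNOnly node.

```python
import json
import re

# Assumption: hostnames present in Tailscale's default derpMap. The real list is
# embedded in the tailscaled binary (the post links its JSON form); this set is a
# stand-in that contains only the host the post uses.
DEFAULT_DERP_HOSTNAMES = {"derp20b.tailscale.com"}


def hujson_to_json(text: str) -> str:
    """Make HuJSON (what the ACL editor accepts) loadable by json.loads.

    Strips // and /* */ comments and trailing commas. Deliberately simple: it
    does not protect a '//' that appears inside a string value.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    return re.sub(r",(\s*[}\]])", r"\1", text)


def lint_derpmap(cfg: dict) -> list[str]:
    """Return findings; an empty list means the map follows the post's recipe."""
    findings = []
    dm = cfg.get("derpMap", {})
    if dm.get("OmitDefaultRegions") is not True:
        findings.append(
            "OmitDefaultRegions is not true: default regions stay in the map and "
            "their STUN-measured UDP RTT does not describe the TCP-forwarded path, "
            "so best-path selection can pick the wrong region")
    for key, region in dm.get("Regions", {}).items():
        rid = region.get("RegionID")
        if str(rid) != key:
            findings.append(f"region {key}: RegionID {rid!r} does not match the map key")
        nodes = region.get("Nodes", [])
        relay = [n for n in nodes if not n.get("STUNOnly")]
        stun = [n for n in nodes if n.get("STUNOnly")]
        for n in nodes:
            name = n.get("Name", "<unnamed>")
            if n.get("RegionID") != rid:
                findings.append(f"node {name!r}: RegionID must equal the region's RegionID {rid!r}")
            host = n.get("HostName", "")
            if host not in DEFAULT_DERP_HOSTNAMES:
                findings.append(
                    f"node {name!r}: HostName {host!r} is not a default DERP host; "
                    "the post reports 'internal tls cert error' for such names")
        for n in relay:
            name = n.get("Name", "<unnamed>")
            if n.get("STUNPort") != -1:
                findings.append(f"node {name!r}: set STUNPort to -1 so STUN is not sent to the TCP proxy")
            if not n.get("IPv4"):
                findings.append(
                    f"node {name!r}: IPv4 must pin the TCP proxy address; "
                    "otherwise HostName is resolved via DNS to the real DERP host")
            port = n.get("DERPPort")
            if not isinstance(port, int) or isinstance(port, bool):
                findings.append(f"node {name!r}: DERPPort must be the proxy's TCP port as an integer")
        if relay and not stun:
            findings.append(f"region {key}: no STUNOnly node, so netcheck has no STUN server for this region")
        if len({n.get("HostName") for n in nodes}) > 1:
            findings.append(f"region {key}: relay and STUNOnly nodes should share one HostName")
    return findings


def lint_hujson(text: str) -> list[str]:
    """Parse a HuJSON derpMap and lint it."""
    return lint_derpmap(json.loads(hujson_to_json(text)))


# Constructed sample: the post's map with placeholder port and proxy IP filled in.
GOOD_DERPMAP = """
{
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "hkg2",
        "RegionName": "Tencent HK->Hongkong",
        "Nodes": [
          {
            "Name": "derp Tencent hk",
            "RegionID": 900,
            "HostName": "derp20b.tailscale.com",
            "DERPPort": 44433,        // constructed placeholder proxy port
            "STUNPort": -1,
            "IPv4": "203.0.113.10",   // constructed placeholder proxy IP
          },
          {"Name": "stun", "RegionID": 900, "HostName": "derp20b.tailscale.com", "STUNOnly": true},
        ],
      },
    },
  },
}
"""

# Constructed sample that makes every mistake the post warns about.
BAD_DERPMAP = """
{
  "derpMap": {
    "OmitDefaultRegions": false,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "hkg2",
        "RegionName": "broken example",
        "Nodes": [
          {
            "Name": "derp via proxy",
            "RegionID": 900,
            "HostName": "derp.example.invalid",   // not a default DERP host
            "DERPPort": 44433,
            /* STUNPort left at default, IPv4 not pinned, no STUNOnly node */
          },
        ],
      },
    },
  },
}
"""

if __name__ == "__main__":
    for label, text in (("good", GOOD_DERPMAP), ("bad", BAD_DERPMAP)):
        print(label, lint_hujson(text) or "no findings")
```

Run it on the map you are about to paste into the ACL editor; the "bad" sample yields five findings and the "good" one none. The lint only knows the rules the post states, so a clean result means the map is shaped like the post's, not that the proxy itself is reachable.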
1
Cyshall 2023-02-14 20:20:35 +08:00 2
A single docker command starts a derp that needs no domain or certificate deployment: docker run --restart always --net host --name derper -d yangchuansheng/ip_derper
3
hanguofu 2023-02-15 04:19:14 +08:00
Thanks for sharing. A beginner-level question: for Tailscale, is there an open-source account management system? I'd like a group of people to log in through it and all be connected in the same network.
4
zckevin OP
5
neroxps 2023-02-15 08:51:18 +08:00
headscale is quite good; the only drawback is that there is no iOS client yet.
7
MikuM97 2023-02-15 09:34:31 +08:00
I tried setting up derper on a Tencent Lighthouse instance. You can bind a domain and just use Tencent Cloud's free certificate. The main thing is the port: don't use port 443, use a high port above 10000. In my tests, domains without ICP registration are not blocked that way.
9
blessedbin 2023-02-15 09:47:26 +08:00
@Actrace headscale servers work for everything except iOS; the README states this clearly too.
11
4Ej4z9XsfMCW4b4O 2023-02-15 17:59:59 +08:00 via iPhone
Feb 15 17:58:42 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE
Feb 15 17:58:42 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'.
Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Scheduled restart job, restart counter is at 852.
Feb 15 17:58:47 instance-20221104-0025 systemd[1]: Stopped headscale controller.
Feb 15 17:58:47 instance-20221104-0025 systemd[1]: Started headscale controller.
Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: An updated version of Headscale has been found (0.20.0 vs. your current v0.17.0-alpha4). Check it out https://github.com/juanfont/headscale/releases
Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: 2023-02-15T17:58:47+08:00 INF No private key file at path, creating... path=/etc/headscale/private.key
Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: 2023-02-15T17:58:47+08:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key"
Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE
Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'.
Feb 15 17:58:52 instance-20221104-0025 systemd[1]: headscale.service: Scheduled restart job, restart counter is at 853.
Feb 15 17:58:52 instance-20221104-0025 systemd[1]: Stopped headscale controller.
Feb 15 17:58:52 instance-20221104-0025 systemd[1]: Started headscale controller.
Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: An updated version of Headscale has been found (0.20.0 vs. your current v0.17.0-alpha4). Check it out https://github.com/juanfont/headscale/releases
Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: 2023-02-15T17:58:53+08:00 INF No private key file at path, creating... path=/etc/headscale/private.key
Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: 2023-02-15T17:58:53+08:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key"
Feb 15 17:58:53 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE
Feb 15 17:58:53 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'.
12
4Ej4z9XsfMCW4b4O 2023-02-15 18:00:37 +08:00 via iPhone
What is causing this after installing headscale?
14
zzl22100048 2023-02-16 10:01:20 +08:00
@ninq
home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key" means it cannot create the private key.
15
SeaSaltPepper 2023-02-16 11:23:00 +08:00
@ninq headscale has no permission on /etc. I suggest changing the private_key_path and db_path paths in the config file; the config file already gives suggested values, just follow them (this assumes you followed the official repository's tutorial).
16
standin000 2023-03-12 13:35:49 +08:00
A question: my server has a public IP and all the ports are open, yet other machines connecting to it over Tailscale still need the official relay servers. Why is that?
17
Kilerd 2023-03-21 15:50:25 +08:00
@standin000 I'm hitting the same problem now. I deployed tailscale on a router with a public IP, and every other client accessing it goes through DERP. I don't really understand the reason.
18
zckevin OP
20
Actrace 290 days ago
Digging up this old thread... a few days ago I saw that 微林 (vx.link) launched a DERP service and thought of this post.
Now it can be used directly, no detours needed.
22
Drbo 207 days ago via Android
mark: 微林 (vx.link) derp