这是一个创建于 971 天前的主题,其中的信息可能已经有所发展或是发生改变。
Abstract
https://tailscale.com/kb/118/custom-derp-servers/
derp server has derp service(基于 http(s) 的流量转发 tcp/443) + STUN service(udp/3478)
众所周知,搭建一个 derp server 需要配置 https 证书等繁琐的流程,因此希望能通过 tcp 流量转发实现加速。
Route:
derpMap
在 tailscale web admin UI 中可以配置 ACL ,其中包括 derpMap
默认的 derpMap: https://login.tailscale.com/derpmap/default
(并不会一直请求,而是被 embed 在 golang binary 中)
配置
添加一个新的 region ,其 Nodes 参数包含我们想要添加的转发代理节点
{ "derpMap": { "OmitDefaultRegions": true, "Regions": { "900": { "RegionID": 900, "RegionCode": "hkg2", "RegionName": "Tencent HK->Hongkong", "Nodes": [ { "Name": "derp Tencent hk", "RegionID": 900, "HostName": "derp20b.tailscale.com", "DERPPort": xxxx, "STUNPort": -1, "IPv4": "xx.xx.xx.xx", }, { "Name": "stun", "RegionID": 900, "HostName": "derp20b.tailscale.com", "STUNOnly": true, }, ], }, }, } 显而易见,如果我们用 UDP 转发来代理 STUN 服务,STUN 获取到的 external ip address 是 UDP 代理的 IP ,而不是 local agent ip ,其会直接导致服务连接失败。
好在 DERPNode 中的配置选项还算丰富,可以 somehow 绕过这个麻烦
https://pkg.go.dev/tailscale.com/tailcfg#DERPNode
HostName 必须是 default derpMap 中几个服务器之一(本人选择香港 derp20b ),否则 tls 报错 internal tls cert error ( journalctl -u tailscaled )
但是为此的代价是必须手动指定 IPv4 field ,设置为 vx.link tcp proxy’s IP addr ,如果 vx.link 更换了新的代理服务器,我们可能需要手动修改这个 field
DERPPort 为 vx.link tcp proxy’s port
STUNPort 为 -1:To disable STUN on this node, use -1.
之后,再添加一个 STUNOnly 为 true 的节点,HostName 最好是和上边一样
效果
Routes(one way):
China Mobile FTTH → vx.link Tencent HK →derp20b.tailscale.com → vx.link Tencent HK → China Unicom 4g
mtr -z derp20b.tailscale.com
勉强能在高峰期获得一个能用的延迟。
不足之处
流量转发与 STUN 服务的强耦合,导致 tcp udp 流量走的是两条不同的 network path ,即 tailscale netcheck 通过 STUN 服务检测到的 UDP 直连 RTT 并不等同于经过 tcp 转发后 path 的 rtt ,导致我们的最优 path 选择出错。
所以无奈之举是 OmitDefaultRegions 为 true ,disable 所有默认节点,只保留我们在 acl 中添加的转发节点。
结尾
注:文章内容从 notion 笔记中 CTRL-V ,文法及格式过于随意。
真不是广告,流量都是自费充值。
第 1 条附言 2023-02-14 20:51:01 +08:00
忘了发一个 before/after 对比:
 | 1 Cyshall 2023-02-14 20:20:35 +08:00  2 docker 一行命令启动一个 drep ,不需要域名部署证书的:docker run --restart always --net host --name derper -d yangchuansheng/ip_derper |
 | 3 hanguofu 2023-02-15 04:19:14 +08:00 谢谢分享。问一个小白级别的问题: 关于 Tailscale 的应用,有没有一个开源的账号管理系统呢?我想让一群人通过这个账号管理系统登陆,并连接在同一个网络中。 |
 | 4 zckevin OP |
 | 5 neroxps 2023-02-15 08:51:18 +08:00 headscale 是挺好的,唯一缺点就是 ios 还没客户端。 |
 | 7 MikuM97 2023-02-15 09:34:31 +08:00 derper 我尝试在腾讯轻量上搭建过,可以绑定域名,证书用腾讯云的免费证书即可,主要是端口,别用 443 端口,用 1w 以上的高端口,我这边测是不会拦截未备案的域名 |
 | 9 blessedbin 2023-02-15 09:47:26 +08:00 @Actrace headscale 服务器除了 IOS 的,都能用,README 中也明确说了这个点 |
 | 11 4Ej4z9XsfMCW4b4O 2023-02-15 17:59:59 +08:00 via iPhone Feb 15 17:58:42 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE Feb 15 17:58:42 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'. Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Scheduled restart job, restart counter is at 852. Feb 15 17:58:47 instance-20221104-0025 systemd[1]: Stopped headscale controller. Feb 15 17:58:47 instance-20221104-0025 systemd[1]: Started headscale controller. Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: An updated version of Headscale has been found (0.20.0 vs. your current v0.17.0-alpha4). Check it out https://github.com/juanfont/headscale/releases Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: 2023-02-15T17:58:47+08:00 INF No private key file at path, creating... path=/etc/headscale/private.key Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: 2023-02-15T17:58:47+08:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key" Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'. Feb 15 17:58:52 instance-20221104-0025 systemd[1]: headscale.service: Scheduled restart job, restart counter is at 853. Feb 15 17:58:52 instance-20221104-0025 systemd[1]: Stopped headscale controller. Feb 15 17:58:52 instance-20221104-0025 systemd[1]: Started headscale controller. Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: An updated version of Headscale has been found (0.20.0 vs. your current v0.17.0-alpha4). Check it out https://github.com/juanfont/headscale/releases Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: 2023-02-15T17:58:53+08:00 INF No private key file at path, creating... path=/etc/headscale/private.key Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: 2023-02-15T17:58:53+08:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key" Feb 15 17:58:53 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE Feb 15 17:58:53 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'. Feb 15 17:58:42 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE Feb 15 17:58:42 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'. Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Scheduled restart job, restart counter is at 852. Feb 15 17:58:47 instance-20221104-0025 systemd[1]: Stopped headscale controller. Feb 15 17:58:47 instance-20221104-0025 systemd[1]: Started headscale controller. Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: An updated version of Headscale has been found (0.20.0 vs. your current v0.17.0-alpha4). Check it out https://github.com/juanfont/headscale/releases Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: 2023-02-15T17:58:47+08:00 INF No private key file at path, creating... path=/etc/headscale/private.key Feb 15 17:58:47 instance-20221104-0025 headscale[19004]: 2023-02-15T17:58:47+08:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key" Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE Feb 15 17:58:47 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'. Feb 15 17:58:52 instance-20221104-0025 systemd[1]: headscale.service: Scheduled restart job, restart counter is at 853. Feb 15 17:58:52 instance-20221104-0025 systemd[1]: Stopped headscale controller. Feb 15 17:58:52 instance-20221104-0025 systemd[1]: Started headscale controller. Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: An updated version of Headscale has been found (0.20.0 vs. your current v0.17.0-alpha4). Check it out https://github.com/juanfont/headscale/releases Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: 2023-02-15T17:58:53+08:00 INF No private key file at path, creating... path=/etc/headscale/private.key Feb 15 17:58:53 instance-20221104-0025 headscale[19013]: 2023-02-15T17:58:53+08:00 FTL home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key" Feb 15 17:58:53 instance-20221104-0025 systemd[1]: headscale.service: Main process exited, code=exited, status=1/FAILURE Feb 15 17:58:53 instance-20221104-0025 systemd[1]: headscale.service: Failed with result 'exit-code'. |
| 12 4Ej4z9XsfMCW4b4O 2023-02-15 18:00:37 +08:00 via iPhone headscale 安装后出现这个是咋回事? |
 | 14 zzl22100048 2023-02-16 10:01:20 +08:00 @ninq home/runner/work/headscale/headscale/cmd/headscale/cli/server.go:21 > Error initializing error="failed to read or create private key" 无法创建私钥 |
 | 15 SeaSaltPepper 2023-02-16 11:23:00 +08:00 @ninq headscale 没有 /etc 的权限,建议修改配置文件中 private_key_path 和 db_path 的路径,修改内容配置文件中已经给出建议了,照着改就行(以上建议建立在你是照着官方仓库教程操作下)。 |
 | 16 standin000 2023-03-12 13:35:49 +08:00 请教一个问题,我的服务器有公网 ip ,端口都开了,别的电脑通过 tailscale 连接它还是需要官方中继服务器,请问这是为啥。 |
 | 17 Kilerd 2023-03-21 15:50:25 +08:00 @standin000 我现在也是碰到这个问题,我在有公网 IP 的路由器上部署了 tailscale ,其他客户端访问上去都是需要走 DERP 的,里面的道理我不是很懂。 |
| 18 zckevin OP |
 | 20 Actrace 2024-03-12 02:05:33 +08:00 挖一下坟,,,前几天看到微林出了 derp 的服务,就想到这个帖子。 现在可以直接用了,不需要绕弯路了。 |
 | 22 Drbo 2024-06-03 11:18:51 +08:00 via Android mark 微林 derp |
Select Language