准备
准备虚拟机
1~3个人,需要1C2G10GB的云主机。
加入堡垒机
安装docker
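# Install Docker Engine. This assumes the docker-ce yum repository is already
# configured on the host; that step is not shown in this document.
yum install -y docker-ce
# Provide a `docker-compose` alias for the Compose v2 plugin syntax. The grep
# guard keeps re-running this snippet from appending duplicate alias lines.
grep -q 'alias docker-compose=' ~/.bashrc || echo 'alias docker-compose="docker compose"' >> ~/.bashrc
. ~/.bashrc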
申请证书
# Aliyun DNS API credentials used by acme.sh's dns_ali hook for the DNS-01
# challenge. "xxx" are placeholders; prefer sourcing them from a root-only file
# rather than typing them on the command line (they are credentials).
export Ali_Key="xxx" Ali_Secret="xxx"
# Issue the certificate for the DERP hostname. --challenge-alias delegates the
# validation record to xxx.cn; --force re-issues even when a valid cert exists,
# so avoid running it in a loop (CA rate limits).
/root/.acme.sh/acme.sh --issue -d derp.sddts.cn --challenge-alias xxx.cn --dns dns_ali --force
证书手动申请,然后放在/opt/derp/certs路径下
部署
创建目录
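# Create the bind-mount roots used by the docker-compose file below, including
# the subdirectories it actually mounts (config, data, certs).
# /opt/headscale/data ends up holding headscale's private keys and database and
# /opt/derp/certs the TLS key; consider tightening their permissions once the
# uid the containers run as is known.
mkdir -p /opt/headscale/config /opt/headscale/data /opt/derp/certs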
准备.env文件
# Environment values for the DERP relay.
# NOTE(review): the docker-compose file below has no `env_file:` entry and no
# `${VAR}` references, so Compose will not pass these variables to the
# containers as written — add `env_file: .env` to the service or drop this file.
TAILSCALE_DERP_HOSTNAME=derp.sddts.cn
# Presumably restricts relaying to clients the local tailscaled recognises —
# verify against the image documentation.
TAILSCALE_DERP_VERIFY_CLIENTS=true
#TAILSCALE_DERP_CERTMODE=letsencrypt
# The certificate is issued by acme.sh above and placed in /opt/derp/certs.
TAILSCALE_DERP_CERTMODE=manual
# Pre-auth key — a credential. Keep this file out of version control and
# readable by root only. The value shown appears to be a placeholder.
TAILSCALE_AUTH_KEY="tskey-auth-123-123"
准备docker-compose文件
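# Two services: the headscale control server and a self-hosted DERP relay.
# NOTE(review): the .env file prepared above is not referenced here (no
# `env_file:` and no `${VAR}` substitution), so its TAILSCALE_* values have no
# effect on either container unless the images read them by themselves — confirm.
version: '3'  # ignored (with a warning) by Compose v2; harmless to keep
services:
  headscale:
    image: dockerproxy.com/juanfont/headscale:sha-b01f1f1
    container_name: headscale
    volumes:
      - /opt/headscale/config:/etc/headscale    # config.yaml / derp.yaml are written here at start
      - /opt/headscale/data:/var/lib/headscale  # private keys and the sqlite DB; keep host permissions tight
    environment:
      - "TZ=Asia/Shanghai"
    ports:
      # Control-plane API. server_url below is plain http on this port, while
      # the client section logs in with https://derp.sddts.cn:51820, which is
      # not published by either service — presumably a TLS reverse proxy not
      # shown in this document sits in front of 51110. Confirm before rollout.
      - "51110:51110"
      # Metrics. metrics_listen_addr binds to 127.0.0.1 inside the container, so
      # this mapping cannot reach it from the host; either drop the mapping or
      # knowingly bind metrics to 0.0.0.0 and restrict access with a firewall.
      - "51111:51111"
    restart: unless-stopped
    # The entrypoint writes both config files from heredocs and then starts
    # headscale. The heredoc bodies are quoted ('EOF'), so nothing inside them
    # is expanded by sh. gRPC (50443) listens on 0.0.0.0 in the container but is
    # not published, so it is reachable only on the compose network.
    # acl_policy_path is empty: no ACL policy is loaded, which presumably lets
    # every node reach every other node — add a policy if clients must be
    # segmented from each other.
    entrypoint:
      - sh
      - -euc
      - |
        cat <<'EOF'>/etc/headscale/config.yaml
        ---
        server_url: http://derp.sddts.cn:51110
        listen_addr: 0.0.0.0:51110
        metrics_listen_addr: 127.0.0.1:51111
        grpc_listen_addr: 0.0.0.0:50443
        grpc_allow_insecure: false
        private_key_path: /var/lib/headscale/private.key
        noise:
          private_key_path: /var/lib/headscale/noise_private.key
        ip_prefixes:
          #- fd7a:115c:a1e0::/48
          - 100.64.0.0/10
        derp:
          paths:
            - /etc/headscale/derp.yaml
          auto_update_enabled: true
          update_frequency: 24h
        disable_check_updates: false
        ephemeral_node_inactivity_timeout: 30m
        node_update_check_interval: 10s
        db_type: sqlite3
        db_path: /var/lib/headscale/db.sqlite
        acme_url: https://acme-v02.api.letsencrypt.org/directory
        acme_email: ""
        tls_letsencrypt_hostname: ""
        tls_letsencrypt_cache_dir: /var/lib/headscale/cache
        tls_letsencrypt_challenge_type: HTTP-01
        tls_letsencrypt_listen: ":http"
        tls_cert_path: ""
        tls_key_path: ""
        log:
          format: text
          level: info
        acl_policy_path: ""
        dns_config:
          override_local_dns: true
          nameservers:
            - 223.5.5.5
          domains: []
          magic_dns: true
          base_domain: example.com
        unix_socket: /var/run/headscale/headscale.sock
        unix_socket_permission: "0770"
        logtail:
          enabled: false
        randomize_client_port: false
        EOF
        cat <<'EOF'>/etc/headscale/derp.yaml
        regions:
          900:
            regionid: 900
            regioncode: thk
            regionname: office
            nodes:
              - name: office-A
                regionid: 900
                hostname: derp.sddts.cn
                stunport: 51113
                stunonly: false
                derpport: 51112
        EOF
        headscale serve
  derp:
    # Floating tag: pin a digest or fixed version so upgrades are reproducible
    # and reviewable.
    image: dockerproxy.com/yangchuansheng/derper:latest
    container_name: derp
    restart: always
    init: true
    ports:
      # Nothing in this file shows a listener on 80/443: DERP_ADDR is :51112 and
      # derp.yaml points clients at 51112/51113. Presumably left over from the
      # letsencrypt cert mode — drop them if unused to shrink the exposed surface.
      - "80:80"
      - "443:443"
      - "51112:51112"      # DERP relay, matches derpport in derp.yaml
      - "51113:51113/udp"  # STUN, matches stunport in derp.yaml
    # Capabilities beyond Docker's default set; keep them only if the image
    # actually needs them (not evident from this file).
    cap_add:
      - NET_RAW
      - NET_ADMIN
    volumes:
      - /opt/derp/certs:/app/certs/      # certificate for derp.sddts.cn issued above (DERP_CERT_MODE=manual)
      - /etc/localtime:/etc/localtime:ro
    environment:
      - "DERP_CERT_MODE=manual"
      - "DERP_ADDR=:51112"
      - "DERP_DOMAIN=derp.sddts.cn"
      - "TZ=Asia/Shanghai"
      # NOTE(review): no client-verification setting is passed to derper here,
      # although .env sets TAILSCALE_DERP_VERIFY_CLIENTS=true (and that file is
      # not loaded by this compose file). Without verification the relay
      # presumably forwards for any client that can reach it — check the
      # image's documentation for the matching DERP_* variable and set it here.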
客户端连接
启动客户端
客户端侧
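# Join the headscale network, re-authenticating even if already logged in
# (--force-reauth), and offer 192.168.105.0/24 as a subnet route reachable
# through this client. The route is only usable once it is approved on the
# server (`headscale routes enable`, see the server-side commands below).
# NOTE(review): the login server here is https on port 51820, while the compose
# file publishes headscale on plain http 51110 — presumably a TLS reverse proxy
# not shown in this document; confirm the URL before rollout.
tailscale up --login-server=https://derp.sddts.cn:51820 --accept-routes=true --accept-dns=false --force-reauth --advertise-routes=192.168.105.0/24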
服务端侧
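# Find the running headscale container. `docker ps -q -f name=headscale`
# replaces the grep/awk pipeline, which would also match any other container
# whose image or command merely contains "headscale".
dockerid=$(docker ps -q -f name=headscale)
# Open a shell in it. The container must precede the command: the original
# `docker exec -it /bin/bash $dockerid` fails because docker treats "/bin/bash"
# as the container name.
docker exec -it "$dockerid" /bin/bash
# Inside the container: register the node with the key the client presumably
# printed after `tailscale up` ("xxx" is a placeholder). Only register keys
# for machines you expect — every registration admits a node to the mesh.
headscale -n default nodes register --key xxx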
客户端常用命令
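# Start the tailscaled service (the daemon). Note that tailscaled and tailscale
# are different programs: the former is the background service, the latter the
# CLI that controls it. On systemd hosts this is typically:
#   systemctl enable --now tailscaled
# Connect to the headscale network
tailscale up
# Disconnect
tailscale down
# Show connection status
tailscale status
# Show the IP address assigned to this client after joining the headscale network
tailscale ip
# Show latency from this client to the DERP relays
tailscale netcheck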
服务端常用命令
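# List registered nodes — review this periodically so unexpected registrations
# are noticed.
headscale nodes list
# List routes in the headscale network (mainly subnet routes advertised by clients)
headscale routes list
# Enable / delete / disable a client-advertised route. Advertised routes stay
# inactive until enabled here, so this is the approval step for any subnet a
# client offers; enable only routes you intend to expose to the whole mesh.
headscale routes enable|delete|disable $routeid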
参考
https://hub.docker.com/r/sparanoid/derp
https://tailscale.com/kb/manage-devices/
https://www.linshenkx.cn/archives/tailscale-derper-docker
https://github.com/tijjjy/Tailscale-DERP-Docker