Introduction to DERP
DERP (Designated Encrypted Relay for Packets) servers manage device connections and NAT traversal. They serve two primary purposes: negotiating direct connections between tailnet devices and serving as a relay server when a direct connection isn’t possible. Most connections between tailnet devices only use DERP servers to establish a direct connection to another tailnet device. But as a last resort, when a direct connection isn’t possible due to hard NAT, firewalls, or another reason, devices can communicate using a DERP server as a relay. DERP servers are dual-stack, meaning they support IPv4 and IPv6. As a result, they can facilitate connections between IPv4-only and IPv6-only devices. Data sent between devices using a DERP relayed connection is encrypted using WireGuard. Because Tailscale private keys never leave the device where they were generated, it’s impossible for a DERP server to decrypt your traffic. A DERP server blindly forwards already-encrypted traffic from one device to another.
Some especially cruel networks block UDP entirely, or are otherwise so strict that they simply cannot be traversed using STUN and ICE. For those situations, Tailscale provides a network of so-called DERP (Designated Encrypted Relay for Packets) servers. These fill the same role as TURN servers in the ICE standard, except they use HTTPS streams and WireGuard keys instead of the obsolete TURN recommendations.
In short, DERP is a TCP (HTTPS) relay service designed for Tailscale. Because each node's WireGuard private key never leaves that node, the relay only forwards ciphertext; it cannot read the traffic it carries.
Service architecture
graph TD
subgraph Server
TailscaleClient(Tailscale Client)
Docker(Docker)
subgraph Docker
DERPServer(DERP Server)
end
Nginx("Nginx
reverse proxy")
end
subgraph Tailnet
Client1(Client 1)
Client2(Client 2)
ClientN(Client n)
end
TailscaleClient <-- tailscaled.sock --> DERPServer
TailscaleClient <-- Tailscale --> Tailnet
DERPServer <-- 8443:8443/tcp --> Nginx
DERPServer <-- 3478:3478/udp --> Tailnet
Nginx <-- 443/tcp --> Tailnet
Deployment
Tailscale
Install Tailscale with the following command:
curl -fsSL https://tailscale.com/install.sh | sh
Then run tailscale up to start the daemon and log in to your account. The DERP server verifies clients through this local tailscaled, so the host itself must be a member of the tailnet.
Docker
Create a docker-compose.yml with the content below, replace example.com with your own domain, and start the service with docker compose up -d. With DERP_VERIFY_CLIENTS enabled, derper asks the host's tailscaled (via the mounted socket) whether each connecting node belongs to your tailnet and rejects everyone else, so strangers who discover the relay cannot use it. Because derper is given a non-443 listen address, it serves plain HTTP on 8443 and TLS is terminated by the Nginx reverse proxy described next.
services:
  derp:
    image: fredliang/derper:latest
    container_name: derp
    restart: always
    ports:
      - "8443:8443"        # plain-HTTP DERP endpoint, only reached through Nginx
      - "3478:3478/udp"    # STUN, used by clients for NAT discovery
    environment:
      DERP_DOMAIN: example.com
      DERP_ADDR: :8443
      DERP_VERIFY_CLIENTS: "true"   # quoted: Compose requires string values here
      DERP_CERT_MODE: letsencrypt
      DERP_CERT_DIR: /app/certs
      DERP_STUN: "true"
    volumes:
      - /usr/share/zoneinfo/Asia/Shanghai:/etc/localtime:ro
      # needed by DERP_VERIFY_CLIENTS to check membership against the host's tailscaled
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
Nginx
Use Nginx to reverse-proxy derp's HTTP port; the domain and the certificate are yours to provide. The Upgrade and Connection headers are required, because a DERP client opens the session with an HTTP Upgrade and then keeps the connection for as long as it needs the relay. DERP sessions are long-lived, so if clients reconnect about once a minute, raise proxy_read_timeout in this location block (Nginx's default is 60s).
server {
listen 443 ssl http2;
server_name example.com;
ssl_certificate /etc/letsencrypt/live/example.com/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
location / {
proxy_redirect off;
proxy_pass http://127.0.0.1:8443;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
}
Access control
Open the Access Controls page of the Tailscale admin console and edit the policy as follows:
{
"derpMap": {
"OmitDefaultRegions": true,
"Regions": {
"114": {
"RegionID": 114,
"RegionCode": "exp",
"RegionName": "Example",
"Nodes": [
{
"Name": "example",
"RegionID": 114,
"HostName": "example.com",
"DERPPort": 443,
},
],
},
},
},
"acls": [
......
],
... other existing content ...
}
- "OmitDefaultRegions": true means the official public DERP servers are not used, since they are all outside mainland China and usually have high latency; you can also set it to false to keep them as a fallback.
- The region number and names can be anything you like, but the hostname and port must match the Nginx configuration above. If you keep the public DERP servers, make sure your server's region ID, region code and other fields do not collide with the existing ones.
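The derpMap above is pasted into the admin console by hand, and the two things that silently break a custom region are a RegionID that does not match its key or node, and a HostName/DERPPort that does not match the Nginx server block. The following checker is an added example, not part of the original post or of Tailscale's tooling; it assumes the expected hostname and port are the ones from your Nginx server block, the sample policy is constructed to mirror the layout above, and HuJSON is only loosened as far as trailing commas and whole-line // comments.

```python
"""Validate a Tailscale derpMap block before pasting it into the admin console.
Added example; SAMPLE_POLICY is a constructed policy, not a real tailnet's."""
import json
import re

# Constructed sample with the same layout as the post's derpMap.
SAMPLE_POLICY = """
{
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": {
      "114": {
        "RegionID": 114,
        "RegionCode": "exp",
        "RegionName": "Example",
        "Nodes": [
          {
            "Name": "example",
            "RegionID": 114,
            "HostName": "example.com",
            "DERPPort": 443,
          },
        ],
      },
    },
  },
  "acls": [],
}
"""


def load_hujson(text: str) -> dict:
    """Strip whole-line // comments and trailing commas, then parse as JSON.
    Enough for policy snippets like the one above; not a full HuJSON parser."""
    text = re.sub(r"^\s*//[^\n]*$", "", text, flags=re.MULTILINE)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def check_derp_map(policy: dict, expected_host: str, expected_port: int) -> list:
    """Return a list of findings (empty means the derpMap is consistent)."""
    findings = []
    derp_map = policy.get("derpMap")
    if not isinstance(derp_map, dict):
        return ["no derpMap object in policy"]
    regions = derp_map.get("Regions")
    if not isinstance(regions, dict) or not regions:
        return ["derpMap.Regions is missing or empty"]
    for key, region in regions.items():
        rid = region.get("RegionID")
        if not key.isdigit() or rid != int(key):
            findings.append(f"region key {key!r} does not match RegionID {rid!r}")
        nodes = region.get("Nodes") or []
        if not nodes:
            findings.append(f"region {key}: no Nodes")
        names = set()
        for node in nodes:
            name = node.get("Name", "")
            if name in names:
                findings.append(f"region {key}: duplicate node Name {name!r}")
            names.add(name)
            if node.get("RegionID") != rid:
                findings.append(f"region {key}: node {name!r} RegionID "
                                f"{node.get('RegionID')!r} != {rid!r}")
            if node.get("HostName") != expected_host:
                findings.append(f"region {key}: node {name!r} HostName "
                                f"{node.get('HostName')!r} != {expected_host!r}")
            # DERPPort is optional; derper's HTTPS port defaults to 443 when absent.
            port = node.get("DERPPort", 443)
            if port != expected_port:
                findings.append(f"region {key}: node {name!r} DERPPort {port!r} "
                                f"!= Nginx listen port {expected_port!r}")
    if not derp_map.get("OmitDefaultRegions", False):
        findings.append("OmitDefaultRegions is false: make sure RegionID and "
                        "RegionCode do not collide with Tailscale's public regions")
    return findings


if __name__ == "__main__":
    # Replace the sample with the contents of your own policy file.
    for finding in check_derp_map(load_hujson(SAMPLE_POLICY), "example.com", 443) or ["OK"]:
        print(finding)
```

Run it against your real policy (read the file instead of SAMPLE_POLICY) with the server_name and listen port from your Nginx config; an empty result means the region is internally consistent and points at the reverse proxy you actually configured.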
Usage
Install and log in to Tailscale on a client, then run tailscale netcheck from the client's command line. If the output lists your DERP server, the deployment succeeded.
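tailscale netcheck exercises two things this setup exposes: the STUN port on UDP 3478 and the DERP endpoint behind Nginx on 443. When netcheck does not show the region, it helps to probe each separately. The script below is an added example, not code from the original post or from Tailscale; it implements the RFC 5389 Binding Request/Response exchange that netcheck performs, plus a plain GET to /derp that derper answers with 426 Upgrade Required when the request lacks an Upgrade header, which proves Nginx reached the container. The hostname example.com and the embedded sample response (mapping the caller to 203.0.113.7:40000, a TEST-NET-3 address) are constructed.

```python
"""Probe a self-hosted DERP server's STUN and HTTPS endpoints.
Added example; HOST and the sample response bytes are constructed."""
import http.client
import os
import socket
import struct

STUN_MAGIC_COOKIE = 0x2112A442
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid: bytes) -> bytes:
    """RFC 5389 Binding Request: 20-byte header, no attributes."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


def parse_binding_response(data: bytes, txid: bytes):
    """Return (ip, port) from a Binding Success response; raise ValueError otherwise."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    msg_type, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC_COOKIE:
        raise ValueError("bad magic cookie")
    if data[8:20] != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    if msg_type != BINDING_SUCCESS:
        raise ValueError(f"unexpected message type 0x{msg_type:04x}")
    body = data[20:20 + length]
    xor_key = struct.pack("!I", STUN_MAGIC_COOKIE) + txid
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)  # attributes are padded to 4 bytes
        if attr_type not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
            continue
        family, port = value[1], struct.unpack("!H", value[2:4])[0]
        addr_len = 4 if family == 0x01 else 16  # IPv4 or IPv6 (DERP STUN is dual-stack)
        raw_ip = value[4:4 + addr_len]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC_COOKIE >> 16
            raw_ip = bytes(b ^ k for b, k in zip(raw_ip, xor_key))
        af = socket.AF_INET if family == 0x01 else socket.AF_INET6
        return socket.inet_ntop(af, raw_ip), port
    raise ValueError("no (XOR-)MAPPED-ADDRESS attribute in response")


def sample_response(txid: bytes) -> bytes:
    """Constructed Binding Success reply saying the caller is 203.0.113.7:40000."""
    ip = bytes([203, 0, 113, 7])
    xip = bytes(b ^ k for b, k in zip(ip, struct.pack("!I", STUN_MAGIC_COOKIE)))
    xport = 40000 ^ (STUN_MAGIC_COOKIE >> 16)
    attr = struct.pack("!HHBBH", ATTR_XOR_MAPPED_ADDRESS, 8, 0, 0x01, xport) + xip
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), STUN_MAGIC_COOKIE) + txid + attr


def stun_probe(host: str, port: int = 3478, timeout: float = 3.0):
    """Send one Binding Request over UDP and return our reflexive (ip, port)."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (host, port))
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)


def derp_http_probe(host: str, port: int = 443, timeout: float = 5.0) -> int:
    """GET /derp through the reverse proxy without Upgrade: derper replies 426."""
    conn = http.client.HTTPSConnection(host, port, timeout=timeout)
    conn.request("GET", "/derp")
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    HOST = "example.com"  # assumption: replace with your DERP hostname
    print("STUN reflexive address:", stun_probe(HOST))
    print("GET /derp status (expect 426):", derp_http_probe(HOST))
```

A reflexive address from the STUN probe confirms UDP 3478 is mapped through Docker and any firewall; a 426 from the HTTPS probe confirms the Nginx upgrade proxying reaches derper on 8443. A 502 or a timeout points at the proxy or the container, and a transaction-id mismatch means the reply came from something other than the request you sent.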
Your senior's blog posts are really good and concise. I didn't know Tailscale could even point at your own DERP server through access control; does that mean iOS and iPadOS can use a self-hosted relay too? I had been wanting to set up a ZeroTier Moon server for a while, but the ZeroTier app on Apple devices never let me choose my own relay, so it looks like it's time to switch to Tailscale wwwwww
Yes, all clients can use it.