Debian series: build a Tailscale DERP server (relay server) for dummies
This article was last updated 128 days ago. The information in it may have developed or changed. If it is invalid, please leave a message in the comment section.

Tailscale has no official relay server in mainland China (you know why). It still works through overseas relays, but the latency is high, and honestly a shared public relay never feels pleasant (do you share underwear with strangers?). If you want low latency and a relay of your own, the only option is to build one yourself. If your home broadband has a public IP address, or you already have a cloud host, you can run your own DERP server.

1. Install the latest version of go

Because DERP is developed in go, you need to install the go environment first.

First download the package for your system from the official Go download page: https://go.dev/dl/
image.png

The download page offers packages for different systems; my lightweight cloud server runs Debian 11:

image.png

So download the go1.21.2.linux-amd64.tar.gz package shown in the red box, upload it to root's home directory, cd into that directory, and run the following command (log in as root or run it through sudo):

rm -rf /usr/local/go && tar -C /usr/local -xzf go1.21.2.linux-amd64.tar.gz

rm -rf /usr/local/go removes any previously installed version of Go; if Go was never installed, the rm part is unnecessary. tar then extracts go1.21.2.linux-amd64.tar.gz into /usr/local/go, as shown below:

image.png

Add Go's bin directory, /usr/local/go/bin, to the PATH environment variable so that the go command can be found:

export PATH=$PATH:/usr/local/go/bin

Note: this only sets the variable for the current shell session. To have it set automatically in every new login shell, edit the ~/.bashrc file, append the export line above as its last line, then save and exit.

Confirm that Go is installed by running:

go version

The command should print the installed Go version:
image.png
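The steps above (download, extract to /usr/local/go, add the bin directory to PATH, verify) as one script. This is an added example, not the article's own commands: it assumes the tarball is published at https://go.dev/dl/ with a matching .sha256 file beside it, and that curl, sha256sum and tar are installed. It goes slightly beyond the article by picking the tarball for the machine's architecture (amd64 or arm64, not only amd64) and by appending the PATH line to ~/.bashrc only once, so re-running it does not pile up duplicate lines.

```shell
#!/usr/bin/env bash
# Added example (not the article's script): install Go from go.dev and make
# /usr/local/go/bin available in every new shell, idempotently.
set -eu

GO_VERSION="${GO_VERSION:-1.21.2}"            # version used in the article
GO_DL_BASE="${GO_DL_BASE:-https://go.dev/dl}" # official download location
GO_ROOT_PARENT=/usr/local                     # tarball unpacks to /usr/local/go
PATH_LINE='export PATH=$PATH:/usr/local/go/bin'

# Map `uname -m` output to the GOARCH name used in the tarball filename.
go_arch() {
  case "$1" in
    x86_64)        echo amd64 ;;
    aarch64|arm64) echo arm64 ;;
    armv7l|armv6l) echo armv6l ;;
    *) echo "unsupported architecture: $1" >&2; return 1 ;;
  esac
}

# Tarball name for a version and a `uname -m` string, e.g. go1.21.2.linux-amd64.tar.gz
go_tarball() {
  echo "go$1.linux-$(go_arch "$2").tar.gz"
}

# Append a line to a file only if that exact line is not already present.
ensure_line() {
  file=$1; line=$2
  touch "$file"
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >>"$file"
}

# Download the tarball, verify it against the published SHA-256, replace any old Go.
install_go() {
  tarball=$(go_tarball "$GO_VERSION" "$(uname -m)")
  tmp=$(mktemp -d)
  curl -fsSL -o "$tmp/$tarball" "$GO_DL_BASE/$tarball"
  curl -fsSL -o "$tmp/$tarball.sha256" "$GO_DL_BASE/$tarball.sha256"
  # The .sha256 file holds only the hex digest; build a line that sha256sum -c understands.
  (cd "$tmp" && printf '%s  %s\n' "$(cat "$tarball.sha256")" "$tarball" | sha256sum -c -)
  rm -rf "$GO_ROOT_PARENT/go"
  tar -C "$GO_ROOT_PARENT" -xzf "$tmp/$tarball"
  rm -rf "$tmp"
}

main() {
  [ "$(id -u)" -eq 0 ] || { echo "run as root or via sudo" >&2; exit 1; }
  install_go
  ensure_line "${HOME}/.bashrc" "$PATH_LINE"
  export PATH="$PATH:$GO_ROOT_PARENT/go/bin"
  go version
}

# Run the installer only when invoked as `install-go.sh install`; otherwise just define functions.
case "${1:-}" in install) main ;; esac
```

Run it as root with `bash install-go.sh install`. The checksum step is what the manual download lacks: a tarball that does not match the digest go.dev publishes is refused before it is extracted over /usr/local/go.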

2. Install DERP server

Run the following command to install the latest DERP server binary into $HOME/go/bin:

go install tailscale.com/cmd/derper@main

But I got an error:

image.png

Opening the URL from the screenshot above directly gives the following result:
image.png

172.217.160.113 appears to be a Google CDN address, which means it is unreachable from here (you know why). In that case, temporarily point Go at a module proxy:

export GOPROXY=https://goproxy.io

or:

export GOPROXY=https://goproxy.cn

Run the install command again; this time it succeeds:
image.png

Before running the binary you need a domain name that resolves to the server. With the domain name and the binary in place, you can run the DERP server under that domain.

If you have a cloud server on which ports 443 and 80 are unused, you can start derper directly with:

sudo /root/go/bin/derper -c=/root/derper.conf -hostname=ab.cd.ef -a=:443 -stun 

-hostname: a valid public domain name. derper automatically obtains a Let's Encrypt certificate for it.

-a: the TCP port derper listens on. The default is 443 (using port 443 requires the domain name to be registered with the provider; see below). Any other port can be used without registering the domain name.

-stun: enables the STUN service on UDP (default port 3478), which clients use for their connectivity checks.

This starts the DERP server listening on port 443 (or the port you specified); you can then follow step 3 to add it to your Tailscale network.

About port 443: if you want to use port 443, the domain name must be registered, otherwise the cloud provider reads your domain name from the SNI information in the TLS handshake, looks it up in its registration database, and resets the TLS handshake when it is not there. So I recommend not using port 443. I also run a DERP at home that works just as well without ports 80 and 443; the downside of that setup is that Let's Encrypt cannot renew the certificate automatically (that needs port 443), so the certificate directory has to be specified manually (not a big deal in practice: Alibaba Cloud and Tencent Cloud both offer free one-year certificates, and replacing one once a year takes minutes).

Having port 443 free and the domain name registered is only a prerequisite. If the cloud host already serves a site with nginx (or Apache, which is even more troublesome) on port 443, you need nginx's stream module for a layer-4 reverse proxy (it forwards raw TCP, so the TLS session passes through to derper untouched) so that DERP's 443 can coexist with other sites. If nginx was installed without the stream module, it has to be recompiled. It is all a hassle; I'm lazy, so I think it is better to skip it. On a brand-new cloud server it can be planned from the start, but my cloud host already runs a lot of applications, so I cannot be bothered. If you need it (mainly so that Let's Encrypt renews the certificate automatically and you do not have to replace the free one-year certificate by hand every year), study it yourself. In this article I deploy on a non-443 port.

This method also works for home broadband with a public IP address. Ideally you have both a public IPv4 and a public IPv6 address, which covers more clients (IPv4-only, IPv6-only and dual-stack). If you have both and want to use both, add an A record and an AAAA record for the DERP domain name at your DNS provider.

Prepare the DNS record for the DERP domain name and the certificate for that domain name in advance (if you bought the domain name from Alibaba Cloud or Tencent Cloud, a free one-year certificate is easy to get).

Without ports 443 and 80, the command looks like this:

sudo /root/go/bin/derper -c=/root/derper.conf -hostname=ab.cd.ef -a=:45678 -http-port -1 -stun -certmode=manual -certdir=xxx

-a=:45678: change the listening port to 45678 (adjust to your environment)

-http-port -1: disable the plain HTTP listener on port 80

-certmode=manual: use a certificate you supply instead of Let's Encrypt

-certdir=yourcertpath: the directory holding your certificate. The file names must follow derper's convention: for the domain name example.com, the certificate must be named example.com.crt and the private key example.com.key

-verify-clients: if only you should be able to use this DERP server, install the Tailscale client on the same cloud host, log it in to your account, and add this flag; derper then only relays for nodes it can verify through the local Tailscale client. Leave the flag out if you want to share the relay with friends, but be careful on a cloud host with a fixed public IP, since anyone who discovers the relay can then use it.
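A launcher for the non-443 deployment just described, as an added example rather than the article's own script. It checks the manual-certificate layout before derper starts: both files must exist under the <domain>.crt / <domain>.key names derper expects, the private key must not be readable by other local users, and (when openssl is installed) the key must belong to the certificate and the certificate must still be valid for a while, so that a mis-named file or an expired one-year certificate is caught before clients start failing. The binary path, the ab.cd.ef domain and port 45678 are the article's values; the /root/certs directory and the VERIFY_CLIENTS switch are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the article): preflight checks, then start derper in -certmode=manual.
set -eu

DERPER_BIN="${DERPER_BIN:-/root/go/bin/derper}"   # install path from the article
DERP_HOSTNAME="${DERP_HOSTNAME:-ab.cd.ef}"        # placeholder domain from the article
DERP_PORT="${DERP_PORT:-45678}"
CERT_DIR="${CERT_DIR:-/root/certs}"               # assumed location of <host>.crt / <host>.key
VERIFY_CLIENTS="${VERIFY_CLIENTS:-1}"             # 1 = add -verify-clients (only your tailnet may relay)
MIN_CERT_DAYS="${MIN_CERT_DAYS:-14}"              # refuse to start with a certificate about to expire

# derper's manual mode expects <dir>/<hostname>.crt and <dir>/<hostname>.key.
check_certdir() {
  dir=$1; host=$2
  [ -r "$dir/$host.crt" ] && [ -r "$dir/$host.key" ]
}

# The private key must not be group- or world-readable (mode ending in 00, e.g. 600 or 400).
check_key_perms() {
  mode=$(stat -c '%a' "$1")
  [ "${mode#"${mode%??}"}" = "00" ]
}

# Confirm the certificate and key belong together and the cert is valid for at least N more days.
check_cert() {
  crt=$1; key=$2; min_days=$3
  if ! command -v openssl >/dev/null 2>&1; then
    echo "openssl not found; skipping certificate/key checks" >&2
    return 0
  fi
  cert_pub=$(openssl x509 -in "$crt" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
  [ "$cert_pub" = "$key_pub" ] || { echo "certificate and key do not match" >&2; return 1; }
  openssl x509 -in "$crt" -noout -checkend $((min_days * 86400)) >/dev/null \
    || { echo "certificate expires within $min_days days; replace it first" >&2; return 1; }
}

# Emit the derper flags from the article, one per line, plus -verify-clients when enabled.
derper_args() {
  printf '%s\n' -c=/root/derper.conf "-hostname=$DERP_HOSTNAME" "-a=:$DERP_PORT" \
    -http-port=-1 -stun -certmode=manual "-certdir=$CERT_DIR"
  [ "$VERIFY_CLIENTS" = 1 ] && printf '%s\n' -verify-clients
  return 0
}

main() {
  check_certdir "$CERT_DIR" "$DERP_HOSTNAME" \
    || { echo "expected $CERT_DIR/$DERP_HOSTNAME.crt and $CERT_DIR/$DERP_HOSTNAME.key" >&2; exit 1; }
  check_key_perms "$CERT_DIR/$DERP_HOSTNAME.key" \
    || { echo "private key is readable by other users; chmod 600 it" >&2; exit 1; }
  check_cert "$CERT_DIR/$DERP_HOSTNAME.crt" "$CERT_DIR/$DERP_HOSTNAME.key" "$MIN_CERT_DAYS"
  # Remember: TCP $DERP_PORT and UDP 3478 (STUN) must also be open in the host firewall.
  mapfile -t args < <(derper_args)
  exec "$DERPER_BIN" "${args[@]}"
}

# Start only when invoked as `start-derper.sh start`; otherwise just define the functions.
case "${1:-}" in start) main ;; esac
```

Run it as root with `bash start-derper.sh start`; set `VERIFY_CLIENTS=0` in the environment to share the relay. Because it ends in `exec`, the script is also usable as the ExecStart target of a boot-time service.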

Once the command is running, open https://ab.cd.ef:45678 in a browser. If everything works, you will see this:
image.png

To start DERP at boot, see my other article: 3 common ways to set up commands or scripts for Debian series to start at boot


NOTE: to stay compatible with Tailscale client updates, update the DERP server regularly by re-running the installation command: go install tailscale.com/cmd/derper@main.


3. Add DERP server to your tailscale network

Each region has a unique region ID. Region IDs 900-999 are reserved for user-defined custom regions and are never used by Tailscale itself.

For example, the following configuration enables a custom DERP server at the domain name example.com:

{
  // ... other parts of the ACL/policy JSON
  "derpMap": {
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "myderp",
        "Nodes": [
          {
            "Name": "1",
            "RegionID": 900,
            "HostName": "example.com",
            "DERPPort": 45678,
          }
        ]
      }
    }
  }
}

The important part of the code above is the red box in the figure below; paste it into Access Controls in the Tailscale admin console, just before the final "}":

image.png

When editing, watch the syntax, especially the "," at the end of each line.

In this configuration the only values that really need changing are "HostName" and "DERPPort" (if you have only one region): the former is your domain name, the latter the listening port you gave derper above. There is also the default STUN port, UDP 3478. Both ports must be opened in your cloud server's firewall.

On any machine with Tailscale installed (Linux or Windows), run this to see which DERP is used:

tailscale netcheck

The display is as follows:
image.png

What is shown here is the "RegionCode" name you defined in the configuration above. I have two DERP servers, a lightweight server on Tencent Cloud and a Mac mini on my home broadband. Note that this check only probes UDP port 3478: a server listed here is reachable over STUN but not necessarily usable, because in the end the HTTPS port DERP listens on must also be reachable (the https://domain name:custom port page mentioned earlier must open normally in a browser).

You can also check in Machine Details on the Tailscale website; the Region ID used (defined in the configuration above) is shown there:
image.png

If you have several DERP servers, add several Regions as backups. For example, I added two regions with IDs 900 and 901:

image.png

The following is displayed in Machine Details:
image.png

Some commonly used Tailscale terminal commands:

tailscale status # shows the connection state between Tailscale nodes: online or offline, direct or relayed, and through which relay

image.png

tailscale ping # shows directly whether a peer is reached through DERP and through which DERP server

We can take this one step further: how do you monitor the health of the DERP server? The simplest way is to monitor https://DERP domain name:specified port. For details see my other article: Docker series builds a real-time health monitoring and alarm system for applications based on uptime and bark
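The netcheck caveat above (STUN answering does not prove the HTTPS side works) and the monitoring suggestion both come down to the same two probes. As an added example, not something from the article or from Tailscale, here is a check script that opens https://<domain>:<port>/ over TLS and, separately, sends a STUN Binding Request to UDP 3478 and inspects the reply, so that a monitor can alert when either side breaks. It assumes curl, coreutils (timeout, od, head) and bash's /dev/udp pseudo-device; the domain and ports are passed as arguments.

```shell
#!/usr/bin/env bash
# Added example (not the article's): health check for a self-hosted DERP server,
# covering both the HTTPS listener and the STUN UDP port.
set -eu

# Build a 20-byte STUN Binding Request (RFC 5389): type 0x0001, length 0,
# magic cookie 0x2112A442, then a 12-byte random transaction ID.
stun_binding_request() {
  printf '\000\001\000\000\041\022\244\102'
  head -c 12 /dev/urandom
}

# Read a STUN message from stdin; succeed if it is a Binding Success Response (type 0x0101).
stun_is_binding_success() {
  type=$(head -c 2 | od -An -tx1 | tr -d ' \n')
  [ "$type" = "0101" ]
}

# HTTPS side: derper serves a status page at /, so HTTP 200 means TLS and the listener work.
# A certificate error, wrong port or provider-side TLS reset all show up here as a failure.
check_derp_https() {
  host=$1; port=$2
  code=$(curl -sS -o /dev/null -w '%{http_code}' --max-time 5 "https://$host:$port/" || true)
  [ "$code" = 200 ]
}

# UDP side: send one Binding Request and check the type field of the reply.
check_derp_stun() {
  host=$1; port=${2:-3478}
  req=$(mktemp)
  stun_binding_request >"$req"   # staged in a file so cat sends it as a single datagram
  if { cat "$req" >&3; timeout 3 head -c 2 <&3 | stun_is_binding_success; } 3<>"/dev/udp/$host/$port"; then
    rc=0
  else
    rc=1
  fi
  rm -f "$req"
  return $rc
}

# Run both checks; exit status is non-zero if either fails, which suits cron or a monitor hook.
main() {
  host=$1; port=$2; stun_port=${3:-3478}
  status=0
  if check_derp_https "$host" "$port"; then echo "HTTPS $host:$port OK"; else echo "HTTPS $host:$port FAILED"; status=1; fi
  if check_derp_stun "$host" "$stun_port"; then echo "STUN $host:$stun_port OK"; else echo "STUN $host:$stun_port FAILED"; status=1; fi
  return $status
}

# Invoke as `derp-check.sh check <domain> <tcp-port> [stun-port]`; otherwise just define functions.
case "${1:-}" in check) shift; main "$@" ;; esac
```

Example invocation: `bash derp-check.sh check ab.cd.ef 45678`. Unlike tailscale netcheck, a failed TLS handshake on the custom port is reported, which is exactly the case the netcheck output hides.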

Also: the DERP I run at home is built on macOS, the setup is similar to Debian's, and the ports are forwarded on the soft router. So DERP can also run on an internal network behind the public IP, with the ports forwarded on the edge device (forward UDP 3478 and the chosen TCP listening port; the external and internal port numbers must match). It does not have to run directly on a cloud host with a public IP. Ideally the dynamic DNS name supports API updates. After all, the free one-year certificates from Tencent Cloud and Alibaba Cloud are still very attractive.

The content of this blog is original; please credit the source when reprinting. For more posts, see the Sitemap. The blog's RSS feed is https://blog.tangwudi.com/feed, welcome to subscribe; if needed, join the Telegram Group to discuss problems together.