Headscale 之部署私有 DERP 中继服务器:自定义域名

自定义域名对应的证书文件放在 certs 目录下(`--certmode=manual` 时 derper 会按 `<域名>.crt` / `<域名>.key` 的文件名去该目录读取),Dockerfile 如下:

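# Official Golang image, pulled through a private mirror. `latest` is a moving
# tag; pin a concrete Go version (golang:1.xx) for reproducible builds.
FROM swr.cn-north-4.myhuaweicloud.com/xxx/golang:latest

# Go module proxies reachable from mainland China; `direct` is the fallback.
ENV GOPROXY=https://goproxy.cn,https://mirrors.aliyun.com/goproxy/,direct
ENV GO111MODULE=on
# Static binary: no libc needed at run time.
ENV CGO_ENABLED=0

# Appears to be carried over from the upstream Dockerfile this was adapted
# from -- update it if you publish the image yourself.
LABEL org.opencontainers.image.source=https://github.com/yangchuansheng/docker-image

WORKDIR /app

# Directory derper reads its certificate and private key from (DERP_CERT_DIR
# below). It holds a TLS private key, so it must not be world-writable; there
# is no USER directive, so the process runs as root and 700 is enough. When a
# host directory is bind-mounted over it at run time, the host permissions win.
RUN mkdir -p /home/derp/certs && \
    chmod 700 /home/derp/certs

# Which derper revision to build. `main` tracks tailscale's development branch
# and is not reproducible; pass --build-arg DERPER_VERSION=<release tag> for a
# pinned build.
ARG DERPER_VERSION=main
RUN go install tailscale.com/cmd/derper@${DERPER_VERSION}

# Run-time defaults; every one of these can be overridden with `docker run -e`.
# DERP_DOMAIN is the public hostname clients connect to. The default below is
# the author's own domain -- always override it.
ENV DERP_DOMAIN=me.peterfei.vip
# letsencrypt: derper obtains its own certificate (ports 443/80 must be
# reachable from the internet). manual: derper loads
# ${DERP_CERT_DIR}/${DERP_DOMAIN}.crt and ${DERP_CERT_DIR}/${DERP_DOMAIN}.key.
ENV DERP_CERT_MODE=letsencrypt
ENV DERP_CERT_DIR=/home/derp/certs
ENV DERP_ADDR=:443
ENV DERP_STUN=true
ENV DERP_HTTP_PORT=80
# false: anyone who knows the hostname can relay traffic through this server.
# --verify-clients=true checks clients against a tailscaled running on the same
# host that is joined to your network; newer derper builds also offer
# --verify-client-url for checking against the control server (confirm for
# your version).
ENV DERP_VERIFY_CLIENTS=false

# DERP over TLS, plain HTTP (ACME / redirect), STUN.
EXPOSE 80 443 3478/udp

# Health check is left disabled as in the original; re-enable only after
# confirming curl is present in this image and the endpoint answers.
#HEALTHCHECK --interval=30s --timeout=10s --start-period=5s --retries=3 \
# CMD curl -f http://localhost:80/ || exit 1

# Go through a shell so the ENV values above are expanded at run time.
CMD ["/bin/sh", "-c", \
"/go/bin/derper --hostname=${DERP_DOMAIN} \
--certmode=${DERP_CERT_MODE} \
--certdir=${DERP_CERT_DIR} \
--a=${DERP_ADDR} \
--stun=${DERP_STUN} \
--http-port=${DERP_HTTP_PORT} \
--verify-clients=${DERP_VERIFY_CLIENTS}"]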

编译dockerfile:

docker build -t derp .

运行(`-e DERP_CERT_MODE=manual` 时,derper 会从 `/home/derp/certs` 读取 `YOURDOMAIN.SIMPLE.crt` 与 `YOURDOMAIN.SIMPLE.key`,请先把证书和私钥按此命名放入宿主机的 `/home/derp/certs/`,并收紧目录权限(如 `chmod 700`);容器内 12345 端口映射到宿主机 8443,需与后面 derp.json 中的 `DERPPort` 一致):

docker run -d --restart always --name derper --user root -p 8443:12345 -p 3478:3478/udp -e DERP_ADDR=:12345 -e DERP_DOMAIN=YOURDOMAIN.SIMPLE -e DERP_CERT_MODE=manual -v /home/derp/certs/:/home/derp/certs derp

Headscale Config 如下:

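# Headscale control-server configuration using an external DERP relay.
# YOURDOMAIN.SIMPLE is a placeholder for your public hostname.

# Public URL clients are told to use for the control server. Client control
# traffic is Noise-encrypted regardless, but over plain http the registration
# page, the REST API and any API keys sent with it are unencrypted -- put
# headscale behind TLS (reverse proxy, or the tls_* settings below) and use
# https here.
server_url: http://YOURDOMAIN.SIMPLE:18090
# NOTE(review): headscale reads dns.base_domain, not a top-level base_domain,
# so this key appears to be ignored; a domain also must not carry an http://
# scheme. Confirm against your headscale version and drop it.
base_domain: http://YOURDOMAIN.SIMPLE  # your real public address; domain or IP
listen_addr: 0.0.0.0:8090
# Prometheus metrics are served without authentication; bind to localhost or a
# private interface unless this port is firewalled.
metrics_listen_addr: 0.0.0.0:9090
# Remote gRPC (headscale CLI from another machine) needs TLS unless
# grpc_allow_insecure is true; with no TLS configured below it is expected to
# stay disabled.
grpc_listen_addr: 0.0.0.0:50443
#randomize_client_port: true

noise:
  # The Noise private key is used to encrypt the
  # traffic between headscale and Tailscale clients when
  # using the new Noise-based protocol.
  private_key_path: /var/lib/headscale/noise_private.key

prefixes:
  v4: 100.64.0.0/10
  v6: fd7a:115c:a1e0::/48
  allocation: sequential

database:
  # Database type. Available options: sqlite, postgres
  # Please note that using Postgres is highly discouraged as it is only supported for legacy reasons.
  # All new development, testing and optimisations are done with SQLite in mind.
  type: sqlite
  sqlite:
    path: /var/lib/headscale/db.sqlite

dns:
  # Whether to use [MagicDNS](https://tailscale.com/kb/1081/magicdns/).
  magic_dns: false
  base_domain: example.com
  # List of DNS servers to expose to clients.
  nameservers:
    global:
      - 1.1.1.1
      - 1.0.0.1
      - 2606:4700:4700::1111
      - 2606:4700:4700::1001

unix_socket: /var/run/headscale/headscale.sock
unix_socket_permission: "0770"

derp:
  server:
    # Embedded DERP relay disabled; the external derper container is used instead.
    enabled: false
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"
    stun_listen_addr: "0.0.0.0:3478"
    # Example placeholders, unused while the embedded server is disabled.
    ipv4: 1.2.3.4
    ipv6: 2001:db8::1
  # DERP map sources handed to every client; URL and local file are both
  # loaded. Whoever controls the map controls which relay clients connect
  # to, so serve it yourself over https (as here) or prefer the local path.
  urls:
    - https://YOURDOMAIN.SIMPLE:18080/derp.json
  # Relay regions can also be defined locally in YAML. Only derp.json is shown
  # on this page -- confirm this file exists.
  paths:
    - /etc/headscale/derp.yaml
  auto_update_enabled: true
  update_frequency: 24h

tls_letsencrypt_hostname: ""
# Certificate paths when bringing your own certificate.
tls_cert_path: ""
tls_key_path: ""
# Whether clients should use a random port (default is 41641/UDP).
randomize_client_port: false
grpc_allow_insecure: false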

cat derp.json(注意:`"InsecureForTests": true` 会让客户端跳过对该 DERP 节点 TLS 证书的校验,tailscale 将其标注为仅供测试使用。虽然经中继转发的内容仍由 WireGuard 端到端加密,但任何能劫持到 `YOURDOMAIN.SIMPLE:8443` 连接的人都可以冒充该中继、观察连接元数据或丢弃流量。生产环境请使用受信任 CA 签发的证书并删除该字段;`DERPPort` 需与 docker run 中映射的宿主机端口一致。)

{
"Regions": {
"901": {
"RegionID": 901,
"RegionCode": "HomeNas",
"RegionName": "Xian",
"Nodes": [
{
"Name": "901a",
"RegionID": 901,
"DERPPort": 8443,
"StunPort": 3478,
"HostName": "YOURDOMAIN.SIMPLE",
"InsecureForTests": true
}
]
}
}
}