莱云nat小鸡上部署derper

前提

• headscale/tailscale
• derper二进制
• 已备案域名且申请证书

构建derper

需要构建amd64架构的Linux二进制

安装go可以参考官方文档 Download and install

构建derper也比较简单

export GO111MODULE=on
export GOPROXY=https://goproxy.cn
export GOPATH="/root/go"
export GOBIN="$GOPATH/bin"
export PATH=$PATH:$GOBIN:/usr/local/go/bin

go install tailscale.com/cmd/derper@latest

mv /root/go/bin/derper /usr/local/bin/derper

同步证书

假设你的域名是 www.nodeseek.com， 需要保证证书和私钥都是www.nodeseek.com开头

mkdir -p /etc/derper/www.nodeseek.com
# 将证书copy到这个目录下/etc/derper/www.nodeseek.com
ls /etc/derper/www.nodeseek.com
www.nodeseek.com.key
www.nodeseek.com.crt

systemd

没啥好说的

# /etc/systemd/system/derper.service
[Unit]
Description=derper

[Service]
StartLimitInterval=5
StartLimitBurst=10
ExecStart=/usr/local/bin/derper -hostname www.nodeseek.com  -a :7777 -verify-clients -certmode manual -http-port -1 -certdir /etc/derper/www.nodeseek.com
Restart=always
RestartSec=15

[Install]
WantedBy=multi-user.target

开机并启动

systemctl enable derper --now

配置小鸡开启映射

7777
3478

配置headscale

www.nodeseek.com 是cname到小鸡的nat出口ip的域名

# /etc/headscale/derp.yaml 新增如下
  907:
    regionid: 907
    regioncode: dx-nat
    regionname: dx-nat
    nodes:
      - name: dx
        regionid: 907
        hostname: www.nodeseek.com
        stunport: 10112
        stunonly: false
        derpport: 10100

更新完重启headscale

测试

tailscale netcheck
	* DERP latency:
		- lt-nat: 39.9ms  (lt-nat)
		- dx-nat: 49.1ms  (dx-nat)