Self-hosting headscale and DERP relay servers
I saw a thread on nodeseek about using Tailscale to reach RDP inside a home network. Every time I access my Synology from outside I would rather not expose its HTTP port directly, so I set this up for fun. Headscale is an open-source, self-hosted implementation of the Tailscale control server, and its wiki has a detailed tutorial; after working through it, here are my notes.
Local environment
The headscale server (v0.23.0) and the handful of DERP relays all run Debian. The relays are deployed with Docker in one step, which also avoids compiling derper yourself.
Setting up Headscale
Follow the official install steps (Official releases – Headscale), then edit /etc/headscale/config.yaml: set server_url (it must be the same origin as the reverse-proxied address of the web UI, otherwise the UI's API calls fail as cross-origin requests) and the remaining settings (listen address, certificates, and so on). Later on, the derp.urls list in this file gets the URL of a remotely hosted DERP map file, which makes adding and removing relays easy.
Starting the service with systemctl as the tutorial describes failed for me, so I changed it to run as root by editing /usr/lib/systemd/system/headscale.service (the unit below has no User= line, so systemd runs it as root). That works, but it gives up the least-privilege setup the package ships with; the cleaner fix is to keep the User=/Group= lines and make /etc/headscale and /var/lib/headscale readable and writable by that service user.
[Unit]
Description=headscale
After=network.target
[Service]
Type=simple
WorkingDirectory=/etc/headscale
ExecStart=/usr/bin/headscale serve
Restart=on-failure
[Install]
WantedBy=multi-user.target
Next create a user with headscale users create <USER>, install the client with curl -fsSL https://tailscale.com/install.sh | sh, and point it at the self-hosted server with tailscale up --login-server <YOUR_HEADSCALE_URL>; the login page it prints shows the headscale nodes register command to run on the server to approve the node. After that you can start building the DERP relays.
DERP relay server
Install Docker with curl -fsSL https://get.docker.com | bash -s docker, then write a docker-compose.yml and bring it up. To stop strangers from using your relay, DERP_VERIFY_CLIENTS=true is set; for that to work, a tailscale client must first be installed on the relay host and joined to your headscale, because derper asks the local tailscaled (through the mounted socket) whether each connecting client is a node of your tailnet and rejects everyone else. TCP 12345 is the DERP (HTTPS) port and UDP 3478 is STUN.
services:
  derper:
    # derper build that generates a self-signed certificate for a bare IP, so no domain is needed;
    # the DERP map entry for this node must then set InsecureForTests
    image: 'ghcr.io/yangchuansheng/ip_derper:latest'
    network_mode: bridge
    environment:
      # only admit clients that the local tailscaled knows as nodes of this tailnet
      - DERP_VERIFY_CLIENTS=true
      - DERP_CERTS=/app/certs
      # DERP (HTTPS) listen port; STUN stays on the default UDP 3478
      - 'DERP_ADDR=:12345'
    volumes:
      # derper consults the host's tailscaled (which must be joined to headscale) to verify clients
      - '/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock'
    ports:
      - '3478:3478/udp'
      - '12345:12345'
    container_name: derper
    restart: always
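The usual failure after bringing the container up is a relay that runs but is firewalled on one of its two ports. tailscale netcheck will tell you from a client, but the following standalone probe, added here and not part of the original post or of derper/tailscale, checks both ports directly: it sends an RFC 5389 STUN Binding Request to UDP 3478 and parses the XOR-MAPPED-ADDRESS reply, and it does an HTTPS GET of /derp/probe (which derper answers with 200) on the DERP port with certificate verification disabled, the same trust decision InsecureForTests makes in the DERP map. The encoder for the server side of the STUN exchange is included so the parser can be exercised offline; the host and port arguments are placeholders.

```python
import http.client
import os
import socket
import ssl
import struct
import sys

# RFC 5389 constants for the STUN half of the probe.
STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_RESPONSE = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid):
    """20-byte STUN Binding Request carrying the caller's 12-byte transaction ID."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txid


def build_binding_response(txid, ip, port):
    """Binding Success Response with one XOR-MAPPED-ADDRESS, i.e. what a STUN server sends back."""
    if ":" in ip:
        family, raw = 0x02, socket.inet_pton(socket.AF_INET6, ip)
    else:
        family, raw = 0x01, socket.inet_pton(socket.AF_INET, ip)
    key = struct.pack("!I", STUN_MAGIC_COOKIE) + txid  # XOR key: cookie for v4, cookie+txid for v6
    value = struct.pack("!BBH", 0, family, port ^ (STUN_MAGIC_COOKIE >> 16))
    value += bytes(a ^ b for a, b in zip(raw, key))
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", STUN_BINDING_RESPONSE, len(attr), STUN_MAGIC_COOKIE) + txid + attr


def parse_binding_response(data, txid):
    """Return the (ip, port) the server saw us as; XOR-MAPPED-ADDRESS wins over MAPPED-ADDRESS."""
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, length, cookie = struct.unpack("!HHI", data[:8])
    if cookie != STUN_MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a reply to our request")
    if mtype != STUN_BINDING_RESPONSE:
        raise ValueError("unexpected STUN message type 0x%04x" % mtype)
    body, off, mapped = data[20:20 + length], 0, None
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)  # attribute values are padded to a 4-byte boundary
        if atype not in (ATTR_MAPPED_ADDRESS, ATTR_XOR_MAPPED_ADDRESS) or len(value) < 8:
            continue
        family, port, raw = value[1], struct.unpack("!H", value[2:4])[0], value[4:]
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            port ^= STUN_MAGIC_COOKIE >> 16
            key = struct.pack("!I", STUN_MAGIC_COOKIE) + txid
            raw = bytes(a ^ b for a, b in zip(raw, key))
        if family == 0x01 and len(raw) >= 4:
            ip = socket.inet_ntop(socket.AF_INET, raw[:4])
        elif family == 0x02 and len(raw) >= 16:
            ip = socket.inet_ntop(socket.AF_INET6, raw[:16])
        else:
            continue
        if atype == ATTR_XOR_MAPPED_ADDRESS or mapped is None:
            mapped = (ip, port)
    if mapped is None:
        raise ValueError("reply carried no mapped address")
    return mapped


def stun_probe(host, port=3478, timeout=3.0):
    """Live check of the relay's STUN port: returns our reflexive (ip, port) as the relay sees it."""
    family, _, _, _, addr = socket.getaddrinfo(host, port, type=socket.SOCK_DGRAM)[0]
    txid = os.urandom(12)
    with socket.socket(family, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), addr)
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)


def derp_probe(host, port, timeout=3.0):
    """Live check of the DERP HTTPS port: GET /derp/probe with certificate verification off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # self-signed cert on a bare IP, as with InsecureForTests
    conn = http.client.HTTPSConnection(host, port, timeout=timeout, context=ctx)
    try:
        conn.request("GET", "/derp/probe")
        return conn.getresponse().status
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python derp_probe.py <relay ip or host> [derp port]   (placeholder arguments)
    relay = sys.argv[1]
    derp_port = int(sys.argv[2]) if len(sys.argv) > 2 else 12345
    print("STUN reflexive address:", stun_probe(relay))
    print("DERP /derp/probe HTTP status:", derp_probe(relay, derp_port))
```

A STUN reply means UDP 3478 is reachable and the relay can help with hole punching; a 200 from /derp/probe means the TLS listener on the DERP port is reachable. A timeout on either one is almost always a host or cloud firewall rule rather than a derper problem.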
Remote DERP map
Host the following JSON somewhere reachable over HTTP(S), add its URL to the derp.urls list in /etc/headscale/config.yaml (or save it on the server and list it under derp.paths), then restart headscale. Region IDs 900-999 are reserved by Tailscale for user-run DERP servers, so they will not collide with the official map. InsecureForTests: true tells clients to skip TLS certificate verification for these relays, which the self-signed-certificate derper image requires; the WireGuard traffic relayed through DERP stays end-to-end encrypted, but anyone who can redirect the relay's address could impersonate the relay and drop or delay the relayed traffic.
{
  "Regions": {
    "901": {
      "RegionID": 901,
      "RegionCode": "usa",
      "RegionName": "US-xxx",
      "Nodes": [
        {
          "Name": "901-US-xxx",
          "RegionID": 901,
          "DERPPort": 12345,
          "IPv4": "...",
          "IPv6": "xxxx",
          "STUNPort": 3478,
          "STUNOnly": false,
          "InsecureForTests": true
        }
      ]
    },
    "902": {
      "RegionID": 902,
      "RegionCode": "xxx2",
      "RegionName": "xxx2 (may differ from the code)",
      "Nodes": [
        {
          "Name": "xxxx",
          "RegionID": 902,
          "DERPPort": 12345,
          "IPv4": "xxx",
          "STUNPort": 3478,
          "STUNOnly": false,
          "InsecureForTests": true
        }
      ]
    },
    "903": {
      "RegionID": 903,
      "RegionCode": "xxx3",
      "RegionName": "xxx3",
      "Nodes": [
        {
          "Name": "xxx3",
          "RegionID": 903,
          "DERPPort": 12345,
          "STUNPort": 3478,
          "IPv4": "xxx",
          "STUNOnly": false,
          "InsecureForTests": true
        }
      ]
    }
  }
}
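Hand-editing this map is where mistakes creep in: a node whose RegionID disagrees with its region key, a placeholder left in IPv4, a port typo, or a region ID that collides with the official map. The following Python script, added here and not part of the original post or of headscale, builds the map from a compact relay list and validates an existing one before you point headscale at it. The sample relays, their names and the documentation addresses are constructed; it goes slightly beyond the page's map by also accepting HostName, which a relay with a real certificate would use instead of InsecureForTests.

```python
import ipaddress
import json

# Tailscale reserves region IDs 900-999 for user-run DERP servers.
USER_REGION_IDS = range(900, 1000)
# Values that mean "not filled in yet"; the page's template uses these as placeholders.
PLACEHOLDERS = {"", "xxx", "xxxx", "..."}


def build_derp_map(relays):
    """relays: dicts with region_id, code, name, node_name and ipv4/ipv6/hostname (ports optional)."""
    regions = {}
    for r in relays:
        rid = int(r["region_id"])
        node = {
            "Name": r["node_name"],
            "RegionID": rid,
            "DERPPort": int(r.get("derp_port", 12345)),
            "STUNPort": int(r.get("stun_port", 3478)),
            "STUNOnly": False,
            # Needed while derper serves a self-signed certificate for a bare IP.
            "InsecureForTests": bool(r.get("self_signed", True)),
        }
        for key in ("IPv4", "IPv6", "HostName"):
            if r.get(key.lower()):
                node[key] = r[key.lower()]
        region = regions.setdefault(str(rid), {
            "RegionID": rid, "RegionCode": r["code"], "RegionName": r["name"], "Nodes": []})
        region["Nodes"].append(node)
    return {"Regions": regions}


def validate_derp_map(doc):
    """Return (errors, warnings): errors make clients ignore or misroute a region, warnings are risks."""
    errors, warnings, names = [], [], set()
    regions = doc.get("Regions")
    if not isinstance(regions, dict) or not regions:
        return ["Regions must be a non-empty object"], warnings
    for key, region in regions.items():
        rid = region.get("RegionID")
        if not key.isdigit() or int(key) != rid:
            errors.append(f"region key {key!r} does not match RegionID {rid!r}")
        if rid not in USER_REGION_IDS:
            warnings.append(f"region {rid}: IDs outside 900-999 may collide with the official map")
        for field in ("RegionCode", "RegionName"):
            if not region.get(field):
                errors.append(f"region {rid}: missing {field}")
        nodes = region.get("Nodes") or []
        if not nodes:
            errors.append(f"region {rid}: no Nodes")
        for node in nodes:
            name = node.get("Name")
            if name in names:
                errors.append(f"node {name!r}: duplicate Name")
            names.add(name)
            if node.get("RegionID") != rid:
                errors.append(f"node {name!r}: RegionID {node.get('RegionID')!r} != region {rid}")
            for port_field in ("DERPPort", "STUNPort"):
                p = node.get(port_field)
                if not isinstance(p, int) or not 1 <= p <= 65535:
                    errors.append(f"node {name!r}: bad {port_field} {p!r}")
            addrs = 0
            for fam, cls in (("IPv4", ipaddress.IPv4Address), ("IPv6", ipaddress.IPv6Address)):
                v = node.get(fam)
                if v is None:
                    continue
                if v in PLACEHOLDERS:
                    errors.append(f"node {name!r}: {fam} is still a placeholder {v!r}")
                    continue
                try:
                    cls(v)
                    addrs += 1
                except ValueError:
                    errors.append(f"node {name!r}: {fam} {v!r} is not a valid address")
            if node.get("HostName"):
                addrs += 1
            if addrs == 0:
                errors.append(f"node {name!r}: needs an IPv4, IPv6 or HostName")
            if node.get("InsecureForTests"):
                warnings.append(f"node {name!r}: InsecureForTests disables TLS verification of the relay")
    return errors, warnings


def check_derp_map_file(path):
    """Validate a DERP map JSON file on disk; returns the same (errors, warnings) pair."""
    with open(path, "r", encoding="utf-8") as f:
        return validate_derp_map(json.load(f))


# Constructed sample on documentation addresses, not the author's real relays.
SAMPLE_RELAYS = [
    {"region_id": 901, "code": "usa", "name": "US-example", "node_name": "901-US-example",
     "ipv4": "198.51.100.10", "ipv6": "2001:db8::10"},
    {"region_id": 902, "code": "sgp", "name": "SG-example", "node_name": "902-SG-example",
     "ipv4": "203.0.113.20", "derp_port": 12345, "stun_port": 3478},
]

if __name__ == "__main__":
    derp_map = build_derp_map(SAMPLE_RELAYS)
    print(json.dumps(derp_map, indent=2))
    print(validate_derp_map(derp_map))
```

Run check_derp_map_file on the file you are about to publish; an empty error list is the signal to upload it and restart headscale. The InsecureForTests warnings are expected with the self-signed image and are there so the trade-off is visible every time the map changes.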
headscale-ui
This is also deployed with docker compose, as below (the headscale service block is commented out because headscale runs directly on the host; the reverse proxy in front of the UI must use the same domain as server_url in the headscale config, otherwise the UI errors). Run headscale apikeys create --expiration 90d on the host to get an API key for the UI. It is worth doing this step first, since it makes adding clients a little easier. The UI is a static single-page app that calls the headscale API from your browser (which is why the origins must match), so put it behind TLS and do not expose it publicly without access control.
version: '3.5'
services:
  # headscale:
  #   image: headscale/headscale:stable
  #   container_name: headscale
  #   volumes:
  #     - ./container-config:/etc/headscale
  #     - ./container-data/data:/var/lib/headscale
  #   ports:
  #     - 27896:8080
  #   command: serve
  #   restart: unless-stopped
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    restart: unless-stopped
    container_name: headscale-ui
    ports:
      # - 8443:8443
      - 8080:8080
Install and run a tailscale client locally to test. tailscale netcheck lists the DERP regions the client can reach and their latency; tailscale ping <node> shows whether a direct connection (hole punch) succeeded and, if not, which DERP relay the traffic is going through. Optionally remove the official DERP map URL (https://controlplane.tailscale.com/derpmap/default) from derp.urls so that only your own relays are used. Done!