Self-hosting Headscale and DERP relay servers


I saw a post on nodeseek about using Tailscale to reach RDP across NAT. Every time I access my Synology from outside I would rather not expose the HTTP port directly, so with some spare time I set this up to play with. Headscale is the self-hosted version of Tailscale and the wiki has detailed tutorials; I followed a few of them and am recording the process here.

Local environment

The headscale (v23.0) server and the several DERP relays all run Debian. The DERP relays are set up with a one-click docker image, which also skips the compile step.

Setting up Headscale

Install by following the official steps at Official releases – Headscale, then edit server_url in /etc/headscale/config.yaml (it must match the reverse-proxy address of the UI, otherwise the API calls fail as cross-origin requests) together with the other settings (listen address, certificates, and so on). Note that the url field will later get the address of a remote txt file (which makes adding and removing DERP servers easier).

But running the program with systemctl as in the tutorial reported a failure, so I changed the running user to root in /usr/lib/systemd/system/headscale.service. (The packaged unit runs as a dedicated headscale user; dropping that User= line means the control plane runs with full root privileges, so the file paths it needs should be owned by a service account instead once the setup is working.)

[Unit]
Description=headscale
After=network.target

[Service]
Type=simple
WorkingDirectory=/etc/headscale
ExecStart=/usr/bin/headscale serve
Restart=on-failure

[Install]
WantedBy=multi-user.target

After that, run headscale users create <USER> to create a user, install the client with curl -fsSL https://tailscale.com/install.sh | sh, and connect to the self-hosted server as prompted with tailscale up --login-server <YOUR_HEADSCALE_URL>. Then the DERP relay servers can be set up.

DERP relay server

After installing docker with curl -fsSL https://get.docker.com | bash -s docker, write a docker-compose.yml and run it. To keep others from using the relay, first run the Tailscale client on the relay server and join it to the self-hosted headscale: with DERP_VERIFY_CLIENTS=true the derper checks connecting clients against the local tailscaled over the mounted socket and only accepts nodes that belong to the tailnet.

services:
  derper:
    image: 'ghcr.io/yangchuansheng/ip_derper:latest'
    network_mode: bridge
    environment:
      - DERP_VERIFY_CLIENTS=true
      - DERP_CERTS=/app/certs
      - 'DERP_ADDR=:12345'
    volumes:
      - '/var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock'
    ports:
      - '3478:3478/udp'
      - '12345:12345'
    container_name: derper
    restart: always

DERP remote configuration

Publish the following text as a file on a web server, add its URL to /etc/headscale/config.yml, and restart headscale.

{
  "Regions": {
    "901": {
      "RegionID": 901,
      "RegionCode": "usa",
      "RegionName": "US-xxx",
      "Nodes": [
        {
          "Name": "901-US-xxx",
          "RegionID": 901,
          "DERPPort": 12345,
          "IPv4": "...",
          "IPv6": "xxxx",
          "STUNPort": 3478,
          "stunonly": false,
          "InsecureForTests": true
        }
      ]
    },
    "902": {
      "RegionID": 902,
      "RegionCode": "xxx2",
      "RegionName": "xxx2(可不同)",
      "Nodes": [
        {
          "Name": "xxxx",
          "RegionID": 902,
          "DERPPort": 12345,
          "IPv4": "xxx",
          "STUNPort": 3478,
          "stunonly": false,
          "InsecureForTests": true
        }
      ]
    },
    "903": {
      "RegionID": 903,
      "RegionCode": "xxx3",
      "RegionName": "xxx3",
      "Nodes": [
        {
          "Name": "xxx3",
          "RegionID": 903,
          "DERPPort": 12345,
          "STUNPort": 3478,
          "IPv4": "xxx",
          "stunonly": false,
          "InsecureForTests": true
        }
      ]
    }
  }
}
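As a sanity check on the DERP map before publishing it, here is a small Python linter (an example added for this post, not headscale's or tailscale's own code). It parses a map in the format above, checks that region keys, node RegionIDs and the DERP/STUN ports agree with the compose file, flags placeholders such as "..." left in IPv4/IPv6, and warns wherever InsecureForTests is true, because that flag makes clients skip TLS certificate verification for the relay. The sample map and the 203.0.113.10 address are constructed; the field names are those of the tailcfg DERPMap format.

```python
import ipaddress
import json

# Constructed sample (not taken from a live host) in the shape of the DERP map above:
# region 901 keeps the post's "..." placeholder IPv4 and InsecureForTests=true,
# region 902 is filled in with a documentation address and the flag cleared.
SAMPLE_DERPMAP = """
{
  "Regions": {
    "901": {
      "RegionID": 901, "RegionCode": "usa", "RegionName": "US-xxx",
      "Nodes": [
        {"Name": "901-US-xxx", "RegionID": 901, "DERPPort": 12345, "IPv4": "...",
         "STUNPort": 3478, "stunonly": false, "InsecureForTests": true}
      ]
    },
    "902": {
      "RegionID": 902, "RegionCode": "xxx2", "RegionName": "xxx2",
      "Nodes": [
        {"Name": "xxx2", "RegionID": 902, "DERPPort": 12345, "IPv4": "203.0.113.10",
         "STUNPort": 3478, "stunonly": false, "InsecureForTests": false}
      ]
    }
  }
}
"""

DERP_PORT = 12345  # must equal the port in DERP_ADDR=:12345 of the derper compose file
STUN_PORT = 3478   # must equal the 3478/udp port mapping of the derper compose file


def _get_ci(obj, name, default=None):
    """Case-insensitive key lookup. headscale decodes this file with Go's encoding/json,
    which matches keys to struct fields case-insensitively, so "stunonly" and "STUNOnly"
    land in the same field; the linter has to treat them the same way."""
    for key, value in obj.items():
        if key.lower() == name.lower():
            return value
    return default


def _check_node(region_key, node, derp_port, stun_port):
    out = []
    name = _get_ci(node, "Name", "<unnamed>")
    if _get_ci(node, "RegionID") != int(region_key):
        out.append(("error", region_key, f"node {name!r}: RegionID does not match region key"))
    if _get_ci(node, "DERPPort") != derp_port:
        out.append(("error", region_key, f"node {name!r}: DERPPort is not {derp_port}"))
    if _get_ci(node, "STUNPort") != stun_port:
        out.append(("error", region_key, f"node {name!r}: STUNPort is not {stun_port}"))
    for field, cls in (("IPv4", ipaddress.IPv4Address), ("IPv6", ipaddress.IPv6Address)):
        value = _get_ci(node, field)
        if value is None:
            continue
        try:
            cls(value)
        except ValueError:
            out.append(("error", region_key,
                        f"node {name!r}: {field} {value!r} is not an address (placeholder left in?)"))
    if not _get_ci(node, "IPv4") and not _get_ci(node, "HostName"):
        out.append(("error", region_key, f"node {name!r}: neither IPv4 nor HostName is set"))
    if _get_ci(node, "InsecureForTests"):
        out.append(("warn", region_key,
                    f"node {name!r}: InsecureForTests is true, clients skip TLS verification for this relay"))
    if _get_ci(node, "STUNOnly"):
        out.append(("warn", region_key, f"node {name!r}: STUNOnly is true, it relays no traffic"))
    return out


def lint_derpmap(text, derp_port=DERP_PORT, stun_port=STUN_PORT):
    """Return a list of (severity, region_key, message) findings for a DERP map JSON string."""
    findings = []
    regions = json.loads(text).get("Regions")
    if not isinstance(regions, dict) or not regions:
        return [("error", "-", "no Regions object in DERP map")]
    for region_key, region in regions.items():
        if not region_key.isdigit() or region.get("RegionID") != int(region_key):
            findings.append(("error", region_key, "region key and RegionID disagree"))
            continue
        nodes = region.get("Nodes") or []
        if not nodes:
            findings.append(("error", region_key, "region has no Nodes"))
        for node in nodes:
            findings.extend(_check_node(region_key, node, derp_port, stun_port))
    return findings


if __name__ == "__main__":
    import sys
    # Pass the path of the txt file you are about to publish; without an argument the
    # constructed sample is linted.
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_DERPMAP
    for severity, region_key, message in lint_derpmap(source):
        print(f"[{severity}] region {region_key}: {message}")
```

Run it against the txt file before pointing headscale's remote URL at it; every node in this post's setup will produce the InsecureForTests warning, which is the trade-off the ip_derper image makes for serving a relay on a bare IP without a publicly trusted certificate.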

headscale-ui

This is also set up with docker compose, as below (headscale itself runs locally, so its service is commented out; the reverse proxy must later use the same domain as the headscale config file, otherwise it errors). Run headscale apikeys create --expiration 90d locally to obtain the API key. You can do this step first; it makes adding clients a little easier.

version: '3.5'
services:
#  headscale:
#    image: headscale/headscale:stable
#    container_name: headscale
#    volumes:
#      - ./container-config:/etc/headscale
#      - ./container-data/data:/var/lib/headscale
#    ports:
#      - 27896:8080
#    command: serve
#    restart: unless-stopped
  headscale-ui:
    image: ghcr.io/gurucomputing/headscale-ui:latest
    restart: unless-stopped
    container_name: headscale-ui
    ports:
    # - 8443:8443
      - 8080:8080

You can install and run the tailscale client locally to test. tailscale netcheck shows the latency to each DERP server, and tailscale ping xxx shows whether hole punching succeeded and which DERP relay was chosen. (Optionally comment out the official DERP relay servers' remote configuration.) Done!
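To turn that manual check into something repeatable, here is a small Python script (an added example, not part of the original post or of tailscale) that parses tailscale netcheck output, confirms that every self-hosted region from the DERP map reported a latency, and tells you whether the lowest-latency (preferred) relay is one of your own regions rather than an official Tailscale one. The sample output is constructed in the layout of netcheck's report, with the region IDs 901/902 from this post and 10 standing in for an official region; the SELF_HOSTED_REGIONS set is an assumption matching the map above.

```python
import re

# Constructed sample in the layout of `tailscale netcheck` output (not captured from a
# real host); regions 901/902 are the self-hosted relays from the DERP map above,
# region 10 stands in for one of the official Tailscale relays.
SAMPLE_NETCHECK = """\
Report:
\t* UDP: true
\t* IPv4: yes, 203.0.113.5:41641
\t* IPv6: no, but OS has support
\t* MappingVariesByDestIP: false
\t* PortMapping:
\t* Nearest DERP: US-xxx
\t* DERP latency:
\t\t- 901 = 18.2ms (US-xxx)
\t\t- 902 = 45.7ms (xxx2)
\t\t-  10 = 210.3ms (Tokyo)
"""

# Region IDs of the self-hosted relays (assumed: the keys used in the DERP map above).
SELF_HOSTED_REGIONS = {901, 902, 903}

NEAREST_RE = re.compile(r"^\s*\*\s*Nearest DERP:\s*(.+?)\s*$")
# Accepts both "- 901 = 18.2ms (name)" and "- 901: 18.2ms (name)" layouts.
LATENCY_RE = re.compile(r"^\s*-\s*(\d+)\s*[=:]\s*([\d.]+)\s*(ms|s)\s*\((.*)\)\s*$")


def parse_netcheck(text):
    """Return (nearest_region_name, {region_id: latency_ms}) from netcheck output."""
    nearest = None
    latencies = {}
    for line in text.splitlines():
        m = NEAREST_RE.match(line)
        if m:
            nearest = m.group(1)
            continue
        m = LATENCY_RE.match(line)
        if m:
            value = float(m.group(2))
            if m.group(3) == "s":
                value *= 1000.0  # normalise seconds to milliseconds
            latencies[int(m.group(1))] = value
    return nearest, latencies


def check_relays(text, self_hosted=SELF_HOSTED_REGIONS):
    """Summarise which self-hosted relays answered and whether the lowest-latency
    (preferred) relay is one of ours rather than an official Tailscale region."""
    nearest_name, latencies = parse_netcheck(text)
    nearest_region = min(latencies, key=latencies.get) if latencies else None
    return {
        "nearest_name": nearest_name,
        "nearest_region": nearest_region,
        "nearest_is_self_hosted": nearest_region in self_hosted,
        "reachable": sorted(r for r in latencies if r in self_hosted),
        "missing": sorted(set(self_hosted) - set(latencies)),
    }


if __name__ == "__main__":
    import subprocess
    import sys
    # `--live` runs the real command; otherwise the constructed sample is analysed.
    if len(sys.argv) > 1 and sys.argv[1] == "--live":
        output = subprocess.run(["tailscale", "netcheck"], capture_output=True, text=True).stdout
    else:
        output = SAMPLE_NETCHECK
    result = check_relays(output)
    print(result)
    if result["missing"]:
        print("no latency reported for self-hosted regions:", result["missing"])
```

A region that never shows up in the latency list usually means its STUN port (3478/udp) is not reachable from the client, which is worth checking before blaming the DERP port; and if the official regions are still listed after you commented their map out, the client has not yet picked up the new DERP map from headscale.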
