Self-hosted Tailscale DERP Relay Server Overseas Edition

Original Article: Intranet Strategy (6.5): Building a Tailscale DERP Relay Server Overseas Version
Intranet Strategy (6): Building a Tailscale DERP Relay Server Nanny-level Tutorial
Author: Cool Flip-Flop Pro

Prerequisites#

  • Have an overseas VPS (I used a budget VPS purchased from RackNerd).
  • Have a domain name (namesilo is recommended because it is cheaper) with its DNS hosted on Cloudflare.
  • Have a DNS record pointing at the VPS. It does not have to be a second-level domain (http://xxx.com); a third-level domain (http://yyy.xxx.com) works too.
  • Have basic knowledge of Linux operations.
    Note: Do not enable the Cloudflare proxy for this DNS record; clients must reach the relay directly. See the image below:

Firewall Settings#

First, permanently allow the following ports: TCP 56473 (you may change this port) and UDP 3478 (do not change it). Then temporarily disable the firewall until the acme.sh certificate request has completed, and enable it again afterwards.

Common Linux firewalls include iptables, UFW, and the network security groups provided by your VPS vendor. Open the ports in whichever one you use; that is not covered in this tutorial.

Apply for an SSL Certificate#

Run the following commands step by step to request an SSL certificate. Choose one of the three methods; if the request fails, try another one. Replace <your domain name> in the commands with your own domain name.

If nginx or apache is already running on the VPS, either change --standalone to --nginx or --apache in the command, or stop that service temporarily.

sudo -i

curl https://get.acme.sh | sh; apt install socat -y || yum install socat -y; ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt

# Choose one of the three methods, if the application fails, try another method
# Method 1:
~/.acme.sh/acme.sh --issue -d <your domain name> --standalone -k ec-256 --force --insecure 
# Method 2:
~/.acme.sh/acme.sh --register-account -m "${RANDOM}@chacuo.net" --server buypass --force --insecure && ~/.acme.sh/acme.sh --issue -d <your domain name> --standalone -k ec-256 --force --insecure --server buypass 
# Method 3:
~/.acme.sh/acme.sh --register-account -m "${RANDOM}@chacuo.net" --server zerossl --force --insecure && ~/.acme.sh/acme.sh --issue -d <your domain name> --standalone -k ec-256 --force --insecure --server zerossl 

Export the certificate:

sudo mkdir /usr/local/cert

~/.acme.sh/acme.sh --install-cert -d <your domain name> --ecc --key-file /usr/local/cert/<your domain name>.key --fullchain-file /usr/local/cert/<your domain name>.crt

Install Tailscale#

curl -fsSL https://tailscale.com/install.sh | sh

Run tailscale up and open the URL it prints in your browser to authorize the node.

Install Golang#

Uninstall old versions#

If other software on your server depends on the old version of Go, upgrading may have unexpected consequences. Evaluate this carefully before continuing.

An old version of Go is very likely to make the derper installation fail. If go version reports an old version, uninstall and reinstall it; if the command does not exist, or it already reports the latest version (how to check is explained below), skip this step.

Uninstall: rm -rf /usr/local/go
It is recommended to restart the server.

Check the latest version#

Open the website https://go.dev/doc/install
The screenshot below shows the latest version as 1.21.1

Download the latest version#

wget https://go.dev/dl/go<latest version number>.linux-amd64.tar.gz
tar -C /usr/local -xzf go<latest version number>.linux-amd64.tar.gz

Open the profile with vim /etc/profile, append the following lines at the end, then save and exit:

export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export GOBIN=$GOPATH/bin
export PATH=$PATH:$GOROOT/bin
export PATH=$PATH:$GOPATH/bin

Run source /etc/profile, then run go version to confirm that Go is installed correctly.

Install derper service#

Create a directory: sudo mkdir -p /usr/local/gopath/bin

Install:

go env -w GOPROXY=https://goproxy.cn,direct
go install tailscale.com/cmd/derper@main

Create the start script with vim /usr/local/gopath/bin/runderper and save the following content (change 56473 here if you chose a different port):

#!/bin/sh
cd /usr/local/gopath/bin
nohup ./derper -hostname <your domain name> -c=derper.conf -a :56473 -http-port -1 -certdir /usr/local/cert -certmode manual -verify-clients -stun > console.log 2>&1 &
echo $! > app.pid

Create the stop script with vim /usr/local/gopath/bin/stopderper.sh and save the following content:

#!/bin/sh
# app.pid is written next to the derper binary by runderper, so change into that directory first
cd /usr/local/gopath/bin
kill `cat app.pid`
rm -f app.pid

Grant permissions:

chmod +x /usr/local/gopath/bin/runderper
chmod +x /usr/local/gopath/bin/stopderper.sh

Create the unit file with vim /etc/systemd/system/derper.service and save the following content:

[Unit]
Description=derper service
After=network.target

[Service]
Type=forking
WorkingDirectory=/usr/local/gopath/bin
ExecStart=/usr/local/gopath/bin/runderper
ExecStop=/usr/local/gopath/bin/stopderper.sh

[Install]
WantedBy=multi-user.target

Start the service#

Start the service and enable it at boot:

systemctl start derper
systemctl enable derper

Then open https://<your domain name>:56473/ in a browser; if the DERP landing page appears, the deployment succeeded.

Add relay nodes#

Go back to the Tailscale admin console, open Access Controls, and add the following derpMap block as a top-level key, placed before the ssh section:

"derpMap": {
	// OmitDefaultRegions ignores the official relay nodes; once you run your own relay, the official low-bandwidth ones are generally not needed
	"OmitDefaultRegions": true,
	"Regions": {
		// Use any number from 900 upwards as the region key
		"901": {
			// RegionID must equal the key above
			"RegionID": 901,
			// RegionCode: choose any name that is meaningful to you
			"RegionCode": "RackNerd",
			"Nodes": [
				{
					// Keep the Name as 1
					"Name":     "1",
					// Same as RegionID
					"RegionID": 901,
					// Domain name
					"HostName": "<your domain name>",
					// Port number
					"DERPPort": 56473,
				},
			],
		},
		// Add further servers below
		"902": {
			// RegionID must equal the key above
			"RegionID": 902,
			// RegionCode: choose any name that is meaningful to you
			"RegionCode": "xxxx",
			"Nodes": [
				{
					// Node Name must be unique across all regions, so use 2 here
					"Name":     "2",
					// Same as RegionID
					"RegionID": 902,
					// Domain name of the second server
					"HostName": "<your domain name>",
					// Port number
					"DERPPort": 56473,
				},
			],
		},
		// Add further servers above
	},
},

Don't forget to save.
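Before pasting the block into Access Controls, it is worth checking the constraints the comments spell out: every RegionID must equal its region key and be repeated in each node, node Names must be unique across regions, and no <your domain name> placeholder may be left behind. The checker below is an added example, not part of the original post; it strips the HuJSON comments and trailing commas that the ACL editor accepts, and the sample block (with the constructed host derp.example.com) is made up for the demonstration.

```python
import json
import re
SAMPLE = """{
  "derpMap": {
    // constructed sample mirroring the page's derpMap block (HuJSON: comments, trailing commas)
    "OmitDefaultRegions": true,
    "Regions": {"901": {"RegionID": 901, "RegionCode": "RackNerd", "Nodes": [
      {"Name": "1", "RegionID": 901, "HostName": "derp.example.com", "DERPPort": 56473},
    ]}},
  },
}"""

def hujson_to_json(text):
    # Drop // comments (outside strings) and trailing commas so json.loads accepts the ACL text.
    out, in_str, i = [], False, 0
    while i < len(text):
        ch = text[i]
        if in_str:
            out.append(ch)
            if ch == "\\":               # copy the escaped character verbatim
                out.append(text[i + 1]); i += 1
            elif ch == '"':
                in_str = False
        elif ch == '"':
            in_str = True; out.append(ch)
        elif text.startswith("//", i):   # skip to end of line; the newline itself is kept
            i = text.find("\n", i) if "\n" in text[i:] else len(text)
            continue
        else:
            out.append(ch)
        i += 1
    return re.sub(r",(\s*[}\]])", r"\1", "".join(out))

def check_derpmap(text):
    # Returns a list of problems; an empty list means the block is internally consistent.
    derp = json.loads(hujson_to_json(text))["derpMap"]
    problems, names = [], set()
    for key, region in derp.get("Regions", {}).items():
        rid = region.get("RegionID")
        if str(rid) != key:
            problems.append(f"region {key}: RegionID {rid!r} does not match the key")
        for node in region.get("Nodes", []):
            if node.get("RegionID") != rid:
                problems.append(f"region {key}: node RegionID {node.get('RegionID')!r} != {rid!r}")
            if node.get("Name") in names:    # DERPNode.Name must be unique across all regions
                problems.append(f"region {key}: duplicate node Name {node.get('Name')!r}")
            names.add(node.get("Name"))
            if str(node.get("HostName", "")).startswith("<"):
                problems.append(f"region {key}: HostName placeholder was not replaced")
    return problems
```

Wrap your own block in an outer pair of braces (as in SAMPLE) and pass it to check_derpmap; an empty list means it is safe to paste.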

View connected nodes#

Run tailscale netcheck in a terminal (CMD on Windows) on a connected device to see the available relay nodes and their latency.
