zixiba

Self-built Tailscale DERP Relay Server Overseas Edition

Original Article: Intranet Strategy (6.5): Building a Tailscale DERP Relay Server Overseas Edition
Intranet Strategy (6): Building a Tailscale DERP Relay Server Nanny-level Tutorial
Author: Cool Flip-Flop Pro

Prerequisites#

  • An overseas VPS (I used a budget VPS from RackNerd).
  • A registered domain name (namesilo is suggested as a cheap registrar) with its DNS hosted at Cloudflare.
  • A DNS record for that name pointing at the VPS's public IP. It need not be the bare domain (xxx.com); a subdomain such as yyy.xxx.com works just as well.
  • Basic familiarity with Linux administration.
    Note: leave Cloudflare's proxy switched off for this record ("DNS only", the grey cloud). The proxy only forwards HTTP(S) on Cloudflare's own ports, so a proxied record would break both the DERP TLS port and STUN on UDP 3478; clients must reach the VPS IP directly. See the image below:

[image: Cloudflare DNS record for the relay hostname with Proxy status set to DNS only]

Firewall Settings#

First, permanently open two ports in the firewall: TCP 56473 (the DERP HTTPS port; you may change it, but use the new value in every later step) and UDP 3478 (STUN; do not change it, clients expect it there). The certificate step below also needs TCP 80 reachable for the duration of issuance, because acme.sh in standalone mode answers the HTTP-01 challenge on port 80. The original article simply disabled the firewall for that step and re-enabled it afterwards; opening TCP 80 alone and closing it again once the certificate is issued is the tighter option.

Commonly used Linux firewalls include iptables/nftables, UFW, firewalld, and the network security group your VPS provider exposes in its control panel. Open the ports in whichever applies to you; that is not covered here.

Apply for an SSL Certificate#

Run the following commands step by step to obtain a certificate. Three CAs are shown; use one, and if issuance fails, try another. Replace <your domain name> in each command with your own domain name.

If nginx or apache is already running on the VPS, port 80 is taken: change --standalone to --nginx or --apache so acme.sh answers the challenge through the running web server, or stop that service for the duration of issuance.

sudo -i

curl https://get.acme.sh | sh; apt install socat -y || yum install socat -y; ~/.acme.sh/acme.sh --set-default-ca --server letsencrypt

#Choose one of the three CAs; switch to another if issuance fails
#Method 1 (Let's Encrypt, the default CA set above):
~/.acme.sh/acme.sh --issue -d <your domain name> --standalone -k ec-256 --force
#Method 2 (Buypass):
~/.acme.sh/acme.sh --register-account -m <your email> --server buypass && ~/.acme.sh/acme.sh --issue -d <your domain name> --standalone -k ec-256 --force --server buypass
#Method 3 (ZeroSSL):
~/.acme.sh/acme.sh --register-account -m <your email> --server zerossl && ~/.acme.sh/acme.sh --issue -d <your domain name> --standalone -k ec-256 --force --server zerossl

Give --register-account a mailbox you actually read: the CA sends certificate-expiry warnings there, which is the only alert you get if automatic renewal breaks. Do not add --insecure to these commands: it makes acme.sh skip TLS verification of the CA's API, and a certificate request that cannot verify the CA's own endpoint should fail rather than proceed.

Export the certificate into the directory derper will read. With -certmode manual, derper looks for <your domain name>.crt and <your domain name>.key inside -certdir, so the file names must match the hostname exactly:

sudo mkdir /usr/local/cert

~/.acme.sh/acme.sh --install-cert -d <your domain name> --ecc --key-file /usr/local/cert/<your domain name>.key --fullchain-file /usr/local/cert/<your domain name>.crt --reloadcmd "systemctl restart derper"

acme.sh renews the certificate from its cron job and reruns the --reloadcmd after each renewal. derper loads the certificate files when it starts, so without that restart it would keep serving the old certificate after it expires. The derper service does not exist yet at this point, so the restart reports an error the first time; run this --install-cert command once more after the service is set up.

Install Tailscale#

curl -fsSL https://tailscale.com/install.sh | sh

Run tailscale up and open the URL it prints in a browser to authorise the VPS into your tailnet. This step is not optional: the -verify-clients flag used later asks the local tailscaled which tailnet each connecting client belongs to, so the relay host itself must be a logged-in member of that tailnet.

Install Golang#

Uninstall old versions#

If other software on the server depends on the existing Go version, upgrading may break it; weigh that first.

An old Go toolchain is the most common reason the derper install fails, because the tailscale.com module requires a recent Go release. If go version prints an old version:

[image: go version output showing an old Go release]

uninstall it and reinstall; if the command does not exist, or it already reports the latest version (how to check is explained below), skip this step.

Uninstall (for a toolchain unpacked into /usr/local/go): rm -rf /usr/local/go
If Go was installed from the distribution's package manager instead, remove that package. Afterwards open a fresh login shell so the old PATH entries are gone; a reboot also works.

Check the latest version#

Open the website https://go.dev/doc/install
The screenshot below showed 1.21.1 as the latest version at the time of writing; use whatever the page lists now.

[image: go.dev/doc/install download page showing the current release]

Download the latest version#

wget https://go.dev/dl/go<latest version number>.linux-amd64.tar.gz
sha256sum go<latest version number>.linux-amd64.tar.gz   # must equal the SHA256 shown next to the file on https://go.dev/dl/
tar -C /usr/local -xzf go<latest version number>.linux-amd64.tar.gz

Open /etc/profile with vim, append the following lines at the end, then save and exit:

export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export GOBIN=$GOPATH/bin
export PATH=$PATH:$GOROOT/bin
export PATH=$PATH:$GOPATH/bin

Run source /etc/profile (or open a new login shell), then go version to confirm that the installation succeeded.

Install derper service#

Create a directory: sudo mkdir -p /usr/local/gopath/bin

Install:

go env -w GOPROXY=https://goproxy.cn,direct   # optional: a module mirror for servers in China; on an overseas VPS the default proxy.golang.org works fine
go install tailscale.com/cmd/derper@main

@main builds whatever is currently at the head of the Tailscale repository; @latest builds the newest tagged release, which is the better choice for a relay you will leave running unattended. Either way the toolchain verifies each module's hash against the checksum database sum.golang.org, so a mirror can fail to serve a module but cannot substitute a tampered one unnoticed.

Enter vim /usr/local/gopath/bin/runderper and enter and save the following content (change 56473 here too if you changed the port):

#!/bin/sh
cd /usr/local/gopath/bin
nohup ./derper -hostname <your domain name> -c=derper.conf -a :56473 -http-port -1 -certdir /usr/local/cert -certmode manual -verify-clients -stun > console.log 2>&1 &
echo $! > app.pid

What the flags do:
  • -hostname: the name clients connect to; it must match the certificate.
  • -c derper.conf: the file holding derper's own private key (generated on first start; keep it readable by root only).
  • -a :56473: the address of the HTTPS (DERP) listener.
  • -http-port -1: no plain-HTTP listener at all.
  • -certdir / -certmode manual: serve the acme.sh certificate from /usr/local/cert instead of letting derper obtain one itself.
  • -verify-clients: ask the local tailscaled whether each connecting client belongs to this VPS's tailnet and reject everyone else. Without it the relay is open to any Tailscale client that learns the hostname and port, which is why the VPS was joined to the tailnet earlier.
  • -stun: answer STUN on UDP 3478 so clients can discover their public endpoints.

Enter vim /usr/local/gopath/bin/stopderper.sh and enter and save the following content (the cd is needed because systemd runs the script from /, while app.pid lives next to the binary):

#!/bin/sh
cd /usr/local/gopath/bin
kill `cat app.pid`
rm -f app.pid

Grant permissions:

chmod +x /usr/local/gopath/bin/runderper
chmod +x /usr/local/gopath/bin/stopderper.sh

Enter vim /etc/systemd/system/derper.service, enter and save the following content:

[Unit]
Description=derper service
After=network.target
 
[Service]
Type=forking
PIDFile=/usr/local/gopath/bin/app.pid
ExecStart=/usr/local/gopath/bin/runderper
ExecStop=/usr/local/gopath/bin/stopderper.sh
Restart=on-failure
 
[Install]
WantedBy=multi-user.target

Start the service#

Start the service now and enable it at boot:

systemctl start derper
systemctl enable derper

Then open https://<your domain name>:56473/ in a browser. If derper's status page appears, and the browser shows no certificate warning (which confirms the acme.sh certificate is the one being served), the deployment succeeded.

[image: derper status page served at https://<your domain name>:56473/]
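A browser only exercises the TLS port. A practitioner will want to check both listeners from outside the VPS: that the DERP port serves a certificate that verifies for the hostname, and that UDP 3478 actually answers STUN, since that is what a client's netcheck depends on. The following Go program is an added example written for this page, not code from the original article or from Tailscale; it hand-builds a STUN Binding Request (RFC 5389), parses the XOR-MAPPED-ADDRESS out of the Binding Success Response, and dials the DERP port using Go's standard certificate verification. The hostname and port are assumed to be passed on the command line (derpcheck <hostname> 56473); nothing else about the server is assumed.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/tls"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
	"os"
	"strconv"
	"time"
)

const stunMagic = 0x2112A442 // RFC 5389 magic cookie

// buildBindingRequest returns a 20-byte STUN Binding Request with no attributes.
func buildBindingRequest(txID [12]byte) []byte {
	msg := make([]byte, 20)
	binary.BigEndian.PutUint16(msg[0:2], 0x0001) // message type: Binding Request
	binary.BigEndian.PutUint16(msg[2:4], 0)      // message length: no attributes
	binary.BigEndian.PutUint32(msg[4:8], stunMagic)
	copy(msg[8:20], txID[:])
	return msg
}

// parseBindingResponse checks a Binding Success Response against the transaction ID we sent
// and returns the IPv4 address and port carried in its XOR-MAPPED-ADDRESS attribute.
func parseBindingResponse(msg []byte, txID [12]byte) (net.IP, int, error) {
	if len(msg) < 20 || binary.BigEndian.Uint16(msg[0:2]) != 0x0101 {
		return nil, 0, errors.New("not a STUN Binding Success Response")
	}
	n := int(binary.BigEndian.Uint16(msg[2:4]))
	if binary.BigEndian.Uint32(msg[4:8]) != stunMagic || !bytes.Equal(msg[8:20], txID[:]) || 20+n > len(msg) {
		return nil, 0, errors.New("bad magic cookie, transaction ID or length")
	}
	attrs := msg[20 : 20+n]
	for len(attrs) >= 4 {
		typ := binary.BigEndian.Uint16(attrs[0:2])
		l := int(binary.BigEndian.Uint16(attrs[2:4]))
		if 4+l > len(attrs) {
			break
		}
		v := attrs[4 : 4+l]
		if typ == 0x0020 && l == 8 && v[1] == 0x01 { // XOR-MAPPED-ADDRESS, family IPv4
			port := int(binary.BigEndian.Uint16(v[2:4]) ^ uint16(stunMagic>>16))
			addr := binary.BigEndian.Uint32(v[4:8]) ^ stunMagic
			return net.IPv4(byte(addr>>24), byte(addr>>16), byte(addr>>8), byte(addr)), port, nil
		}
		attrs = attrs[4+l+(4-l%4)%4:] // attribute values are padded to a 4-byte boundary
	}
	return nil, 0, errors.New("no IPv4 XOR-MAPPED-ADDRESS in response")
}

// checkDERP runs the two checks a new relay must pass: a TLS handshake on the DERP port whose
// certificate chain and name verify for host, and a STUN Binding Response from UDP 3478.
func checkDERP(host string, derpPort int) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: 5 * time.Second}, "tcp",
		net.JoinHostPort(host, strconv.Itoa(derpPort)), &tls.Config{ServerName: host, MinVersion: tls.VersionTLS12})
	if err != nil {
		return fmt.Errorf("TLS check on port %d failed: %w", derpPort, err)
	}
	leaf := conn.ConnectionState().PeerCertificates[0]
	conn.Close()
	fmt.Printf("TLS OK: certificate for %v, expires %s\n", leaf.DNSNames, leaf.NotAfter.Format(time.RFC3339))
	var txID [12]byte
	if _, err := rand.Read(txID[:]); err != nil {
		return err
	}
	udp, err := net.DialTimeout("udp", net.JoinHostPort(host, "3478"), 5*time.Second)
	if err != nil {
		return fmt.Errorf("STUN dial failed: %w", err)
	}
	defer udp.Close()
	udp.SetDeadline(time.Now().Add(5 * time.Second))
	udp.Write(buildBindingRequest(txID))
	buf := make([]byte, 512)
	n, err := udp.Read(buf)
	if err != nil {
		return fmt.Errorf("no STUN reply on UDP 3478 (firewall, or -stun missing?): %w", err)
	}
	ip, port, err := parseBindingResponse(buf[:n], txID)
	if err != nil {
		return err
	}
	fmt.Printf("STUN OK: relay sees this client as %s:%d\n", ip, port)
	return nil
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: derpcheck <hostname> <derp-port>")
		os.Exit(2)
	}
	port, _ := strconv.Atoi(os.Args[2])
	if err := checkDERP(os.Args[1], port); err != nil {
		fmt.Fprintln(os.Stderr, "FAIL:", err)
		os.Exit(1)
	}
}
```

Run it from a machine other than the VPS (go run derpcheck.go <your domain name> 56473). A TLS failure here usually means the certificate files in /usr/local/cert do not match the hostname or the port is not open; a STUN timeout almost always means UDP 3478 is blocked in the firewall or security group, which breaks NAT traversal for every client even though the browser check passed.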

Add a relay node#

Go back to the Tailscale admin console, open Access Controls, and add the following block to the policy file (the original places it just before the "ssh" section; it is a top-level key, so any position at that level works):

"derpMap": {
		// OmitDefaultRegions: true tells clients to ignore Tailscale's own relays and use only the regions below.
		// Consider leaving it false until your relay has proven reliable: with a single self-hosted region
		// and this set to true, an outage of that one server leaves your devices with no relay at all.
		"OmitDefaultRegions": true,
		"Regions": {
			// Pick any number from 900 upward; the IDs below 900 are the ones Tailscale uses for its own regions
			"901": {
				// RegionID must equal the key above
				"RegionID": 901,
				// RegionCode: any short label you will recognise in netcheck output
				"RegionCode": "RackNerd",
				"Nodes": [
					{
						// Node names only need to be unique within a region; keep "1" for a single node
						"Name":     "1",
						// Same as RegionID
						"RegionID": 901,
						// The DNS name the certificate was issued for (no scheme, no port)
						"HostName": "<your domain name>",
						// The TCP port derper listens on (-a :56473 above)
						"DERPPort": 56473,
					},
				],
			},
			// A second relay server gets its own region, like this:
			"902": {
				"RegionID": 902,
				"RegionCode": "xxxx",
				"Nodes": [
					{
						// "1" would be fine here as well, since names are scoped to the region
						"Name":     "2",
						"RegionID": 902,
						// The second server's own name; two regions must not point at the same host
						"HostName": "<your second domain name>",
						"DERPPort": 56473,
					},
				],
			},
		},
	},

Don't forget to save.
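The policy editor accepts comments and trailing commas (HuJSON), so the block above pastes in as-is, but it does not check that the region key, RegionID and node RegionIDs agree, that node names are unique within a region, that HostName is a bare DNS name rather than a URL, or that two regions do not point at the same server. The following Go program is an added example for this page, not part of the original article or of Tailscale's tooling: it strips the comments and trailing commas, parses the fragment (or a whole policy file containing one) with encoding/json, and reports those inconsistencies, plus the case of OmitDefaultRegions set with no regions defined. The embedded sampleMap is a constructed fragment with the placeholder hostname derp1.example.com.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

type (
	derpNode   struct{ Name, HostName string; RegionID, DERPPort int }
	derpRegion struct{ RegionID int; Nodes []derpNode }
	derpMap    struct{ OmitDefaultRegions bool; Regions map[string]derpRegion }
)

var trailingComma = regexp.MustCompile(`,(\s*[}\]])`)

// toStrictJSON converts the HuJSON the policy editor accepts into strict JSON:
// // comments outside strings are dropped, then commas that precede } or ].
func toStrictJSON(src string) string {
	var b strings.Builder
	inStr := false
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case inStr && c == '\\' && i+1 < len(src): // keep escapes such as \" intact
			b.WriteString(src[i : i+2])
			i++
		case c == '"':
			inStr = !inStr
			b.WriteByte(c)
		case !inStr && c == '/' && i+1 < len(src) && src[i+1] == '/':
			for i < len(src) && src[i] != '\n' {
				i++
			}
			b.WriteByte('\n')
		default:
			b.WriteByte(c)
		}
	}
	s := strings.TrimSpace(b.String())
	if strings.HasPrefix(s, `"derpMap"`) { // a bare fragment, as pasted into the policy file
		s = "{" + s + "}"
	}
	return trailingComma.ReplaceAllString(s, "$1")
}

// lintDERPMap parses a derpMap fragment (or a whole policy file containing one) and
// returns the problems found; an empty list means the map is internally consistent.
func lintDERPMap(src string) ([]string, error) {
	var doc struct{ DerpMap derpMap `json:"derpMap"` }
	if err := json.Unmarshal([]byte(toStrictJSON(src)), &doc); err != nil {
		return nil, fmt.Errorf("not valid JSON after comment stripping: %w", err)
	}
	m, problems := doc.DerpMap, []string{}
	bad := func(f string, a ...any) { problems = append(problems, fmt.Sprintf(f, a...)) }
	if m.OmitDefaultRegions && len(m.Regions) == 0 {
		bad("OmitDefaultRegions is true but no regions are defined: clients would have no relay at all")
	}
	hostRegion := map[string]string{} // HostName -> region key, to catch one server listed twice
	for key, r := range m.Regions {
		if id, err := strconv.Atoi(key); err != nil || id != r.RegionID {
			bad("region key %q does not match its RegionID %d", key, r.RegionID)
		}
		seen := map[string]bool{}
		for _, n := range r.Nodes {
			if n.RegionID != r.RegionID {
				bad("region %d: node %q carries RegionID %d", r.RegionID, n.Name, n.RegionID)
			}
			if seen[n.Name] {
				bad("region %d: duplicate node Name %q", r.RegionID, n.Name)
			}
			seen[n.Name] = true
			if n.HostName == "" || strings.ContainsAny(n.HostName, "/:") || n.DERPPort < 1 || n.DERPPort > 65535 {
				bad("region %d: HostName %q must be a bare DNS name and DERPPort %d a valid port", r.RegionID, n.HostName, n.DERPPort)
			}
			if prev, ok := hostRegion[n.HostName]; ok && prev != key {
				bad("HostName %q appears in region %s and region %s; each region needs its own server", n.HostName, prev, key)
			}
			hostRegion[n.HostName] = key
		}
	}
	return problems, nil
}

// sampleMap is a constructed fragment in the shape of the one above, with a placeholder hostname.
const sampleMap = `"derpMap": {
	"OmitDefaultRegions": false, // true would drop Tailscale's own relays as well
	"Regions": {
		"901": {"RegionID": 901, "RegionCode": "RackNerd",
			"Nodes": [{"Name": "1", "RegionID": 901, "HostName": "derp1.example.com", "DERPPort": 56473}]},
	},
},`

func main() {
	problems, err := lintDERPMap(sampleMap)
	fmt.Println("problems:", problems, "error:", err)
}
```

To lint your own block, replace sampleMap with the text you intend to paste (for example read from a file with os.ReadFile). An empty result means the map is consistent, not that the relay is reachable; reachability is what tailscale netcheck on a client tells you.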

View connected nodes#

Run tailscale netcheck on any connected device (a Windows CMD or PowerShell window, or a Linux shell) to list the DERP regions it can reach and their latency. Your RegionCode should appear in the list; with OmitDefaultRegions set to true it should be the only one.

[image: tailscale netcheck output listing DERP regions and latency]
