Building a Headscale + DERP relay server
Headscale + DERP deployment, final version
Deployment environment
| System | Host |
|---|---|
| Debian 12 | Alibaba Cloud, Hong Kong |
| Ubuntu 18 | Huawei Cloud |
| PC | Home |
Background
Recently I needed a stable VPN way to reach the home cloud. I had always used ZeroTier, but TCP connections dropped constantly; setting up a moon did not help much, everything still went through the planet nodes, and there were still many problems. It is a hassle, since every server needs its planet file replaced to join the node. After a night of research I set up the Headscale flavour of Tailscale plus a DERP acceleration node.
Getting started
Prerequisites
A domain name and a server
Open-source projects
headscale
https://github.com/juanfont/headscale
DERP open-source Docker image
https://hub.docker.com/r/fredliang/derper
Web UI management (open source)
https://github.com/gurucomputing/headscale-ui
Download the package
This is an alpha test build; it fixes a lot of things and works fine.
```bash
wget https://github.com/juanfont/headscale/releases/download/v0.23.0-alpha9/headscale_0.23.0-alpha9_linux_amd64.deb
```
Install
```bash
dpkg -i headscale_0.23.0-alpha9_linux_amd64.deb
```
Start
```bash
systemctl enable --now headscale
```
Edit the configuration
```bash
vim /etc/headscale/config.yaml
```
Settings that need changing
```yaml
server_url: https://<your-domain>  # with port 443 nothing needs to be appended, but a certificate must be configured
listen_addr: 0.0.0.0:8080          # change to 0.0.0.0 to listen on all addresses
metrics_listen_addr: 0.0.0.0:9090  # same (this also exposes metrics on every interface; firewall 9090 on a public host)
prefixes:
  #v6: fd7a:115c:a1e0::/48
  v4: 10.10.0.0/24  # I use a custom range here; systemd logs a warning about it, ignore it, it works
derp:
  server:
    # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
    # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
    enabled: false  # disable the official server; recommended, its latency is high
  paths:
    - /etc/headscale/derp.yaml  # create this file here; you will build its contents yourself later
  #paths: []
dns_config:
  # Whether to prefer using Headscale provided DNS or use local.
  magic_dns: false  # off
randomize_client_port: true  # enable random client ports
```
While we are at it, let's set up the UI on the same server. It is very simple, but I spent a long time on it and combined many approaches found online. Docker is convenient, but it is awkward for managing and editing the configuration files; you could also build it with Docker and then put an nginx reverse proxy in front.
Web UI setup
Download the static files
```bash
wget https://github.com/gurucomputing/headscale-ui/releases/download/2024.02.24-beta1/headscale-ui.zip
```
Extract
```bash
unzip headscale-ui.zip -d /var/
```
nginx
```bash
apt install nginx
```
Configuration
```bash
vim /etc/nginx/conf.d/hs.conf
```
Write the following
```nginx
map $http_upgrade $connection_upgrade {
    default     keep-alive;
    'websocket' upgrade;
    ''          close;
}

server {
    server_name hs.7boe.top;

    # Security / XSS mitigation headers
    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    # headscale-ui static files
    location /admin {
        alias /var/www/admin;
        try_files $uri $uri/ /index.html;
    }

    # headscale control server
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;  # use the map above rather than a hard-coded "upgrade"
        proxy_set_header Host $host;
        proxy_redirect http:// https://;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;  # nginx terminates TLS here; do not echo the client-supplied header
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }

    listen 443 ssl;
    listen [::]:443 ssl;
    ssl_certificate /ssl/hs.7boe.top.pem;
    ssl_certificate_key /ssl/hs.7boe.top.key;
}
```
Open the site in a browser and you will see the UI under /admin.
If the nodes cannot get online, adjust iptables:
```bash
# delete the DROP rules tailscaled adds for the CGNAT range
iptables -D ts-input -s 100.64.0.0/10 ! -i tailscale0 -j DROP
iptables -D ts-forward -s 100.64.0.0/10 -o tailscale0 -j DROP
```
Setting up the DERP relay server
A domain name is required.
Create the /ssl directory and put the certificate in it, named after your own domain; a .crt file is needed, for example hs.7boe.top.crt and xxxx.key.
Docker, one command
```bash
# DERP_VERIFY_CLIENTS=true makes derper relay only for nodes the local tailscaled knows,
# so the host must run tailscaled joined to this headscale (hence the socket mount)
docker run --restart always \
  -p 443:443 -p 3478:3478/udp \
  -e DERP_CERT_MODE=manual \
  -v /ssl:/app/certs \
  -e DERP_ADDR=:443 \
  -e DERP_DOMAIN=derp.7boe.top \
  -e DERP_VERIFY_CLIENTS=true \
  -v /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock \
  fredliang/derper
```
docker compose
```yaml
version: '3'
services:
  derper:
    container_name: derper
    image: fredliang/derper
    restart: always
    ports:
      - 3478:3478/udp
      - 443:443
    environment:
      - DERP_DOMAIN=derp.7boe.top
      - DERP_CERT_MODE=manual
      - DERP_ADDR=:443
      - DERP_VERIFY_CLIENTS=true  # relay only for nodes known to the local tailscaled (needs the socket below)
    volumes:
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
      - /ssl:/app/certs/
```
If you want nginx to reverse-proxy port 443
```nginx
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate /data/ssls/derper.example.com/derper.example.com.pem;
    ssl_certificate_key /data/ssls/derper.example.com/derper.example.com.key;
    server_name derper.example.com;
    client_max_body_size 500M;

    location / {
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_pass http://127.0.0.1:19850;  # change to the exposed DERP port, not the STUN port
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```
Write the following into headscale's /etc/headscale/derp.yaml
```yaml
regions:
  901:
    regionid: 901
    regioncode: shanghai
    regionname: huawei cloud
    nodes:
      - name: 901
        regionid: 901
        ipv4: '60.204.186.134'
        hostname: 'derp.7boe.top'
        stunport: 3478
        stunonly: false
        derpport: 19850
  902:
    regionid: 902
    regioncode: hangzhou
    regionname: aliyun cloud
    nodes:
      - name: 902
        regionid: 902
        ipv4: '121.40.147.166'
        hostname: 'derp.7boe.top'
        stunport: 3478
        stunonly: false
        derpport: 443
```
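As an added example, not part of the original post: a small Python checker for a derp.yaml like the one above. It flags the mistakes the comments warn about (a derpport pointing at the STUN port, a node whose regionid does not match its region) and region ids below 900, which Tailscale keeps for its built-in map; the sample map is an in-memory copy of the post's two regions, and a real file would be read with PyYAML's yaml.safe_load before calling check_derp_map.

```python
import ipaddress

# Constructed in-memory copy of the post's derp.yaml (regions 901 and 902)
SAMPLE_MAP = {"regions": {
    901: {"regionid": 901, "regioncode": "shanghai", "regionname": "huawei cloud",
          "nodes": [{"name": 901, "regionid": 901, "ipv4": "60.204.186.134",
                     "hostname": "derp.7boe.top", "stunport": 3478, "stunonly": False,
                     "derpport": 19850}]},
    902: {"regionid": 902, "regioncode": "hangzhou", "regionname": "aliyun cloud",
          "nodes": [{"name": 902, "regionid": 902, "ipv4": "121.40.147.166",
                     "hostname": "derp.7boe.top", "stunport": 3478, "stunonly": False,
                     "derpport": 443}]},
}}

def _port_ok(p):
    return isinstance(p, int) and not isinstance(p, bool) and 1 <= p <= 65535

def check_derp_map(cfg):
    """Return the problems found in a headscale DERP map; an empty list means it is consistent."""
    problems = []
    regions = cfg.get("regions") if isinstance(cfg, dict) else None
    if not isinstance(regions, dict) or not regions:
        return ["no 'regions' mapping found"]
    for key, region in regions.items():
        rid = region.get("regionid")
        if rid != key:
            problems.append(f"region key {key} != regionid {rid}")
        if isinstance(rid, int) and rid < 900:  # Tailscale keeps low ids for its built-in regions
            problems.append(f"region {rid}: ids below 900 may collide with Tailscale's built-in regions")
        for node in region.get("nodes") or []:
            name = str(node.get("name", "?"))
            if node.get("regionid") != rid:
                problems.append(f"node {name}: regionid {node.get('regionid')} != region {rid}")
            if not node.get("hostname"):  # clients check the DERP TLS certificate against this name
                problems.append(f"node {name}: hostname is required")
            try:
                ipaddress.IPv4Address(node.get("ipv4", "0.0.0.0"))
            except ValueError:
                problems.append(f"node {name}: bad ipv4 {node.get('ipv4')!r}")
            # 0 or missing means the default, as in tailscale's DERPNode
            stun, derp = node.get("stunport") or 3478, node.get("derpport") or 443
            if not _port_ok(stun):
                problems.append(f"node {name}: bad stunport {stun!r}")
            if node.get("stunonly"):
                continue
            if not _port_ok(derp):
                problems.append(f"node {name}: bad derpport {derp!r}")
            elif derp == stun:  # the mistake the nginx comment above warns about
                problems.append(f"node {name}: derpport equals stunport; use the DERP (TLS) port, not STUN")
    return problems
```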
Installing Tailscale
Official site
https://tailscale.com/
Windows
https://pkgs.tailscale.com/stable/tailscale-setup-latest.exe
Linux
```bash
curl -fsSL https://tailscale.com/install.sh | sh
```
Everything is done from the command line
```bash
tailscale up --login-server=https://hs.7boe.top --accept-dns --accept-routes=true
tailscale down
tailscale logout
tailscale ping <ip>
tailscale netcheck
tailscale up --advertise-routes=10.0.0.0/24,192.168.1.0/24 --netfilter-mode=off
```
Headscale commands
```bash
headscale routes enable -r <route-id>   # <route-id> comes from "headscale routes list"
headscale apikey create -e 9999d
headscale node ls
headscale user ls
headscale routes list
```