Headscale + Derper: an up-to-date tutorial
## Preface
- **The tutorial is a bit long; likes and bookmarks are appreciated.**
- For most people, **running your own Derper server and using the official Tailscale is enough**, i.e. section 2 of this tutorial is all you need. How to add a self-hosted Derper to Tailscale is easy to find by searching, so it is not covered here.
- If you are willing to tinker, read on. It is recommended to first get section 1 clear, especially the ports and configuration files.
- The tutorial was written in a hurry; if you find errors, please point them out in the comments, thanks.
- The reference tutorials are at the end of the article; consult them if anything is unclear.
## 0. Introduction
- Tailscale (Headscale) builds one large virtual LAN: every device you own can be pulled into it, and the devices then talk to each other over LAN IPs.
- Tailscale (Headscale) also does NAT traversal: connections between devices in the network are set up by hole punching (with a fairly high success rate), giving direct peer-to-peer links across the public Internet. Even when hole punching fails, traffic can still be relayed through a relay (DERP) server.
- Example use case: your home has no public IP, but with a Tailscale network and NAT traversal you can reach your home devices from any network.
## 1. Preparation
### 1.1 A domain name
The rest of the tutorial uses `headscale.example.com` as the example; replace it with your own domain and point its DNS record at your server's IP.
------
### 1.2 A server with a public IP
Debian 12 is the example system and `123.123.123.123` the example IP; replace it with your own IP.
------
### 1.3 An e-mail address
Used when requesting the certificate; `example@gmail.com` is the example, replace it with your own.
------
### 1.4 Ports used
- Derper port: `13445` (change to any port you like)
- Derper HTTP port (`-http-port`): `13446` (change to any port you like)
- Headscale port: `8080`
- Ports `80` and `443`
### 1.5 Configuration files used
- Derper: `/var/www/derp.json`, `/etc/systemd/system/derp.service`
- Headscale: `/etc/headscale/config.yaml`
- Nginx: `/etc/nginx/sites-available/default`
## 2. Setting up Derper
Since recent official Derp releases support self-signed certificates, the procedure is a lot simpler now. Without further ado, let's start.
### 2.1 Install the latest Go
- Update packages and install dependencies
```
apt update && apt upgrade
apt install -y wget git openssl curl
```
------
- Download the latest Go
```
wget https://go.dev/dl/go1.23.5.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.23.5.linux-amd64.tar.gz
```
The latest version at the time of writing is 1.23.5. If there is a newer release, check (https://forum.naixi.net/goto.php?url=https%3A%2F%2Fgo.dev%2Fdl%2F) and substitute the download link; remember to change the version number in the commands below as well.
------
- Configure environment variables
```
export PATH=$PATH:/usr/local/go/bin
go version
# single quotes: $PATH must be expanded at login time, not baked into /etc/profile now
echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
source /etc/profile
go env -w GO111MODULE=on
# goproxy.cn is a mirror for users in China; elsewhere the default https://proxy.golang.org,direct is fine
go env -w GOPROXY=https://goproxy.cn,direct
```
------
### 2.2 Install the latest Derper
- Install
```
go install tailscale.com/cmd/derper@latest
```
------
- Copy the binary
```
mkdir /etc/derp/
cp ~/go/bin/derper /etc/derp/
```
------
- Check that the copy succeeded
```
ls /etc/derp
```
------
### 2.3 Generate a self-signed certificate for Derper
```
DERP_IP="123.123.123.123"
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout ${DERP_IP}.key -out ${DERP_IP}.crt -subj "/CN=${DERP_IP}" -addext "subjectAltName=IP:${DERP_IP}"
```
Two certificate files now exist under `/root`: `/root/123.123.123.123.crt` and `/root/123.123.123.123.key`. Move them to `/etc/derp/`:
```
mv /root/123.123.123.123.crt /etc/derp
mv /root/123.123.123.123.key /etc/derp
```
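A DERP certificate that does not carry the server's IP in its subjectAltName, or a key that does not belong to the certificate, makes derper fail at start-up or makes clients reject the relay. The script below, an added example and not part of the original tutorial, wraps the openssl command above in a function and adds a verification step (SAN contains the IP, key matches the certificate, certificate is within its validity period); it also restricts the private key to root. It assumes only the `openssl` CLI, and the file names follow the tutorial's `<IP>.crt` / `<IP>.key` convention.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: generate the self-signed
# DERP certificate for an IP and verify it before derper loads it.
# Requires only the openssl CLI; file names follow the tutorial (<IP>.crt, <IP>.key).
set -u

# make_derp_cert IP OUTDIR [DAYS]: the tutorial's openssl command, writing into OUTDIR.
make_derp_cert() {
    ip="$1"; outdir="$2"; days="${3:-3650}"
    mkdir -p "$outdir"
    openssl req -x509 -newkey rsa:4096 -sha256 -days "$days" -nodes \
        -keyout "$outdir/$ip.key" -out "$outdir/$ip.crt" \
        -subj "/CN=$ip" -addext "subjectAltName=IP:$ip" 2>/dev/null
}

# verify_derp_cert IP OUTDIR: returns 0 only when
#   1. the certificate's subjectAltName contains IP:<ip> (TLS clients ignore the CN),
#   2. the private key in OUTDIR is the one the certificate was issued for,
#   3. the certificate is within its validity period.
# It also tightens the key's permissions: derper runs as root, nobody else needs it.
verify_derp_cert() {
    ip="$1"; outdir="$2"
    crt="$outdir/$ip.crt"; key="$outdir/$ip.key"
    if [ ! -r "$crt" ] || [ ! -r "$key" ]; then
        echo "missing $crt or $key"; return 1
    fi
    # escape the dots so they are not regex wildcards
    ip_re=$(printf '%s' "$ip" | sed 's/\./\\./g')
    if ! openssl x509 -in "$crt" -noout -text | grep -qE "IP Address:${ip_re}(,|[[:space:]]|$)"; then
        echo "subjectAltName of $crt does not contain IP:$ip"; return 1
    fi
    # compare the public key embedded in the cert with the one derived from the key
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey | openssl dgst -sha256)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null | openssl dgst -sha256)
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "$key does not match $crt"; return 1
    fi
    # -checkend 0: fails if the certificate is already expired
    if ! openssl x509 -in "$crt" -noout -checkend 0 >/dev/null; then
        echo "$crt is expired"; return 1
    fi
    chmod 600 "$key"
    echo "ok: $crt is valid for IP:$ip and matches $key"
}

# Usage: sh derp-cert.sh 123.123.123.123 /etc/derp
if [ $# -ge 2 ]; then
    make_derp_cert "$1" "$2" && verify_derp_cert "$1" "$2"
fi
```

Run it with the IP and the target directory; if the verification step prints an error, do not start derper until the certificate and key under `/etc/derp` have been regenerated.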
------
### 2.4 Start the Derper server
- Register it as a service
Create the file `derp.service`
```
touch /etc/systemd/system/derp.service
```
Write the following content (the `[Unit]`, `[Service]` and `[Install]` section headers are required, systemd rejects a unit file without them):
```
[Unit]
Description=TS Derper
After=network.target
Wants=network.target

[Service]
User=root
Restart=always
ExecStart=/etc/derp/derper -hostname 123.123.123.123 -a :13445 -http-port 13446 -certmode manual -certdir /etc/derp
RestartPreventExitStatus=1

[Install]
WantedBy=multi-user.target
```
------
- Start
```
systemctl enable derp
systemctl restart derp
systemctl status derp
```
------
### 2.5 Verify that Derper is up
Open `https://123.123.123.123:13445` in a browser, accept the insecure-certificate warning, and check that the following is displayed:
> DERP
> This is a Tailscale DERP server.
>
> It provides STUN, interactive connectivity establishment, and relaying of end-to-end encrypted traffic for Tailscale clients.
>
> Documentation:
>
> About DERP
> Protocol & Go docs
> How to run a DERP server
------
## 3. Setting up Headscale and Headscale-ui
### 3.1 Request a certificate with ACME
- Install dependencies
```
apt update -y && apt install -y curl socat
```
------
- Request the certificate
```
curl https://get.acme.sh | sh -s email=example@gmail.com
# standalone mode answers the ACME challenge on port 80 itself;
# Nginx is only installed later, so the port is still free at this point
~/.acme.sh/acme.sh --issue -d headscale.example.com --standalone
~/.acme.sh/acme.sh --installcert -d headscale.example.com --key-file /root/private.key --fullchain-file /root/cert.crt
```
------
### 3.2 Install the latest Headscale
- Download
```
wget --output-document=headscale.deb \
https://github.com/juanfont/headscale/releases/download/v0.24.1/headscale_0.24.1_linux_amd64.deb
```
The latest version at the time of writing is 0.24.1. If there is a newer release, check (https://forum.naixi.net/goto.php?url=https%3A%2F%2Fgithub.com%2Fjuanfont%2Fheadscale%2Freleases) and substitute the download link; remember to change the version number in the commands below as well.
------
- Install
```
# wget above already saved the package as headscale.deb, so no renaming is needed
dpkg --install headscale.deb
```
------
- Edit the configuration file (`/etc/headscale/config.yaml`)
Only the parts that need changing are listed
```
server_url: https://headscale.example.com
listen_addr: 0.0.0.0:8080
metrics_listen_addr: 0.0.0.0:9090
prefixes:
  v4: 100.64.0.0/10
  # v6: fd7a:115c:a1e0::/48
derp:   # parent key shown for orientation; it already exists in the file
  # List of externally available DERP maps encoded in JSON
  urls:
    - http://127.0.0.1/d/derp.json
dns:    # parent key shown for orientation; it already exists in the file
  base_domain: headscale.example.com
  # List of DNS servers to expose to clients. (Change to a DNS server that suits your region.)
  nameservers:
    global:
      - 114.114.114.114
```
------
- Start
```
systemctl enable headscale
systemctl restart headscale
systemctl status headscale
```
------
### 3.3 Install the latest Headscale-ui
- Download
```
wget https://github.com/gurucomputing/headscale-ui/releases/download/2025.01.20/headscale-ui.zip
```
The latest version at the time of writing is 2025.01.20. If there is a newer release, check (https://forum.naixi.net/goto.php?url=https%3A%2F%2Fgithub.com%2Fgurucomputing%2Fheadscale-ui) and substitute the download link; remember to change the version number in the commands below as well.
------
- Install
```
apt-get install unzip
unzip -d /var/www headscale-ui.zip
```
------
### 3.4 Configure the Derper server
- Configure the `/var/www/derp.json` file
Create it
```
touch /var/www/derp.json
```
Write the following content
```
{
  "Regions": {
    "901": {
      "RegionID": 901,
      "RegionCode": "Myself",
      "RegionName": "Myself Derper",
      "Nodes": [
        {
          "Name": "901a",
          "RegionID": 901,
          "DERPPort": 13445,
          "IPv4": "123.123.123.123",
          "InsecureForTests": true
        }
      ]
    }
  }
}
```
`InsecureForTests: true` tells clients to skip TLS verification for this relay, which is what lets the self-signed certificate from 2.3 work; the relayed traffic itself is still end-to-end encrypted by WireGuard, so the relay cannot read it.
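Headscale hands this map to every client, so if the `DERPPort` or `IPv4` in `derp.json` do not match the `-a` port and `-hostname` that derper actually listens on, clients simply never reach the relay and nothing on the server logs an error. The script below is an added example, not part of the original tutorial: it pulls the values out of both files with `sed`/`grep` (no `jq` needed for a map this small) and reports any mismatch. The file paths are the tutorial's; the functions work on any copies you pass in.

```shell
#!/bin/sh
# Added example, not part of the original tutorial: cross-check that the DERP
# map Headscale serves (derp.json) points at the IP and port the derper
# systemd unit actually listens on.
set -u

# json_field FILE KEY: first value of "KEY": <value> in FILE (quoted strings or numbers).
# A minimal sed extraction; sufficient for the small hand-written map used here.
json_field() {
    sed -n "s/.*\"$2\"[[:space:]]*:[[:space:]]*\"\{0,1\}\([^\",}]*\)\"\{0,1\}.*/\1/p" "$1" | head -n 1
}

# unit_flag FILE FLAG: the value that follows FLAG on the ExecStart= line of a unit file.
unit_flag() {
    sed -n 's/^ExecStart=//p' "$1" | tr ' ' '\n' | grep -A1 -x -- "$2" | tail -n 1
}

# check_derp_consistency DERP_JSON DERP_SERVICE: 0 if the map and the unit agree, 1 otherwise.
check_derp_consistency() {
    json="$1"; unit="$2"; rc=0
    map_ip=$(json_field "$json" IPv4)
    map_port=$(json_field "$json" DERPPort)
    unit_host=$(unit_flag "$unit" -hostname)
    unit_addr=$(unit_flag "$unit" -a)      # e.g. ":13445" or "0.0.0.0:13445"
    unit_port=${unit_addr##*:}

    if [ "$map_ip" != "$unit_host" ]; then
        echo "IPv4 in map ($map_ip) != -hostname in unit ($unit_host)"; rc=1
    fi
    if [ "$map_port" != "$unit_port" ]; then
        echo "DERPPort in map ($map_port) != -a port in unit ($unit_port)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "derp.json and derp.service agree ($map_ip:$map_port)"
    return "$rc"
}

# Usage: sh derp-check.sh /var/www/derp.json /etc/systemd/system/derp.service
if [ $# -ge 2 ]; then
    check_derp_consistency "$1" "$2"
fi
```

Run it after every change to either file, and again after appending `--verify-clients` in 4.5, since the `ExecStart=` line is re-parsed each time.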
------
### 3.5 Install and configure Nginx
- Install
```
apt install -y nginx
```
------
- Open `/etc/nginx/sites-available/default` and add the following:
```
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name headscale.example.com;
    ssl_certificate /root/cert.crt;
    ssl_certificate_key /root/private.key;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://127.0.0.1:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
    location /web {
        index index.html;
        alias /var/www/web;
    }
}
server {
    listen 80;
    listen [::]:80;
    server_name 127.0.0.1;
    root /var/www;
    index index.html index.htm index.nginx-debian.html;
    location /d {
        alias /var/www;
        autoindex on;
    }
    location / {
        try_files $uri $uri/ =404;
    }
}
```
The second `server` block exists only so that Headscale on the same host can fetch `http://127.0.0.1/d/derp.json`. Because `autoindex on` makes everything under `/var/www` browsable, consider binding that block with `listen 127.0.0.1:80;` instead of `listen 80;` so it is not reachable from outside. Run `nginx -t` before restarting to catch syntax errors.
------
- Start
```
systemctl enable nginx
systemctl restart nginx
systemctl status nginx
```
### 3.6 Verify the installation
- Restart the Derper, Headscale and Nginx services
```
systemctl restart derp
systemctl status derp
systemctl restart headscale
systemctl status headscale
systemctl restart nginx
systemctl status nginx
```
------
- Open the site
```
https://headscale.example.com/web
```
If all went well, all three services show as active (green) and the page opens normally. If you see errors, work through the tutorial again (`journalctl -u headscale -e` and `journalctl -u derp -e` show the reason a service failed to start) or leave a comment under the post.
### 3.7 Configure Headscale-ui
- Generate an API key
```
headscale apikeys create --expiration 9999d
```
Paste it into the `Headscale API Key` field at `https://headscale.example.com/web/settings.html` and click `Save API Key`; a small check mark appears on the right once it is accepted.
------
- Create the user `Default`
Open `https://headscale.example.com/web/users.html`, click `New User`, enter `Default` and submit.
## 4. Adding devices to the Headscale network
### 4.1 Download the latest client
(https://forum.naixi.net/goto.php?url=https%3A%2F%2Ftailscale.com%2Fdownload)
------
### 4.2 Start-up command options explained
> --login-server: the Headscale server to use, i.e. `https://headscale.example.com`
> --advertise-routes: tells the Headscale server which LAN subnet(s) this client sits in, so that Headscale can let devices on the same LAN connect directly (optional) or route other devices' traffic for that subnet to this client (optional); separate multiple routes with commas
> --accept-routes: whether to accept the routes pushed by the Headscale server for reaching other clients' LANs (optional)
> --accept-dns: whether to use the DNS configuration pushed by the Headscale server (optional; recommended off)
> --force-reauth: force re-authentication
> --advertise-exit-node: offer this client as an exit node
------
### 4.3 Starting the client on different platforms
- Windows
Start PowerShell as administrator and run:
```
tailscale login --login-server https://headscale.example.com
```
------
- iOS
Download it with a non-China-region Apple ID and allow the VPN configuration profile when prompted.
Tap the `avatar in the top-right corner`, tap `Log In...`, tap the `three dots in the top-right corner`, tap `Use a custom coordination server`, enter `https://headscale.example.com` and tap `Login in`.
------
- Linux
Install
```
curl -fsSL https://tailscale.com/install.sh | sh
```
Run
```
tailscale up --reset --advertise-routes=192.168.x.0/24 --accept-routes=true --login-server=https://headscale.example.com
```
------
### 4.4 Approve the device in Headscale-ui
After `tailscale up` runs on the client, the client prints a command containing its device key, looking like:
```
headscale nodes register --user USERNAME --key mkey:ed8f19e22f51c9c231c8bc8ccbxxxxxxxxxxxxxxf86c8211e4ad32b6c6e
```
Copy `mkey:ed8f19e22f51c9c231c8bc8ccbxxxxxxxxxxxxxxf86c8211e4ad32b6c6e` and import it as the Device Key at `https://headscale.example.com/web/devices.html`.
------
### 4.5 Enable Derper's anti-freeloading protection (client verification)
- Join the Derper server itself to the Headscale network (install and log in the Linux client on the Derper host as in 4.3). With `--verify-clients`, derper asks the local `tailscaled` whether each connecting node belongs to your network; without a logged-in client on the host, every connection would be refused.
------
- Edit `/etc/systemd/system/derp.service`
Append ` --verify-clients` (note the leading space) to the line `ExecStart=/etc/derp/derper -hostname 123.123.123.123 -a :13445 -http-port 13446 -certmode manual -certdir /etc/derp`, then run `systemctl daemon-reload` so systemd picks up the change.
------
- Restart the Derper, Headscale and Nginx services
```
systemctl restart derp
systemctl status derp
systemctl restart headscale
systemctl status headscale
systemctl restart nginx
systemctl status nginx
```
## 5. Reference tutorials
- (https://forum.naixi.net/goto.php?url=https%3A%2F%2Fwww.cnblogs.com%2Fyafengabc%2Fp%2F18591222)
- (https://forum.naixi.net/goto.php?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DgEmmhOdtLbA%26t%3D188s)
- [Set up Headscale, the open-source Tailscale server, on your own domain with headscale-ui: NAT traversal, remote access and peer-to-peer transfer, connecting home and outside networks with ease. A solution better suited to users in China](https://forum.naixi.net/goto.php?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D6K0QOo3owkE)
- [Fix for the Windows login command not responding with a self-hosted Headscale](https://forum.naixi.net/goto.php?url=https%3A%2F%2Fblog.csdn.net%2Fweixin_36114752%2Farticle%2Fdetails%2F144129664)
- (https://forum.naixi.net/goto.php?url=https%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3DmgDpJX3oNvI)
- (https://forum.naixi.net/goto.php?url=https%3A%2F%2Flinux.do%2Ft%2Ftopic%2F171651)
- (https://forum.naixi.net/goto.php?url=https%3A%2F%2Fgithub.com%2Ftailscale%2Ftailscale%2Fissues%2F13906%23issuecomment-2542665704)