Tailscale DERP Setup Without Domain
#Tailscale #RelayService #NATPiercing
Tailscale Deployment
```bash
curl -fsSL https://tailscale.com/install.sh | sh
```
If Tailscale itself is set up via Docker, it may cause authentication errors when setting up the Docker DERP server (this appears to be a process communication issue: the derper container cannot communicate sufficiently with tailscaled).
After running the one-click script, log in:
```bash
tailscale login
```
DERP Deployment
Create docker-compose.yaml
```yaml
services:
  derper:
    image: ghcr.io/yangchuansheng/ip_derper:latest
    container_name: derper
    restart: always
    ports:
      - "25425:25425" # Change 25425 to your desired high port above 10000
      - "3478:3478/udp" # 3478 is the STUN port; do not modify if no conflict
    volumes:
      # Mount the local tailscale client socket for authentication; it is used to
      # verify connecting clients so the relay is not used by outsiders (stolen)
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    environment:
      - DERP_ADDR=:25425 # Must be changed consistently with the port above
      - DERP_CERTS=/app/certs
      - DERP_VERIFY_CLIENTS=true # Enable client verification; this is the most important parameter to prevent theft of the relay
```
Note: In a port mapping such as 12345:12345, the latter part (12345) depends on the environment variable DERP_ADDR.
For the volumes (persistent data) entry, you can locate the socket file on the host using find / -name "tailscaled.sock".
After writing the file, run docker-compose up -d to start the container.
Note: If ghcr.io/yangchuansheng/ip_derper:latest is unavailable, you can build it yourself using the Dockerfile. (Project link)
Tailscale Console Configuration
Go to the Tailscale web console, enter the ACL editor, and insert the following text:
```json
"derpMap": {
  "OmitDefaultRegions": false, // Can be set to true to not relay through the official DERP nodes; consider enabling for testing or production
  "Regions": {
    "900": {
      "RegionID": 900, // Tailscale reserves 900-999 for custom DERP nodes
      "RegionCode": "abc1",
      "RegionName": "abcc1", // You can name these arbitrarily
      "Nodes": [
        {
          "Name": "fff",
          "RegionID": 900,
          "IPv4": "1.1.1.1", // Your VPS public IP address
          "DERPPort": 12345, // The custom port you set above (12345 in this example)
          "InsecureForTests": true, // Since it's a self-signed certificate, clients skip verification
        },
      ],
    },
    "901": {
      "RegionID": 901, // Remember to modify when adding new DERP nodes
      "RegionCode": "abc2",
      "RegionName": "abcc2",
      "Nodes": [
        {
          "Name": "kkk",
          "RegionID": 901, // Must match the RegionID of the enclosing region
          "IPv4": "8.8.8.8", // Your VPS public IP address
          "DERPPort": 4000, // The custom port configured on this node's DERP server
          "InsecureForTests": true, // Since it's a self-signed certificate, clients skip verification
        },
      ],
    },
  },
},
```
Reference:
https://blog.sleepstars.net/archives/ji-yu-docker-compose
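The values that must agree between the compose file and the derpMap (DERP_ADDR, the published port, DERPPort, the region IDs, and DERP_VERIFY_CLIENTS) can be cross-checked before the ACL is saved. The following Python is an added example, not code from the original post or the ip_derper project; the function names, the dict/list form of the compose settings, and the sample values are assumptions constructed for illustration.

```python
import json
import re

def load_hujson(text):
    """Parse JSON with // comments and trailing commas, as used in the ACL editor."""
    # Keep string literals intact, drop // comments, then drop trailing commas.
    text = re.sub(r'("(?:\\.|[^"\\])*")|//[^\n]*', lambda m: m.group(1) or "", text)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def check_derp(derp_map, server_ip, env, ports):
    """Cross-check one derper host's compose settings against the derpMap."""
    problems = []
    if env.get("DERP_VERIFY_CLIENTS") != "true":
        problems.append("DERP_VERIFY_CLIENTS is not true: any client can use this relay")
    listen = int(env["DERP_ADDR"].rsplit(":", 1)[1])
    published = None  # host port mapped to the DERP_ADDR port inside the container
    for mapping in ports:
        if "/udp" not in mapping:  # skip the STUN mapping
            host, container = mapping.split(":")
            if int(container) == listen:
                published = int(host)
    if published is None:
        problems.append(f"no TCP port mapping targets DERP_ADDR port {listen}")
    for key, region in derp_map["Regions"].items():
        rid = region["RegionID"]
        if str(rid) != key or not 900 <= rid <= 999:
            problems.append(f"region {key}: RegionID {rid} must equal its key and be in 900-999")
        for node in region["Nodes"]:
            if node["RegionID"] != rid:
                problems.append(f"node {node['Name']}: RegionID {node['RegionID']} != region {rid}")
            if node.get("IPv4") == server_ip and node.get("DERPPort") != published:
                problems.append(f"node {node['Name']}: DERPPort {node.get('DERPPort')} != published port {published}")
    return problems

# Constructed sample (placeholder IPs) with two deliberate mismatches to detect.
SAMPLE_ACL = """{ "derpMap": { "OmitDefaultRegions": false, "Regions": {
  "900": { "RegionID": 900, "RegionCode": "abc1", "RegionName": "abcc1", "Nodes": [
    { "Name": "fff", "RegionID": 900, "IPv4": "1.1.1.1", "DERPPort": 12345, // custom port
      "InsecureForTests": true, }, ], },
  "901": { "RegionID": 901, "RegionCode": "abc2", "RegionName": "abcc2", "Nodes": [
    { "Name": "kkk", "RegionID": 902, "IPv4": "8.8.8.8", "DERPPort": 4000, }, ], },
}, }, }"""
SAMPLE_ENV = {"DERP_ADDR": ":25425", "DERP_VERIFY_CLIENTS": "true"}  # compose environment
SAMPLE_PORTS = ["25425:25425", "3478:3478/udp"]                      # compose ports

if __name__ == "__main__":
    derp_map = load_hujson(SAMPLE_ACL)["derpMap"]
    for problem in check_derp(derp_map, "1.1.1.1", SAMPLE_ENV, SAMPLE_PORTS):
        print("PROBLEM:", problem)
```

The comment stripping covers only `//` comments and trailing commas, which is all the derpMap above uses.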