Tailscale DERP Setup Without Domain

Neurocoda

#Tailscale #RelayService #NATPiercing

Tailscale Deployment

curl -fsSL https://tailscale.com/install.sh | sh

If Tailscale itself is set up via Docker, the Docker DERP server may run into authentication errors, apparently because it cannot communicate properly with tailscaled.

After running the one-click script, log in:

tailscale login

DERP Deployment

Create docker-compose.yaml

services:
  derper:
    image: ghcr.io/yangchuansheng/ip_derper:latest
    container_name: derper
    restart: always
    ports:
      - "25425:25425" # Change 25425 to your desired high port above 10000
      - "3478:3478/udp" # 3478 is the STUN port; do not modify if no conflict
    volumes:
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock # Mount the local tailscaled socket so derper can verify connecting clients and the relay is not used by others
    environment:
      - DERP_ADDR=:25425 # Must match the port chosen above
      - DERP_CERTS=/app/certs
      - DERP_VERIFY_CLIENTS=true # Enable client verification; the most important setting for preventing unauthorized use of the relay

Note: In the port mapping (for example 12345:12345), the second, container-side port must match the port set in the DERP_ADDR environment variable.

For the volume mount, you can locate the socket file using find / -name "tailscaled.sock".

After writing the file, run docker-compose up -d to start the container.

Note: If ghcr.io/yangchuansheng/ip_derper:latest is unavailable, you can build it yourself using the Dockerfile. (Project link)

Tailscale Console Configuration

Go to the Tailscale web console, enter the ACL editor, and insert the following text:

"derpMap": {
  "OmitDefaultRegions": false, // Set to true to stop relaying through the official DERP nodes; consider enabling for testing or production
  "Regions": {
    "900": {
      "RegionID": 900, // Region IDs 900-999 are reserved for custom DERP nodes
      "RegionCode": "abc1",
      "RegionName": "abcc1", // You can name these arbitrarily
      "Nodes": [
        {
          "Name": "fff",
          "RegionID": 900,
          "IPv4": "1.1.1.1", // Your VPS public IP address
          "DERPPort": 12345, // The custom port you set in DERP_ADDR (12345 here)
          "InsecureForTests": true, // The certificate is self-signed, so clients skip certificate verification
        },
      ],
    },
    "901": {
      "RegionID": 901, // Remember to change this when adding new DERP nodes
      "RegionCode": "abc2",
      "RegionName": "abcc2",
      "Nodes": [
        {
          "Name": "kkk",
          "RegionID": 901, // Must match the RegionID of the enclosing region
          "IPv4": "8.8.8.8", // Your VPS public IP address
          "DERPPort": 4000, // The custom port set for this node's DERP server
          "InsecureForTests": true, // The certificate is self-signed, so clients skip certificate verification
        },
      ],
    },
  },
},
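
A consistency check for the compose file and the derpMap above, as an added example (not code from the original post): it parses a derpMap in the ACL editor's commented-JSON form and reports region keys that disagree with RegionID, IDs outside 900-999, nodes whose RegionID differs from their region, and a DERPPort that differs from the DERP_ADDR port of the given server. The function names, the sample data and the 203.0.113.x addresses are constructed for illustration.

```python
import json
import re

# Constructed sample in the ACL editor's JSON-with-comments style. Addresses are
# documentation-range placeholders; both nodes carry a deliberate mistake.
SAMPLE_ACL = """
{
  "derpMap": {
    "Regions": {
      "900": {
        "RegionID": 900, // custom region
        "Nodes": [{"Name": "fff", "RegionID": 900, "IPv4": "203.0.113.10", "DERPPort": 12345},],
      },
      "901": {
        "RegionID": 901,
        "Nodes": [{"Name": "kkk", "RegionID": 902, "IPv4": "203.0.113.20", "DERPPort": 4000},],
      },
    },
  },
}
"""

def load_hujson(text):
    """Drop // comments (outside strings) and trailing commas, then parse."""
    text = re.sub(r'("(?:\\.|[^"\\])*")|//[^\n]*', lambda m: m.group(1) or "", text)
    return json.loads(re.sub(r",(\s*[}\]])", r"\1", text))

def check_derp_map(acl, server_ip, derp_addr):
    """List problems; derp_addr is that server's DERP_ADDR value, e.g. ':25425'."""
    port = int(derp_addr.rsplit(":", 1)[1])
    problems = []
    for key, region in acl["derpMap"]["Regions"].items():
        rid = region["RegionID"]
        if str(rid) != key:
            problems.append(f"region key {key} != RegionID {rid}")
        if not 900 <= rid <= 999:
            problems.append(f"region {rid} is outside the custom range 900-999")
        for node in region["Nodes"]:
            if node["RegionID"] != rid:
                problems.append(f"node {node['Name']}: RegionID {node['RegionID']} != {rid}")
            # Only the node running on this server is compared with its DERP_ADDR port.
            if node["IPv4"] == server_ip and node["DERPPort"] != port:
                problems.append(f"node {node['Name']}: DERPPort {node['DERPPort']} != {port}")
    return problems

if __name__ == "__main__":
    for p in check_derp_map(load_hujson(SAMPLE_ACL), "203.0.113.10", ":25425"):
        print("PROBLEM:", p)
```

Run it once per DERP server, passing that server's public IP and its own DERP_ADDR value, before saving the ACL.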

Reference:
https://blog.sleepstars.net/archives/ji-yu-docker-compose

Title: Tailscale DERP Setup Without Domain Author: Neurocoda Created at: 2026-07-03 12:46:15 Link: https://neurocoda.com/zh-TW/posts/tailscale-derp-setup-without-domain-en/ License: This work is licensed under CC BY-ND 4.0.
