马春杰杰

Self-hosting a Tailscale DERP relay to speed up connections

The Tailscale version in use here is 1.92.3.

The usual recommendation for a self-hosted DERP is to use a domain name, but @Javaow suggested another approach: use an IP address plus a port directly, which is more convenient. Both approaches are described here.

1. IP + port approach

One-liner:

docker run -d --name tailscale-derp -p 36666:36666 -p 3478:3478/udp --restart=always javaow/tailscale-derp

If you just run the one-liner above, skip ahead to section 1.4.

That command uses an image that @Javaow packaged, which can be used as-is. If you would rather build the image yourself, follow these steps:

1.1 Create a dockerfile

vi dockerfile

1.2 Paste the following into the dockerfile

Note 1: build on a server outside China if you can; connectivity from China to GitHub and Docker Hub is unreliable.

Note 2: this build targets the amd64 architecture. To build on arm, comment out or delete the line RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2 (that line works around the binary refusing to execute in the alpine image on amd64).

Note 3: as upstream versions change, the line numbers in cert.go move. At the time of writing the three lines to delete are 91–93, but check the file in the official repository before building, otherwise the build fails. The 91–93 range matches the v1.70.0 file linked at the end of this section, while go install ...@latest pulls the newest release, so verify the range against the code you are actually building; deleting the wrong lines breaks the build at best and leaves the hostname check in place at worst.

# Build stage
FROM golang:alpine AS builder

# Switch the module source to a Go module proxy in China
# RUN go env -w GOPROXY=https://goproxy.cn,direct

# Fetch the code
RUN go install tailscale.com/cmd/derper@latest

# Remove the hostname (SNI) check: delete lines 91-93 of cmd/derper/cert.go
RUN find /go/pkg/mod/tailscale.com@*/cmd/derper/cert.go -type f -exec sed -i '91,93d' {} +

# Build
RUN derper_dir=$(find /go/pkg/mod/tailscale.com@*/cmd/derper -type d) && \
    cd $derper_dir && \
    go build -o /etc/derp/derper

# Final image
FROM alpine:latest

WORKDIR /apps

COPY --from=builder /etc/derp/derper .

RUN ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime \
    && echo 'Asia/Shanghai' > /etc/timezone

ENV LANG=C.UTF-8

# Symlink that works around the binary failing to execute; required on amd64, not needed on arm
RUN mkdir /lib64 && ln -s /lib/libc.musl-x86_64.so.1 /lib64/ld-linux-x86-64.so.2

# Use a mirror for apk
RUN sed -i 's/dl-cdn.alpinelinux.org/mirrors.tuna.tsinghua.edu.cn/g' /etc/apk/repositories

# Install openssl
RUN apk add openssl && mkdir /ssl

# Generate a self-signed certificate valid for 10 years.
# The file names must be <hostname>.crt / <hostname>.key, matching the -hostname passed to derper below.
RUN openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /ssl/derp.javaow.com.key -out /ssl/derp.javaow.com.crt -subj "/CN=derp.javaow.com" -addext "subjectAltName=DNS:derp.javaow.com"

CMD ./derper -hostname derp.javaow.com -a :36666 -certmode manual -certdir /ssl

1.3 Build the image

The build context (the trailing dot) is required:

docker build -f dockerfile -t tailscale-derp .

Once the build finishes, the image shows up in the local image list:

docker images

Start it:

docker run -d --name tailscale-derp -p 36666:36666 -p 3478:3478/udp --restart=always tailscale-derp

1.4 Add the node

First, test access in a browser (a warning that the connection is not secure is expected, since the certificate is self-signed):

https://IP:36666

If the DERP landing page loads, the relay is reachable.

Open the admin console: Access controls – Tailscale

Replace your complete ACL JSON with the following, adapting the values: HostName is the relay's public IP, and "InsecureForTests": true tells clients to skip TLS certificate verification for this relay, which is what makes the self-signed certificate usable. Keep in mind what that buys you: the derper built in this section runs without client verification, so anyone who discovers the IP and port can relay traffic through it. The WireGuard traffic passing through it stays end-to-end encrypted, but the relay itself is open to anyone. Section 2 shows the variant with client verification.

// Example/default ACLs for unrestricted connections.
{
	// Declare static groups of users. Use autogroups for all users or users with a specific role.
	// "groups": {
	//  	"group:example": ["alice@example.com", "bob@example.com"],
	// },

	// Define the tags which can be applied to devices and by which users.
	// "tagOwners": {
	//  	"tag:example": ["autogroup:admin"],
	// },
	"derpMap": {
		"OmitDefaultRegions": true,
		"Regions": {
			"910": {
				"RegionID":   910,
				"RegionCode": "京东云8M",
				"Nodes": [
					{
						"Name":             "910",
						"RegionID":         910,
						"HostName":         "xxx.xxx.xxx.xxx",
						"InsecureForTests": true,
						"DERPPort":         36666,
					},
				],
				"RegionName": "京东云8M",
			},
		},
	},
	// Define grants that govern access for users, groups, autogroups, tags,
	// Tailscale IP addresses, and subnet ranges.
	"grants": [
		// Allow all connections.
		// Comment this section out if you want to define specific restrictions.
		{"src": ["*"], "dst": ["*"], "ip": ["*"]},

		// Allow users in "group:example" to access "tag:example", but only from
		// devices that are running macOS and have enabled Tailscale client auto-updating.
		// {"src": ["group:example"], "dst": ["tag:example"], "ip": ["*"], "srcPosture":["posture:autoUpdateMac"]},
	],

	// Define postures that will be applied to all rules without any specific
	// srcPosture definition.
	// "defaultSrcPosture": [
	//      "posture:anyMac",
	// ],

	// Define device posture rules requiring devices to meet
	// certain criteria to access parts of your system.
	// "postures": {
	//      // Require devices running macOS, a stable Tailscale
	//      // version and auto update enabled for Tailscale.
	// 	"posture:autoUpdateMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	    "node:tsAutoUpdate",
	// 	],
	//      // Require devices running macOS and a stable
	//      // Tailscale version.
	// 	"posture:anyMac": [
	// 	    "node:os == 'macos'",
	// 	    "node:tsReleaseTrack == 'stable'",
	// 	],
	// },

	// Define users and devices that can use Tailscale SSH.
	"ssh": [
		// Allow all users to SSH into their own devices in check mode.
		// Comment this section out if you want to define specific restrictions.
		{
			"action": "check",
			"src":    ["autogroup:member"],
			"dst":    ["autogroup:self"],
			"users":  ["autogroup:nonroot", "root"],
		},
	],

	// Test access rules every time they're saved.
	// "tests": [
	//  	{
	//  		"src": "alice@example.com",
	//  		"accept": ["tag:example"],
	//  		"deny": ["100.101.102.103:443"],
	//  	},
	// ],
}

Note: the setting to pay attention to is "OmitDefaultRegions": true, which means only our self-hosted node is used and Tailscale's official relays are dropped. In my own testing, whenever this was false, the self-hosted node showed no latency at all:

$ tailscale netcheck

2026/01/24 15:34:52 portmap: monitor: gateway and self IP changed: gw=10.128.0.1 self=10.128.2.89

Report:
	* Time: 2026-01-24T07:34:54.22227Z
	* UDP: true
	* IPv4: yes, 122.11.192.102:52482
	* IPv6: no, but OS has support
	* MappingVariesByDestIP: true
	* PortMapping: 
	* CaptivePortal: false
	* Nearest DERP: Hong Kong
	* DERP latency:
		- hkg: 43.1ms  (Hong Kong)
		- blr: 56.4ms  (Bengaluru)
		- tok: 73.7ms  (Tokyo)
		- sin: 74ms    (Singapore)
		- dbi: 81.8ms  (Dubai)
		- syd: 99.1ms  (Sydney)
		- fra: 160.9ms (Frankfurt)
		- sea: 161.9ms (Seattle)
		- par: 162ms   (Paris)
		- mad: 162.6ms (Madrid)
		- nue: 167.6ms (Nuremberg)
		- lhr: 170.2ms (London)
		- ams: 173.7ms (Amsterdam)
		- sfo: 179.3ms (San Francisco)
		- lax: 186.6ms (Los Angeles)
		- hel: 194.6ms (Helsinki)
		- waw: 197.8ms (Warsaw)
		- ord: 216ms   (Chicago)
		- dfw: 218.7ms (Dallas)
		- den: 226.7ms (Denver)
		- nyc: 228.1ms (New York City)
		- mia: 233.3ms (Miami)
		- hnl: 233.4ms (Honolulu)
		- tor: 241ms   (Toronto)
		- jnb: 304.8ms (Johannesburg)
		- iad: 306.3ms (Ashburn)
		- nai: 325.5ms (Nairobi)
		- sao: 363.7ms (São Paulo)
		- 京东云8M:         (京东云8M)

Once it is set to true, things look normal:

Report:
	* UDP: false
	* IPv4: (no addr found)
	* IPv6: no, but OS has support
	* MappingVariesByDestIP:
	* PortMapping:
	* CaptivePortal: true
	* Nearest DERP: 京东云8M
	* DERP latency:
		- 京东云8M: 24ms    (京东云8M)

Not sure whether this is an issue on my side; test it yourself.

A plausible reading of the two reports: the second one shows UDP: false and CaptivePortal: true, meaning netcheck got no STUN reply from the relay on 3478/udp. With the official regions present, netcheck measures latency over UDP (STUN) and leaves a region that never answers blank; with the relay as the only region it falls back to an HTTPS probe, which is where the 24ms comes from. So rather than relying on OmitDefaultRegions to hide the symptom, check that 3478/udp actually reaches the container (host firewall and the cloud security group); without a reachable STUN port, clients lose the endpoint discovery the relay is meant to provide and will relay more traffic than necessary.
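The following probe is an added example written for this page, not code from the original post or from Tailscale. It checks the two things tailscale netcheck relies on for a DERP region, which covers both the browser test in section 1.4 and the blank-latency note above: an HTTPS request to the relay's /derp/probe endpoint (the same check as opening https://IP:36666, with certificate verification disabled to mirror InsecureForTests) and a STUN Binding Request on 3478/udp. A relay whose HTTPS probe succeeds but whose STUN probe times out is exactly the situation that produces the blank latency in the first netcheck report. RELAY_HOST is a placeholder; the ports are the ones used in this section.

```python
"""Probe a self-hosted DERP relay the way `tailscale netcheck` does.

Added example for this page (not code from the original post or from Tailscale).
It checks the two things a DERP region needs to show latency in netcheck:
  1. HTTPS -> GET https://<relay>:<derp-port>/derp/probe must return 200
  2. STUN  -> a Binding Request (RFC 5389) to <relay>:3478/udp must be answered
RELAY_HOST is a placeholder; replace it with your relay's public IP.
"""
import os
import socket
import ssl
import struct
import sys
import urllib.request

RELAY_HOST = "203.0.113.10"   # placeholder (TEST-NET-3 address), not a real relay
DERP_PORT = 36666             # -a :36666 in the Dockerfile / docker run above
STUN_PORT = 3478              # derper's default STUN port, mapped with -p 3478:3478/udp

STUN_MAGIC_COOKIE = 0x2112A442
STUN_BINDING_REQUEST = 0x0001
STUN_BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txn_id: bytes) -> bytes:
    """20-byte STUN header: type, attribute length (0), magic cookie, 96-bit transaction ID."""
    if len(txn_id) != 12:
        raise ValueError("STUN transaction id must be 12 bytes")
    return struct.pack("!HHI", STUN_BINDING_REQUEST, 0, STUN_MAGIC_COOKIE) + txn_id


def parse_binding_response(pkt: bytes, txn_id: bytes):
    """Return the reflexive (ip, port) from a Binding Success Response.

    Only IPv4 is handled (netcheck reported "IPv6: no" above). Raises ValueError
    if the packet is not a success reply to txn_id or carries no IPv4 address.
    """
    if len(pkt) < 20:
        raise ValueError("short STUN packet")
    msg_type, length, cookie = struct.unpack("!HHI", pkt[:8])
    if cookie != STUN_MAGIC_COOKIE or pkt[8:20] != txn_id:
        raise ValueError("not a STUN reply to our transaction")
    if msg_type != STUN_BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type 0x{msg_type:04x}")
    body = pkt[20:20 + length]
    off = 0
    while off + 4 <= len(body):
        attr_type, attr_len = struct.unpack("!HH", body[off:off + 4])
        val = body[off + 4:off + 4 + attr_len]
        off += 4 + ((attr_len + 3) & ~3)          # attribute values are padded to 4 bytes
        if attr_type not in (ATTR_XOR_MAPPED_ADDRESS, ATTR_MAPPED_ADDRESS):
            continue
        if len(val) < 8 or val[1] != 0x01:        # val[1] is the address family; 0x01 = IPv4
            continue
        port = struct.unpack("!H", val[2:4])[0]
        addr = struct.unpack("!I", val[4:8])[0]
        if attr_type == ATTR_XOR_MAPPED_ADDRESS:  # XOR-MAPPED-ADDRESS is masked with the cookie
            port ^= STUN_MAGIC_COOKIE >> 16
            addr ^= STUN_MAGIC_COOKIE
        return socket.inet_ntoa(struct.pack("!I", addr)), port
    raise ValueError("no IPv4 mapped address in STUN response")


def stun_probe(host: str, port: int = STUN_PORT, timeout: float = 2.0):
    """Send one Binding Request; return the (ip, port) the relay saw, or None on timeout."""
    txn_id = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txn_id), (host, port))
        try:
            pkt, _ = s.recvfrom(1500)
        except socket.timeout:
            return None                           # this is what leaves the latency column blank
    return parse_binding_response(pkt, txn_id)


def https_probe(host: str, port: int = DERP_PORT, verify: bool = False, timeout: float = 5.0) -> int:
    """GET /derp/probe and return the HTTP status. verify=False skips certificate
    checks, which is what InsecureForTests: true makes Tailscale clients do."""
    ctx = ssl.create_default_context()
    if not verify:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    url = f"https://{host}:{port}/derp/probe"
    with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
        return resp.status


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else RELAY_HOST
    print("HTTPS /derp/probe status:", https_probe(host))
    reflexive = stun_probe(host)
    print("STUN reply:", reflexive if reflexive else "none (is 3478/udp open in the firewall / security group?)")
```

Run it as python3 derp_probe.py <relay-ip>. A 200 from /derp/probe together with a STUN reply means the relay is usable for both relaying and endpoint discovery; a 200 with no STUN reply reproduces the blank-latency symptom and points at the UDP port, not at the ACL.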

After building the image you can push it to Docker Hub so other machines can pull it directly instead of rebuilding.

The main thing to watch is that the line numbers in cert.go move between versions, and the 91,93d range in the dockerfile has to follow. What matters is that the three lines of the certificate hostname check are the ones deleted (the original post marked them in a screenshot; in the v1.70.0 file linked below they are lines 91–93):

https://github.com/tailscale/tailscale/blob/v1.70.0/cmd/derper/cert.go

2. Domain-name approach + client verification

First create the directory:

mkdir -p /opt/derper/cert

Then place the TLS certificate and private key in that directory, named:

derp3.machunjie.com.key
derp3.machunjie.com.pem

Don't forget to create the DNS record pointing the domain at this server.

Then install Tailscale and join this host to your tailnet; the relay's client verification will consult this local tailscaled:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up --netfilter-mode=off --accept-dns=false

Finally run the derper container. This is a third-party image; DERP_VERIFY_CLIENTS=true presumably maps to derper's -verify-clients flag, which asks the local tailscaled (via the mounted socket) whether each connecting node is a member of your tailnet and rejects the rest, which is why Tailscale had to be installed on the host first. --privileged grants the container every host capability, which derper itself does not need, so try without it and only add it back if the image genuinely fails without it.

docker run --restart always --net host --privileged --name derper -d  -v /opt/derper/cert/:/app/certs \
-v /run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock \
-e DERP_HOST=xxxx.xxxx.com -e DERP_VERIFY_CLIENTS=true \
chengxudong2020/ip_derper_for_synology_domain

Don't forget to change the domain above; DERP_HOST presumably has to match the name the certificate and key files are named after (derp3.machunjie.com here).
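For this domain-based relay the derpMap entry in the ACL differs from the one in section 1.4: HostName is the DNS name the certificate was issued for, and InsecureForTests is left out, so every client verifies the relay's certificate as usual and neither the self-signed certificate nor the patched hostname check from section 1 is needed. This is an added example, not from the original post; the DERPPort value is an assumption (derper listens on 443 by default, so set it to whatever port the container actually exposes) and the region ID and code are arbitrary.

```jsonc
"derpMap": {
	"OmitDefaultRegions": true,
	"Regions": {
		"911": {
			"RegionID":   911,
			"RegionCode": "derp3",
			"RegionName": "derp3.machunjie.com",
			"Nodes": [
				{
					"Name":     "911a",
					"RegionID": 911,
					"HostName": "derp3.machunjie.com", // must match the certificate's SAN; no InsecureForTests here
					"DERPPort": 443,                   // assumption: derper's default HTTPS port, adjust to the image
					"STUNPort": 3478,                  // default; with --net host the container must accept 3478/udp
				},
			],
		},
	},
},
```

After saving, tailscale netcheck should list derp3 with a latency; if it stays blank, check 3478/udp the same way as in section 1.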