ZDawn

Self-built tailscale derp relay server

Article Repost#

Exploring Tailscale DERP Relay Service | Kiprey's Blog
This post records my process of configuring DERP; almost all of the content comes from the article above. If you need the details, refer directly to that article: it is well written and its analysis of the process is accurate. A great example!

Configuration Requirements#

  • Public IP
  • Allow TCP/UDP inbound traffic

Configuring DERP Server#

Install golang#

# Requires a current Go release (1.21.6 shown here)
$ wget https://go.dev/dl/go1.21.6.linux-amd64.tar.gz
$ sudo rm -rf /usr/local/go && sudo tar -C /usr/local -xzf go1.21.6.linux-amd64.tar.gz
$ export PATH=$PATH:/usr/local/go/bin

# Verify the installed version
$ go version
# On a VPS in mainland China, set a Go module proxy; this is not needed outside China
$ go env -w GOPROXY=https://goproxy.cn,direct

# Install the Tailscale derper binary (it is placed in ~/go/bin/derper)
$ go install tailscale.com/cmd/derper@latest

Configure DERP Service and Manage with systemd#

# Configure environment variables
$ DERP_HOST="dawnz-derp" # This name can be arbitrary, but it must be reused for the self-signed certificate and in the derpMap later
$ DERP_PORT=8888
$ STUN_PORT=8889

# Self-signed certificate (the req step prompts for the subject fields interactively)
$ mkdir ~/.certdir && cd ~/.certdir
$ openssl genpkey -algorithm RSA -out ${DERP_HOST}.key
$ openssl req -new -key ${DERP_HOST}.key -out ${DERP_HOST}.csr
$ openssl x509 -req \
		-days 36500 \
		-in ${DERP_HOST}.csr \
		-signkey ${DERP_HOST}.key \
		-out ${DERP_HOST}.crt \
		-extfile <(printf "subjectAltName=DNS:${DERP_HOST}")

# Start the derp service with systemd
## 1. If the DERP server is public, you can start derper directly. However, anyone who knows your IP and port can then connect and use your relay's bandwidth.
## 2. To run it as a private relay, join the relay host to your tailnet (install tailscaled and log in), then start derper with --verify-clients so it only relays for nodes the local tailscaled knows about.

# Install tailscaled and perform login authentication
$ curl -fsSL https://tailscale.com/install.sh | sh
$ sudo tailscale up

# Create tailscale-derp.service
$ sudo systemctl edit -f tailscale-derp.service
# Paste the following content. systemd does not run a shell here, so replace ${USER}, ${DERP_PORT},
# ${STUN_PORT} and ${DERP_HOST} with their literal values before saving.
-----------
[Unit]
Description=Tailscale derp service
After=network.target

[Service]
ExecStart=/home/${USER}/go/bin/derper \
    -c /home/${USER}/.derper.key \
    -a :${DERP_PORT} -http-port -1 \
    -stun-port ${STUN_PORT} \
    -hostname ${DERP_HOST} \
    --certmode manual \
    -certdir /home/${USER}/.certdir \
    --verify-clients
Restart=always
User=${USER}

[Install]
WantedBy=multi-user.target
------------

# Start the service
$ sudo systemctl start tailscale-derp.service
# Check the status
$ sudo systemctl status tailscale-derp.service
# Enable auto-start on boot
$ sudo systemctl enable tailscale-derp.service

Configure iptables to allow inbound traffic on specific ports and configure security groups#

# Configure iptables to allow inbound traffic on 8888/tcp (DERP) and 8889/udp (STUN)
$ sudo iptables -A INPUT -p tcp --dport 8888 -j ACCEPT
$ sudo iptables -A INPUT -p udp --dport 8889 -j ACCEPT

# Some cloud service providers may require configuring security groups. Configure these two inbound ports in the web console security group settings.

Configure ACL#

Log in to the Tailscale admin console and select Access Controls.

  1. Add a single relay server
    Note: HostName must be the same as the DERP_HOST configured above. "InsecureForTests": true is needed because the certificate is self-signed: it makes clients skip TLS verification of the relay. The WireGuard tunnel still encrypts traffic end to end, so the relay only ever sees ciphertext, but clients cannot verify that they are talking to your relay rather than something else at that address.
...
{
	...
	"acls": [...],
	...
	"ssh": [...],
	...
	"derpMap": {
		"Regions": {
			"900": {
				"RegionID":   900,
				"RegionCode": "Dawnz1",
				"Nodes": [
					{
						"Name":             "dawnz-derp1",
						"RegionID":         900,
						"HostName":         "dawnz-derp",
						"IPv4":             "xx.xx.xx.xx",
						"DERPPort":         8888,
						"STUNPort":         8889,
						"InsecureForTests": true,
					},
				],
			},
		},
	},
	...
}
  2. Add multiple relay servers (each node's HostName must match the DERP_HOST of that server)
...
{
	...
	"acls": [...],
	...
	"ssh": [...],
	...
	"derpMap": {
		"OmitDefaultRegions": false,
		"Regions": {
			"900": {
				"RegionID":   900,
				"RegionCode": "Dawnz1",
				"Nodes": [
					{
						"Name":             "dawnz-derp1",
						"RegionID":         900,
						"HostName":         "dawnz-derp",
						"IPv4":             "xx.xx.xx.xx",
						"DERPPort":         8888,
						"STUNPort":         8889,
						"InsecureForTests": true,
					},
				],
			},
			"901": {
				"RegionID":   901,
				"RegionCode": "Dawnz2",
				"Nodes": [
					{
						"Name":             "Dawnz-derp2",
						"RegionID":         901,
						"HostName":         "dawnz-derp2",
						"IPv4":             "xx.xx.xx.xx",
						"DERPPort":         8888,
						"STUNPort":         8889,
						"InsecureForTests": true,
					},
				],
			},
		},
	},
	...
}
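The derpMap is easy to get subtly wrong by hand: a node's RegionID that does not match its region, a HostName that differs from the DERP_HOST the server was started with, or an "xx.xx.xx.xx" placeholder left in place. The following checker is an added example for this post, not code from the original article or from Tailscale. It strips HuJSON comments and trailing commas so the policy parses as JSON, then cross-checks the map. The sample policy and the EXPECTED_HOSTS set are constructed here, with two mistakes planted in region 901 so that the output shows what a failed check looks like; the 900-999 range is the convention this post's regions follow for custom IDs.

```python
import json
import re

# Constructed sample mirroring the two-region derpMap above. Two deliberate mistakes
# are planted in region 901: its node carries RegionID 900, and its HostName is
# misspelled relative to the DERP_HOST the second server was started with.
SAMPLE_POLICY = """
{
    // other policy sections (acls, ssh, ...) omitted
    "derpMap": {
        "OmitDefaultRegions": false,
        "Regions": {
            "900": {
                "RegionID": 900, "RegionCode": "Dawnz1",
                "Nodes": [{
                    "Name": "dawnz-derp1", "RegionID": 900, "HostName": "dawnz-derp",
                    "IPv4": "203.0.113.10", "DERPPort": 8888, "STUNPort": 8889,
                    "InsecureForTests": true,
                }],
            },
            "901": {
                "RegionID": 901, "RegionCode": "Dawnz2",
                "Nodes": [{
                    "Name": "dawnz-derp2", "RegionID": 900, "HostName": "danwz-derp2",
                    "IPv4": "203.0.113.11", "DERPPort": 8888, "STUNPort": 8889,
                    "InsecureForTests": true,
                }],
            },
        },
    },
}
"""

# The DERP_HOST each relay was started with (constructed for this example).
EXPECTED_HOSTS = {"dawnz-derp", "dawnz-derp2"}


def hujson_to_json(text: str) -> str:
    """Strip // and /* */ comments and trailing commas so json.loads accepts HuJSON.

    Minimal converter: it does not protect comment-like text inside string values,
    which is fine for a derpMap block but not for a policy file containing URLs.
    """
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def validate_derpmap(policy_text: str, expected_hosts: set) -> dict:
    """Return {"errors": [...], "warnings": [...]} for the derpMap in policy_text.

    Errors are inconsistencies that stop nodes from using the relay; warnings flag
    settings that work but weaken the relay's security posture.
    """
    errors, warnings = [], []
    policy = json.loads(hujson_to_json(policy_text))
    derp_map = policy.get("derpMap")
    if not isinstance(derp_map, dict):
        return {"errors": ["policy has no derpMap object"], "warnings": []}

    for key, region in derp_map.get("Regions", {}).items():
        rid = region.get("RegionID")
        if str(rid) != key:
            errors.append(f"region {key!r}: key does not match RegionID {rid!r}")
        # Custom regions use 900-999 so they cannot collide with Tailscale's own IDs.
        if not (isinstance(rid, int) and 900 <= rid <= 999):
            errors.append(f"region {key!r}: RegionID {rid!r} is outside 900-999")
        nodes = region.get("Nodes", [])
        if not nodes:
            errors.append(f"region {key!r}: has no Nodes")
        for node in nodes:
            name = node.get("Name", "<unnamed>")
            if node.get("RegionID") != rid:
                errors.append(f"node {name}: RegionID {node.get('RegionID')!r} != region RegionID {rid!r}")
            host = node.get("HostName")
            if host not in expected_hosts:
                errors.append(f"node {name}: HostName {host!r} matches no server's DERP_HOST")
            for port_key in ("DERPPort", "STUNPort"):
                port = node.get(port_key)
                if not (isinstance(port, int) and 1 <= port <= 65535):
                    errors.append(f"node {name}: {port_key} {port!r} is not a valid port")
            octets = str(node.get("IPv4", "")).split(".")
            if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
                errors.append(f"node {name}: IPv4 {node.get('IPv4')!r} is not a literal address")
            if node.get("InsecureForTests"):
                warnings.append(f"node {name}: InsecureForTests disables client TLS verification of this relay")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    result = validate_derpmap(SAMPLE_POLICY, EXPECTED_HOSTS)
    for level in ("errors", "warnings"):
        for msg in result[level]:
            print(f"{level[:-1].upper()}: {msg}")
```

Run against the sample, the checker reports two errors for region 901 and one warning per node for InsecureForTests; once the planted mistakes are corrected only the warnings remain, which is the expected state when relays use self-signed certificates as described above.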

Check the Status of the Relay Server#

  1. Run $ tailscale netcheck on any node to view the DERP status. If your region shows a latency value, the configuration is complete.
  2. If Tailscale's public DERP servers have high latency and you prefer to use only your own relays, set "OmitDefaultRegions": true in the derpMap, as shown in the multi-server configuration in the previous section. Your own relays are then the only relay path, so if they go down, nodes lose their relay fallback.

Enjoy!#

Tailscale's networking capabilities are really amazing, and it is very complete and robust in all aspects. The free version is basically enough for personal use, which is great! The only problem is that when I use my 5G phone from China Telecom to connect to my 600Mbps China Unicom broadband at home, the maximum speed I can achieve is 50Mbps. I don't know if UDP is limiting it, but it is still sufficient for use.
