Environment
Debian 12.7.0
I run the whole walkthrough as root.
su -
apt-get install libpcre3 libpcre3-dev libssl-dev zlib1g-dev make unzip
Disable the firewall
iptables -F
iptables -X
iptables -P INPUT ACCEPT
iptables -P FORWARD ACCEPT
iptables -P OUTPUT ACCEPT
I only do this to keep the demo simple.
In practice it is enough to open headscale's TCP port and derper's UDP and TCP ports.
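Instead of flushing every rule, here is an added example (my own script, not part of the original post) of a minimal iptables rule set that opens only the ports this guide uses: 3355/tcp for the nginx front end to headscale, 33445/tcp and 33446/tcp for derper, and 3478/udp for STUN. Port 22/tcp for SSH is an assumption added so the host stays reachable; set DRY_RUN=1 to print the commands instead of applying them.

```shell
#!/bin/sh
# Added example, not from the original post: open only the ports this
# guide uses instead of flushing every rule. Port numbers are the guide's;
# 22/tcp for SSH is an assumption so the host stays reachable.
# DRY_RUN=1 prints the iptables commands instead of executing them.

HEADSCALE_TCP=${HEADSCALE_TCP:-3355}   # nginx in front of headscale
DERP_TLS_TCP=${DERP_TLS_TCP:-33445}    # derper -a
DERP_HTTP_TCP=${DERP_HTTP_TCP:-33446}  # derper -http-port
DERP_STUN_UDP=${DERP_STUN_UDP:-3478}   # derper -stun-port
SSH_TCP=${SSH_TCP:-22}                 # assumed; not part of the guide

# run CMD...: execute the command, or only print it when DRY_RUN=1
run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# apply_firewall: rebuild the INPUT chain with a default-deny policy.
# Loopback and established traffic are allowed first so existing sessions
# survive; the policy is switched to DROP only after the allow rules exist.
apply_firewall() {
    run iptables -P INPUT ACCEPT
    run iptables -F INPUT
    run iptables -A INPUT -i lo -j ACCEPT
    run iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$SSH_TCP" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$HEADSCALE_TCP" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$DERP_TLS_TCP" -j ACCEPT
    run iptables -A INPUT -p tcp --dport "$DERP_HTTP_TCP" -j ACCEPT
    run iptables -A INPUT -p udp --dport "$DERP_STUN_UDP" -j ACCEPT
    run iptables -P INPUT DROP
}

# Usage: save as firewall.sh, then
#   DRY_RUN=1 sh -c '. ./firewall.sh; apply_firewall'   # preview
#   sh -c '. ./firewall.sh; apply_firewall'             # apply (as root)
```

The rules are not persisted across reboots by this script; on Debian, iptables-persistent or an nftables unit can do that once you are happy with the preview.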
Install Go
Pick whichever version suits you.
apt update
apt upgrade
apt install wget git openssl curl
wget https://go.dev/dl/go1.23.1.linux-amd64.tar.gz
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.23.1.linux-amd64.tar.gz
# Environment variable: append this line to the end of the profile
vim /etc/profile
export PATH=$PATH:/usr/local/go/bin
source /etc/profile
# Verify
go version
Install derper
Inside mainland China you need to configure a proxy first.
go env -w GO111MODULE=on
go env -w GOPROXY=https://goproxy.cn,direct
go install tailscale.com/cmd/derper@main
cd ~/go/pkg/mod/tailscale.com*/cmd/derper/
vim cert.go # comment out these 3 lines
//if hi.ServerName != m.hostname {
// return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
//}
go build -o /etc/derp/derper
# the derp.myself.com name is not really used; you can leave it unchanged
openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes -keyout /etc/derp/derp.myself.com.key -out /etc/derp/derp.myself.com.crt -subj "/CN=derp.myself.com" -addext "subjectAltName=DNS:derp.myself.com"
# run derper as a service; -a is the HTTPS port and -http-port the HTTP port
vim /etc/systemd/system/derp.service
[Unit]
Description=TS Derper
After=network.target
Wants=network.target
[Service]
User=root
Restart=always
ExecStart=/etc/derp/derper -hostname derp.myself.com -a :33445 -http-port 33446 -stun-port 3478 -certmode manual -certdir /etc/derp
RestartPreventExitStatus=1
[Install]
WantedBy=multi-user.target
systemctl enable derp
systemctl start derp
Open https://【your IP】:33445/ to verify.
If you are not setting up headscale, just go to the Tailscale website and authorise your derper there.
Stop others freeloading on your derper
First register the derper server as a node in your own tailnet.
vim /etc/systemd/system/derp.service
# append the --verify-clients flag to the ExecStart line
systemctl daemon-reload
systemctl restart derp
Install headscale
Pick whichever version suits you.
wget --output-document=headscale.deb "https://github.com/juanfont/headscale/releases/download/v0.23.0/headscale_0.23.0_linux_amd64.deb"
dpkg --install headscale.deb
vim /etc/headscale/config.yaml
server_url: http://【your IP】:3355 # this is the TCP port
prefixes:
#v6: fd7a:115c:a1e0::/48 # comment out this line
systemctl enable headscale
systemctl start headscale
Install headscale-ui
Pick whichever version suits you.
cd ~
wget --output-document=headscale-ui.zip "https://github.com/gurucomputing/headscale-ui/releases/download/2024.02.24-beta1/headscale-ui.zip"
unzip -d /var/www headscale-ui.zip
Install nginx; I won't cover that here.
Pick whichever version suits you.
Add this inside the http block:
map $http_upgrade $connection_upgrade {
default upgrade;
'' close;
}
Configure a server block:
server {
listen 3355;
listen [::]:3355;
server_name 【你的IP】;
location / {
proxy_pass http://127.0.0.1:8080; # must match the listen address in your headscale config, /etc/headscale/config.yaml
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $connection_upgrade;
proxy_set_header Host $server_name;
proxy_buffering off;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
}
location /web/ {
index index.html;
alias /var/www/web/;
}
}
Don't forget to start nginx.
headscale apikeys create --expiration 9999d
Copy the returned value (the API key).
Open in a browser:
http://【your IP and port】/web/
Click Settings.
Paste the API key you copied into the corresponding field.
Connect headscale to your self-hosted derper
vim /var/www/derp.json
{
"Regions": {
"901": {
"RegionID":901,
"RegionCode":"Myself",
"RegionName":"Myself Derper",
"Nodes": [
{
"Name": "901a",
"RegionID": 901,
"DERPPort": 33445,
"STUNPort": 3478,
"IPv4": "【your IP】",
"HostName": "derp.myself.com",
"InsecureForTests":true
}
]
}
}
}
Add another server block in nginx:
server {
listen 80;
listen [::]:80;
server_name 127.0.0.1;
location /d/ {
alias /var/www/;
}
}
vim /etc/headscale/config.yaml
Above the line - https://controlplane.tailscale.com/derpmap/default, add a line:
- http://127.0.0.1/d/derp.json
Then comment out the original line so it reads: #- https://controlplane.tailscale.com/derpmap/default
Restart nginx and headscale.
If you enabled the anti-freeloading flag on derper earlier, don't forget to join the derper server to your own headscale with tailscale.
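To keep derp.json and derp.service in step, here is an added example (my own script, not part of the original post) that writes derp.json from a few parameters and checks that DERPPort and STUNPort match the -a and -stun-port values on derper's ExecStart line; a mismatch there is a common reason clients never reach the relay. Defaults are the guide's values; the IPv4 argument is a placeholder you must supply, and InsecureForTests should stay true only while the derper uses the self-signed certificate.

```shell
#!/bin/sh
# Added example, not part of the original post: generate derp.json from the
# values used in derp.service and verify that both agree. Ports and region
# id default to the guide's; the IPv4 address is supplied by the caller.

# write_derp_map OUTFILE IPV4 [HOSTNAME] [DERP_PORT] [STUN_PORT] [REGION_ID] [INSECURE]
write_derp_map() {
    out=$1; ipv4=$2
    hostname=${3:-derp.myself.com}
    derp_port=${4:-33445}
    stun_port=${5:-3478}
    region_id=${6:-901}
    insecure=${7:-true}   # true only while derper runs with a self-signed cert
    cat > "$out" <<EOF
{
  "Regions": {
    "$region_id": {
      "RegionID": $region_id,
      "RegionCode": "Myself",
      "RegionName": "Myself Derper",
      "Nodes": [
        {
          "Name": "${region_id}a",
          "RegionID": $region_id,
          "DERPPort": $derp_port,
          "STUNPort": $stun_port,
          "IPv4": "$ipv4",
          "HostName": "$hostname",
          "InsecureForTests": $insecure
        }
      ]
    }
  }
}
EOF
}

# json_num FILE KEY: the integer after "KEY": in a one-node derp map
json_num() {
    sed -n "s/.*\"$2\": *\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# service_port UNIT FLAG: the port given to FLAG on the ExecStart line,
# accepting both "-a :33445" and "-stun-port 3478" forms
service_port() {
    sed -n "s/.*ExecStart=.* $2 :*\([0-9][0-9]*\).*/\1/p" "$1" | head -n 1
}

# check_derp_map DERP_JSON UNIT: 0 when the map's ports match derper's flags
check_derp_map() {
    map_derp=$(json_num "$1" DERPPort)
    map_stun=$(json_num "$1" STUNPort)
    svc_derp=$(service_port "$2" -a)
    svc_stun=$(service_port "$2" -stun-port)
    [ -n "$map_derp" ] && [ "$map_derp" = "$svc_derp" ] || {
        echo "DERPPort '$map_derp' does not match derper -a '$svc_derp'" >&2; return 1; }
    [ -n "$map_stun" ] && [ "$map_stun" = "$svc_stun" ] || {
        echo "STUNPort '$map_stun' does not match derper -stun-port '$svc_stun'" >&2; return 1; }
    return 0
}

# Usage on the server (as root), with the guide's paths:
#   . ./derpmap.sh
#   write_derp_map /var/www/derp.json 【your IP】
#   check_derp_map /var/www/derp.json /etc/systemd/system/derp.service
```

Run the check again whenever derp.service is edited; the headscale side only needs a restart after derp.json changes.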
Add clients
Copy the returned value: mkey together with the string that follows it.
In headscale-ui, add the new device and bind it to a user.
For how each client type joins headscale, see the headscale website:
https://headscale.net/android-client/
https://headscale.net/apple-client/
https://headscale.net/windows-client/
Set up routes
On the Tailscale node that will forward traffic:
echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.d/99-tailscale.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.d/99-tailscale.conf
sysctl -p /etc/sysctl.d/99-tailscale.conf
Just add one flag when bringing tailscale up: --advertise-routes=192.168.1.0/24
tailscale down
tailscale up --login-server=http://【你的IP】:3355 --advertise-routes=192.168.0.0/24,192.168.1.0/24
The route must be approved in headscale-ui before it takes effect.
Other Linux nodes need the --accept-routes=true option when they start, to say "I accept routes advertised by other nodes".
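The two tee -a lines above append a fresh copy of each key every time they are run. As an added example (my own script, not from the original post), this writes the same two forwarding keys idempotently, one line per key, and only calls sysctl -p when DRY_RUN is unset; the file path defaults to the guide's /etc/sysctl.d/99-tailscale.conf.

```shell
#!/bin/sh
# Added example, not part of the original post: enable IPv4/IPv6 forwarding
# for a subnet router without duplicating lines in the sysctl file.

# set_sysctl CONF KEY VALUE: replace KEY's line in CONF, or append it
set_sysctl() {
    conf=$1; key=$2; value=$3
    [ -f "$conf" ] || : > "$conf"
    if grep -q "^$key *=" "$conf"; then
        # rewrite through a temp file; sed -i differs between GNU and BSD
        sed "s|^$key *=.*|$key = $value|" "$conf" > "$conf.tmp" && mv "$conf.tmp" "$conf"
    else
        printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
}

# enable_forwarding [CONF]: write both keys, then load them (unless DRY_RUN=1)
enable_forwarding() {
    conf=${1:-/etc/sysctl.d/99-tailscale.conf}
    set_sysctl "$conf" net.ipv4.ip_forward 1
    set_sysctl "$conf" net.ipv6.conf.all.forwarding 1
    if [ "${DRY_RUN:-0}" != 1 ]; then
        sysctl -p "$conf"
    fi
}

# count_key CONF KEY: number of lines in CONF that set KEY (expect exactly 1)
count_key() {
    grep -c "^$2 *=" "$1"
}

# Usage (as root): . ./forwarding.sh; enable_forwarding
```

Run it as often as you like; the file ends up with exactly one line per key, and sysctl -p applies the values immediately on the forwarding node.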
References
https://www.youtube.com/watch?v=mgDpJX3oNvI
https://phyng.com/2023/04/06/headscale.html
After upgrading headscale, the UI needs upgrading as well; download it from:
https://github.com/gurucomputing/headscale-ui/releases/download/2025.08.23/headscale-ui.zip