Create a Tailscale derper #219

Open
Bpazy opened this issue Mar 17, 2022 · 2 comments
Labels
Wireguard networking

Comments

@Bpazy (Owner) commented Mar 17, 2022

Using the ngc7331/derper image

See the upstream repository for details: https://github.com/ngc7331/docker-derper

version: '3'
services:
  derper:
    image: ngc7331/derper:latest
    restart: unless-stopped
    ports:
      - 31001:443          # DERP over TLS; 31001 is the DERPPort referenced in the derpMap below
      - 3478:3478/udp      # STUN, used by clients to discover their public address
    volumes:
      # lets derper ask the host's tailscaled whether a connecting client belongs to this tailnet
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    environment:
      - DERP_HOSTNAME=derper.xxx.host
      - DERP_VERIFY_CLIENTS=true
      - ACME_SH_EMAIL=xxx@outlook.com
      - ACME_SH_DNSAPI=dns_ali       # DNS-01 challenge through Alibaba Cloud DNS
      - Ali_Key=xxx                  # placeholders for the DNS API credentials
      - Ali_Secret=xxx

The advantage is that it has acme.sh built in and can request certificates automatically, which is very convenient.

(Not recommended) Using the fredliang/derper image

version: '3'
services:
  derper:
    image: fredliang/derper:latest
    restart: unless-stopped
    ports:
      - 31001:443
      - 3478:3478/udp
    volumes:
      # needed for the DERP_VERIFY_CLIENTS setting: derper asks the host's tailscaled about connecting clients
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
      # nginx's certificate directory, reused as derper's certificate directory (see below)
      - /etc/nginx/ssl:/app/certs
    environment:
      - DERP_CERT_MODE=manual
      - DERP_DOMAIN=example.com
      - DERP_ADDR=:443
      # only allow devices logged in to the current tailscale account to connect
      - DERP_VERIFY_CLIENTS=true

ls /etc/nginx/ssl

example.com.crt  example.com.key

Why use the SSL certificate under nginx directly? Because I couldn't be bothered to request another certificate for a subdomain with acme.sh.

Also, the certificate file name derper reads by default has a fixed format: <domain>.crt

Start derper: sudo docker-compose up -d

Configure Tailscale Access Controls, along these lines:

// Example/default ACLs for unrestricted connections.
{
  // Declare static groups of users beyond those in the identity service.
  "groups": {
    "group:example": [ "user1@example.com", "user2@example.com" ],
  },
  // Declare convenient hostname aliases to use in place of IP addresses.
  "hosts": {
    "example-host-1": "100.100.100.100",
  },
  // Access control lists.
  "acls": [
    // Match absolutely everything. Comment out this section if you want
    // to define specific ACL restrictions.
    { "action": "accept", "users": ["*"], "ports": ["*:*"] },
  ],
  "derpMap": {
    // Drop Tailscale's default relays; only the region(s) listed here are used.
    "OmitDefaultRegions": true,
    "Regions": { "900": {
      "RegionID": 900,
      "RegionCode": "myderp",
      "Nodes": [{
          "Name": "1",
          "RegionID": 900,
          "HostName": "example.com",   // clients verify the derper's TLS certificate against this name
          "DERPPort": 31001            // host port mapped to the container's 443 above
      }]
    }}
  }
}
Bpazy added the Wireguard networking label Mar 17, 2022
@Bpazy (Owner, Author) commented Apr 6, 2022

Automatically restart derper after the SSL certificate is renewed

Note that this is based on the fredliang/derper image, with the SSL certificate maintained outside the container.

I use acme.sh to request and automatically renew certificates. It provides a hook that runs when a certificate is renewed, called reloadcmd, so all that is needed is to add the command that restarts derper to reloadcmd.

For example, my original reloadcmd was:

--reloadcmd "systemctl restart nginx"

Now it becomes:

--reloadcmd "systemctl restart nginx && docker-compose -f /home/ubuntu/derper-docker/docker-compose.yaml up -d --force-recreate"
  1. On how to change reloadcmd after the certificate has been generated: it is best to do it with the acme.sh --installcert command, see: How can I change the reloadcmd command after the certificate has been generated? acmesh-official/acme.sh#2029
  2. For my detailed acme.sh configuration, see: acme.sh usage notes #138

After switching the container management tool from docker compose to Portainer, the derper container could no longer be recreated with that command, so for now I changed it to restart the container by container name with the docker command:

--reloadcmd "systemctl restart nginx && docker restart derper-derper-1"

The container name is taken from the Portainer UI.
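As an added example (my own, not the author's hook) of what the reloadcmd could run instead of a bare docker restart: it restarts the container and then keeps handshaking with the DERP port until the leaf certificate being served is byte-for-byte the one acme.sh installed, exiting non-zero otherwise so acme.sh logs the failure. The container name derper-derper-1, port 31001 and cert path /etc/nginx/ssl/example.com.crt are the values from this comment; SAMPLE_FULLCHAIN is constructed and is not a real certificate.

```python
"""Reload hook for the acme.sh reloadcmd above: restart the derper container and
confirm the DERP port is serving the certificate that was just installed.

Added example, not the issue author's hook. Container name, port and cert path
default to the values in the comment; SAMPLE_FULLCHAIN is constructed, not a
real certificate, and exists only so the comparison can be exercised offline."""
import socket
import ssl
import subprocess
import sys
import time

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"


def leaf_der_from_pem(pem_text: str) -> bytes:
    """DER bytes of the first certificate in a PEM file (the leaf of a fullchain)."""
    start = pem_text.find(PEM_BEGIN)
    if start < 0:
        raise ValueError("no certificate block found")
    stop = pem_text.find(PEM_END, start)
    if stop < 0:
        raise ValueError("unterminated certificate block")
    return ssl.PEM_cert_to_DER_cert(pem_text[start:stop + len(PEM_END)])


def served_matches(served_der: bytes, installed_pem: str) -> bool:
    """True when the leaf the server presents is byte-identical to the installed one."""
    return served_der == leaf_der_from_pem(installed_pem)


def fetch_served_cert(host: str, port: int, timeout: float = 5.0) -> bytes:
    """TLS handshake with the DERP port; return the presented leaf in DER.

    Chain verification is disabled on purpose: a stale or wrong certificate is
    exactly what we want to observe and report, not have the handshake hide."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def restart_and_verify(container: str, host: str, port: int, pem_path: str,
                       attempts: int = 10, delay: float = 3.0) -> bool:
    """docker restart <container>, then poll until the served leaf equals the installed file."""
    subprocess.run(["docker", "restart", container], check=True)
    with open(pem_path, encoding="ascii") as f:
        installed = f.read()
    for _ in range(attempts):
        try:
            if served_matches(fetch_served_cert(host, port), installed):
                return True
        except OSError:
            pass                      # container still starting, or TLS not up yet
        time.sleep(delay)
    return False


# Constructed stand-in for /etc/nginx/ssl/example.com.crt: a leaf followed by an intermediate.
SAMPLE_LEAF_DER = b"constructed leaf - not a real certificate"
SAMPLE_FULLCHAIN = (ssl.DER_cert_to_PEM_cert(SAMPLE_LEAF_DER)
                    + ssl.DER_cert_to_PEM_cert(b"constructed intermediate"))


if __name__ == "__main__":
    # usage: derper_reload.py [container] [host] [port] [pem]; defaults are this comment's values
    defaults = ["derper-derper-1", "example.com", "31001", "/etc/nginx/ssl/example.com.crt"]
    args = sys.argv[1:] + defaults[len(sys.argv) - 1:]
    ok = restart_and_verify(args[0], args[1], int(args[2]), args[3])
    print("derper is serving the installed certificate" if ok
          else "derper did NOT pick up the new certificate")
    sys.exit(0 if ok else 1)
```

With the script saved as, say, /usr/local/bin/derper_reload.py (an assumed path), the hook becomes --reloadcmd "systemctl restart nginx && python3 /usr/local/bin/derper_reload.py derper-derper-1 example.com 31001 /etc/nginx/ssl/example.com.crt", and a renewal that restarts the container without the new certificate being served shows up in acme.sh's log as a failed reloadcmd instead of going unnoticed until clients start rejecting the relay.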

@Bpazy (Owner, Author) commented Apr 6, 2024

Migrating from docker to k8s

A lesson learned: k3s runs on top of the tailscale network, tailscale in turn depends on the self-hosted derper for relaying, and acme.sh restarts derper after renewing the certificate, which brought the k3s network down, and k3s could not recover.

In the end I recovered k3s by configuring tailscale to use other derpers. k3s users, take note of this.

apiVersion: v1
kind: PersistentVolume
metadata:
  name: derper-ssl-local-pv
spec:
  capacity:
    storage: 1Gi
  volumeMode: Filesystem
  accessModes:
  - ReadWriteOnce
  persistentVolumeReclaimPolicy: Retain
  storageClassName: derper-ssl-local-storage
  local:
    path: /etc/nginx/ssl
  nodeAffinity:
    required:
      nodeSelectorTerms:
      - matchExpressions:
        - key: kubernetes.io/hostname
          operator: In
          values:
          - shan-tencent

---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
  name: derper-ssl-local-storage
provisioner: kubernetes.io/no-provisioner
volumeBindingMode: WaitForFirstConsumer

---
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
  name: derper-ssl-pvc-local
spec:
  accessModes:
  - ReadWriteOnce
  resources:
    requests:
      storage: 100Mi
  storageClassName: derper-ssl-local-storage

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: derper
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      name: derper
  template:
    metadata:
      labels:
        name: derper
    spec:
      containers:
      - name: derper
        image: fredliang/derper:latest
        ports:
        - containerPort: 3478
          protocol: UDP
        - containerPort: 80
        - containerPort: 443
        volumeMounts:
        - name: ssl
          mountPath: /app/certs
        env:
        - name: DERP_CERT_MODE
          value: "manual"
        - name: DERP_DOMAIN
          value: "example.com"
      volumes:
      - name: ssl
        persistentVolumeClaim:
          claimName: derper-ssl-pvc-local

---
apiVersion: v1
kind: Service
metadata:
  name: derper
spec:
  type: NodePort
  selector:
    name: derper
  ports:
  - name: p1
    port: 31002
    targetPort: 3478
    nodePort: 31002
    protocol: UDP
  - name: p2
    port: 31000
    targetPort: 80
    nodePort: 31000
  - name: p3
    port: 31001
    targetPort: 443
    nodePort: 31001

Note that the container restart command has to change as well:

acme.sh --installcert -d example.com \
  --key-file /etc/nginx/ssl/example.com.key \
  --fullchain-file /etc/nginx/ssl/fullchain.cer \
  --reloadcmd "kubectl scale deployment derper --replicas=0 && kubectl scale deployment derper --replicas=1"
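An added lint for the derpMap (not part of this issue or of Tailscale's tooling) that covers both the ACL from the first comment and the failure this comment describes: it parses the HuJSON the ACL editor accepts (comments, trailing commas) with the standard library only, checks that region keys, RegionIDs, HostName and DERPPort are consistent, and warns when OmitDefaultRegions is true with fewer than two nodes, because then the single self-hosted derper is the only relay the tailnet has and restarting it (from the reloadcmd above, or a kubectl scale to zero) takes everything riding on it down, k3s included. SAMPLE_ACL reproduces the relevant part of the first comment's ACL.

```python
"""Lint the derpMap section of a Tailscale ACL (the HuJSON from the first comment).

Added example, not from the issue or from Tailscale. SAMPLE_ACL is the first
comment's map; the single-node check encodes the k3s outage described above."""
import json
import sys


def load_hujson(text: str):
    """Parse HuJSON (JSON plus //, /* */ comments and trailing commas) with the
    stdlib json module. Comment markers inside strings are left untouched."""
    out = []
    pending = None          # index in `out` of a comma that may turn out to be trailing
    in_str = False
    i, n = 0, len(text)
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            if c == "\\" and i + 1 < n:
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
        elif text.startswith("//", i):
            nl = text.find("\n", i)
            i = n if nl < 0 else nl
            continue
        elif text.startswith("/*", i):
            end = text.find("*/", i + 2)
            i = n if end < 0 else end + 2
            continue
        else:
            if c == '"':
                in_str = True
            if c == ",":
                pending = len(out)
            elif not c.isspace():
                if c in "}]" and pending is not None:
                    del out[pending]        # comma followed only by whitespace/comments
                pending = None
            out.append(c)
        i += 1
    return json.loads("".join(out))


def lint_derpmap(acl: dict) -> list:
    """Return a list of problems; an empty list means the derpMap looks sane."""
    problems = []
    derp_map = acl.get("derpMap")
    if not derp_map:
        return ["no derpMap: the tailnet will use only Tailscale's default relays"]
    total_nodes = 0
    for key, region in derp_map.get("Regions", {}).items():
        rid = region.get("RegionID")
        if str(rid) != str(key):
            problems.append(f"region key {key!r} does not match its RegionID {rid!r}")
        if not isinstance(rid, int) or rid < 900:
            problems.append(f"region {key}: RegionID {rid!r} may collide with Tailscale's "
                            "built-in regions (custom maps conventionally use 900-999)")
        nodes = region.get("Nodes") or []
        if not nodes:
            problems.append(f"region {key}: no Nodes")
        for node in nodes:
            name = node.get("Name", "?")
            if node.get("RegionID") != rid:
                problems.append(f"node {name}: RegionID {node.get('RegionID')!r} differs from region {rid!r}")
            if not node.get("HostName"):
                problems.append(f"node {name}: HostName missing; clients verify the derper's TLS certificate against it")
            port = node.get("DERPPort", 443)
            if not isinstance(port, int) or not 0 < port < 65536:
                problems.append(f"node {name}: DERPPort {port!r} is not a valid port")
        total_nodes += len(nodes)
    if derp_map.get("OmitDefaultRegions") and total_nodes < 2:
        problems.append("OmitDefaultRegions is true with fewer than two nodes: restarting the only "
                        "derper (e.g. from an acme.sh reloadcmd) leaves the tailnet without any relay")
    return problems


# The first comment's ACL, trimmed to what the lint needs; comments and trailing commas kept on purpose.
SAMPLE_ACL = """
// Example/default ACLs for unrestricted connections.
{
  "acls": [
    { "action": "accept", "users": ["*"], "ports": ["*:*"] },   // trailing comma before ]
  ],
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": { "900": {
      "RegionID": 900,
      "RegionCode": "myderp",
      "Nodes": [{
          "Name": "1",
          "RegionID": 900,
          "HostName": "example.com",
          "DERPPort": 31001
      }]
    }}
  }
}
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_ACL
    for problem in lint_derpmap(load_hujson(text)):
        print("WARN:", problem)
```

Run it against the ACL before saving it in the admin console; for the map in this issue the only warning is the single-node one, and the two ways out are either a second node in the region or leaving OmitDefaultRegions off so Tailscale's own relays remain as a fallback while the self-hosted derper restarts.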
