headscale has a built-in DERP server; enabling it in the config is enough.
For better relaying, though, you can run additional DERP relay servers on other nodes.
0. First install a Tailscale client on the node and register it with Headscale
This is so the DERP server you set up can turn on client verification: derper's --verify-clients asks the local tailscaled whether a connecting client belongs to the tailnet.
1. Install DERP
# Install the DERP server
go install tailscale.com/cmd/derper@main
2. Verify
# derper --hostname=your-hostname.com --verify-clients
2022/11/25 10:19:35 no config path specified; using /var/lib/derper/derper.key
2022/11/25 10:19:35 derper: serving on :443 with TLS
2022/11/25 10:19:35 running STUN server on [::]:3478
derper --hostname=域名 -c $HOME/derper.conf -http-port -1 -a :81 --verify-clients=true --stun
Explanation
If -a is not given, derper listens on :443 by default.
When it listens on :443 and --certmode=manual is not given, it automatically requests a certificate via ACME for the domain given by --hostname.
When -a is set to a port other than :443 and --certmode=manual is not given, it serves plain HTTP only.
2.
# Copy the binary to a system executable directory
mv ${GOPATH}/bin/derper /usr/local/bin
setcap cap_net_bind_service=+ep /usr/local/bin/derper
# Create the service user and its working directory
useradd \
  --create-home \
  --home-dir /var/lib/derper/ \
  --system \
  --user-group \
  --shell /usr/sbin/nologin \
  derper
3. systemd configuration
/lib/systemd/system/derper.service
or /etc/systemd/system/derper.service
[Unit]
Description=tailscale derper server
After=syslog.target
After=network.target

[Service]
Type=simple
User=derper
Group=derper
ExecStart=/usr/local/bin/derper -c=/var/lib/derper/derper.key -a=:8989 -stun-port=3456 -verify-clients
Restart=always
RestartSec=5

# Optional security enhancements
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/derper /var/run/derper
AmbientCapabilities=CAP_NET_BIND_SERVICE
RuntimeDirectory=derper

[Install]
WantedBy=multi-user.target
4. Start
systemctl enable derper --now
5. Edit the configuration on the headscale server to enable this DERP
/etc/headscale/derper.yaml
Contents:
regions:
  901:
    regionid: 901
    regioncode: cn
    regionname: "CUCC LTE"
    nodes:
      - name: cucc-derper
        regionid: 901
        # Change this to your own domain
        hostname: derper.xxxxx.com
        # IP of the derper node; can be left unset
        # ipv4: 123.123.123.123
        # STUN port configured on the derper
        stunport: 3456
        stunonly: false  # false means the node offers DERP in addition to STUN
        derpport: 23456  # default is 443
Opening https://derp.XXXX.com:23456 should show a page.
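The unit file and derper.yaml have to agree: headscale tells clients to reach the relay at hostname:derpport (and stunport), while the ports derper actually binds come from -a and -stun-port in the unit. The check below is an added example, not part of the original notes or of headscale/tailscale; the derper.yaml fragment and ExecStart line are constructed to mirror the ones on this page, with derper.example.com as a placeholder hostname.

```python
import re
# Constructed sample: the region file headscale loads (the page's derper.yaml).
DERPER_YAML = """\
regions:
  901:
    regionid: 901
    nodes:
      - name: cucc-derper
        hostname: derper.example.com
        stunport: 3456
        stunonly: false
        derpport: 23456
"""
# Constructed sample: the ExecStart= line of the page's derper systemd unit.
EXEC_START = ("ExecStart=/usr/local/bin/derper -c=/var/lib/derper/derper.key "
              "-a=:8989 -stun-port=3456 -verify-clients")

def parse_unit_flags(exec_start: str) -> dict:
    """Ports derper really listens on; missing flags use its defaults (:443, 3478)."""
    cmd = exec_start.split("=", 1)[1]
    addr = re.search(r"\s-a[= ](\S+)", cmd)
    stun = re.search(r"\s-stun-port[= ](\d+)", cmd)
    verify = re.search(r"\s-verify-clients(?:=(true|false))?(?=\s|$)", cmd)
    return {
        "derpport": int(addr.group(1).rsplit(":", 1)[1]) if addr else 443,
        "stunport": int(stun.group(1)) if stun else 3478,
        "verify_clients": bool(verify) and verify.group(1) != "false",
    }

def parse_derp_node(yaml_text: str) -> dict:
    """First node of derper.yaml without PyYAML; unset ports take the DERP map defaults."""
    def field(key, default):
        m = re.search(rf"^\s*{key}:\s*(\S+)", yaml_text, re.M)
        return m.group(1) if m else default
    return {"hostname": field("hostname", "?"),
            "derpport": int(field("derpport", 443)),
            "stunport": int(field("stunport", 3478))}

def check_consistency(yaml_text: str, exec_start: str) -> list:
    """Findings as strings; an empty list means headscale advertises what derper serves."""
    unit, node = parse_unit_flags(exec_start), parse_derp_node(yaml_text)
    findings = [f"{node['hostname']}: derper.yaml {k}={node[k]} but the unit serves {k}={unit[k]}"
                for k in ("derpport", "stunport") if node[k] != unit[k]]
    if not unit["verify_clients"]:  # without it, clients of any tailnet can use the relay
        findings.append("derper runs without -verify-clients")
    return findings

if __name__ == "__main__":
    print("\n".join(check_consistency(DERPER_YAML, EXEC_START)) or "OK: configs agree")
```

On the sample inputs it reports that derpport 23456 does not match the unit's -a=:8989, the same mismatch present between the unit file and derper.yaml shown above; change one of the two so they agree before restarting headscale.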
6. Edit /etc/headscale/config.yaml as follows
derp:
  server:
    # Disable Headscale's built-in Derper server here
    enabled: false
  # Leave urls empty so the official default Derper map is not loaded
  urls: []
  # Absolute path of the Derper node configuration
  paths:
    - /etc/headscale/derper.yaml
  # If enabled, a worker will be set up to periodically
  # refresh the given sources and update the derpmap
  # will be set up.
  auto_update_enabled: true
  # How often should we check for DERP updates?
  update_frequency: 24h
Restart the headscale service.
Restart the client, then run on the client:
tailscale netcheck
The added DERP relay should appear in the output.
References:
https://mritd.com/2022/10/19/use-headscale-to-build-a-p2p-network/
Parameters
-a string
server HTTPS listen address, in form ":port", "ip:port", or for IPv6 "[ip]:port". If the IP is omitted, it defaults to all interfaces. (default ":443")
-c string
config file path
-certdir string
directory to store LetsEncrypt certs, if addr's port is :443 (default "/root/.cache/tailscale/derper-certs")
-certmode string
mode for getting a cert. possible options: manual, letsencrypt (default "letsencrypt")
-hostname string
LetsEncrypt host name, if addr's port is :443 (default "derp.tailscale.com")
-http-port int
The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag. (default 80)
-stun
whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value. (default true)
-stun-port int
The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag. (default 3478)
Judging from the code, if no config path is given and derper runs as root, /var/lib/derper/derper.key is used as the config file.
// Manual cert mode: the certificate and key are looked up in -certdir,
// named after the hostname with unsafe characters stripped (<hostname>.crt / <hostname>.key)
keyname := unsafeHostnameCharacters.ReplaceAllString(hostname, "")
crtPath := filepath.Join(certdir, keyname+".crt")
keyPath := filepath.Join(certdir, keyname+".key")