Tailscale Official Promotional Background

Introduction to Tailscale and DERP

What is Tailscale?

Tailscale is a peer-to-peer networking tool built on WireGuard that bundles various network utilities. Thanks to its P2P design, Tailscale can also do NAT traversal (often called "intranet penetration"), getting through NAT restrictions so that one host reaches another directly.

What is DERP?

DERP is a relay service developed by Tailscale. When the network environment makes direct traversal difficult (for example campus networks, mobile or corporate intranets, 4G, 5G, etc.), all traffic is relayed through DERP to the target address.

By default, Tailscale provides official DERP servers in many regions around the world, but because of network connectivity issues in mainland China, no official DERP nodes are provided for the mainland. To improve the connection success rate in mainland China, we need to self-host a DERP service to help us "punch holes".

Installing Docker and Docker Compose

bash <(curl -Ls https://docker.denlu.top/docker.sh)

Deploying the Tailscale Client on the DERP Node Server (Important)

Principle

Since we are not deploying with a domain name, we cannot use the --verify-clients parameter together with a domain for client verification, which makes it easy for anyone who scans for open DERP servers to use our relay for free and consume our valuable domestic traffic. Without verification, DERP forwards whatever traffic it is asked to forward, with no checks at all.

Simple Installation Tutorial

Official Tutorial: Tailscale Docs

  1. First, use the one-click script for deployment: curl -fsSL https://tailscale.com/install.sh | sh
  2. Perform the login operation: tailscale login
  3. At this point, the console prints a login URL; open this URL in your browser and follow the instructions to complete the login.

Docker Image

services:
  derper:
    image: ghcr.io/yangchuansheng/ip_derper:latest
    container_name: derper
    restart: always
    ports:
      - "12345:12345" # Please change 12345 here to a high port above 10000 that you want
      - "3478:3478/udp" # 3478 is the STUN port; do not modify if there are no conflicts
    volumes:
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock # Mount the local tailscaled socket so the derper can verify connecting clients and refuse freeloaders
    environment:
      - DERP_ADDR=:12345 # This needs to be kept in sync with the port modified above
      - DERP_CERTS=/app/certs
      - DERP_VERIFY_CLIENTS=true # Enable client verification; this is the most important parameter for anti-theft

Save this as a new file named docker-compose.yml.

In the same folder, run docker compose up -d to start the container.

For servers in mainland China, you can replace the ghcr link, for example with the mirror from Nanjing University (replace the image on the third line):

services:
  derper:
    image: ghcr.nju.edu.cn/yangchuansheng/ip_derper:latest

Modify Tailscale ACL Configuration to Enable Third-party DERP

  1. Go to the ACL editing page: Tailscale
  2. Add the following configuration to the policy file
"derpMap": {
  "OmitDefaultRegions": false, // You can set this to true so that the official derper nodes are not issued to clients; consider enabling it for testing or actual use
  "Regions": {
    "900": {
      "RegionID": 900, // Tailscale reserves 900-999 for custom derpers
      "RegionCode": "abc1",
      "RegionName": "abcc1", // These two can be named arbitrarily
      "Nodes": [
        {
          "Name": "fff",
          "RegionID": 900,
          "IPv4": "1.1.1.1", // Your VPS public IP address
          "DERPPort": 12345, // The custom port you set above, 12345
          "InsecureForTests": true, // Because it is a self-signed certificate, the client will not verify it
        },
      ],
    },
    "901": {
      "RegionID": 901, // Remember to change this when adding a new DERP
      "RegionCode": "abc2",
      "RegionName": "abcc2",
      "Nodes": [
        {
          "Name": "kkk",
          "RegionID": 901, // Must match the RegionID of the region that contains this node
          "IPv4": "8.8.8.8", // Your VPS public IP address
          "DERPPort": 4000, // The custom port you set for this second DERP
          "InsecureForTests": true, // Because it is a self-signed certificate, the client will not verify it
        },
      ],
    },
  },
},
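A mismatch between a node's RegionID and its enclosing region is easy to introduce when copying a region block, so the following added example (not part of the original post or of Tailscale) checks a derpMap for the common mistakes before you paste it into the policy editor. It assumes the policy is in Tailscale's comment-tolerant JSON (only // comments and trailing commas are stripped), and the sample below is constructed with documentation IP addresses and a deliberate RegionID error.

```python
import json
import re

# Constructed sample policy fragment: region 901 contains a node whose RegionID is 902.
SAMPLE_ACL = '''{
  "derpMap": {
    "OmitDefaultRegions": false, // leave the official regions available
    "Regions": {
      "900": {
        "RegionID": 900, "RegionCode": "abc1", "RegionName": "abcc1",
        "Nodes": [{"Name": "fff", "RegionID": 900, "IPv4": "192.0.2.10",
                   "DERPPort": 12345, "InsecureForTests": true}],
      },
      "901": {
        "RegionID": 901, "RegionCode": "abc2", "RegionName": "abcc2",
        "Nodes": [{"Name": "kkk", "RegionID": 902, "IPv4": "192.0.2.11",
                   "DERPPort": 4000, "InsecureForTests": true}],
      },
    },
  },
}'''


def hujson_to_json(text):
    """Strip // line comments and trailing commas so json.loads accepts the policy.
    Assumption: no string value contains '//' (URLs would need a real HuJSON parser)."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return text


def check_derpmap(acl_text):
    """Return a list of problems found in the derpMap; an empty list means it is consistent."""
    problems = []
    regions = json.loads(hujson_to_json(acl_text))["derpMap"]["Regions"]
    for key, region in regions.items():
        rid = region.get("RegionID")
        if str(rid) != key:
            problems.append(f"region key {key} does not match its RegionID {rid}")
        if not isinstance(rid, int) or not 900 <= rid <= 999:
            problems.append(f"region {rid} is outside the 900-999 range reserved for custom DERPs")
        for node in region.get("Nodes", []):
            if node.get("RegionID") != rid:
                problems.append(f"node {node.get('Name')} in region {rid} claims RegionID {node.get('RegionID')}")
            if not node.get("IPv4") and not node.get("HostName"):
                problems.append(f"node {node.get('Name')} has neither IPv4 nor HostName")
            if not isinstance(node.get("DERPPort"), int):
                problems.append(f"node {node.get('Name')} has no numeric DERPPort")
    return problems
```

Running check_derpmap on the sample reports the 902/901 mismatch; after correcting that one field it returns an empty list.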

Test if Successful

Using Network Connection Test

  1. Find a client that is using Tailscale
  2. Enter the terminal
  3. Input tailscale netcheck
  4. Check if the response matches the image below

TS Network Status Monitoring

Using Ping to Test Connectivity

  1. Find a client that is using Tailscale
  2. Enter the terminal
  3. Input tailscale ping <address of another of your hosts>
  4. Check whether it is connected (for example, if via DERP(xxx) appears in the output, the relay is working)