commit 171dd5a07c01d1fbf1836de206c9d4b52ae7b265
Author: chunzhi
Date: Sat Oct 4 06:54:30 2025 -0400
上传文件至 /
diff --git a/derper_config_examples.md b/derper_config_examples.md
new file mode 100644
index 0000000..94c1bd6
--- /dev/null
+++ b/derper_config_examples.md
@@ -0,0 +1,141 @@
+# DERP服务器配置示例
+
+## 三种运行模式详解
+
+### 1. 直接HTTPS模式 (推荐)
+```bash
+/home/derp/derper -hostname IP地址 -certmode manual -certdir /etc/derper/certs -a :443 -http-port 80 -stun-port 3478 -verify-clients
+```
+
+**特点:**
+- 独占443端口进行HTTPS访问
+- HTTP 80端口自动跳转到HTTPS
+- 使用手动管理的自签名证书
+- 验证连接的客户端
+- 直接对外提供服务,无需额外代理
+
+**适用场景:**
+- 专用DERP服务器
+- 不需要与其他Web服务共存
+- 简单直接的部署方式
+
+### 2. Nginx反向代理模式
+```bash
+/home/derp/derper -hostname IP地址 -a :8080 -stun-port 3478 -verify-clients
+```
+
+**特点:**
+- 监听本地8080端口
+- 通过Nginx反向代理对外提供HTTPS服务
+- 证书在Nginx层面配置
+- 可以与其他Web服务共存
+- 更好的隐藏服务特征
+
+**适用场景:**
+- 需要与其他Web服务共存
+- 已有Nginx服务的环境
+- 需要高级的负载均衡或SSL终止
+
+### 3. 自定义配置模式
+```bash
+/home/derp/derper -hostname IP地址 [自定义参数]
+```
+
+**特点:**
+- 完全自定义的配置选项
+- 可以指定任意端口和参数
+- 灵活度最高
+
+**适用场景:**
+- 特殊的网络环境要求
+- 需要自定义端口或其他参数
+- 高级用户定制化需求
+
+## 完整命令行参数说明
+
+```bash
+/home/derp/derper [选项]
+```
+
+**常用参数:**
+- `-hostname`:服务器主机名或IP地址
+- `-a`:DERP服务监听地址和端口(默认:443)
+- `-http-port`:HTTP服务端口(用于重定向和健康检查)
+- `-stun-port`:STUN服务端口(默认:3478)
+- `-certmode`:证书模式(manual/letsencrypt)
+- `-certdir`:证书目录路径
+- `-verify-clients`:验证客户端连接
+- `-c`:配置文件路径
+
+**Let's Encrypt模式示例:**
+```bash
+/home/derp/derper -hostname my.domain.com -certmode letsencrypt -a :443 -http-port 80 -stun-port 3478 -verify-clients
+```
+
+**非标准端口示例:**
+```bash
+/home/derp/derper -hostname IP地址 -certmode manual -certdir /etc/derper/certs -a :8443 -http-port 8080 -stun-port 3478 -verify-clients
+```
+
+## 防火墙配置
+
+根据不同的运行模式,需要开放相应的端口:
+
+### 直接HTTPS模式
+```bash
+ufw allow 80/tcp
+ufw allow 443/tcp
+ufw allow 3478/udp
+```
+
+### Nginx反向代理模式
+```bash
+ufw allow 443/tcp
+ufw allow 3478/udp
+```
+
+### 自定义端口模式
+```bash
+ufw allow [自定义端口]/tcp
+ufw allow 3478/udp
+```
+
+## 配置文件结构
+
+安装完成后,配置文件位于:
+- 主配置:`/etc/derper/config`
+- 证书目录:`/etc/derper/certs/`
+- Tailscale ACL:`/etc/derper/tailscale_acl.json`
+- systemd服务:`/etc/systemd/system/derper.service`
+
+## 故障排除
+
+### 1. 检查服务状态
+```bash
+systemctl status derper
+journalctl -u derper -f
+```
+
+### 2. 检查端口占用
+```bash
+netstat -tulpn | grep 443
+netstat -tulpn | grep 3478
+```
+
+### 3. 检查证书
+```bash
+openssl x509 -in /etc/derper/certs/server.crt -text -noout
+```
+
+### 4. 测试连接
+```bash
+curl -k https://服务器IP/derp
+```
+
+## 性能优化建议
+
+1. **启用BBR拥塞控制**(脚本自动配置)
+2. **调整文件描述符限制**
+3. **配置适当的防火墙规则**
+4. **监控系统资源使用情况**
+5. **定期更新证书**
diff --git a/install_derp_server.sh b/install_derp_server.sh
new file mode 100644
index 0000000..1d79574
--- /dev/null
+++ b/install_derp_server.sh
@@ -0,0 +1,570 @@
+#!/bin/bash
+
+# Tailscale DERP 服务器一键安装脚本 (支持自签名IP证书)
+# 本脚本适用于 Ubuntu/Debian 系统
+
+set -e
+
+# 颜色定义
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m' # No Color
+
+# 日志函数
+log_info() {
+ echo -e "${GREEN}[INFO]${NC} $1"
+}
+
+log_warn() {
+ echo -e "${YELLOW}[WARN]${NC} $1"
+}
+
+log_error() {
+ echo -e "${RED}[ERROR]${NC} $1"
+}
+
+# 检查是否为root用户
+check_root() {
+ if [[ $EUID -ne 0 ]]; then
+ log_error "此脚本需要以root权限运行"
+ exit 1
+ fi
+}
+
+# 检查系统类型
+check_system() {
+ if [[ ! -f /etc/os-release ]]; then
+ log_error "无法检测系统类型"
+ exit 1
+ fi
+
+ source /etc/os-release
+ case $ID in
+ ubuntu|debian)
+ PACKAGE_MANAGER="apt"
+ ;;
+ centos|rhel|fedora)
+ PACKAGE_MANAGER="yum"
+ ;;
+ *)
+ log_error "不支持的系统类型: $ID"
+ exit 1
+ ;;
+ esac
+
+ log_info "检测到系统: $PRETTY_NAME"
+}
+
+# 安装依赖
+install_dependencies() {
+ log_info "安装依赖包..."
+
+ case $PACKAGE_MANAGER in
+ apt)
+ apt update
+ apt install -y curl wget git build-essential openssl nginx
+ ;;
+ yum)
+ yum update -y
+ yum install -y curl wget git gcc make openssl nginx
+ ;;
+ esac
+
+ log_info "依赖包安装完成"
+}
+
+# 启用BBR优化
+enable_bbr() {
+ log_info "启用BBR网络优化..."
+
+ # 检查内核版本
+ KERNEL_VERSION=$(uname -r | cut -d. -f1-2)
+ KERNEL_MAJOR=$(echo $KERNEL_VERSION | cut -d. -f1)
+ KERNEL_MINOR=$(echo $KERNEL_VERSION | cut -d. -f2)
+
+ if [[ $KERNEL_MAJOR -lt 4 ]] || [[ $KERNEL_MAJOR -eq 4 && $KERNEL_MINOR -lt 9 ]]; then
+ log_warn "内核版本过低 ($KERNEL_VERSION),BBR需要4.9+版本"
+ return
+ fi
+
+ # 检查BBR是否已启用
+ if sysctl net.ipv4.tcp_congestion_control | grep -q bbr; then
+ log_info "BBR已经启用"
+ return
+ fi
+
+ # 备份原始配置
+ cp /etc/sysctl.conf /etc/sysctl.conf.backup.$(date +%Y%m%d_%H%M%S)
+
+ # 添加BBR配置
+ cat >> /etc/sysctl.conf << EOF
+
+# BBR网络优化配置
+net.core.default_qdisc = fq
+net.ipv4.tcp_congestion_control = bbr
+
+# 其他网络优化参数
+net.ipv4.tcp_rmem = 8192 262144 536870912
+net.ipv4.tcp_wmem = 4096 16384 536870912
+net.core.rmem_max = 536870912
+net.core.wmem_max = 536870912
+net.core.netdev_max_backlog = 30000
+net.ipv4.tcp_slow_start_after_idle = 0
+EOF
+
+ # 应用配置
+ sysctl -p
+
+ # 验证BBR是否启用成功
+ if sysctl net.ipv4.tcp_congestion_control | grep -q bbr; then
+ log_info "BBR启用成功"
+ else
+ log_error "BBR启用失败"
+ fi
+
+ # 显示当前拥塞控制算法
+ log_info "当前拥塞控制算法: $(sysctl -n net.ipv4.tcp_congestion_control)"
+}
+
+# 安装Go环境
+install_go() {
+ log_info "安装Go环境..."
+
+ # 检查Go是否已安装
+ if command -v go &> /dev/null; then
+ log_info "Go已经安装,版本: $(go version)"
+ # 设置Go代理
+ export GOPROXY=https://goproxy.cn,direct
+ echo 'export GOPROXY=https://goproxy.cn,direct' >> /etc/profile
+ return
+ fi
+
+ # 下载并安装Go
+ GO_VERSION="1.23.3"
+ wget https://go.dev/dl/go${GO_VERSION}.linux-amd64.tar.gz
+ tar -zxvf go${GO_VERSION}.linux-amd64.tar.gz
+ rm go${GO_VERSION}.linux-amd64.tar.gz
+
+ # 移动到正确位置
+ mv go /usr/local/
+
+ # 设置环境变量
+ export PATH=$PATH:/usr/local/go/bin
+ echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
+
+ # 设置Go代理
+ export GOPROXY=https://goproxy.cn,direct
+ echo 'export GOPROXY=https://goproxy.cn,direct' >> /etc/profile
+
+ log_info "Go环境安装完成"
+}
+
+# 编译DERP服务器
+compile_derp() {
+ log_info "编译DERP服务器..."
+
+ # 创建工作目录
+ mkdir -p /home/derp
+ cd /home/derp
+
+ # 设置Go代理
+ export GOPROXY=https://goproxy.cn,direct
+
+ # 直接从源码构建derper二进制文件
+ log_info "从源码构建derper二进制文件..."
+ /usr/local/go/bin/go install tailscale.com/cmd/derper@main
+
+ # 查找编译后的二进制文件
+ GOPATH=$(go env GOPATH)
+ if [[ -z "$GOPATH" ]]; then
+ GOPATH="$HOME/go"
+ fi
+
+ # 复制到工作目录
+ if [[ -f "$GOPATH/bin/derper" ]]; then
+ cp "$GOPATH/bin/derper" /home/derp/
+ else
+ log_error "未找到编译后的derper二进制文件"
+ exit 1
+ fi
+
+ # 验证编译结果
+ if [[ ! -f /home/derp/derper ]]; then
+ log_error "DERP服务器编译失败"
+ exit 1
+ fi
+
+ log_info "DERP服务器编译完成"
+}
+
+# 配置用户提供的证书
+configure_user_cert() {
+ log_info "配置用户提供的证书..."
+
+ # 获取服务器IP地址
+ read -p "请输入服务器IP地址: " SERVER_IP
+
+ if [[ -z "$SERVER_IP" ]]; then
+ log_error "IP地址不能为空"
+ exit 1
+ fi
+
+ # 获取证书文件路径
+ read -p "请输入证书文件路径 (.crt/.pem文件): " CERT_PATH
+
+ if [[ -z "$CERT_PATH" ]]; then
+ log_error "证书文件路径不能为空"
+ exit 1
+ fi
+
+ if [[ ! -f "$CERT_PATH" ]]; then
+ log_error "证书文件不存在: $CERT_PATH"
+ exit 1
+ fi
+
+ # 获取私钥文件路径
+ read -p "请输入私钥文件路径 (.key文件): " KEY_PATH
+
+ if [[ -z "$KEY_PATH" ]]; then
+ log_error "私钥文件路径不能为空"
+ exit 1
+ fi
+
+ if [[ ! -f "$KEY_PATH" ]]; then
+ log_error "私钥文件不存在: $KEY_PATH"
+ exit 1
+ fi
+
+ # 创建证书目录
+ mkdir -p /etc/derper/certs
+
+ # 复制证书文件
+ cp "$CERT_PATH" /etc/derper/certs/server.crt
+ cp "$KEY_PATH" /etc/derper/certs/server.key
+
+ # 设置证书权限
+ chmod 600 /etc/derper/certs/server.key
+ chmod 644 /etc/derper/certs/server.crt
+
+ # 验证证书
+ if ! openssl x509 -in /etc/derper/certs/server.crt -noout -text > /dev/null 2>&1; then
+ log_error "证书文件格式无效"
+ exit 1
+ fi
+
+ # 验证私钥
+ if ! openssl rsa -in /etc/derper/certs/server.key -check -noout > /dev/null 2>&1; then
+ log_error "私钥文件格式无效"
+ exit 1
+ fi
+
+ # 计算证书哈希
+ CERT_HASH=$(openssl x509 -in /etc/derper/certs/server.crt -noout -fingerprint -sha256 | cut -d= -f2 | tr -d : | tr '[:upper:]' '[:lower:]')
+
+ log_info "证书配置完成"
+ log_info "证书SHA256哈希: $CERT_HASH"
+
+ # 保存配置信息
+ echo "SERVER_IP=$SERVER_IP" > /etc/derper/config
+ echo "CERT_HASH=$CERT_HASH" >> /etc/derper/config
+ echo "CERT_PATH=$CERT_PATH" >> /etc/derper/config
+ echo "KEY_PATH=$KEY_PATH" >> /etc/derper/config
+}
+
+# 安装Tailscale客户端
+install_tailscale() {
+ log_info "安装Tailscale客户端..."
+
+ # 使用xEdge镜像安装Tailscale (国内优化)
+ log_info "使用xEdge镜像安装Tailscale..."
+ curl -fsSL https://ts-mirror.xedge.cc/install.sh | sh
+
+ # 如果xEdge镜像失败,回退到官方安装
+ if ! command -v tailscale &> /dev/null; then
+ log_warn "xEdge镜像安装失败,尝试官方镜像..."
+ curl -fsSL https://tailscale.com/install.sh | sh
+ fi
+
+ log_info "Tailscale客户端安装完成"
+ log_warn "请运行 'tailscale up' 来连接到您的Tailnet网络"
+}
+
+# 创建systemd服务
+create_systemd_service() {
+ log_info "创建systemd服务..."
+
+ # 读取配置
+ source /etc/derper/config
+
+ # 显示运行模式选择
+ echo "请选择DERP服务器运行模式:"
+ echo "1. 直接使用自签名证书的HTTPS模式 (推荐)"
+ echo "2. Nginx反向代理模式"
+ echo "3. 自定义配置"
+ read -p "请输入选择 (1-3): " DERP_MODE
+
+ case $DERP_MODE in
+ 1)
+ # 直接HTTPS模式,使用自签名证书
+ DERP_CMD="/home/derp/derper -hostname $SERVER_IP -certmode manual -certdir /etc/derper/certs -a :443 -http-port 80 -stun-port 3478 -verify-clients"
+ ;;
+ 2)
+ # Nginx反向代理模式
+ DERP_CMD="/home/derp/derper -hostname $SERVER_IP -a :8080 -stun-port 3478 -verify-clients"
+ ;;
+ 3)
+ # 自定义配置
+ read -p "请输入自定义命令参数: " CUSTOM_ARGS
+ DERP_CMD="/home/derp/derper -hostname $SERVER_IP $CUSTOM_ARGS"
+ ;;
+ *)
+ log_warn "无效选择,使用默认配置"
+ DERP_CMD="/home/derp/derper -hostname $SERVER_IP -a :8080 -stun-port 3478 -verify-clients"
+ ;;
+ esac
+
+ cat > /etc/systemd/system/derper.service << EOF
+[Unit]
+Description=Tailscale DERP Server
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/home/derp
+ExecStart=$DERP_CMD
+Restart=always
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+ # 保存运行模式到配置文件
+ echo "DERP_MODE=$DERP_MODE" >> /etc/derper/config
+ echo "DERP_CMD='$DERP_CMD'" >> /etc/derper/config
+
+ # 重载systemd并启动服务
+ systemctl daemon-reload
+ systemctl enable derper
+
+ log_info "systemd服务创建完成"
+}
+
+# 配置Nginx反向代理
+configure_nginx() {
+ # 读取配置
+ source /etc/derper/config
+
+ # 只有在Nginx反向代理模式下才配置Nginx
+ if [[ "$DERP_MODE" != "2" ]]; then
+ log_info "跳过Nginx配置(不需要反向代理)"
+ return
+ fi
+
+ log_info "配置Nginx反向代理..."
+
+ # 创建Nginx配置
+ cat > /etc/nginx/sites-available/derper << EOF
+server {
+ listen 80;
+ server_name $SERVER_IP;
+
+ location /derp {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+
+ # WebSocket支持
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
+
+server {
+ listen 443 ssl;
+ server_name $SERVER_IP;
+
+ ssl_certificate /etc/derper/certs/server.crt;
+ ssl_certificate_key /etc/derper/certs/server.key;
+
+ location /derp {
+ proxy_pass http://127.0.0.1:8080;
+ proxy_set_header Host \$host;
+ proxy_set_header X-Real-IP \$remote_addr;
+ proxy_set_header X-Forwarded-For \$proxy_add_x_forwarded_for;
+ proxy_set_header X-Forwarded-Proto \$scheme;
+
+ # WebSocket支持
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade \$http_upgrade;
+ proxy_set_header Connection "upgrade";
+ }
+}
+EOF
+
+ # 启用站点
+ ln -sf /etc/nginx/sites-available/derper /etc/nginx/sites-enabled/
+
+ # 测试配置并重启Nginx
+ nginx -t && systemctl restart nginx
+
+ log_info "Nginx配置完成"
+}
+
+# 生成官方Tailscale配置信息
+generate_tailscale_config() {
+ log_info "生成官方Tailscale配置信息..."
+
+ # 读取配置
+ source /etc/derper/config
+
+ # 创建配置信息文件
+ mkdir -p /etc/derper
+
+ # 生成官方Tailscale ACL配置示例
+ # 读取运行模式
+ DERP_PORT=443
+ if [[ "$DERP_MODE" == "2" ]]; then
+ DERP_PORT=443 # Nginx反向代理会处理HTTPS
+ fi
+ cat > /etc/derper/tailscale_acl.json << EOF
+{
+ "derpMap": {
+ "Regions": {
+ "900": {
+ "RegionID": 900,
+ "RegionCode": "custom",
+ "RegionName": "Custom DERP Server",
+ "Nodes": [
+ {
+ "Name": "derp-$SERVER_IP",
+ "RegionID": 900,
+ "HostName": "$SERVER_IP",
+ "IPv4": "$SERVER_IP",
+ "CertName": "sha256:$CERT_HASH",
+ "DERPPort": $DERP_PORT,
+ "STUNPort": 3478
+ }
+ ]
+ }
+ }
+ }
+}
+EOF
+
+ log_info "官方Tailscale配置信息已生成: /etc/derper/tailscale_acl.json"
+}
+
+# 启动服务
+start_services() {
+ log_info "启动服务..."
+
+ # 启动DERP服务
+ systemctl start derper
+
+ # 检查服务状态
+ if systemctl is-active --quiet derper; then
+ log_info "DERP服务启动成功"
+ else
+ log_error "DERP服务启动失败"
+ systemctl status derper
+ exit 1
+ fi
+
+ # 只有在Nginx反向代理模式下才启动Nginx
+ if [[ "$DERP_MODE" == "2" ]]; then
+ systemctl enable nginx
+ systemctl start nginx
+ log_info "Nginx服务启动完成"
+ fi
+
+ log_info "所有服务启动完成"
+}
+
+# 显示配置信息
+show_config_info() {
+ log_info "安装完成!"
+
+ # 读取配置
+ source /etc/derper/config
+
+ echo
+ echo "================================="
+ echo "DERP服务器配置信息"
+ echo "================================="
+ echo "服务器IP: $SERVER_IP"
+ echo "证书SHA256: $CERT_HASH"
+ echo "运行模式: $DERP_MODE"
+
+ case $DERP_MODE in
+ 1)
+ echo "访问方式: 直接HTTPS访问"
+ echo "DERP端口: 443 (HTTPS)"
+ echo "HTTP端口: 80 (自动跳转到HTTPS)"
+ echo "STUN端口: 3478"
+ ;;
+ 2)
+ echo "访问方式: Nginx反向代理"
+ echo "DERP端口: 443 (HTTPS, 通过Nginx)"
+ echo "内部端口: 8080 (HTTP)"
+ echo "STUN端口: 3478"
+ ;;
+ 3)
+ echo "访问方式: 自定义配置"
+ echo "命令参数: $DERP_CMD"
+ ;;
+ esac
+
+ echo "配置文件: /etc/derper/tailscale_acl.json"
+ echo
+ echo "服务管理命令:"
+ echo " 启动: systemctl start derper"
+ echo " 停止: systemctl stop derper"
+ echo " 重启: systemctl restart derper"
+ echo " 状态: systemctl status derper"
+ echo
+ echo "测试连接:"
+ echo " curl https://$SERVER_IP/derp"
+ echo
+ echo "官方Tailscale配置:"
+ echo " 配置文件: /etc/derper/tailscale_acl.json"
+ echo " 在Tailscale Admin Console中添加自定DERP服务器"
+ echo " 访问: https://login.tailscale.com/admin/dns"
+ echo
+ echo "重要提示:"
+ echo " 1. 请确保防火墙开放443端口"
+ echo " 2. 运行 'tailscale up' 连接到Tailnet"
+ echo " 3. 在Tailscale Admin Console中添加DERP服务器"
+ echo " 4. 使用自签名证书需要在ACL中指定证书哈希"
+ echo "================================="
+}
+
+# 主函数
+main() {
+ log_info "开始安装Tailscale DERP服务器..."
+
+ check_root
+ check_system
+ install_dependencies
+ enable_bbr
+ install_go
+ compile_derp
+ configure_user_cert
+ install_tailscale
+ create_systemd_service
+ configure_nginx
+ generate_tailscale_config
+ start_services
+ show_config_info
+
+ log_info "安装完成!"
+}
+
+# 运行主函数
+main "$@"
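Review bot: install_tailscale pipes `https://ts-mirror.xedge.cc/install.sh` (a third-party mirror) straight into a root shell, compile_derp builds `tailscale.com/cmd/derper@main`, and install_go extracts the Go tarball with no checksum verification, so the binary that ends up relaying tailnet traffic is whatever the mirror, the upstream main branch and the download happen to contain at install time. Pin the build to a release tag (`go install tailscale.com/cmd/derper@<release-tag>`), compare the tarball against the checksum published on go.dev (`sha256sum -c`) before `tar -zxvf`, and if the mirror is kept, download its script to a file and inspect or hash-check it before executing it. The generated unit also runs the relay as `User=root` on :443; a dedicated user with `AmbientCapabilities=CAP_NET_BIND_SERVICE`, `NoNewPrivileges=yes` and `ProtectSystem=strict` would contain a derper compromise. Two smaller points: `-verify-clients` depends on the local tailscaled being logged in, which the script only asks the operator to do afterwards, so the unit should probably carry `After=tailscaled.service`; and the `CertName` written to tailscale_acl.json uses a `sha256:` prefix, whereas I believe tailcfg expects `sha256-raw:` for a pinned leaf fingerprint, which is worth confirming before documenting the hash as the pinning mechanism.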