下载Go
wget https://go.dev/dl/go1.24.2.linux-amd64.tar.gz
解压Go(解压前先用 sha256sum go1.24.2.linux-amd64.tar.gz 计算校验和,并与 https://go.dev/dl/ 页面公布的 SHA256 值比对)
rm -rf /usr/local/go && tar -C /usr/local -xzf go1.24.2.linux-amd64.tar.gz
将Go添加到环境变量中,开启Go安装加速(goproxy.cn 是第三方模块镜像;Go 默认仍会通过 GOSUMDB 校验模块哈希,不要为了提速而关闭 GOSUMDB)
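# Single quotes keep $PATH literal, so it is expanded at login time instead of
# freezing the current shell's PATH into /etc/profile.
echo 'export PATH=$PATH:/usr/local/go/bin' >> /etc/profile
# Turn on Go module mode.
echo 'export GO111MODULE=on' >> /etc/profile
# Fetch modules through the goproxy.cn mirror.
echo 'export GOPROXY=https://goproxy.cn' >> /etc/profile
# Load the new settings into the current shell.
source /etc/profile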
从源运行 DERP 服务器
go install tailscale.com/cmd/derper@latest
复制DERP文件到root目录
mkdir /root/derper
cp /root/go/bin/derper /root/derper/
上传SSL证书
SSL证书上传到 /root/derper/ 文件夹,证书命名格式为 <DOMAIN>.<SUFFIX>,将证书文件后缀改为 crt,密钥文件后缀改为 key(按本文的域名即 t.wzh.kim.crt 和 t.wzh.kim.key)。私钥文件建议仅允许属主读取:chmod 600 /root/derper/*.key
设置DERP开机启动
# Write the systemd unit for derper. The unit sets no User=, so systemd runs the
# relay as root. It listens on :12345 with the plain-HTTP listener disabled
# (--http-port -1), serves STUN on port 13478, and loads a manually supplied
# certificate and key from /root/derper (--certmode manual).
# NOTE(review): --verify-clients is not set in this ExecStart, so the relay
# presumably accepts any DERP client until that flag is added — confirm.
cat > /etc/systemd/system/derper.service << EOF
[Unit]
Description = derper
After = network.target syslog.target
Wants = network.target
[Service]
Type = simple
ExecStart = /root/derper/derper --hostname t.wzh.kim -a :12345 --http-port -1 --certdir /root/derper --certmode manual --stun-port 13478
[Install]
WantedBy = multi-user.target
EOF
启用 IP 转发(derper 是在用户态中继流量的;内核 IP 转发一般只在本机同时充当子网路由或出口节点时才需要,若只运行 DERP,请先确认是否有必要开启)
echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.conf
sudo sysctl -p /etc/sysctl.conf
设置DERP开机自启并启动
systemctl enable derper
systemctl start derper
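防止被滥用:客户端注册完成后,在 derper.service 的 ExecStart 末尾添加下面的参数,然后执行 systemctl daemon-reload 和 systemctl restart derper(该参数依赖本机运行并已登录 tailnet 的 tailscaled 来校验连接;未添加前,任何知道域名和端口的客户端都可以使用该中继)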
--verify-clients
自定义DERP服务器添加到Tailscale
在Tailscale管理界面找到 Access Controls https://login.tailscale.com/admin/acls/file
插入代码
{
"derpMap": {
"OmitDefaultRegions": true,
"Regions": {
"900": {
"RegionID": 900,
"RegionCode": "cni",
"RegionName": "Nanjing",
"Nodes": [
{
"Name": "900a",
"RegionID": 900,
"HostName": "t.wzh.kim",
"DERPPort": 12345,
"STUNPort": 13478,
},
],
},
},
},
}
重新编译
//进入目录(Go 模块缓存中的目录名通常带有模块版本号,实际路径以本机为准)
/root/go/pkg/mod/tailscale/cmd/derper
//重新编译(应在完成下面的源码修改之后再执行)
go build -o /root/derper/derper
//删掉验证证书相关内容(注意:这段检查会拒绝 SNI 与 --hostname 不一致的 TLS 握手,删除后服务器将不再按 SNI 拒绝连接;按本文使用与 --hostname 匹配的域名证书时,应该不需要做这项修改)
nano cert.go
if hi.ServerName != m.hostname {
return nil, fmt.Errorf("cert mismatch with hostname: %q", hi.ServerName)
}
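//删除443端口验证 (报错control: controlhttp: forcing port 443 dial due to recent noise dial)。注意:从路径看,这段代码属于 Tailscale 客户端连接控制服务器的部分;按源码注释,它是在 80 端口被中间人劫持的网络中回退到 HTTPS(443)的保护逻辑,删除后将失去这一回退,且修改后的客户端需要自行重新编译和维护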
tailscale/control/controlhttp/client.go
if d.HealthTracker.LastNoiseDialWasRecent() {
// If we dialed recently, assume there was a recent failure and fall
// back to HTTPS dials for the subsequent retries.
//
// This heuristic works around networks where port 80 is MITMed and
// appears to work for a bit post-Upgrade but then gets closed,
// such as seen in https://github.com/tailscale/tailscale/issues/13597.
d.logf("controlhttp: forcing port 443 dial due to recent noise dial")
return true
}
设置开机启动
systemctl enable derper
启动
systemctl start derper
停止
systemctl stop derper
重启
systemctl restart derper
查看状态
systemctl status derper