Tailscale Installation and Deployment Guide

slug: running-tailscale-linux
tags: headscale, tailscale
date: Aug 14, 2024
summary: Tailscale is a mesh VPN built on WireGuard.
status: Published
type: Post
Tailscale is a virtual networking tool built on WireGuard. It builds a full-mesh WireGuard overlay between nodes whether they sit on the public internet or inside private networks. Unlike a traditional hub-and-spoke VPN there is no central server in the data path: the coordination server only distributes public keys and endpoint metadata, and traffic flows directly between peers (falling back to a DERP relay only when NAT traversal fails), so you keep WireGuard's security while recovering most of the speed a VPN concentrator would cost.
Tailscale is a commercial service and the free tier has limits. If you want to stay fully in control of the control plane without paying, use the open-source Headscale, a self-hosted implementation of the Tailscale coordination server.

1. Install the Tailscale control server (Headscale)

1.1. Download the headscale binary

Official docs: https://headscale.net/running-headscale-linux
Latest release: https://github.com/juanfont/headscale/releases
The command below pulls a pre-release build from the author's own mirror. For anything beyond a lab, fetch the binary from the GitHub releases page instead and verify its checksum against the release assets where one is published: this binary becomes the trust root of the whole tailnet.
# Download
wget https://packages.wangyan.cloud/headscale/v0.23/headscale_0.23.0-beta1_linux_amd64 -O /usr/local/bin/headscale
# Make it executable
chmod +x /usr/local/bin/headscale

1.2. Create the headscale user

useradd \
  --create-home \
  --home-dir /var/lib/headscale/ \
  --system \
  --user-group \
  --shell /usr/sbin/nologin \
  headscale

1.3. Create the data directories

# Configuration directory
mkdir -p /etc/headscale
# Data and certificate directories
mkdir -p /var/lib/headscale /var/run/headscale
# Create an empty SQLite database file
touch /var/lib/headscale/db.sqlite
# Ownership
chown -R headscale:headscale /var/lib/headscale /etc/headscale

1.4. Create the configuration file

wget https://mirror.ghproxy.com/https://github.com/juanfont/headscale/raw/main/config-example.yaml -O /etc/headscale/config.yaml
chown -R headscale:headscale /var/lib/headscale /etc/headscale
# Adjust to your environment
vim /etc/headscale/config.yaml
server_url: https://headscale.wangyan.cloud
listen_addr: 127.0.0.1:8181
base_domain: wangyan.cloud
Two things to watch here. The example config is taken from the main branch; keys change between releases, so use the config-example.yaml of the tag that matches your binary. And base_domain is the MagicDNS suffix for node names, so it must not shadow the control server's own hostname: a server_url that ends in base_domain, as above, can make nodes resolve headscale.wangyan.cloud inside the tailnet instead of on the public internet, and recent Headscale releases refuse to start in that configuration. A dedicated subdomain such as ts.wangyan.cloud is the safer choice. Binding listen_addr to 127.0.0.1 means only the reverse proxy on the same host can reach Headscale, which is what you want.

1.5. Nginx reverse proxy

Optional. If you skip the reverse proxy, change listen_addr to a reachable interface and set server_url to the http://<ip>:<port> form instead (plain HTTP, acceptable only for testing). Whatever fronts Headscale must speak HTTP/1.1 to the backend and forward the Upgrade and Connection headers, because the Tailscale control connection is a long-lived upgraded stream; that is what the included nginx-config/proxy.conf is expected to provide.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name headscale.wangyan.cloud;

    # SSL
    ssl_certificate /etc/nginx/ssl-certs/wangyan.cloud_ecc/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl-certs/wangyan.cloud_ecc/wangyan.cloud.key;

    # logging
    access_log /var/log/nginx/wangyan.cloud/headscale-access.log combined buffer=512k flush=1m;
    error_log /var/log/nginx/wangyan.cloud/headscale-error.log warn;

    # reverse proxy
    location / {
        proxy_pass http://localhost:8181;
        proxy_set_header Host $host;
        include nginx-config/proxy.conf;
    }
}

1.6. systemd unit

sudo sh -c "cat >/etc/systemd/system/headscale.service" <<EOF
[Unit]
Description=headscale controller
After=syslog.target
After=network.target

[Service]
Type=simple
User=headscale
Group=headscale
ExecStart=/usr/local/bin/headscale serve
Restart=always
RestartSec=5

# Optional security enhancements
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/headscale
AmbientCapabilities=CAP_NET_BIND_SERVICE
RuntimeDirectory=headscale

[Install]
WantedBy=multi-user.target
EOF

1.7. Start and uninstall

# Start
systemctl daemon-reload
systemctl enable --now headscale
systemctl restart headscale
# Uninstall
systemctl stop headscale
rm -rf /var/lib/headscale /etc/headscale /var/run/headscale
# Check status and listening ports
systemctl status headscale
ss -tulnp | grep headscale

1.8. Create a user in Headscale

# Create the user that nodes will be registered under
headscale user create admin
headscale user list
# Delete the user
headscale user destroy admin

2. Install the Tailscale client

Stable: https://pkgs.tailscale.com/stable/
Unstable: https://pkgs.tailscale.com/unstable/

2.1. Install the Linux client

2.1.1. Install

# Static tarball (again from the author's mirror; the official one is under the pkgs.tailscale.com links above)
wget https://packages.wangyan.cloud/tailscale/unstable/tailscale_1.71.64_amd64.tgz
tar -zxf tailscale_*.tgz
cd tailscale_*_amd64
cp tailscaled /usr/sbin/tailscaled
cp tailscale /usr/bin/tailscale

2.1.2. Start

cp systemd/tailscaled.service /lib/systemd/system/tailscaled.service
cp systemd/tailscaled.defaults /etc/default/tailscaled
systemctl enable --now tailscaled
systemctl status tailscaled
systemctl restart tailscaled

2.1.3. Uninstall

systemctl stop tailscaled
# Removing the state directory discards the node's keys; the node must be registered again afterwards
rm -rf /var/lib/tailscale/
# Remove everything
systemctl disable tailscaled
rm -rf /usr/sbin/tailscaled /usr/bin/tailscale
rm -rf /lib/systemd/system/tailscaled.service
rm -rf /etc/default/tailscaled

2.2. Install the Windows client

Download the registry file when the installer prompts for it, then log in.
# Download
wget https://packages.wangyan.cloud/tailscale/unstable/tailscale-setup-full-1.71.74.exe
# Log in
tailscale login --login-server https://headscale.wangyan.cloud
# Advanced settings
tailscale up --login-server=https://headscale.wangyan.cloud --advertise-routes=192.168.57.0/24 --accept-dns=false --accept-routes

2.3. Register a Tailscale node

2.3.1. Method 1: interactive login

On the client machine, run the login command:
# Without subnet routing
tailscale up --login-server https://headscale.wangyan.cloud
# With subnet routing
tailscale up \
  --accept-routes \
  --advertise-routes=192.168.10.0/24 \
  --login-server=https://headscale.wangyan.cloud
The client prints a link of the form https://headscale.wangyan.cloud:443/register/mkey:xxx. Opening it in a browser only shows the register command; what matters is the mkey:xxx value.
Then register the node on the control server:
# Bind the pending machine key to the user
headscale nodes register --user admin --key mkey:xxx
# List nodes
headscale nodes list
# Delete a node by id
headscale nodes delete -i 1
# Rename a node
headscale nodes rename android -i 3

2.3.2. Method 2: register with a pre-auth key

Useful for mobile clients and other cases where the interactive login is inconvenient.
# Generate a key
headscale --user admin preauthkeys create --reusable --expiration 24h
# Register
tailscale up --login-server=https://headscale.wangyan.cloud --authkey <YOUR_AUTH_KEY>
A pre-auth key is a bearer secret: until it expires, anyone holding a --reusable key can register as many nodes as they like under that user. Drop --reusable for single-use keys where possible, keep the expiration short, and use --ephemeral for throwaway nodes so they disappear from the tailnet when they go offline.

2.4. Enable subnet routing on a client

  • Install the Tailscale client.
  • Connect to Tailscale as a subnet router.
  • Enable subnet routes from the admin console.
  • Add access rules for advertised subnet routes.
  • Verify your connection.
  • Use your subnet routes from other devices.

2.4.1. Enable IP forwarding

echo 'net.ipv4.ip_forward = 1' | tee -a /etc/sysctl.d/ipforwarding.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.d/ipforwarding.conf
sysctl -p /etc/sysctl.d/ipforwarding.conf
On systems using firewalld, enable masquerading:
firewall-cmd --permanent --add-masquerade
On iptables systems, inspect the filter and NAT rules (tailscaled inserts its own ts-* chains once it is up):
iptables -S
iptables -S -t nat

2.4.2. Specify the subnets

# Set at login
tailscale up --advertise-routes=192.168.0.0/24,192.168.1.0/24
# Change later without re-running up
tailscale set --advertise-routes "192.168.10.0/24"
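Tailscale rejects the whole --advertise-routes argument if any entry is malformed, and two routers advertising overlapping prefixes, or a prefix inside Tailscale's own 100.64.0.0/10 range, are the classic ways to break routing in a tailnet. The pre-flight check below is an added example written for this page, not code from Tailscale or Headscale; it reproduces the strict-prefix rule tailscaled applies (host bits set is an error) and adds the two overlap checks. The sample inputs in the main block are constructed.

```python
"""Pre-flight check for a --advertise-routes value before running tailscale up.

Added example, not part of the original page or of Tailscale/Headscale.
"""
import ipaddress
from typing import List, Tuple

# Tailscale hands out node addresses from this CGNAT block; advertising any part of it
# would capture tailnet traffic, so it is refused here (an operational check, not one
# tailscaled itself performs).
TAILSCALE_CGNAT = ipaddress.ip_network("100.64.0.0/10")


def check_advertise_routes(arg: str) -> Tuple[List[str], List[str]]:
    """Parse a comma-separated --advertise-routes value.

    Returns (accepted_prefixes, problems). accepted_prefixes is empty whenever any
    problem was found, mirroring tailscaled, which rejects the whole argument.
    """
    problems: List[str] = []
    nets = []
    for raw in (s.strip() for s in arg.split(",") if s.strip()):
        if "/" not in raw:
            problems.append(f"{raw}: missing prefix length (use 192.168.1.0/24 or 10.0.0.5/32)")
            continue
        try:
            # strict=True refuses host bits set (192.168.1.5/24), exactly as tailscale does.
            net = ipaddress.ip_network(raw, strict=True)
        except ValueError:
            try:
                fixed = ipaddress.ip_network(raw, strict=False)
                problems.append(f"{raw}: host bits set; did you mean {fixed}?")
            except ValueError:
                problems.append(f"{raw}: not a valid IP prefix")
            continue
        if net.version == 4 and net.overlaps(TAILSCALE_CGNAT):
            problems.append(f"{net}: overlaps Tailscale's 100.64.0.0/10 address range")
            continue
        nets.append(net)

    # Two advertised prefixes that overlap are usually a typo; the more specific one
    # would silently win route selection for part of the range.
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"{a} and {b} overlap")

    accepted = [] if problems else [str(n) for n in nets]
    return accepted, problems


if __name__ == "__main__":
    # Constructed sample arguments: one good, one with host bits, one in the CGNAT range.
    for sample in ("192.168.0.0/24,192.168.1.0/24", "192.168.1.5/24", "100.100.0.0/16,10.0.0.0/8"):
        accepted, problems = check_advertise_routes(sample)
        print(sample, "->", accepted or problems)
```

Run it with the exact string you intend to pass to tailscale up; an empty problems list means the argument will be accepted as written.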

2.4.3. Approve subnet routes

# On the control server, show advertised routes and whether they are enabled
headscale routes list
# Delete a route
headscale routes delete -r 1
# Approve a route by id (advertised routes carry no traffic until enabled here)
headscale routes enable -r 1

2.4.4. Test

tailscale status
tailscale netcheck
# Ping a host behind the subnet router from another node
tailscale ping 192.168.10.100

3. Deploy a private DERP relay server

3.1. Relay server configuration

Edit docker-compose.yml; no special privileges are needed, so you can start it directly with docker compose up -d. The tailscaled socket is mounted so that -verify-clients can ask the local tailscaled whether a connecting node belongs to this tailnet; without that flag anyone on the internet can use your relay.
services:
  derp:
    image: sparanoid/derp:edge
    container_name: derp
    hostname: derp
    volumes:
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    ports:
      - "8282:80"
      - "3478:3478/udp"
    command: derper -a :80 -verify-clients true
Then configure the Nginx reverse proxy, vim derp.wangyan.cloud.conf:
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    http2 on;
    server_name derp.wangyan.cloud;

    # SSL
    ssl_certificate /etc/nginx/ssl-certs/wangyan.cloud_ecc/fullchain.cer;
    ssl_certificate_key /etc/nginx/ssl-certs/wangyan.cloud_ecc/wangyan.cloud.key;

    # logging
    access_log /var/log/nginx/wangyan.cloud/derp-access.log combined buffer=512k flush=1m;
    error_log /var/log/nginx/wangyan.cloud/derp-error.log warn;

    # reverse proxy
    location / {
        proxy_pass http://localhost:8282;
        proxy_set_header Host $host;
        include nginx-config/proxy.conf;
    }
}

3.2. Control server configuration

vim /etc/headscale/derp.yaml
regions:
  901:
    regionid: 901
    regioncode: DERP
    regionname: "Custom DERP"
    nodes:
      - name: vps-tc-gz
        regionid: 901
        hostname: derp.wangyan.cloud
        stunport: 3478
        stunonly: false
        derpport: 443
vim /etc/headscale/config.yaml
# Under the derp: section
# Drop the official Tailscale DERP servers so that only your relay is used
urls: []
# Custom DERP map file
paths:
  - /etc/headscale/derp.yaml
Start and check:
systemctl restart headscale
# The custom region should now appear in the report
tailscale netcheck

3.3. Enable TLS on the DERP relay

3.3.1. Update the DERP configuration

With -verify-clients true enabled, tailscaled must already be running and joined to the tailnet on the relay host, because derper validates every connecting node key against it.
A major pitfall: always start headscale and tailscaled first, and only then the derp container.
# /docker-compose.yml
services:
  derp:
    image: sparanoid/derp:edge
    restart: always
    init: true
    container_name: derp
    hostname: derp
    ports:
      - "8383:80"
      - "8443:443"
      - "3478:3478/udp"
    volumes:
      - /etc/nginx/ssl-certs/wangyan.cloud_ecc/fullchain.cer:/app/certs/derp.wangyan.cloud.crt
      - /etc/nginx/ssl-certs/wangyan.cloud_ecc/wangyan.cloud.key:/app/certs/derp.wangyan.cloud.key
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    command: >
      derper
      -hostname derp.wangyan.cloud
      -certdir /app/certs
      -certmode manual
      -verify-clients true
With -certmode manual, derper expects <hostname>.crt and <hostname>.key in -certdir, which is why the mounts rename the files; without -a it listens on :443, hence the 8443:443 mapping.
A tailscaled that is not running is behind most errors at this stage. Verify it answers the same query derper makes (replace nodekey:xxx with a real node key from tailscale status --json):
curl --unix-socket /var/run/tailscale/tailscaled.sock "http://local-tailscaled.sock/localapi/v0/whois?addr=nodekey%3Axxx"

3.3.2. Update the Nginx configuration

location / {
    proxy_pass https://127.0.0.1:8443;
    proxy_set_header Host $host;
}
The DERP session is an HTTP Upgrade, so the same Upgrade/Connection handling that proxy.conf provided in 3.1 is still required here. Note also that nginx does not verify the upstream certificate by default, which is the only reason proxying to derper's TLS port works without extra proxy_ssl_* settings.

4. Remote control of headscale

Remote control requires the remote CLI feature. The pitfall is that headscale's built-in TLS must be enabled; TLS terminated by the nginx reverse proxy is not enough, because the remote CLI speaks gRPC on its own listener (50443 below) that bypasses nginx entirely, and with grpc_allow_insecure false that listener only accepts TLS.

4.1. Remote control through the remote CLI

4.1.1. Enable TLS

vim /etc/headscale/config.yaml
To use your own certificate, fill in only these two options and leave the others empty:
tls_cert_path: "/etc/nginx/ssl-certs/wangyan.cloud_ecc/fullchain.cer"
tls_key_path: "/etc/nginx/ssl-certs/wangyan.cloud_ecc/wangyan.cloud.key"
The headscale user must be able to read both files; the systemd hardening in 1.6 does not block that, but the file permissions may.
If you want headscale to obtain a certificate through ACME instead, fill in these options:
tls_letsencrypt_hostname: ""
tls_letsencrypt_listen: ":http"
tls_letsencrypt_cache_dir: ".cache"
tls_letsencrypt_challenge_type: HTTP-01

4.1.2. Enable gRPC

# Do not use 127.0.0.1 here; the remote CLI connects to this port directly
grpc_listen_addr: 0.0.0.0:50443
# Can stay false
grpc_allow_insecure: false
This exposes the management API to the whole internet, protected only by the API key. Restrict 50443 in the host firewall to the addresses you administer from.

4.1.3. Create an API key

# Create
headscale apikeys create --expiration 180d
# List
headscale apikeys list
# Revoke
headscale apikeys expire --prefix "<PREFIX>"

4.1.4. Set environment variables

# On the remote machine, the same headscale binary serves as the CLI; make it executable
chmod +x /usr/local/bin/headscale
# Set the environment variables
# Note: no https:// prefix here
export HEADSCALE_CLI_ADDRESS="headscale.wangyan.cloud:50443"
export HEADSCALE_CLI_API_KEY="<API KEY FROM PREVIOUS STAGE>"
# Test
headscale nodes list
The API key grants full administrative control of the tailnet; export it from a file with restrictive permissions rather than typing it on the command line, where it lands in shell history.

4.2. Remote control through a web UI

4.2.1. docker-compose.yml

services:
  headscale-admin:
    image: goodieshq/headscale-admin:dev
    container_name: headscale-admin
    ports:
      - "0.0.0.0:8282:80"
    restart: always
Host port 8282 is free here only because the DERP container was moved to 8383/8443 in 3.3.1. Since nginx fronts the panel, binding to 127.0.0.1 instead of 0.0.0.0 keeps it from being reachable over plain HTTP on the host's public address.

4.2.2. Nginx

Pitfall: in the panel, the API URL is not the gRPC address from above but the https server_url (https://headscale.wangyan.cloud).
First make sure https://headscale.wangyan.cloud/api/v1/apikey is reachable through the proxy: with a valid key in an Authorization: Bearer header it returns the key list, and without one it should answer 401 rather than a proxy error.
location / {
    # https now, because headscale terminates TLS itself after 4.1.1
    proxy_pass https://127.0.0.1:8181;
    proxy_set_header Host $host;
    include nginx-config/proxy.conf;
}
location /admin {
    proxy_pass http://127.0.0.1:8282;
    proxy_set_header Host $host;
    include nginx-config/proxy.conf;
}
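The same /api/v1 endpoint the panel uses is enough for scripted administration, and it needs only the https server_url and the API key from 4.1.3, not the exposed gRPC port. The audit script below is an added example written for this page, not code from Headscale or the admin UI; it flags the three things a reviewer of a Headscale deployment looks for first: reusable pre-auth keys that are still valid, nodes that have been offline for weeks, and routes that are advertised but not approved (plus any approved exit node). Endpoint paths and JSON field names follow Headscale v0.23's API (GET /api/v1/node, /api/v1/preauthkey?user=<name>, /api/v1/routes) and are an assumption for other versions; the SAMPLE_* records are constructed, not real output.

```python
"""Audit a Headscale tailnet over its REST API (/api/v1).

Added example, not part of the original page or of Headscale itself.
"""
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone
from typing import List


def api_get(server_url: str, api_key: str, path: str, timeout: float = 10.0) -> dict:
    """GET <server_url>/api/v1/<path>, sending the API key as a bearer token."""
    req = urllib.request.Request(
        f"{server_url.rstrip('/')}/api/v1/{path}",
        headers={"Authorization": f"Bearer {api_key}", "Accept": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:  # server certificate is verified
        return json.load(resp)


_RFC3339 = re.compile(r"(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2})(?:\.(\d+))?(Z|[+-]\d{2}:\d{2})$")


def parse_ts(value: str) -> datetime:
    """Parse a protobuf-JSON timestamp (RFC 3339, up to nanoseconds, 'Z' suffix)."""
    m = _RFC3339.match(value)
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    base, frac, tz = m.groups()
    micro = (frac or "")[:6].ljust(6, "0")  # Python keeps microseconds only
    return datetime.fromisoformat(f"{base}.{micro}{'+00:00' if tz == 'Z' else tz}")


def audit(nodes: List[dict], keys: List[dict], routes: List[dict], now: datetime,
          stale_after: timedelta = timedelta(days=30)) -> List[str]:
    """Return human-readable findings; an empty list means nothing stood out."""
    findings: List[str] = []
    for key in keys:  # a live reusable key is a shared secret that registers nodes
        if key.get("reusable") and parse_ts(key["expiration"]) > now:
            findings.append(f"reusable pre-auth key {key['key'][:8]}... (user {key['user']}) "
                            f"is still valid until {key['expiration']}")
    for node in nodes:  # forgotten machines keep a valid node key
        last_seen = parse_ts(node["lastSeen"])
        if not node.get("online") and now - last_seen > stale_after:
            findings.append(f"node {node['givenName']} (id {node['id']}) offline since {last_seen.date()}")
    for route in routes:
        owner = route["node"]["givenName"]
        if route.get("advertised") and not route.get("enabled"):
            findings.append(f"route {route['prefix']} from {owner} is advertised but not approved")
        if route.get("enabled") and route["prefix"] in ("0.0.0.0/0", "::/0"):
            findings.append(f"{owner} is an approved exit node ({route['prefix']})")
    return findings


def run_audit(server_url: str, api_key: str, user: str) -> List[str]:
    """Fetch live data and audit it (needs network access to the control server)."""
    nodes = api_get(server_url, api_key, "node")["nodes"]
    query = urllib.parse.urlencode({"user": user})
    keys = api_get(server_url, api_key, f"preauthkey?{query}")["preAuthKeys"]
    routes = api_get(server_url, api_key, "routes")["routes"]
    return audit(nodes, keys, routes, datetime.now(timezone.utc))


# Constructed sample data, shaped like the v0.23 API responses (assumption).
NOW = datetime(2024, 8, 14, 12, 0, tzinfo=timezone.utc)
SAMPLE_NODES = [
    {"id": "1", "givenName": "vps-tc-gz", "online": True, "lastSeen": "2024-08-14T11:59:30.123456789Z"},
    {"id": "3", "givenName": "android", "online": False, "lastSeen": "2024-06-01T08:00:00Z"},
]
SAMPLE_KEYS = [
    {"id": "1", "key": "0123456789abcdef0123456789abcdef", "user": "admin", "reusable": True,
     "used": True, "expiration": "2024-08-15T10:00:00Z"},
    {"id": "2", "key": "fedcba9876543210fedcba9876543210", "user": "admin", "reusable": False,
     "used": True, "expiration": "2024-08-13T10:00:00Z"},
]
SAMPLE_ROUTES = [
    {"id": "1", "node": SAMPLE_NODES[0], "prefix": "192.168.10.0/24", "advertised": True, "enabled": False},
    {"id": "2", "node": SAMPLE_NODES[0], "prefix": "0.0.0.0/0", "advertised": True, "enabled": True},
]

if __name__ == "__main__":
    for line in audit(SAMPLE_NODES, SAMPLE_KEYS, SAMPLE_ROUTES, NOW):
        print("-", line)
```

Against a real deployment call run_audit("https://headscale.wangyan.cloud", api_key, "admin") with the key read from a protected file; the script never prints more than the first eight characters of a pre-auth key, so its output can go into a ticket without leaking the secret.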
If you have any questions, please contact me.