Following 906051999's original post "The best virtual networking: deploying an IP-based DERP node for Tailscale"
I deployed my own Tailscale DERP node on leaflow. A quick write-up to earn a few points.
1. Image selection
Use this image: https://hub.docker.com/r/yangchuansheng/ip_derper
It only needs two ports, one TCP and one UDP.
2. leaflow deployment
Create a new application on leaflow.
Name it whatever you like and use the image above.
Since it is only a relay node, and once hole punching succeeds no traffic passes through it, 128 MB of memory and 200 millicores of CPU are enough.
In normal use the overhead is actually very small.
Expose the ports.
Then start the application.
Enable external (public) access:
Select the target workload directly; the port mappings are filled in for you automatically.
Choose the session affinity and external traffic policy, then enable the service.
You can now see the public IP address.
3. Tailscale settings
Copied directly from the original author's text.
Next, go to the Tailscale admin console and configure the DERP server address.
For the meaning of each parameter, see the official documentation: tailcfg package - tailscale.com/tailcfg - Go Packages
The official DERP map shows which region each ID corresponds to; override it in the policy file and keep only the low-latency regions: https://controlplane.tailscale.com/derpmap/default
My configuration, for reference:
```jsonc
// Example/default ACLs for unrestricted connections.
{
  // Declare static groups of users. Use autogroups for all users or users with a specific role.
  // "groups": {
  //   "group:example": ["[email protected]", "[email protected]"],
  // },

  // Define the tags which can be applied to devices and by which users.
  // "tagOwners": {
  //   "tag:example": ["autogroup:admin"],
  // },

  // Define grants that govern access for users, groups, autogroups, tags,
  // Tailscale IP addresses, and subnet ranges.
  "grants": [
    // Allow all connections.
    // Comment this section out if you want to define specific restrictions.
    {"src": ["*"], "dst": ["*"], "ip": ["*"]},

    // Allow users in "group:example" to access "tag:example", but only from
    // devices that are running macOS and have enabled Tailscale client auto-updating.
    // {"src": ["group:example"], "dst": ["tag:example"], "ip": ["*"], "srcPosture":["posture:autoUpdateMac"]},
  ],

  // Define postures that will be applied to all rules without any specific
  // srcPosture definition.
  // "defaultSrcPosture": [
  //   "posture:anyMac",
  // ],

  // Define device posture rules requiring devices to meet
  // certain criteria to access parts of your system.
  // "postures": {
  //   // Require devices running macOS, a stable Tailscale
  //   // version and auto update enabled for Tailscale.
  //   "posture:autoUpdateMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //     "node:tsAutoUpdate",
  //   ],
  //   // Require devices running macOS and a stable
  //   // Tailscale version.
  //   "posture:anyMac": [
  //     "node:os == 'macos'",
  //     "node:tsReleaseTrack == 'stable'",
  //   ],
  // },

  // Define users and devices that can use Tailscale SSH.
  "ssh": [
    // Allow all users to SSH into their own devices in check mode.
    // Comment this section out if you want to define specific restrictions.
    {
      "action": "check",
      "src": ["autogroup:member"],
      "dst": ["autogroup:self"],
      "users": ["autogroup:nonroot", "root"],
    },
  ],

  // Custom derpMap
  "randomizeClientPort": false, // randomize the client port, to get around NAT or firewall restrictions
  "derpMap": {
    "OmitDefaultRegions": false, // set to true to use only your own nodes and none of the official ones
    "Regions": {
      "900": {
        "RegionID": 900, // Tailscale reserves 900-999 for custom derpers
        "RegionCode": "alicloud", // any name you like
        "RegionName": "leaflow shenzhen", // any name you like
        "Nodes": [
          {
            "Name": "900", // copied from the derper's output
            "RegionID": 900, // copied from the derper's output
            "HostName": "【IP】", // replace with the server's public IP
            "DERPPort": 10042, // DERP service port
            "STUNPort": 10046, // STUN port
            "InsecureForTests": true,
            "IPv4": "【IP】", // replace with the server's public IP
          },
        ],
      },
      "1": null,
      "2": null,
      // "3": null, // Singapore
      "4": null,
      // "5": null, // Sydney
      "6": null,
      // "7": null, // Tokyo
      "8": null,
      "9": null,
      "10": null,
      "11": null,
      "12": null,
      "13": null,
      "14": null,
      "15": null,
      "16": null,
      "17": null,
      "18": null,
      "19": null,
      // "20": null, // Hong Kong
      "21": null,
      "22": null,
      "23": null,
      "24": null,
      "25": null,
    },
  },

  // Test access rules every time they're saved.
  // "tests": [
  //   {
  //     "src": "[email protected]",
  //     "accept": ["tag:example"],
  //     "deny": ["100.101.102.103:443"],
  //   },
  // ],
}
```
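As an added example (not from the post, and not Tailscale's code), a small Python linter for the derpMap section above: it strips the `//` comments and trailing commas that Tailscale's HuJSON policy format allows, checks that custom regions stay in the 900-999 range with a matching key, catches 【IP】 placeholders that were never replaced, and flags `InsecureForTests`, which makes the client skip TLS certificate verification for that relay. The sample policy and the 203.0.113.10 address are constructed.

```python
import json
import re

# Constructed sample in Tailscale's HuJSON dialect, mirroring the post's derpMap (203.0.113.10 is a placeholder IP).
SAMPLE_POLICY = r'''{
  "derpMap": {
    "OmitDefaultRegions": false,
    "Regions": {
      "900": {
        "RegionID": 900, // 900-999 are reserved for custom derpers
        "RegionCode": "alicloud", "RegionName": "leaflow shenzhen",
        "Nodes": [{
          "Name": "900", "RegionID": 900,
          "HostName": "203.0.113.10", "IPv4": "203.0.113.10",
          "DERPPort": 10042, "STUNPort": 10046,
          "InsecureForTests": true,
        }],
      },
      "1": null, // "N": null disables that default region
    },
  },
}'''

def hujson_to_json(text: str) -> str:
    # Drop // comments, then trailing commas, leaving string literals untouched.
    keep = lambda m: m.group(0) if m.group(0).startswith('"') else ""
    for pat in (r"//[^\n]*", r",(?=\s*[}\]])"):
        text = re.sub(r'"(?:\\.|[^"\\])*"|' + pat, keep, text)
    return text

def check_derp_map(policy_text: str) -> list[str]:
    # Lint the custom DERP regions of a policy file and return the findings.
    findings = []
    regions = json.loads(hujson_to_json(policy_text)).get("derpMap", {}).get("Regions", {})
    for key, region in regions.items():
        if region is None:  # a disabled default region, nothing to check
            continue
        rid = region.get("RegionID")
        if not isinstance(rid, int) or not 900 <= rid <= 999 or str(rid) != key:
            findings.append(f"region {key}: RegionID {rid!r} must equal the key and lie in 900-999")
        for node in region.get("Nodes", []):
            name = node.get("Name", "?")
            if node.get("RegionID") != rid:
                findings.append(f"node {name}: RegionID differs from region {key}")
            for field in ("HostName", "IPv4"):
                if not node.get(field) or "【" in str(node[field]):
                    findings.append(f"node {name}: {field} is still a placeholder")
            if node.get("InsecureForTests"):
                findings.append(f"node {name}: InsecureForTests=true, TLS certificate not verified")
    return findings
```

Run `check_derp_map(open("policy.hujson").read())` on your own policy file; an empty list means only the InsecureForTests note is absent, which with ip_derper's self-signed certificate it will not be.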
4. Tailscale test
After changing DERP nodes, the client has to restart Tailscale for the change to take effect; otherwise it keeps using the previous DERP node. On Synology, just disable and re-enable Tailscale in Package Center.
Let's test the node. On Windows, run the commands from a cmd prompt in the Tailscale directory (SSH on Synology works too).
First disable IPv6 so the devices cannot connect directly over the public Internet, then take a phone on mobile data and join it to the tailnet:
- Check the tailnet status
```
tailscale status
100.64.205.77 officenas-1 zbigbird@ linux -
100.77.234.40 huawei-icl-al10 zbigbird@ android offline
# Health check:
# - Tailscale could not connect to the 'leaflow shenzhen' relay server. Your Internet connection might be down, or the server might be temporarily unavailable.
```
- Check the network status
```
tailscale netcheck
Report:
* Time: 2025-09-19T10:28:43.058020358Z
* UDP: true
* IPv4: yes, 10.0.1.51:36297
* IPv6: no, but OS has support
* MappingVariesByDestIP: true
* PortMapping: UPnP
* CaptivePortal: false
* Nearest DERP: leaflow shenzhen
* DERP latency:
- alicloud: 8.5ms (leaflow shenzhen)
- hkg: 153.3ms (Hong Kong)
- nue: 186.3ms (Nuremberg)
- iad: 215.2ms (Ashburn)
- hel: 217.2ms (Helsinki)
- sin: 237.5ms (Singapore)
- tok: 240.2ms (Tokyo)
- syd: 303.5ms (Sydney)
```
- Ping the phone that is on mobile data
```
tailscale ping 100.77.234.40
pong from huawei-icl-al10 (100.77.234.40) via 192.168.123.70:33247 in 36ms
```
IPv4 STUN hole punching succeeded, with 36 ms latency!