C
# C toolchain: compiler, make, and 32-bit (multilib) build support.
sudo apt update
sudo apt install \
  build-essential \
  gcc \
  gcc-multilib \
  g++-multilib
GO
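# Fetch tools, then install the Go toolchain under /usr/local/go.
sudo apt install wget git curl
# NOTE(review): linux-386 is the 32-bit x86 build; confirm it matches the host.
wget https://go.dev/dl/go1.25.1.linux-386.tar.gz
# Verify the archive before unpacking it as root. Replace the placeholder with
# the SHA256 listed for this exact file on https://go.dev/dl/ ; the old tree is
# removed and the archive extracted only if the checksum matches.
printf '%s  %s\n' '<SHA256_FROM_GO_DOWNLOAD_PAGE>' go1.25.1.linux-386.tar.gz \
  | sha256sum -c - \
  && sudo rm -rf /usr/local/go \
  && sudo tar -C /usr/local -xzf go1.25.1.linux-386.tar.gz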
Using the latest version of Go, run:
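# Put the Go toolchain on PATH before calling it.
export PATH=$PATH:/usr/local/go/bin
# Persist the PATH entry for login shells. Single quotes keep $PATH literal, so
# the current session's PATH is not frozen into /etc/profile. tee runs under
# sudo because a plain `>>` is performed by the unprivileged shell and fails.
echo 'export PATH=$PATH:/usr/local/go/bin' | sudo tee -a /etc/profile >/dev/null
source /etc/profile
# Optional module mirror. Modules are then fetched through a third-party proxy;
# leave GOSUMDB at its default so the go command still checks module hashes
# against the checksum database.
export GOPROXY=https://mirrors.aliyun.com/goproxy/,direct
# @latest builds whatever version is newest at install time; pin an explicit
# version instead when the build has to be reproducible.
# The binary lands in $GOBIN, or in $GOPATH/bin when GOBIN is unset. The unit
# file on this page expects it at /etc/derp/derper.
go install tailscale.com/cmd/derper@latest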
$GOBIN 指定 Go 可执行文件的安装目录。
GOPATH:指定 Go 工作空间(通常是代码存放位置)。如果没有显式设置,Go 会使用默认的工作空间 $HOME/go。
certificate
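# Self-signed certificate for derper's manual certificate mode.
# With -certmode manual, derper loads <certdir>/<hostname>.crt and
# <certdir>/<hostname>.key, so the file names must match the -hostname value
# (derper.hazysite.icu); files named derp.test.com.* would not be found.
sudo mkdir -p /etc/derp
sudo openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
  -keyout /etc/derp/derper.hazysite.icu.key \
  -out /etc/derp/derper.hazysite.icu.crt \
  -subj "/CN=derper.hazysite.icu" \
  -addext "subjectAltName=DNS:derper.hazysite.icu"
# -nodes leaves the private key unencrypted on disk; restrict it to its owner.
sudo chmod 600 /etc/derp/derper.hazysite.icu.key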
derper service
# Create the systemd unit for derper; the unit content follows.
sudo nano /etc/systemd/system/derp.service
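# systemd unit for a self-hosted Tailscale DERP relay.
[Unit]
Description=TS Derper
After=network.target
Wants=network.target

[Service]
# NOTE(review): neither listening port (12345, 33446) is privileged, so root is
# not needed for binding. A dedicated account would be preferable if it can
# read /etc/derp and reach the local tailscaled that --verify-clients queries;
# confirm both before switching.
User=root
Restart=always
# --verify-clients limits the relay to nodes known to the local tailscaled;
# without it, any client that can reach the port can relay through this host.
ExecStart=/etc/derp/derper -hostname derper.hazysite.icu -a :12345 -http-port 33446 -certmode manual -certdir /etc/derp --verify-clients
RestartPreventExitStatus=1
# Sandboxing that does not depend on the service account. ProtectSystem=full
# mounts /usr, /boot and /etc read-only; derper only reads /etc/derp in manual
# certificate mode. TODO: verify derper still starts on the target host.
NoNewPrivileges=true
PrivateTmp=true
ProtectHome=true
ProtectSystem=full

[Install]
WantedBy=multi-user.target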
防火墙
系统防火墙,允许udp 端口
# Inspect the current rule set first: -A appends, so an earlier DROP/REJECT
# rule in the INPUT chain still takes precedence over the rules added below.
sudo iptables -L -n -v

# Same four ACCEPT rules for IPv4 and then IPv6.
# 3478/udp is the STUN port; 41641/udp is tailscaled's default WireGuard port.
# NOTE(review): the derper unit on this page listens on 12345 and 33446, which
# are not opened here; presumably 443 is served by the nginx front end.
for ipt in iptables ip6tables; do
  sudo "$ipt" -A INPUT -p udp --dport 41641 -j ACCEPT
  sudo "$ipt" -A INPUT -p udp --dport 3478 -j ACCEPT
  sudo "$ipt" -A INPUT -p tcp --dport 443 -j ACCEPT
  sudo "$ipt" -A INPUT -p udp --dport 443 -j ACCEPT
done

# Persist the rules across reboots.
sudo apt install iptables-persistent -y
sudo netfilter-persistent save
云服务商防火墙,注意是udp端口

验证需要tailscaled守护程序
# Client verification needs the tailscaled daemon on this host, so the relay
# host itself is brought up as a node. Both flags are set to false: the host
# does not accept subnet routes and does not advertise itself as an exit node.
sudo tailscale up --accept-routes=false --advertise-exit-node=false
https://gist.github.com/junaire/b66301960c622796d636612d8133124a - 有时候你需要等会 derper 才真正起作用。
在 Android 上同时使用 Clash for Android 和 Tailscale
Tailscale高级用法,route与exit-node实现局域网穿透与代理出口功能 - DongVPS
Tailscale 基础教程:部署私有 DERP 中继服务器
Secure a Windows RDP server · Tailscale Docs
搭建derper服务实现异地组网 – geekrabbit | 个人技术博客
自建DERP服务器提升Tailscale连接速度(使用Nginx转发) - Jiajun的技术笔记
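# Build stage: compile derper from source.
# NOTE(review): golang:latest and the untagged ubuntu image below float over
# time; pin a tag or digest for reproducible, auditable builds.
FROM golang:latest AS builder
WORKDIR /app
ARG DERP_VERSION=latest
RUN go install tailscale.com/cmd/derper@${DERP_VERSION}

# Runtime stage: only the derper binary plus CA certificates.
FROM ubuntu
WORKDIR /app
ARG DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
    apt-get install -y --no-install-recommends apt-utils && \
    apt-get install -y ca-certificates && \
    rm -rf /var/lib/apt/lists/* && \
    mkdir /app/certs

ENV DERP_DOMAIN=your-hostname.com
ENV DERP_CERT_MODE=letsencrypt
ENV DERP_CERT_DIR=/app/certs
ENV DERP_ADDR=:443
ENV DERP_STUN=true
ENV DERP_STUN_PORT=3478
ENV DERP_HTTP_PORT=80
# With verification off, any client that can reach the relay may use it.
# Turning it on needs either access to a tailscaled instance from inside the
# container or a verification URL in DERP_VERIFY_CLIENT_URL.
ENV DERP_VERIFY_CLIENTS=false
ENV DERP_VERIFY_CLIENT_URL=""

COPY --from=builder /go/bin/derper .

# NOTE(review): no USER is set, so derper runs as root inside the container.
# exec replaces the wrapping shell so derper receives stop signals directly;
# the variables are quoted so an empty or spaced value stays a single argument.
CMD exec /app/derper --hostname="$DERP_DOMAIN" \
    --certmode="$DERP_CERT_MODE" \
    --certdir="$DERP_CERT_DIR" \
    --a="$DERP_ADDR" \
    --stun="$DERP_STUN" \
    --stun-port="$DERP_STUN_PORT" \
    --http-port="$DERP_HTTP_PORT" \
    --verify-clients="$DERP_VERIFY_CLIENTS" \
    --verify-client-url="$DERP_VERIFY_CLIENT_URL"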
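# Reverse proxy in front of a service listening on 127.0.0.1:30001.
# Values in <...> are placeholders: domain, access and error log paths, and the
# Let's Encrypt certificate and private-key paths.
# NOTE(review): the upstream derper README advises against placing derper
# behind another HTTP proxy, because DERP switches from HTTP to its own binary
# protocol inside the connection; check the current upstream guidance.
server {
    # Port 80 is proxied as-is; it is not redirected to HTTPS.
    listen 80;
    listen 443 ssl;
    server_name <域名>;

    access_log <Nginx 日志路径>;
    error_log <Nginx 错误日志路径>;

    ssl_certificate <Let's Encrypt 证书路径>;
    ssl_certificate_key <Let's Encrypt 证书私钥路径>;

    location / {
        client_max_body_size 1G;

        # Pass the protocol upgrade through to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";

        # Forward the original host and client address.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The URL must be bare: angle brackets around it are not valid here.
        proxy_pass http://127.0.0.1:30001;
    }
}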
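# TLS front end for derper.hazysite.icu, proxying to derper on 10.6.0.14:12345.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name derper.hazysite.icu;

    ssl_certificate /etc/nginx/ssl/live/derper.hazysite.icu/fullchain.pem; # replace with your certificate path
    ssl_certificate_key /etc/nginx/ssl/live/derper.hazysite.icu/privkey.pem; # replace with your private-key path
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers HIGH:!aNULL:!MD5;

    # Reverse proxy to the derper service.
    location / {
        # derper -a :12345. The URL must be bare: angle brackets are not valid.
        # NOTE(review): the unit file on this page starts derper with
        # -certmode manual, in which case it presumably serves TLS on :12345
        # and a plain http:// upstream would not connect; confirm. With http://
        # the hop to 10.6.0.14 is also unencrypted on the internal network.
        proxy_pass http://10.6.0.14:12345;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Protocol upgrade pass-through (if derper uses it).
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "Upgrade";
    }
}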