1. Introduction to Tailscale

In an early podcast, I heard Livid mention the clever use of Tailscale, which sparked my interest and led me to explore this product. Tailscale co-founder and CTO David Crawshaw previously worked at Google. The official introduction is quite detailed; here I summarize what Tailscale is. It is a mesh VPN for connecting devices across different locations, built on WireGuard: a client (tailscaled) on every device, a coordination server that hands out the devices' public keys and the ACL policy, and relay servers (DERP; the server binary is called derper) that forward traffic when two devices cannot reach each other directly. Packets stay WireGuard-encrypted end to end between the two devices, so a relay, whether Tailscale's or your own, only ever sees ciphertext.

You can install the Tailscale client on mobile phones, PCs, NAS boxes and Linux servers. Devices first try to connect to each other directly (NAT traversal using STUN); only when that fails is traffic forwarded through the official DERP relays. Which device may talk to which, and on which ports, is controlled by the ACL policy in the admin console.

Here are a few small scenarios to help quickly understand what this tool can do.

Example 1: How can I access the test server on my company's intranet from home?

Both the home and company computers need the Tailscale client installed. Once tailscaled is running and logged in on both ends, you can reach the target server on the company intranet from home, including all its port services such as SSH and web, as far as the tailnet's ACLs allow. The server is reached either through its own Tailscale client or through a company machine that advertises the intranet as a subnet route.

Example 2: How can I access my QNAP NAS at home from the company?

The usual solution is to get a public dynamic IP from the ISP at home, then use the DNS console of Alibaba Cloud/Tencent Cloud with DDNS to point a domain at the home NAS and reach it over the public internet by that name (with the NAS ports forwarded on the router, which exposes them to everyone on the internet). But what if DDNS is not an option at home?

In this case you can use Tailscale. Before 2022 QNAP did not offer Tailscale in its app store; the only packages were third-party ones from the developer community on the QNAP Store. Those early third-party packages had a minor issue: if you advertised the home LAN 192.168.2.0/24 as a subnet route (as in the command below) and the company intranet used the same 192.168.2.x range, the two networks overlapped and addresses clashed, breaking access.

# After installing the community plugin on the NAS, the subnet route had to be added by hand, otherwise it did not work; this is where the address conflict came from.
./tailscale --socket /var/run/tailscale/tailscaled.sock up --advertise-routes=192.168.2.0/24 --advertise-exit-node

In mid-2023 QNAP added an official Tailscale package that installs directly from the QNAP store, and in my tests the address-conflict issue is gone. So as long as tailscaled on the home device is running and has internet access, and the company client (with its tailscaled running too) is online, you can reach the home NAS from the company. Two things still apply to subnet routes: they have to be approved in the admin console, and a Linux client only installs them when it runs with --accept-routes. It's a bit like IoT: as long as both devices are online they can talk, directly when NAT traversal succeeds and through a DERP relay otherwise.
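Whatever the old plugin did internally, an advertised subnet that overlaps the LAN of the client that will use it is a routing conflict in its own right: packets for 192.168.2.x can either be delivered on the local network or sent into the tunnel, not both, so one side becomes unreachable. The check below is an added example written for this post, not code from the post or from Tailscale. It parses the output of `ip -o -4 addr show` on the client and flags every route you are about to advertise that overlaps a network the client is directly attached to. SAMPLE_IP_ADDR is constructed sample output for a company PC whose LAN happens to be 192.168.2.0/24; on a real client, feed the function the command's actual output.

```python
"""Check routes you are about to advertise against the LAN of the client that will use them.

Added example, not code from the original post or from Tailscale.
SAMPLE_IP_ADDR is constructed `ip -o -4 addr show` output; replace it with the
real output of the client you are checking.
"""
import ipaddress
import re

# Constructed: a company PC on 192.168.2.0/24 that is also a Tailscale node.
SAMPLE_IP_ADDR = """
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 192.168.2.57/24 brd 192.168.2.255 scope global dynamic eth0\\       valid_lft 85000sec preferred_lft 85000sec
3: tailscale0    inet 100.101.102.103/32 scope global tailscale0\\       valid_lft forever preferred_lft forever
"""

# "<index>: <iface>    inet <addr>/<prefix> ..." is the one-line-per-address format of `ip -o`.
_ADDR_RE = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+/\d+)")


def local_networks(ip_addr_output):
    """List (interface, IPv4 network) for every address in the output except loopback."""
    nets = []
    for line in ip_addr_output.splitlines():
        m = _ADDR_RE.match(line)
        if m and m.group(1) != "lo":
            # strict=False turns the host address 192.168.2.57/24 into the network 192.168.2.0/24
            nets.append((m.group(1), ipaddress.ip_network(m.group(2), strict=False)))
    return nets


def route_conflicts(advertised, ip_addr_output):
    """advertised is the comma-separated value you would pass to --advertise-routes.

    Returns (route, interface, local_network) for each route that overlaps a
    network the client is directly attached to; an empty list means no clash.
    """
    local = local_networks(ip_addr_output)
    conflicts = []
    for item in advertised.split(","):
        # strict (the default) rejects routes with host bits set, such as 192.168.2.1/24
        route = ipaddress.ip_network(item.strip())
        for iface, net in local:
            if route.overlaps(net):
                conflicts.append((str(route), iface, str(net)))
    return conflicts


if __name__ == "__main__":
    # The route from the post, checked against the constructed company PC.
    for route, iface, net in route_conflicts("192.168.2.0/24", SAMPLE_IP_ADDR):
        print(f"{route} overlaps {net} on {iface}: one of the two networks will be unreachable")
```

Run it on the client before approving the route in the admin console; the same check also catches routes that collide with Tailscale's own 100.64.0.0/10 range on tailscale0.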

2. Derper Relay

By default Tailscale uses its own DERP relay servers to forward traffic between your devices when they cannot connect directly, but the throughput and latency of the official relay nodes are poor for users in mainland China.

For this reason Tailscale lets you define your own DERP relays in the tailnet policy (the derpMap section), so domestic devices can reach each other smoothly even when the path is relayed. Setting up a self-hosted relay consists of two parts; see the official and third-party documentation for details:

Part 1: Run a derper server. A lightweight cloud server from Alibaba Cloud, Tencent Cloud, etc. works, as does a machine at home with a public dynamic IP from the ISP and DDNS.

Part 2: Add the relay to the derpMap section of the policy (ACL) file in the admin console.

2.1 Self-hosted derper

Main Reference 1
Additional Reference 2
Additional Reference 3

Based on Main Reference 1, I created a derper relay with docker-compose on an x86 mini PC in my homelab. The configuration files are as follows:

File directory

root@xx:~/tailscale_derp# tree
├── acl.json.example
├── docker-compose.yaml
└── ssl
    ├── axx.xx.zone.crt
    └── axx.xx.zone.key

derper docker-compose.yaml

version: "3"
services:
  derper:
    image: ghcr.io/yangchuansheng/derper:latest   # third-party image wrapping Tailscale's derper
    container_name: derper
    ports:
      - 62345:62345        # DERP over HTTPS; must match DERP_ADDR and the DERPPort in the derpMap
      - 3478:3478/udp      # STUN, used by clients for NAT traversal and by netcheck
    volumes:
      - ./ssl/:/app/certs/                                                     # manual cert mode reads <DERP_DOMAIN>.crt/.key from here
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock   # local tailscaled, needed by DERP_VERIFY_CLIENTS
    environment:
      - DERP_CERT_MODE=manual
      #- DERP_CERT_MODE=letsencrypt          # see 2.3 for why this is disabled
      - DERP_ADDR=:62345
      - DERP_DOMAIN=axx.xx.zone              # must be the name the certificate was issued for
      - DERP_VERIFY_CLIENTS=true             # only relay for nodes of the tailnet the local tailscaled belongs to
      - TZ=Asia/Shanghai
    restart: always

acl.json.example: a backup of the policy file as it was before I touched it, kept locally so a broken ACL edit can be rolled back.
ssl: certificate and key for your DDNS domain (mine is from Alibaba Cloud). In manual mode derper loads them by name, so the files must be called <DERP_DOMAIN>.crt and <DERP_DOMAIN>.key, here axx.xx.zone.crt and axx.xx.zone.key.
docker-compose.yaml: the file shown above. TCP 62345 and UDP 3478 must be forwarded on the router firewall to this host so that the public domain axx.xx.zone reaches the relay from the internet; nothing else needs to be exposed.
DERP_VERIFY_CLIENTS=true: the relay asks the local tailscaled whether a connecting node belongs to your tailnet and refuses everyone else. Without it, anyone who learns the hostname can use your relay to carry their own traffic (they still cannot read yours, since it stays WireGuard-encrypted end to end; the risk is bandwidth abuse and an open service on your home IP). It needs the socket mount below, and that tailscaled must be logged into the same tailnet.
/var/run/tailscale/tailscaled.sock: the socket of the local tailscaled process; I run the derper container and the Tailscale daemon on the same homelab host.

After setting up derper, test it by opening the following URL in a web browser (62345 is the port, so it goes after a colon, not in the path):

https://axx.xx.zone:62345/

Note: axx.xx.zone is your own derper relay DDNS domain. If the page identifies itself as a Tailscale DERP server and the browser shows no certificate warning, the HTTPS side is working.
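The browser check only exercises TCP 62345. The other forwarded port, 3478/udp, is STUN: clients send a Binding Request there and the relay answers with the public address and port it saw them from, which is what NAT traversal and tailscale netcheck rely on. The script below is an added example written for this post, not code from the post or from Tailscale. It is a minimal RFC 5389 STUN client that sends one Binding Request and parses the XOR-MAPPED-ADDRESS in the reply; build_binding_response exists only to construct sample input so the parser can be exercised offline. The hostname in main() is an assumption, replace it with your own DERP_DOMAIN.

```python
"""Probe a self-hosted derper's STUN port (3478/udp) with a minimal RFC 5389 Binding Request.

Added example, not code from the original post or from Tailscale. tailscale
netcheck does the same thing internally; this shows what the UDP port is for
and lets you test the forwarded port from any host.
"""
import os
import socket
import struct

MAGIC_COOKIE = 0x2112A442          # fixed value in every RFC 5389 STUN header
BINDING_REQUEST = 0x0001
BINDING_SUCCESS = 0x0101
ATTR_MAPPED_ADDRESS = 0x0001
ATTR_XOR_MAPPED_ADDRESS = 0x0020


def build_binding_request(txid):
    """20-byte header, no attributes: type, length, magic cookie, 96-bit transaction id."""
    if len(txid) != 12:
        raise ValueError("transaction id must be 12 bytes")
    return struct.pack("!HHI", BINDING_REQUEST, 0, MAGIC_COOKIE) + txid


def _decode_address(value, txid, xored):
    """Decode a (XOR-)MAPPED-ADDRESS value: pad byte, family, port, address."""
    family, port = struct.unpack("!xBH", value[:4])
    raw = value[4:]
    if xored:  # XOR-MAPPED-ADDRESS hides the address from NATs that rewrite payloads
        port ^= MAGIC_COOKIE >> 16
        mask = struct.pack("!I", MAGIC_COOKIE) + txid
        raw = bytes(a ^ b for a, b in zip(raw, mask))
    if family == 0x01 and len(raw) == 4:
        return socket.inet_ntop(socket.AF_INET, raw), port
    if family == 0x02 and len(raw) == 16:
        return socket.inet_ntop(socket.AF_INET6, raw), port
    raise ValueError(f"unsupported address family {family:#x}")


def parse_binding_response(data, txid):
    """Return (public_ip, public_port) from a Binding Success response.

    The magic cookie and transaction id must echo our request, otherwise a stray
    datagram on the socket could be mistaken for the relay's answer.
    """
    if len(data) < 20:
        raise ValueError("short STUN message")
    mtype, mlen, cookie = struct.unpack("!HHI", data[:8])
    if cookie != MAGIC_COOKIE or data[8:20] != txid:
        raise ValueError("not a response to our request")
    if mtype != BINDING_SUCCESS:
        raise ValueError(f"unexpected STUN message type {mtype:#06x}")
    body, off, fallback = data[20:20 + mlen], 0, None
    while off + 4 <= len(body):
        atype, alen = struct.unpack("!HH", body[off:off + 4])
        value = body[off + 4:off + 4 + alen]
        off += 4 + ((alen + 3) & ~3)          # attribute values are padded to 4 bytes
        if atype == ATTR_XOR_MAPPED_ADDRESS:
            return _decode_address(value, txid, xored=True)
        if atype == ATTR_MAPPED_ADDRESS:
            fallback = _decode_address(value, txid, xored=False)
    if fallback is None:
        raise ValueError("response carries no mapped address")
    return fallback


def build_binding_response(txid, ip, port):
    """Encode what a STUN server answers (IPv4, XOR-MAPPED-ADDRESS only).

    Only used to construct sample input for offline testing; a real derper
    produces this on 3478/udp.
    """
    raw = socket.inet_pton(socket.AF_INET, ip)
    xaddr = bytes(a ^ b for a, b in zip(raw, struct.pack("!I", MAGIC_COOKIE)))
    value = struct.pack("!xBH", 0x01, port ^ (MAGIC_COOKIE >> 16)) + xaddr
    attr = struct.pack("!HH", ATTR_XOR_MAPPED_ADDRESS, len(value)) + value
    return struct.pack("!HHI", BINDING_SUCCESS, len(attr), MAGIC_COOKIE) + txid + attr


def stun_probe(host, port=3478, timeout=3.0):
    """Send one Binding Request and return the reflexive (ip, port) the relay saw us at."""
    txid = os.urandom(12)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_binding_request(txid), (host, port))
        data, _ = s.recvfrom(1500)
    return parse_binding_response(data, txid)


if __name__ == "__main__":
    print(stun_probe("axx.xx.zone"))     # assumed hostname: use your own DERP_DOMAIN
```

Run it from outside the home network; it should print the public IP and port of the probing host. A timeout means 3478/udp is not reaching the container: relaying over TCP 62345 still works, but clients cannot use this relay for STUN, which is what netcheck's UDP latency probe and endpoint discovery depend on.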

2.2 Setting up ACL

After the relay is up, add its derpMap entry to the policy file in the admin console.

ACL partial configuration

"groups": {
       *******
        },

        // Access control lists.
        "acls": [
             *****
        ],
        // ###################### New derper configuration
        "derpMap": {
                "OmitDefaultRegions": true,
                "Regions": {"900": {
                        "RegionID":   900,
                        // Your custom derper name, for example examplecust
                        "RegionCode": "examplecust",
                        "Nodes": [{
                                "Name":     "1",
                                "RegionID": 900,
                                "HostName": "axx.xx.zone",
                                "DERPPort": 62345,
                        }],
                }},
        },
        // ###################### End of the cust derper configuration
        "ssh": [
                ****
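The policy file is HuJSON: comments and the trailing commas in the fragment above are allowed, which also means a normal JSON parser cannot check it for you. Below is an added example written for this post, not code from the post or from Tailscale, that converts such a fragment to strict JSON and lints the derpMap for the mistakes that silently break a custom relay: a region key that does not match its RegionID, a node whose RegionID differs from its region, a HostName that is an IP address (the relay's TLS certificate is verified against this name), the InsecureForTests flag, and OmitDefaultRegions with only one region, which leaves no fallback when your relay is down. SAMPLE_POLICY is constructed here and mirrors the region 900 / examplecust entry above; the 900-or-higher RegionID rule follows the convention used for custom relays so they cannot collide with Tailscale's own low-numbered regions.

```python
"""Lint the derpMap of a Tailscale policy file before saving it in the admin console.

Added example, not from the original post or from Tailscale. The policy file is
HuJSON (comments and trailing commas allowed), so the text is first turned into
strict JSON and then checked. SAMPLE_POLICY is constructed here.
"""
import ipaddress
import json

SAMPLE_POLICY = """
{
  // groups, acls and ssh omitted; only the relay part matters here
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": {"900": {
      "RegionID": 900, "RegionCode": "examplecust",
      "Nodes": [{"Name": "1", "RegionID": 900, "HostName": "axx.xx.zone", "DERPPort": 62345,}],
    }},
  },
}
"""


def _skip_space_and_comments(text, j):
    """Index of the next character that is neither whitespace nor inside a comment."""
    n = len(text)
    while j < n:
        if text[j].isspace():
            j += 1
        elif text.startswith("//", j):
            nl = text.find("\n", j)
            j = n if nl == -1 else nl + 1
        elif text.startswith("/*", j):
            end = text.find("*/", j + 2)
            j = n if end == -1 else end + 2
        else:
            break
    return j


def hujson_to_json(text):
    """Drop comments and commas directly before } or ], ignoring string contents, then parse."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:                                   # strings are copied verbatim ("https://" is no comment)
            out.append(c)
            if c == "\\" and i + 1 < n:              # keep the escaped character as-is
                out.append(text[i + 1])
                i += 1
            elif c == '"':
                in_str = False
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif c == ",":
            j = _skip_space_and_comments(text, i + 1)
            if not (j < n and text[j] in "}]"):      # only a trailing comma is dropped
                out.append(c)
            i += 1
        else:
            j = _skip_space_and_comments(text, i)
            if j == i:                               # ordinary token character
                out.append(c)
                i += 1
            else:                                    # whitespace/comment run becomes one space
                out.append(" ")
                i = j
    return json.loads("".join(out))


def lint_derp_map(policy):
    """Return a list of problems found in policy["derpMap"]; empty means it looks consistent."""
    problems = []
    derp = policy.get("derpMap")
    if not derp:
        return ["no derpMap: the tailnet keeps using only Tailscale's default relays"]
    regions = derp.get("Regions") or {}
    if derp.get("OmitDefaultRegions") and len(regions) < 2:
        problems.append("OmitDefaultRegions with a single region: if that relay is down, "
                        "devices that cannot connect directly lose connectivity")
    for key, region in regions.items():
        rid = region.get("RegionID")
        if str(rid) != key:
            problems.append(f"region key {key!r} does not match its RegionID {rid!r}")
        if not isinstance(rid, int) or rid < 900:
            problems.append(f"RegionID {rid!r}: use 900 or higher so it cannot collide with Tailscale's own regions")
        for node in region.get("Nodes") or [{}]:     # an empty Nodes list is reported via the empty node
            name = node.get("Name", "?")
            if node.get("RegionID") != rid:
                problems.append(f"node {name}: RegionID {node.get('RegionID')!r} differs from region {rid!r}")
            host = node.get("HostName", "")
            try:
                ipaddress.ip_address(host)
                problems.append(f"node {name}: HostName is an IP; the TLS certificate is checked "
                                "against this name, so use the DNS name it was issued for")
            except ValueError:
                if not host:
                    problems.append(f"node {name}: missing HostName")
            if node.get("InsecureForTests"):
                problems.append(f"node {name}: InsecureForTests disables TLS verification, never ship it")
    return problems
```

For the post's own configuration the only finding is the OmitDefaultRegions warning, which is a deliberate trade-off here (no traffic ever touches the official relays) but one to be aware of: with a single self-hosted relay, any device that needs relaying is offline whenever the relay is.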

Once the policy is saved, run tailscale netcheck on a client: it lists every relay in the derpMap with its measured latency. The 800µs below is measured from the homelab host that runs the derper itself, so it mostly confirms the relay is reachable; between other machines, ping over the Tailscale IPs is within 10ms in the same city (China Telecom to China Telecom) and generally under 50ms across provinces. That is far better than the official relays, which typically sit at several hundred ms from China, and remote access feels noticeably smoother. If you run Clash on the client, add a DIRECT rule for your DDNS domain, otherwise Clash proxies the relay connection and adds lag.

root@uub:~/tailscale_derp# tailscale netcheck
*****
Report:
       ********
        * DERP latency:
                - examplecust: 800µs   ()

2.3 Issues with Setting Up Relay

Let's Encrypt issuance from inside China often fails for network reasons, so the letsencrypt cert mode is commented out in the compose file; without some workaround it is not usable. Certificates can instead be obtained and renewed with third-party tools. Keep the manual-mode rules in mind: derper loads <DERP_DOMAIN>.crt and <DERP_DOMAIN>.key from the certs directory, checks that the certificate is valid for that hostname, and reads it once at startup, so the container has to be restarted after every renewal. With wildcard certificates named *.xx.xx.crt/key I hit TLS certificate errors inside the container, and the relay only recovered after periodic restarts; I consider this an upstream derper bug, so keep an eye on community updates and build your own updated image if needed.

In 2022 the problem was still there, so I switched to Alibaba Cloud's free one-year certificate, which has been stable. The only drawback is renewing it by hand every year (and restarting the container afterwards). Based on newer versions I plan to build an image that uses a third-party tool for automatic renewal. I haven't configured multiple custom relays yet, but in principle it works: the derpMap can list several regions and nodes, and each client picks the relay with the lowest latency, just as it does among the official relays.

3. Summary

In a production environment, do not deploy this kind of overlay network on company devices without authorization: it opens a tunnel through the corporate perimeter and bypasses the firewall rules the security team relies on. Try it in a homelab or on a limited set of internal devices. Although Tailscale's features and security are fairly mature by now, you still have to follow the company's security and change processes, or you risk irreversible losses for the company and yourself.

Compared to ZeroTier, my personal experience is that Tailscale outperforms it across the board. I haven't used Headscale yet, the open-source reimplementation of the Tailscale coordination server that works with the standard Tailscale clients. For now the free tier of Tailscale covers my needs.