Custom Derper

Tailscale's derper requires a recent version of Go (>=1.26), which unfortunately is not shipped in Debian. However, we can still install it from backports.

Edit /etc/apt/sources.list and add the following line at the end of the file to enable backports:

deb http://deb.debian.org/debian bookworm-backports main

Then install the package:

apt update
apt install -t bookworm-backports <package>

Set up the PATH environment variable for Go by adding the following line to ~/.bashrc:

export PATH=$PATH:/usr/lib/go-1.26/bin

Don’t forget to source the file (source ~/.bashrc) so the change takes effect in the current shell. Check the version to confirm it worked:

go version

Set up a Go module proxy before downloading any Go packages (the example uses the goproxy.cn mirror; skip this step if the default proxy is reachable from your machine):

go env -w GOPROXY=https://goproxy.cn,direct

Finally we can download and build derper. Note that if your Go version is incompatible with the derper version you are installing, the go command will automatically try to install the latest compatible Go version before building the package.

go install tailscale.com/cmd/derper@latest

Copy derper to a directory on the system PATH so that it can be run from anywhere:

sudo cp ~/go/bin/derper /usr/bin/

Install Tailscale, then enable and start its system service; the derper command below relies on a running tailscaled:

sudo systemctl enable tailscaled
sudo systemctl start tailscaled

Start derper with the following command. A self-signed certificate will be generated in the current directory. Remember to change “1.2.3.4” to the public IP address of the machine. -http-port -1 disables the plain HTTP listener, and -verify-clients makes derper relay traffic only for clients that the local tailscaled (which must itself be logged in to your tailnet) recognizes as members of the tailnet; without it, any Tailscale client that can reach the port could use your relay. Don’t forget to open the firewall for TCP port 9003 and UDP port 9004.

derper --hostname="1.2.3.4" -certmode manual -certdir ./ -http-port -1 -a :9003 -stun-port 9004 -verify-clients

To run the command in the background:

nohup derper --hostname="1.2.3.4" -certmode manual -certdir ./ -http-port -1 -a :9003 -stun-port 9004 -verify-clients &

To check if it’s running:

ps aux | grep derper

or pgrep derper to see if the process is active.

To stop the process:

  1. Find its process ID (PID) using ps aux | grep derper.
  2. Then, use kill <PID> (e.g., kill 12345). If it doesn’t stop, you might need kill -9 <PID> (force kill), but use kill -9 with caution.
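The background start, the running check and the two-step stop above fit naturally into one small wrapper script. This is an added example, not code from the page or from Tailscale: it records the PID in a file when it starts derper so that stopping never depends on grepping ps output, sends SIGTERM first and falls back to SIGKILL only after a timeout, and treats a zombie as already stopped (a zombie still answers kill -0, which otherwise produces a false "running"). The variables DERPER_BIN, DERPER_HOST, DERPER_CERTDIR, PIDFILE and DERPER_LOG are this script's own assumptions; 1.2.3.4 is the same placeholder as in the commands above.

```shell
#!/bin/sh
# Hypothetical derper control script (not from the page or Tailscale).
# Usage: derperctl.sh {start|stop|status}

DERPER_BIN=${DERPER_BIN:-/usr/bin/derper}          # assumed install path
DERPER_HOST=${DERPER_HOST:-1.2.3.4}                # placeholder: the machine's public IP
DERPER_CERTDIR=${DERPER_CERTDIR:-$HOME/derper-certs}
PIDFILE=${PIDFILE:-$HOME/derper.pid}
DERPER_LOG=${DERPER_LOG:-$HOME/derper.log}

# True if PID $1 exists and is not a zombie. On Linux /proc is consulted,
# because kill -0 still succeeds for a zombie that has not been reaped yet.
pid_alive() {
  kill -0 "$1" 2>/dev/null || return 1
  if [ -r "/proc/$1/status" ]; then
    ! grep -q '^State:[[:space:]]*Z' "/proc/$1/status"
  fi
}

# Graceful stop: SIGTERM, wait up to $2 seconds (default 10), then SIGKILL.
# Returns 0 once the process is gone (also when it was not running at all).
stop_pid() {
  pid=$1; timeout=${2:-10}
  pid_alive "$pid" || return 0
  kill -TERM "$pid" 2>/dev/null || true
  i=0
  while pid_alive "$pid" && [ "$i" -lt "$timeout" ]; do
    sleep 1
    i=$((i + 1))
  done
  if pid_alive "$pid"; then
    echo "derper: PID $pid ignored SIGTERM for ${timeout}s, sending SIGKILL" >&2
    kill -KILL "$pid" 2>/dev/null || true
    sleep 1
  fi
  ! pid_alive "$pid"
}

derper_status() {
  pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "derper not running (no PID file)"; return 1; }
  if pid_alive "$pid"; then
    echo "derper running (PID $pid)"
    return 0
  fi
  echo "derper not running (stale PID file for PID $pid)"
  return 1
}

derper_start() {
  if derper_status >/dev/null; then
    echo "derper already running (PID $(cat "$PIDFILE"))"
    return 0
  fi
  mkdir -p "$DERPER_CERTDIR"
  # Same flags as the manual command above; output goes to a log file.
  nohup "$DERPER_BIN" --hostname="$DERPER_HOST" -certmode manual \
    -certdir "$DERPER_CERTDIR" -http-port -1 -a :9003 -stun-port 9004 \
    -verify-clients >>"$DERPER_LOG" 2>&1 &
  echo $! >"$PIDFILE"
  echo "derper started (PID $(cat "$PIDFILE")), logging to $DERPER_LOG"
}

derper_stop() {
  pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "derper: no PID file, nothing to stop"; return 0; }
  stop_pid "$pid" 10 && rm -f "$PIDFILE" && echo "derper stopped"
}

case "${1:-}" in
  start)  derper_start ;;
  stop)   derper_stop ;;
  status) derper_status ;;
  *)      if [ -n "${1:-}" ]; then echo "usage: $0 {start|stop|status}" >&2; fi ;;
esac
```

Because the PID file is the only record of the process, keep it somewhere only the user running derper can write; a stale file is reported as "not running" rather than trusted.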

Add the following to the tailnet policy file at Tailscale > Admin > Access Controls (the file is HuJSON, so the comments and trailing commas are allowed):

"derpMap": {
	"OmitDefaultRegions": false, // set to true to test the custom region and/or avoid using the official regions
	"Regions": {
		"900": {
			"RegionID":   900, // IDs 900-999 are reserved for custom DERP regions
			"RegionCode": "foo", // name it as you like
			"RegionName": "bar", // name it as you like
			"Nodes": [
				{
					"Name":     "custom-node", // name it as you like
					"RegionID": 900,
					"HostName": "1.2.3.4", // copied from the derper output
					"IPv4":     "1.2.3.4", // IP address of your VPS
					"DERPPort": 9003, // custom TCP port
					"STUNPort": 9004, // custom UDP port
					"CertName": "sha256-raw:***", // copied from the derper output; pins the self-signed certificate
				},
			],
		},
	},
},

Use tailscale netcheck to view connectivity and latency to each DERP region; your custom region should appear in the list.

Use tailscale ping <machine-name> to see if Tailscale is using your custom derper region for hole punching.
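Reading the netcheck report by eye works once, but it is convenient to script the check so it can be repeated after firewall or policy changes. The following is an added example, not code from the page or from Tailscale: it parses the text that tailscale netcheck prints (a "Nearest DERP:" line followed by one "- <code>: <latency> (<name>)" line per region), confirms that the custom region answered the latency probe, and reports whether it is the preferred region. The sample report is constructed to mimic that format (tabs in the real output are shown as spaces) and uses the region code "foo" / name "bar" from the derpMap above.

```shell
#!/bin/sh
# Added example (not from the page or Tailscale): verify a custom DERP region
# from `tailscale netcheck` output.

# Constructed sample report mimicking `tailscale netcheck` output. The "fra"
# line has an empty latency, which is how netcheck shows an unreachable region.
SAMPLE_REPORT="Report:
    * Time: 2024-01-01T00:00:00Z
    * UDP: true
    * IPv4: yes, 203.0.113.10:41641
    * IPv6: no, but OS has support
    * MappingVariesByDestIP: false
    * PortMapping:
    * CaptivePortal: false
    * Nearest DERP: bar
    * DERP latency:
        - foo: 12.3ms  (bar)
        - nyc: 81.6ms  (New York City)
        - fra:         (Frankfurt)"

# Print the latency measured for region code $1 in report $2, or nothing if
# the region is absent or its latency column is empty (no probe response).
region_latency() {
  printf '%s\n' "$2" | awk -v code="$1" '
    $1 == "-" && $2 == code ":" && $3 ~ /^[0-9.]+(ms|s)$/ { print $3 }'
}

# Print the region name netcheck selected as nearest in report $1.
nearest_derp() {
  printf '%s\n' "$1" | sed -n 's/^[[:space:]]*\* Nearest DERP: //p'
}

# Verdict for region code $1 with name $2 in report $3:
#   0 = reachable and preferred, 1 = not reachable, 2 = reachable but not preferred.
check_custom_region() {
  code=$1; name=$2; report=$3
  lat=$(region_latency "$code" "$report")
  if [ -z "$lat" ]; then
    echo "FAIL: region $code absent or no probe response (check firewall for the DERP/STUN ports)"
    return 1
  fi
  near=$(nearest_derp "$report")
  if [ "$near" != "$name" ]; then
    echo "WARN: region $code reachable ($lat) but nearest DERP is '$near'"
    return 2
  fi
  echo "OK: region $code reachable ($lat) and preferred"
  return 0
}

# Demonstration on the constructed sample. For a live check run:
#   check_custom_region foo bar "$(tailscale netcheck 2>&1)"
check_custom_region foo bar "$SAMPLE_REPORT"
```

A FAIL here with derper running usually means the TCP or UDP port is blocked between the client and the server; a WARN is normal when the official regions are closer to the client, and clears when OmitDefaultRegions is set to true for testing.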
