{"id":18747606,"url":"https://github.com/expoli/tailscale-derper","last_synced_at":"2025-04-10T15:36:17.642Z","repository":{"id":261067559,"uuid":"880179845","full_name":"expoli/tailscale-derper","owner":"expoli","description":"tailscale-derper with SSL domain-name verification removed, for building a self-hosted derper to accelerate the network; supports self-signed IP and domain certificates","archived":false,"fork":false,"pushed_at":"2024-12-07T09:27:21.000Z","size":56,"stargazers_count":5,"open_issues_count":0,"forks_count":0,"subscribers_count":1,"default_branch":"main","last_synced_at":"2025-03-24T13:21:22.353Z","etag":null,"topics":["derper","tailscale"],"latest_commit_sha":null,"homepage":"","language":"Shell","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/expoli.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2024-10-29T09:10:53.000Z","updated_at":"2025-03-02T04:48:06.000Z","dependencies_parsed_at":null,"dependency_job_id":"d73f3cac-4e31-4708-8e47-8ee8173d0b65","html_url":"https://github.com/expoli/tailscale-derper","commit_stats":null,"previous_names":["expoli/tailscale-derper"],"tags_count":3,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/expoli%2Ftailscale-derper","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/expoli%2Ftailscale-derper/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/expoli%2Ftailscale-derper/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/expoli%2Ftailscale-derper/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/expoli
","download_url":"https://codeload.github.com/expoli/tailscale-derper/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248243474,"owners_count":21071054,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["derper","tailscale"],"created_at":"2024-11-07T16:30:36.274Z","updated_at":"2025-04-10T15:36:17.620Z","avatar_url":"https://github.com/expoli.png","language":"Shell","funding_links":[],"categories":[],"sub_categories":[],"readme":"# tailscale-derper\n\nThe upstream derper tool checks that the server name in the TLS ClientHello matches its configured hostname, which makes self-signed certificates unusable. This build turns off the check shown below so that derper runs normally with a self-signed certificate.\n\nhttps://github.com/tailscale/tailscale/blob/main/cmd/derper/cert.go\n\n```go\nfunc (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {\n\tif hi.ServerName != m.hostname \u0026\u0026 !m.noHostname {\n\t\treturn nil, fmt.Errorf(\"cert mismatch with hostname: %q\", hi.ServerName)\n\t}\n    ...\n```\n\nThe image integrates an automatic certificate generator that creates a self-signed SSL certificate for the configured domain name according to the CMD parameters in the Dockerfile, and the default CMD parameters are:\n\nYou can control the working behavior of the derper through environment variables.\nBy default, four environment variables are received, and the specific names and functions are as follows.\n\n1. 
`DOMAIN_NAME`[default:`derper.example.com`]\n    - You should modify this environment variable according to your own needs; note that the certificate is self-signed.\n    - The default storage location for certificates is `/opt/ssl/`; you can pass in your own certificates as needed.\n    - Self-signed IP address certificates are supported.\n2. `DERPER_PORT`[default:`443`]\n    - The port that derper runs on; you can modify it according to your needs.\n3. `COMMAND_LINE`\n    - Additional derper command arguments. Enter the derper arguments as they are, and enclose multiple arguments in double quotes.\n4. `ADVANCED_MODE`[default:false]\n    - In advanced mode, SSL certificates are not generated automatically, and you need to specify all the derper run parameters explicitly in `COMMAND_LINE`.\n\nExample docker run command:\n\n```bash\ndocker run -it --rm -e DOMAIN_NAME=test.com -e DERPER_PORT=2333 -p 2333:2333 ghcr.io/expoli/tailscale-derper:main\n```\n\n## tailscale ACL config example\n\n```json\n\t// ... 
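other parts of ACL/Policy JSON\n\t\"derpMap\": {\n\t\t// \"OmitDefaultRegions\": true,\n\t\t\"Regions\": {\n\t\t\t\"900\": {\n\t\t\t\t\"RegionID\":   900,\n\t\t\t\t\"RegionCode\": \"cn\",\n\t\t\t\t\"RegionName\": \"my-cn-derps\",\n\t\t\t\t\"Nodes\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"Name\":             \"Tencent Beijing 1\",\n\t\t\t\t\t\t\"RegionID\":         900,\n\t\t\t\t\t\t\"HostName\":         \"xxx.xxx.xxx.xxx\",\n\t\t\t\t\t\t\"IPv4\":             \"xxx.xxx.xxx.xxx\",\n\t\t\t\t\t\t\"DERPPort\":         443,\n\t\t\t\t\t\t\"STUNPort\":         3478,\n\t\t\t\t\t\t\"InsecureForTests\": true,\n\t\t\t\t\t\t\"CanPort80\":        false,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t},\n\t\t},\n\t},\n```\n\n---\n\nThe original tailscale-derper tool added a verification mechanism for SSL certificates, which makes self-signed certificates unusable; turning off the check below lets the derper tool run normally.\n\nhttps://github.com/tailscale/tailscale/blob/main/cmd/derper/cert.go\n\n```go\nfunc (m *manualCertManager) getCertificate(hi *tls.ClientHelloInfo) (*tls.Certificate, error) {\n\tif hi.ServerName != m.hostname \u0026\u0026 !m.noHostname {\n\t\treturn nil, fmt.Errorf(\"cert mismatch with hostname: %q\", hi.ServerName)\n\t}\n    ...\n```\n\nThe image integrates an automatic certificate generator and, based on the environment variables passed in, automatically generates a self-signed SSL certificate for the configured domain name. You can control derper's behavior through environment variables.\nBy default, four environment variables are accepted; their names and functions are as follows.\n\n1. `DOMAIN_NAME`[default:derper.example.com]\n    - The first parameter is the domain name for the self-signed certificate; modify it to suit your needs, and note that this is a self-signed certificate.\n    - Certificates are stored in `/opt/ssl/` by default; you can pass in your own certificates as needed.\n    - Self-signed IP address certificates are supported.\n2. `DERPER_PORT`[default:443]\n    - The second parameter is the port the derper program runs on; change it to suit your needs.\n3. `COMMAND_LINE`[default: empty]\n    - Other additional derper arguments; enter the derper command arguments as they are, and enclose multiple arguments in double quotes.\n4. `ADVANCED_MODE`[default:false]\n    - Advanced mode. In advanced mode, all derper parameters are read from the COMMAND_LINE environment variable, and a self-signed certificate is no longer generated automatically.\n\nExample docker run command:\n\n```bash\ndocker run -it --rm -e DOMAIN_NAME=test.com -e DERPER_PORT=2333 -p 2333:2333 ghcr.io/expoli/tailscale-derper:main\n```\n\n## tailscale ACL config example\n\n```json\n\t// ... 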
other parts of ACL/Policy JSON\n\t\"derpMap\": {\n\t\t// \"OmitDefaultRegions\": true,\n\t\t\"Regions\": {\n\t\t\t\"900\": {\n\t\t\t\t\"RegionID\":   900,\n\t\t\t\t\"RegionCode\": \"cn\",\n\t\t\t\t\"RegionName\": \"my-cn-derps\",\n\t\t\t\t\"Nodes\": [\n\t\t\t\t\t{\n\t\t\t\t\t\t\"Name\":             \"Tencent Beijing 1\",\n\t\t\t\t\t\t\"RegionID\":         900,\n\t\t\t\t\t\t\"HostName\":         \"xxx.xxx.xxx.xxx\",\n\t\t\t\t\t\t\"IPv4\":             \"xxx.xxx.xxx.xxx\",\n\t\t\t\t\t\t\"DERPPort\":         443,\n\t\t\t\t\t\t\"STUNPort\":         3478,\n\t\t\t\t\t\t\"InsecureForTests\": true,\n\t\t\t\t\t\t\"CanPort80\":        false,\n\t\t\t\t\t},\n\t\t\t\t],\n\t\t\t},\n\t\t},\n\t},\n```\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexpoli%2Ftailscale-derper","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fexpoli%2Ftailscale-derper","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fexpoli%2Ftailscale-derper/lists"}