Ecosyste.ms: Awesome

An open API service indexing awesome lists of open source software.

Awesome Lists | Featured Topics | Projects

https://github.com/takase1121/superderper

Derper with multiple account verifications
https://github.com/takase1121/superderper

Last synced: 4 days ago
JSON representation

Derper with multiple account verifications

Host: GitHub
URL: https://github.com/takase1121/superderper
Owner: takase1121
License: mit
Created: 2024-03-28T01:13:10.000Z (10 months ago)
Default Branch: master
Last Pushed: 2024-04-06T03:18:02.000Z (10 months ago)
Last Synced: 2024-11-26T12:16:33.506Z (2 months ago)
Language: Go
Size: 48.8 KB
Stars: 0
Watchers: 1
Forks: 1
Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE

Awesome Lists containing this project

README

> [!WARNING]
> This is not tested in production environments; **Use it at your own risk.**

# superderper

There's [derper](https://tailscale.com/kb/1232/derp-servers), and then there's superderper.
This is my attempt to make a derper server serve multiple tailnets with verification.
This idea has been around for a [long](https://github.com/tailscale/tailscale/issues/4197) [time](https://github.com/tailscale/tailscale/issues/10359),
but seem to have low interest.

derper provides `-verify-clients` to verify clients based on a Tailscaled instance.
A downside of this approach is that it only supports a single tailnet, as tailscaled
instances can only be logged into one at a time.
You can use containers to run multiple tailscaled and derper instances and reverse-proxy them,
but I'd like to avoid that.

Instead, we run a single derper instance with multiple tailscaled instances with different control sockets.
By using derper's `-verify-clients-url`, we can create an HTTP server that checks if the request matches an instance.
This means you don't even need configure reverse proxies, etc.
It should just work as you add more tailscaled instances.
This repo contains a bunch of files that helps you achieve this setup.

![How it works](https://github.com/takase1121/superderper/blob/master/diagram.png)

## Instructions

> [!NOTE]
> This is only tested on Arch Linux.

Build the superderper program. This is the HTTP server that communicates with tailscaled instances and derper.

```
$ go build
```

Copy the files to appropriate places.

```
# cp superderper.conf /etc/default/superderper
# cp tailscaled-derper.conf /etc/default/tailscaled-derper
# cp superderper.service [email protected] /usr/lib/systemd/system
```

Set up tailscaled instances for superderper.

```
# systemctl start [email protected]
# systemctl start [email protected]

# tailscale --socket /run/superderper/tailscaled-first.sock login
# tailscale --socket /run/superderper/tailscaled-second.sock login
```

Start superderper.

```
# systemctl start superderper
```

Configure derper to use superderper to verify clients.

```
derper -a :9600 -hostname=example.com -verify-client-url=http://127.0.0.1:15300/validate -verify-client-url-fail-open=false
```