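#!/bin/sh
# Container entry point for a self-hosted Tailscale DERP relay.
#
# Configuration comes from the environment:
#   DERP_HOST   public hostname of this relay (default: derp.selfhost, the same
#               fallback the certificate lookup below has always used)
#   DERP_PORT   DERP/TLS listen port  (required)
#   HTTP_PORT   plain HTTP port       (required)
#   STUN_PORT   STUN port             (required)
#   VERIFY_CLIENTS               "true": verify clients through the local tailscaled.sock
#   VERIFY_CLIENTS_URL           control-server URL derper asks to verify clients
#   VERIFY_CLIENTS_URL_FAIL_OPEN "true"/"false"; anything else leaves derper's default
#   REGION_ID, REGION_CODE, DERP_NAME, SERVER_IPV4, DERP_MAP_PATH  DERP map fields
#   DERP_INSECURE_FOR_TESTS      "true" (default) or "false", see the DERP map section
#
# Steps: decide the client-verification flags, write a DERP map JSON snippet,
# make sure a certificate/key pair exists under /etc/derper/certs, then exec derper.
set -eu

# Prints a message to stderr and exits.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# require_uint NAME VALUE: rejects anything that is not a plain decimal
# integer. These values are interpolated unquoted into the DERP map JSON
# and into derper's port arguments, so a stray character would break both.
require_uint() {
  case $2 in
    '' | *[!0-9]*) die "error: $1 must be a decimal integer, got '$2'" ;;
  esac
}

# require_json_safe NAME VALUE: rejects values that would terminate or escape
# the quoted JSON string they are substituted into.
require_json_safe() {
  case $2 in
    *[\"\\]*) die "error: $1 must not contain double quotes or backslashes" ;;
  esac
}

# ---------------------------------------------------------------------------
# Required settings. Fail early with a clear message instead of handing derper
# empty arguments (an unset DERP_PORT used to produce "-a :" and invalid JSON).
: "${DERP_PORT:?DERP_PORT must be set}"
: "${HTTP_PORT:?HTTP_PORT must be set}"
: "${STUN_PORT:?STUN_PORT must be set}"
DERP_HOST=${DERP_HOST:-derp.selfhost}
require_uint DERP_PORT "${DERP_PORT}"
require_uint HTTP_PORT "${HTTP_PORT}"
require_uint STUN_PORT "${STUN_PORT}"
require_json_safe DERP_HOST "${DERP_HOST}"
# DERP_HOST also names the certificate files, so it must stay a single path component.
case ${DERP_HOST} in
  */* | .. | .) die "error: DERP_HOST must be a hostname, not a path" ;;
esac

# ---------------------------------------------------------------------------
# Client verification. VERIFY_MODE ends up as one of: none, local, url.
# As before, a configured VERIFY_CLIENTS_URL replaces the local tailscaled
# check rather than being added to it.
VERIFY_MODE=none
if [ "${VERIFY_CLIENTS:-}" = "true" ]; then
  # derper can only verify clients locally when tailscaled's socket is mounted.
  if [ -S /var/run/tailscale/tailscaled.sock ]; then
    echo "启用客户端验证 (找到tailscaled.sock)"
    VERIFY_MODE=local
  else
    echo "警告: 找不到tailscaled.sock,客户端验证已禁用"
  fi
fi

FAIL_OPEN=
if [ -n "${VERIFY_CLIENTS_URL:-}" ]; then
  # https://github.com/juanfont/headscale/issues/1953
  # https://github.com/juanfont/headscale/pull/2046
  # api spec: https://github.com/juanfont/headscale/blob/121be57b2d42332ae25f4a4dee48a8d2e1e61cad/hscontrol/app.go#L460
  # derp: https://github.com/tailscale/tailscale/blob/main/derp/derpserver/derpserver.go#L1395
  echo "启用客户端验证URL (使用VERIFY_CLIENTS_URL: ${VERIFY_CLIENTS_URL})"
  VERIFY_MODE=url
  # Fail-open decides whether clients are admitted when the verification URL is
  # unreachable. Only the literal strings true/false are honoured; anything else
  # leaves derper's built-in default.
  case ${VERIFY_CLIENTS_URL_FAIL_OPEN:-} in
    true)
      echo "启用客户端验证URL失败开放模式"
      FAIL_OPEN=true
      ;;
    false)
      echo "禁用客户端验证URL失败开放模式"
      FAIL_OPEN=false
      ;;
    *)
      echo "客户端验证URL失败开放模式未设置,使用默认值(true)" # https://github.com/tailscale/tailscale/blob/main/cmd/derper/derper.go#L80
      ;;
  esac
fi

if [ "${VERIFY_MODE}" = none ]; then
  echo "客户端验证已禁用"
fi

# ---------------------------------------------------------------------------
# DERP map snippet, for pasting into the Tailscale ACL.
REGION_ID=${REGION_ID:-999}
REGION_CODE=${REGION_CODE:-SELFHOST}
DERP_NAME=${DERP_NAME:-${DERP_HOST}}
SERVER_IPV4=${SERVER_IPV4:-127.0.0.1}
DERP_MAP_PATH=${DERP_MAP_PATH:-/etc/derper/derp-map.json}
# InsecureForTests tells Tailscale clients to skip TLS verification for this
# node. It is what makes the self-signed certificates from gen-certs.sh usable,
# but it also removes the client's check that it is talking to this relay.
# Set DERP_INSECURE_FOR_TESTS=false once the relay serves a CA-issued certificate.
DERP_INSECURE_FOR_TESTS=${DERP_INSECURE_FOR_TESTS:-true}

require_uint REGION_ID "${REGION_ID}"
require_json_safe REGION_CODE "${REGION_CODE}"
require_json_safe DERP_NAME "${DERP_NAME}"
require_json_safe SERVER_IPV4 "${SERVER_IPV4}"
case ${DERP_INSECURE_FOR_TESTS} in
  true | false) ;;
  *) die "error: DERP_INSECURE_FOR_TESTS must be true or false" ;;
esac

# Create the parent directory when the path has one ("/x.json" strips to "").
case ${DERP_MAP_PATH} in
  */*)
    map_dir=${DERP_MAP_PATH%/*}
    mkdir -p "${map_dir:-/}"
    ;;
esac
cat > "${DERP_MAP_PATH}" <<EOF
{
"Regions": {
"${REGION_ID}": {
"RegionID": ${REGION_ID},
"RegionCode": "${REGION_CODE}",
"Nodes": [
{
"Name": "${DERP_NAME}",
"RegionID": ${REGION_ID},
"HostName": "${DERP_HOST}",
"IPv4": "${SERVER_IPV4}",
"DERPPort": ${DERP_PORT},
"STUNPort": ${STUN_PORT},
"InsecureForTests": ${DERP_INSECURE_FOR_TESTS}
}
]
}
}
}
EOF
echo "已生成DERP Map配置文件: ${DERP_MAP_PATH}, 请在 Tailscale ACL 中使用此配置"

# ---------------------------------------------------------------------------
# Certificate and key. Preference order: already installed in SYSTEM_CERT_DIR,
# then a pair shipped in the repository's ./certs, then a gen-certs.sh script.
CERT_NAME=${DERP_HOST}
REPO_CERT_DIR=./certs
REPO_CERT="${REPO_CERT_DIR}/${CERT_NAME}.crt"
REPO_KEY="${REPO_CERT_DIR}/${CERT_NAME}.key"
SYSTEM_CERT_DIR=/etc/derper/certs
SYSTEM_CERT="${SYSTEM_CERT_DIR}/${CERT_NAME}.crt"
SYSTEM_KEY="${SYSTEM_CERT_DIR}/${CERT_NAME}.key"

# True when both files of the repository pair exist.
repo_certs_present() {
  [ -f "${REPO_CERT}" ] && [ -f "${REPO_KEY}" ]
}

# True when both files of the installed pair exist.
system_certs_present() {
  [ -f "${SYSTEM_CERT}" ] && [ -f "${SYSTEM_KEY}" ]
}

# Copies the repository pair into SYSTEM_CERT_DIR; the private key is left
# readable by its owner only.
install_repo_certs() {
  echo "从仓库证书复制到 ${SYSTEM_CERT_DIR}"
  mkdir -p "${SYSTEM_CERT_DIR}"
  cp "${REPO_CERT}" "${SYSTEM_CERT}"
  cp "${REPO_KEY}" "${SYSTEM_KEY}"
  chmod 644 "${SYSTEM_CERT}"
  chmod 600 "${SYSTEM_KEY}"
}

if system_certs_present; then
  echo "证书已存在: ${SYSTEM_CERT}"
else
  echo "证书或私钥未找到: ${SYSTEM_CERT} 或 ${SYSTEM_KEY}"
  if repo_certs_present; then
    install_repo_certs
  elif [ -x /usr/local/bin/gen-certs.sh ]; then
    echo "调用 /usr/local/bin/gen-certs.sh 生成证书: ${CERT_NAME}"
    /usr/local/bin/gen-certs.sh "${CERT_NAME}"
    # Where the installed generator writes is not known here; if it produced
    # the repository pair, install that, otherwise the check below decides.
    if repo_certs_present; then
      install_repo_certs
    fi
  elif [ -f ./gen-certs.sh ]; then
    echo "调用 ./gen-certs.sh 生成证书: ${CERT_NAME}"
    # A checkout may have lost the executable bit; run it through sh in that case.
    if [ -x ./gen-certs.sh ]; then
      ./gen-certs.sh "${CERT_NAME}"
    else
      sh ./gen-certs.sh "${CERT_NAME}"
    fi
    if repo_certs_present; then
      install_repo_certs
    else
      echo "错误: gen-certs.sh 未能生成预期的证书文件 (${REPO_CERT}, ${REPO_KEY})" >&2
      exit 1
    fi
  else
    echo "错误: 未找到证书,也没有可用的 gen-certs.sh 来生成证书。" >&2
    exit 1
  fi
  # Whatever produced them, derper in manual cert mode needs both files.
  system_certs_present || die "error: certificate or key still missing: ${SYSTEM_CERT}, ${SYSTEM_KEY}"
fi

# ---------------------------------------------------------------------------
# Start derper. The argument list is built with set -- so every value stays a
# single word (no word-splitting of a flag string).
# https://github.com/tailscale/tailscale/blob/main/cmd/derper/README.md#guide-to-running-cmdderper
# https://github.com/tailscale/tailscale/blob/main/cmd/derper/derper.go#L56
set -- -a ":${DERP_PORT}" \
  -http-port "${HTTP_PORT}" \
  -stun-port "${STUN_PORT}" \
  -hostname "${DERP_HOST}" \
  -certmode manual \
  -certdir "${SYSTEM_CERT_DIR}"
case ${VERIFY_MODE} in
  local) set -- "$@" --verify-clients ;;
  url) set -- "$@" --verify-client-url "${VERIFY_CLIENTS_URL}" ;;
esac
if [ -n "${FAIL_OPEN}" ]; then
  set -- "$@" "--verify-client-url-fail-open=${FAIL_OPEN}"
fi

echo "启动DERP服务: ${DERP_HOST}:${DERP_PORT}"
echo "证书文件: ${SYSTEM_CERT}, ${SYSTEM_KEY}"
echo "参数: $*"
exec /usr/local/bin/derper "$@"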