mirror of
https://github.com/juanfont/headscale.git
synced 2026-01-11 20:00:28 +01:00
How to setup an unstrusted private Derper #260
Closed
opened 2025-12-29 01:25:13 +01:00 by adam
·
7 comments
No Branch/Tag Specified
main
update_flake_lock_action
gh-pages
kradalby/release-v0.27.2
dependabot/go_modules/golang.org/x/crypto-0.45.0
dependabot/go_modules/github.com/opencontainers/runc-1.3.3
copilot/investigate-headscale-issue-2788
copilot/investigate-visibility-issue-2788
copilot/investigate-issue-2833
copilot/debug-issue-2846
copilot/fix-issue-2847
dependabot/go_modules/github.com/go-viper/mapstructure/v2-2.4.0
dependabot/go_modules/github.com/docker/docker-28.3.3incompatible
kradalby/cli-experiement3
doc/0.26.1
doc/0.25.1
doc/0.25.0
doc/0.24.3
doc/0.24.2
doc/0.24.1
doc/0.24.0
kradalby/build-docker-on-pr
topic/docu-versioning
topic/docker-kos
juanfont/fix-crash-node-id
juanfont/better-disclaimer
update-contributors
topic/prettier
revert-1893-add-test-stage-to-docs
add-test-stage-to-docs
remove-node-check-interval
fix-empty-prefix
fix-ephemeral-reusable
bug_report-debuginfo
autogroups
logs-to-stderr
revert-1414-topic/fix_unix_socket
rename-machine-node
port-embedded-derp-tests-v2
port-derp-tests
duplicate-word-linter
update-tailscale-1.36
warn-against-apache
ko-fi-link
more-acl-tests
fix-typo-standalone
parallel-nolint
tparallel-fix
rerouting
ssh-changelog-docs
oidc-cleanup
web-auth-flow-tests
kradalby-gh-runner
fix-proto-lint
remove-funding-links
go-1.19
enable-1.30-in-tests
0.16.x
cosmetic-changes-integration
tmp-fix-integration-docker
fix-integration-docker
configurable-update-interval
show-nodes-online
hs2021
acl-syntax-fixes
ts2021-implementation
fix-spurious-updates
unstable-integration-tests
mandatory-stun
embedded-derp
prtemplate-fix
v0.28.0-beta.1
v0.27.2-rc.1
v0.27.1
v0.27.0
v0.27.0-beta.2
v0.27.0-beta.1
v0.26.1
v0.26.0
v0.26.0-beta.2
v0.26.0-beta.1
v0.25.1
v0.25.0
v0.25.0-beta.2
v0.24.3
v0.25.0-beta.1
v0.24.2
v0.24.1
v0.24.0
v0.24.0-beta.2
v0.24.0-beta.1
v0.23.0
v0.23.0-rc.1
v0.23.0-beta.5
v0.23.0-beta.4
v0.23.0-beta3
v0.23.0-beta2
v0.23.0-beta1
v0.23.0-alpha12
v0.23.0-alpha11
v0.23.0-alpha10
v0.23.0-alpha9
v0.23.0-alpha8
v0.23.0-alpha7
v0.23.0-alpha6
v0.23.0-alpha5
v0.23.0-alpha4
v0.23.0-alpha4-docker-ko-test9
v0.23.0-alpha4-docker-ko-test8
v0.23.0-alpha4-docker-ko-test7
v0.23.0-alpha4-docker-ko-test6
v0.23.0-alpha4-docker-ko-test5
v0.23.0-alpha-docker-release-test-debug2
v0.23.0-alpha-docker-release-test-debug
v0.23.0-alpha4-docker-ko-test4
v0.23.0-alpha4-docker-ko-test3
v0.23.0-alpha4-docker-ko-test2
v0.23.0-alpha4-docker-ko-test
v0.23.0-alpha3
v0.23.0-alpha2
v0.23.0-alpha1
v0.22.3
v0.22.2
v0.23.0-alpha-docker-release-test
v0.22.1
v0.22.0
v0.22.0-alpha3
v0.22.0-alpha2
v0.22.0-alpha1
v0.22.0-nfpmtest
v0.21.0
v0.20.0
v0.19.0
v0.19.0-beta2
v0.19.0-beta1
v0.18.0
v0.18.0-beta4
v0.18.0-beta3
v0.18.0-beta2
v0.18.0-beta1
v0.17.1
v0.17.0
v0.17.0-beta5
v0.17.0-beta4
v0.17.0-beta3
v0.17.0-beta2
v0.17.0-beta1
v0.17.0-alpha4
v0.17.0-alpha3
v0.17.0-alpha2
v0.17.0-alpha1
v0.16.4
v0.16.3
v0.16.2
v0.16.1
v0.16.0
v0.16.0-beta7
v0.16.0-beta6
v0.16.0-beta5
v0.16.0-beta4
v0.16.0-beta3
v0.16.0-beta2
v0.16.0-beta1
v0.15.0
v0.15.0-beta6
v0.15.0-beta5
v0.15.0-beta4
v0.15.0-beta3
v0.15.0-beta2
v0.15.0-beta1
v0.14.0
v0.14.0-beta2
v0.14.0-beta1
v0.13.0
v0.13.0-beta3
v0.13.0-beta2
v0.13.0-beta1
upstream/v0.12.4
v0.12.4
v0.12.3
v0.12.2
v0.12.2-beta1
v0.12.1
v0.12.0-beta2
v0.12.0-beta1
v0.11.0
v0.10.8
v0.10.7
v0.10.6
v0.10.5
v0.10.4
v0.10.3
v0.10.2
v0.10.1
v0.10.0
v0.9.3
v0.9.2
v0.9.1
v0.9.0
v0.8.1
v0.8.0
v0.7.1
v0.7.0
v0.6.1
v0.6.0
v0.5.2
v0.5.1
v0.5.0
v0.4.0
v0.3.6
v0.3.5
v0.3.4
v0.3.3
v0.3.2
v0.3.1
v0.3.0
v0.2.2
v0.2.1
v0.2.0
v0.1.1
v0.1.0
Labels
Clear labels
CLI
DERP
DNS
Nix
OIDC
SSH
bug
database
documentation
duplicate
enhancement
faq
good first issue
grants
help wanted
might-come
needs design doc
needs investigation
no-stale-bot
out of scope
performance
policy 📝
pull-request
question
regression
routes
stale
tags
tailscale-feature-gap
well described ❤️
wontfix
Mirrored from GitHub Pull Request
No Label
enhancement
Milestone
No items
No Milestone
Projects
Clear projects
No project
Notifications
Due Date
No due date set.
Dependencies
No dependencies set.
Reference: starred/headscale#260
Reference in New Issue
Block a user
Blocking a user prevents them from interacting with repositories, such as opening or commenting on pull requests or issues. Learn more about blocking a user.
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @cryptagoras on GitHub (Apr 29, 2022).
I am trying a simple setup, 2-3 nodes in a single namespaceA and a Derper running on a VPS.
The requirements are:
derper --verify-clientsso the Derper can't not used by anyone but my tailnet nodes--verify-clientsneeds the machine to be part of the tailnet) Deny access to any part of the tailnet (to all ports & clients) just in case the Derper machine gets compromised.My try
I tried adding the Derper machine on the tailnet but on a second/separate namespaceB and using ACL to limit any access, but the Derper then can't get the peer set of namespaceA.
Also, I couldn't find a way to add tags, maybe with tags, I could initially add the Derper on the same namespace but then tag it on a limited group (related to #558).
If anyone knows if it's possible, it would be great to share, I'll be even happy to add it on the docs unless objected.
Thank you
@enoperm commented on GitHub (May 10, 2022):
Last time checked (read: about half a year ago) derper with
--verify-clientsonly cares for the machine keys returned by the peer API, so if we provide an "alternative"tailscaled.sockto derper that serves this information, the host does not need to be joined to the tailnet at all. I have a dirty, but functional implementation for an older version of derper (since then, I believe the key format has changed), I could share, but I do not believe I have the time to fix it up right now. Also, it currently only works with thesqlite3database backend, though I imagine it would not be hard to change that.@enoperm commented on GitHub (May 10, 2022):
See https://github.com/enoperm/derpyhead, if you do not mind refactoring it a bit to suit your current usecases.
@cryptagoras commented on GitHub (May 15, 2022):
@enoperm thanks for sharing! Very interesting, I'll look into it since that's the only piece missing from having a working setup in my case.
@zhwk commented on GitHub (Jun 19, 2022):
我用了一个变通的方法,从headscale的日志中检索出登录用户的ip地址和machine_key,对比数据库中是否包含该machine_key,如果包含则为信任用户,通过mqqt把该ip传给derp的ipset写入iptables白名单。
headscale的log
2022-06-19T13:05:59Z INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=****
[GIN] 2022/06/19 - 13:05:59 | 200 | 21.424ms | 1**.1**.1**.38 | POST "/machine/*****ecd207e650765d6c6d794c24b7c47630c0863a4fc5453544e0912/map"
ip_send_success: 1.1.1.38
derp的log
2022/06/19 13:05:26 derp client 192.168.88.254:48180/6e6f64656b65793a62626632313266643766303838313664613538306435623738343938643638653133323036396362343566333438376230356133613964383262393963653735: removing connection
add:1**.1**.1**.38
ipset v7.15: Element cannot be added to the set: it's already added
@enoperm commented on GitHub (Jun 24, 2022):
For what it's worth, I have had some time to dust off the aforementioned derper nodekey provider, it does not depend on sqlite3 anymore and can now return keys from arbitrary sources.
@enoperm commented on GitHub (Jun 24, 2022):
Also, it is now tested and compatible with the latest derper.
@kradalby commented on GitHub (Sep 8, 2022):
headscale now has a built in derper, while I dont think this would resolve this issues without any more changes, has anyone played around with the combination?