既然看见标题点进来了,那么应该知道异地组网是啥,就不多赘述了
注:为了方便部署,采用 Podman 部署
部署 HeadScale
创建配置文件夹
sudo mkdir -p /opt/headscale
创建空数据库
sudo touch /opt/headscale/db.sqlite
编辑
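sudo vim /opt/headscale/config.yaml
# Public URL of this server; must be the domain clients actually use.
server_url: https://example.com:51443

# Listen addresses for / and /metrics (inside the container; the podman command
# below publishes both on 127.0.0.1 only).
listen_addr: 0.0.0.0:7200
metrics_listen_addr: 0.0.0.0:7300

# Handshake key; generated automatically if absent.
private_key_path: /etc/headscale/private.key

# TS2021 Noise protocol
noise:
  private_key_path: /etc/headscale/noise_private.key

# IP prefixes assigned to nodes
ip_prefixes:
  - fda8::/64
  - 10.128.0.0/24

# DERP relay service
derp:
  server:
    # Embedded relay switch; when enabled, server_url must be https — DERP depends on TLS.
    enabled: true

    # Region information
    region_id: 999
    region_code: "headscale"
    region_name: "Headscale Embedded DERP"

    # STUN listen address (published on every interface by the podman command below)
    stun_listen_addr: "0.0.0.0:3478"

  # External DERP server list
  urls: []
  # Local DERP map files (YAML paths)
  paths: []
  # Automatic DERP map refresh and its interval
  auto_update_enabled: true
  update_frequency: 24h

# Disable the update check
disable_check_updates: true
# Inactivity timeout after which ephemeral nodes are removed
ephemeral_node_inactivity_timeout: 30m
# Node status check interval
node_update_check_interval: 10s

# Database settings
db_type: sqlite3
db_path: /etc/headscale/db.sqlite

# TLS certificate paths (empty: TLS is terminated by the reverse proxy below)
tls_cert_path: ""
tls_key_path: ""

log:
  # Output formatting for logs: text or json
  format: text
  level: info

# CLI socket. Anyone who can write to it has full administrative control of the
# server, so it must not be world-writable (0777). 0770 limits it to the owner
# and group; the CLI is run inside the container via `podman exec` as the same
# user as the server, so that is sufficient.
unix_socket: /etc/headscale/headscale.sock
unix_socket_permission: "0770"
部署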
# /opt/headscale (mounted at /etc/headscale) holds the server's private keys and the
# SQLite database; keep it readable by root only.
# 7200 (API) and 7300 (metrics) are published on loopback only, for the reverse proxy;
# 3478/udp (STUN) is published on every interface because clients reach it directly.
# :latest is an unpinned tag; pin a release tag so upgrades are deliberate.
sudo podman run -d \
  --name headscale \
  -v /opt/headscale:/etc/headscale \
  -p 127.0.0.1:7200:7200 \
  -p 127.0.0.1:7300:7300 \
  -p 3478:3478/udp \
  --restart always \
  docker.nju.edu.cn/headscale/headscale:latest \
  headscale serve
查看状态
sudo podman ps -a
开机自启
sudo systemctl enable --now podman-restart.service
测试
# Metrics are only reachable from the host itself (published on 127.0.0.1 above).
curl http://127.0.0.1:7300/metrics
Tips:
需放行端口
3478/UDP(STUN,内置 DERP 使用)与 51443/TCP(server_url 与反向代理的监听端口)
反向代理
# Derive the Connection header sent upstream from the client's Upgrade header:
# 'websocket' -> upgrade, no Upgrade header -> close, anything else -> keep-alive.
map $http_upgrade $connection_upgrade {
    default keep-alive;
    'websocket' upgrade;
    '' close;
}
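server {
    listen 51443 http2 ssl;
    listen [::]:51443 http2 ssl;
    server_name example.com;

    # Plain HTTP sent to the TLS port is redirected instead of served.
    error_page 497 301 =307 https://$host:$server_port$request_uri;
    include tmpl.d/tls_example.com.conf;

    location / {
        proxy_pass http://127.0.0.1:7200;
        # HTTP/1.1 plus the Upgrade/Connection pair (from the map above) so the
        # long-lived control connection can be upgraded through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # nginx terminates TLS here, so report its own scheme. Forwarding
        # $http_x_forwarded_proto would pass through whatever the client claimed.
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
}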
加入网络
- client:
# Install
sudo pacman -Sy tailscale
# Start
sudo systemctl enable --now tailscaled.service
# Join; <url> is the headscale server_url (https://example.com:51443 above).
# --accept-dns=false leaves the local resolver untouched; --accept-routes installs
# routes advertised by other nodes; --netfilter-mode=off stops tailscaled from
# managing this host's netfilter rules, so the firewall stays under manual control —
# TODO confirm this still fits before using the host as a subnet router or exit node.
sudo tailscale up \
  --login-server=<url> \
  --accept-dns=false \
  --accept-routes \
  --netfilter-mode=off
- server:
# Create a user; <user> is a placeholder. The CLI talks to the server over the
# unix socket declared in config.yaml, which is why it runs inside the container.
sudo podman exec headscale \
headscale users create <user>
# Register the node with the machine key the client shows after `tailscale up`.
sudo podman exec headscale \
headscale --user <user> nodes register --key <MACHINE_KEY>
- 客户端连接信息查看
# DERP relay servers seen by this client (the embedded relay above is region 999 "headscale")
sudo tailscale netcheck
未完待续……
比如访问子网,或者指定节点作为出口
