Headscale VPN installation


1. Server installation

wget -O /usr/local/bin/headscale https://github.com/juanfont/headscale/releases/download/v0.24.0/headscale_0.24.0_linux_amd64
chmod +x /usr/local/bin/headscale
ln -s /usr/local/bin/headscale /usr/bin/headscale

# Create the service account and the configuration directory

useradd headscale

mkdir -p /etc/headscale

# Create the directory that holds the database and certificates

mkdir -p /var/lib/headscale

# Create an empty SQLite database file

touch /var/lib/headscale/db.sqlite

mkdir /var/run/headscale

chown -R headscale:headscale /etc/headscale

chown -R headscale:headscale /var/lib/headscale

chown -R headscale:headscale /var/run/headscale

# Create the configuration file from the upstream example

wget https://github.com/juanfont/headscale/raw/main/config-example.yaml -O /etc/headscale/config.yaml

vi /etc/headscale/config.yaml

# Keys to adjust, shown under the parent sections they sit in within config.yaml:

server_url: http://nps.xx.com:54321

listen_addr: 0.0.0.0:54321

prefixes:
  v4: 172.16.0.0/16
  # v6: fd7a:115c:a1e0::/48

dns:
  magic_dns: false

server_url is plain http here, so node registration and the control channel are unencrypted. Beyond a lab, put TLS on it: either headscale's own tls_cert_path/tls_key_path settings or a reverse proxy that terminates https and forwards to listen_addr.

Create the systemd service unit

vi /etc/systemd/system/headscale.service

[Unit]
Description=headscale controller
After=syslog.target
After=network.target
[Service]
Type=simple
User=headscale
Group=headscale
ExecStart=/usr/local/bin/headscale serve
Restart=always
RestartSec=5
# Optional security enhancements
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/headscale /var/run/headscale
AmbientCapabilities=CAP_NET_BIND_SERVICE
RuntimeDirectory=headscale
[Install]
WantedBy=multi-user.target
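Added example, not from the original post: a small lint for the unit above. It checks that the service runs as the headscale user, that the hardening directives are set, that ReadWritePaths still whitelists the state directory (ProtectSystem=strict makes everything else read-only, so headscale could not write its database otherwise), that AmbientCapabilities grants nothing beyond CAP_NET_BIND_SERVICE, and that no two directives were pasted onto one line, which systemd would silently read as a single value. The unit text under sample_unit is a constructed copy of the one in this post; the function and check names are my own.

```sh
#!/bin/sh
# Added example (not from the post): lint a headscale systemd unit for the hardening
# directives it relies on. sample_unit is a constructed copy of the post's unit.

# unit_get FILE KEY -> value of KEY (last occurrence wins, as systemd does)
unit_get() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# check_unit FILE -> prints each finding, returns 0 when every check passes
check_unit() {
    f=$1; rc=0
    for want in User=headscale Group=headscale NoNewPrivileges=yes PrivateTmp=yes \
                ProtectSystem=strict ProtectHome=yes Restart=always; do
        key=${want%%=*}; exp=${want#*=}
        got=$(unit_get "$f" "$key")
        if [ "$got" != "$exp" ]; then
            echo "FAIL $key: expected '$exp', got '${got:-<unset>}'"; rc=1
        fi
    done
    # ProtectSystem=strict mounts the filesystem read-only, so the state directory
    # (database, noise key, certificates) must be listed in ReadWritePaths.
    case " $(unit_get "$f" ReadWritePaths) " in
        *" /var/lib/headscale "*) ;;
        *) echo "FAIL ReadWritePaths must include /var/lib/headscale"; rc=1 ;;
    esac
    # An unprivileged user needs CAP_NET_BIND_SERVICE only for ports below 1024;
    # any other ambient capability is privilege the service does not need.
    caps=$(unit_get "$f" AmbientCapabilities)
    if [ -n "$caps" ] && [ "$caps" != CAP_NET_BIND_SERVICE ]; then
        echo "FAIL AmbientCapabilities grants more than CAP_NET_BIND_SERVICE: $caps"; rc=1
    fi
    # Two directives pasted onto one line (Key=... Other=...) are read as one value;
    # heuristic check for that copy-paste error (quoted Environment= lines are skipped).
    if grep -Eq '^[A-Za-z]+=[^"]*[[:space:]][A-Za-z]+=' "$f"; then
        echo "FAIL a line carries two directives, split them"; rc=1
    fi
    return $rc
}

# sample_unit -> constructed copy of the post's unit, for the demo run
sample_unit() {
    cat <<'EOF'
[Unit]
Description=headscale controller
After=network.target
[Service]
Type=simple
User=headscale
Group=headscale
ExecStart=/usr/local/bin/headscale serve
Restart=always
RestartSec=5
NoNewPrivileges=yes
PrivateTmp=yes
ProtectSystem=strict
ProtectHome=yes
ReadWritePaths=/var/lib/headscale /var/run/headscale
AmbientCapabilities=CAP_NET_BIND_SERVICE
RuntimeDirectory=headscale
[Install]
WantedBy=multi-user.target
EOF
}

# Demo: lint the sample, then a weakened copy (ProtectSystem relaxed, directives fused)
tmp=$(mktemp)
sample_unit > "$tmp"
echo "== hardened unit"; check_unit "$tmp" && echo "PASS"
sed -e 's/ProtectSystem=strict/ProtectSystem=full/' \
    -e '/^AmbientCapabilities/d' \
    -e 's#^ReadWritePaths=.*#& AmbientCapabilities=CAP_NET_BIND_SERVICE#' "$tmp" > "$tmp.bad"
echo "== weakened unit"; check_unit "$tmp.bad" || echo "findings reported as expected"
rm -f "$tmp" "$tmp.bad"
```

Run it as `sh check_unit.sh`, or source it and call `check_unit /etc/systemd/system/headscale.service` before `systemctl daemon-reload`; a non-zero return means at least one finding was printed.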

Start the service

systemctl daemon-reload
systemctl enable --now headscale

Create a user (the tenant that nodes register under)

headscale users create default

headscale users list

2. Install the DERP relay server (derper)

Install the Go toolchain

yum remove golang

wget https://golang.google.cn/dl/go1.23.5.linux-amd64.tar.gz

tar -zxvf go1.23.5.linux-amd64.tar.gz -C /usr/local/

vi /etc/profile

export GOROOT=/usr/local/go
export GOPATH=/usr/local/gopath
export GOBIN=$GOPATH/bin
export PATH=$PATH:$GOROOT/bin
export PATH=$PATH:$GOPATH/bin

source /etc/profile

# Optional: use a module proxy mirror if github.com is slow to reach
go env -w GOPROXY=https://goproxy.cn,direct

# To go back to the default proxy afterwards:
go env -u GOPROXY

go install tailscale.com/cmd/derper@latest

yum install supervisor

vi /etc/supervisord.conf

[include]
files = supervisord.d/*.conf

vi /etc/supervisord.d/derper.conf

[program:derper]
command=/usr/local/gopath/bin/derper -hostname=nps.xx.com -c /root/derper.conf -certmode manual -certdir /home/dcampuscomkey -a :44321 -http-port -1 -stun -stun-port 3478
; derper only binds 44321/tcp and 3478/udp here, both unprivileged ports, so a dedicated account would work in place of root
user=root
redirect_stderr=true
stdout_logfile=/var/log/supervisor/derper.log
stderr_logfile=/var/log/supervisor/derper-err.log
stdout_logfile_maxbytes=10MB
stdout_logfile_backups=1

systemctl restart supervisord

systemctl enable supervisord

Change the derper command line to verify clients. With --verify-clients, derper only relays for nodes that the tailscaled running on the DERP host itself knows about, so that tailscaled must be installed and logged in to this Headscale first; otherwise every client is rejected.

command=/usr/local/gopath/bin/derper -hostname=nps.dcampus.com -c /root/derper.conf -certmode manual -certdir /home/dcampuscomkey -a :44321 -http-port -1 -stun -stun-port 3478 --verify-clients=true

vi /etc/headscale/config.yaml

derp:
  server:
    # keep headscale's built-in DERP server off; the external derper above is used instead
    enabled: false
  urls:
    # - https://controlplane.tailscale.com/derpmap/default
  paths:
    - /etc/headscale/derp.yaml

vi /etc/headscale/derp.yaml

regions:
  901:
    regionid: 901
    regioncode: nps
    regionname: xx
    nodes:
      - name: 1
        regionid: 901
        hostname: 'nps.xx.com'
        ipv4: 'x.x.x.x'
        stunport: 3478
        stunonly: false
        derpport: 44321

Restart headscale, then check from a client with: tailscale netcheck (the custom region 901 should appear with a latency instead of being unreachable)
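Added example, not from the original post: a cross-check of the derp.yaml that Headscale hands to clients against the derper command line supervisor runs. The two are edited by hand in different files, and a drifted hostname or port leaves every client with a relay it cannot reach (and, for -certmode manual, a certificate derper cannot find, since it loads <certdir>/<hostname>.crt and .key named after -hostname). The derp.yaml and command line embedded below are constructed copies of the ones in this post; function names are my own.

```sh
#!/bin/sh
# Added example (not from the post): check that derp.yaml and the derper command line
# agree on hostname, DERP port and STUN port. Sample inputs are constructed copies.

# yaml_value KEY FILE -> first value of KEY in a flat derp.yaml, quotes stripped
yaml_value() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "'\""
}

# flag_value FLAG CMDLINE -> value of FLAG, accepting "-f v", "-f=v" and "--f=v"
flag_value() {
    printf '%s\n' "$2" | tr ' ' '\n' | awk -v f="$1" '
        { t = $0; sub(/^--/, "-", t) }
        t == f               { getline; print; exit }
        index(t, f "=") == 1 { print substr(t, length(f) + 2); exit }'
}

# derp_check DERP_YAML CMDLINE -> 0 when hostname, DERP port and STUN port agree
derp_check() {
    y=$1; cmd=$2; rc=0
    y_host=$(yaml_value hostname "$y");  c_host=$(flag_value -hostname "$cmd")
    y_derp=$(yaml_value derpport "$y");  c_derp=$(flag_value -a "$cmd"); c_derp=${c_derp##*:}
    y_stun=$(yaml_value stunport "$y");  c_stun=$(flag_value -stun-port "$cmd")
    [ "$y_host" = "$c_host" ] || { echo "FAIL hostname: derp.yaml=$y_host derper=$c_host"; rc=1; }
    [ "$y_derp" = "$c_derp" ] || { echo "FAIL DERP port: derp.yaml=$y_derp derper=$c_derp"; rc=1; }
    [ "$y_stun" = "$c_stun" ] || { echo "FAIL STUN port: derp.yaml=$y_stun derper=$c_stun"; rc=1; }
    # With -certmode manual, derper loads <certdir>/<hostname>.crt and .key, so the
    # certificate files must be named after -hostname; report where they are expected.
    case "$cmd" in
        *"-certmode manual"*|*"-certmode=manual"*)
            echo "note: TLS files expected at $(flag_value -certdir "$cmd")/$c_host.crt and .key" ;;
    esac
    return $rc
}

# Constructed copies of the post's derper command line and derp.yaml
DERPER_CMD='/usr/local/gopath/bin/derper -hostname=nps.xx.com -c /root/derper.conf -certmode manual -certdir /home/dcampuscomkey -a :44321 -http-port -1 -stun -stun-port 3478 --verify-clients=true'
sample_derp_yaml() {
    cat <<'EOF'
regions:
  901:
    regionid: 901
    regioncode: nps
    regionname: xx
    nodes:
      - name: 1
        regionid: 901
        hostname: 'nps.xx.com'
        ipv4: 'x.x.x.x'
        stunport: 3478
        stunonly: false
        derpport: 44321
EOF
}

tmp=$(mktemp)
sample_derp_yaml > "$tmp"
derp_check "$tmp" "$DERPER_CMD" && echo "PASS: derp.yaml and derper agree"
# The same check with a typo in the listen port, the kind of drift this catches
bad_cmd=$(printf '%s\n' "$DERPER_CMD" | sed 's/-a :44321/-a :44322/')
derp_check "$tmp" "$bad_cmd" || echo "FAIL reported as expected"
rm -f "$tmp"
```

On the real host, call `derp_check /etc/headscale/derp.yaml "$(sed -n 's/^command=//p' /etc/supervisord.d/derper.conf)"` after every edit of either file and before restarting headscale.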

3. Client installation

Linux:

Install from https://pkgs.tailscale.com/stable/

# Replace the --login-server address with your Headscale public IP or domain name

tailscale up --login-server=http://nps.xxx.com:54321 --accept-routes=true --accept-dns=false --advertise-routes=172.16.99.0/24 --advertise-exit-node --reset
# DNS is deliberately turned off here, because Headscale's DNS settings would otherwise override the system's default resolver

After running the command above, a login link is printed; open it in a browser.

Copy the command shown on that page into a terminal on the headscale host, replacing USERNAME with the user created earlier (default).

Once registration succeeds, list the registered nodes with: headscale nodes list

Windows:

Install the client. When that is done, open a command prompt as Administrator and run the registry commands below:

REG ADD "HKLM\Software\Tailscale IPN" /v UnattendedMode /t REG_SZ /d always
REG ADD "HKLM\Software\Tailscale IPN" /v LoginURL /t REG_SZ /d "http://nps.xx.com:54321"

Login command. Paste the command it prints into a terminal on the Headscale host, replace USERNAME with the USERNAME created earlier, and run it.

tailscale login --login-server=http://nps.xx.com:54321 --accept-routes=true --accept-dns=false

headscale node list

4. Connecting the LANs (subnet routing)

So far we have only built a point-to-point mesh network: every node can reach every other node directly over its WireGuard private-network IP. With a little extra configuration, each node can also reach the LAN addresses behind the other nodes.

Enable IP forwarding on the node that will act as the subnet router

echo 'net.ipv4.ip_forward = 1' | tee /etc/sysctl.d/ipforwarding.conf
echo 'net.ipv6.conf.all.forwarding = 1' | tee -a /etc/sysctl.d/ipforwarding.conf
sysctl -p /etc/sysctl.d/ipforwarding.conf

Re-run the registration command on that client

Modify the client's registration command by adding --advertise-routes=172.16.99.0/24 to the original one; this tells the Headscale server "this node can forward traffic for these addresses"

tailscale up --login-server=http://nps.xxx.com:54321 --accept-routes=true --accept-dns=false --advertise-routes=172.16.99.0/24 --advertise-exit-node --reset

# On the Headscale server, list the advertised routes (they are not active until enabled)

headscale routes list

# Enable the route; the ID comes from the list above

headscale routes enable -r 1

# On another node, confirm the route arrived (table 52 is the table tailscaled programs)

ip route show table 52 | grep "172.16.99.0/24"
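Added example, not from the original post: a filter for deciding which advertised routes to enable. A subnet router can advertise any prefix it likes, including 0.0.0.0/0 and ::/0 (what --advertise-exit-node announces), so enabling every row of `headscale routes list` hands that node all of the overlay's traffic. The function below prints only the IDs of routes that are advertised, not yet enabled, and inside private (RFC 1918) IPv4 space; everything else is reported for a manual decision. The table embedded below is a constructed sample in the column layout `headscale routes list` prints (ID, Node, Prefix, Advertised, Enabled, Primary); adjust the column order if your version differs. Function names are my own.

```sh
#!/bin/sh
# Added example (not from the post): pick the advertised-but-disabled routes that are
# safe to enable by default. SAMPLE_ROUTES is a constructed table.

# is_private CIDR -> 0 when the IPv4 prefix lies in 10/8, 172.16/12 or 192.168/16
is_private() {
    ip=${1%/*}
    case "$ip" in *[!0-9.]*|"") return 1 ;; esac   # rejects ::/0 and junk
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    case "$1" in
        10)  return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# routes_to_enable -> reads the routes table on stdin, prints IDs safe to enable;
# anything outside private space goes to stderr for a manual decision
routes_to_enable() {
    while IFS='|' read -r id node prefix adv en primary; do
        id=$(printf '%s' "$id" | tr -d ' ');   prefix=$(printf '%s' "$prefix" | tr -d ' ')
        adv=$(printf '%s' "$adv" | tr -d ' '); en=$(printf '%s' "$en" | tr -d ' ')
        [ "$id" = ID ] && continue                       # header row
        [ "$adv" = true ] && [ "$en" = false ] || continue
        if is_private "$prefix"; then
            echo "$id"
        else
            echo "skip route $id ($prefix): outside private ranges, decide by hand" >&2
        fi
    done
}

# Constructed sample in the shape `headscale routes list` prints
SAMPLE_ROUTES='ID | Node      | Prefix         | Advertised | Enabled | Primary
1  | router-01 | 172.16.99.0/24 | true       | false   | -
2  | router-01 | 0.0.0.0/0      | true       | false   | -
3  | router-01 | ::/0           | true       | false   | -
4  | router-02 | 10.20.0.0/16   | true       | true    | true'

# Dry run: print the enable commands instead of executing them
printf '%s\n' "$SAMPLE_ROUTES" | routes_to_enable | while read -r id; do
    echo "headscale routes enable -r $id"
done
```

With the sample table this prints `headscale routes enable -r 1` only: route 4 is already enabled, and routes 2 and 3 (the exit-node prefixes) are listed on stderr for an explicit decision. On the server, feed it the live output with `headscale routes list | routes_to_enable`.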

5. Useful commands

Create an API key valid for 9999 days (in practice a key that never expires; treat it like a root credential, and revoke it with headscale apikeys expire when it is no longer needed)

headscale apikeys create --expiration 9999d

# Delete a node by its ID

headscale node delete -i <ID>