1. Create the db.sqlite and acl.sqlite files and the data/ and config/ directories, and download the example config file.
mkdir -p /home/docker/headscale/config && \
mkdir -p /home/docker/headscale/data && \
touch /home/docker/headscale/config/acl.sqlite && \
touch /home/docker/headscale/data/db.sqlite && \
wget https://github.com/juanfont/headscale/raw/main/config-example.yaml -O /home/docker/headscale/config/config.yaml
2. Edit the following fields in the example config.yaml:
server_url: https://hs.xxx.com        # the server URL: the domain you created a DNS record for
listen_addr: 0.0.0.0:8080             # default service port
metrics_listen_addr: 0.0.0.0:9090     # default metrics (link quality) listen port
grpc_listen_addr: 0.0.0.0:50443       # default gRPC listen port
prefixes:                             # IP ranges nodes are allocated from
  v4: 100.64.0.0/10
  v6: fd7a:115c:a1e0::/48
policy:
  mode: database                      # ACL mode: database
  path: "./acl.sqlite"                # ACL file path
derp:
  server:
    enabled: true                     # enable the embedded DERP relay server
    #ipv4:                            # comment these two out
    #ipv6:
dns:
  magic_dns: false                    # disable MagicDNS
  base_domain: hs.xxx.com             # root domain for devices that join the network
randomize_client_port: true           # randomize the client port
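Before starting the container it is worth checking the edited config.yaml and the data directory offline. The script below is an added example and not part of the original post or of headscale; it reads dotted keys out of the YAML (assuming the two-space indentation of the upstream example file), refuses a non-HTTPS server_url or an unknown policy mode, and, for an existing deployment (non-empty db.sqlite), insists that noise_private.key and, when the embedded DERP server is enabled, derp_server_private.key are still present, which is the situation that step 7 reports as a restart loop.

```shell
#!/bin/sh
# Added example (not from the original post or headscale): offline preflight
# checks for config.yaml and the data directory, run before `docker run ... serve`.
# Assumption: config.yaml uses two-space indentation like the upstream example.

# Print the scalar value of a dotted key (e.g. policy.mode) from a YAML file.
# Trailing comments and surrounding double quotes are stripped.
hs_cfg_get() {
  awk -v want="$2" '
    function val(s) {
      sub(/^[^:]*:[[:space:]]*/, "", s)   # drop "key:"
      sub(/[[:space:]]*#.*$/, "", s)      # drop trailing comment
      sub(/[[:space:]]*$/, "", s)
      gsub(/^"|"$/, "", s)                # drop surrounding quotes
      return s
    }
    /^[[:space:]]*#/ { next }             # skip comment lines
    /^[[:space:]]*$/ { next }             # skip blank lines
    {
      key = $0; sub(/^[[:space:]]*/, "", key)
      ind = length($0) - length(key)      # indentation = nesting level
      sub(/:.*/, "", key)
      while (depth > 0 && inds[depth] >= ind) depth--   # leave finished sections
      depth++; inds[depth] = ind; keys[depth] = key
      path = keys[1]; for (i = 2; i <= depth; i++) path = path "." keys[i]
      if (path == want) { print val($0); exit }
    }' "$1"
}

# Non-zero when a setting this deployment relies on is missing or unsafe.
hs_check_config() {
  f="$1"; rc=0
  url=$(hs_cfg_get "$f" server_url)
  case "$url" in
    https://*) ;;
    *) echo "server_url must start with https:// (got '$url')" >&2; rc=1 ;;
  esac
  mode=$(hs_cfg_get "$f" policy.mode)
  case "$mode" in
    database) ;;
    file) [ -n "$(hs_cfg_get "$f" policy.path)" ] || { echo "policy.path is required in file mode" >&2; rc=1; } ;;
    *) echo "policy.mode must be database or file (got '$mode')" >&2; rc=1 ;;
  esac
  return $rc
}

# A non-empty db.sqlite means an existing deployment: its key files must still be
# there. A fresh install (empty db.sqlite from step 1) gets its keys on first start.
hs_check_data_dir() {
  d="$1"; f="$2"
  [ -d "$d" ] || { echo "data dir $d is missing" >&2; return 1; }
  [ -s "$d/db.sqlite" ] || return 0
  need="noise_private.key"
  if [ "$(hs_cfg_get "$f" derp.server.enabled)" = "true" ]; then
    need="$need derp_server_private.key"
  fi
  for k in $need; do
    [ -f "$d/$k" ] || { echo "$d/$k is missing; keep the key files when recreating the container" >&2; return 1; }
  done
  return 0
}

# Usage: hs_preflight.sh /home/docker/headscale/config/config.yaml /home/docker/headscale/data
if [ "$#" -eq 2 ]; then
  if hs_check_config "$1" && hs_check_data_dir "$2" "$1"; then
    echo "preflight OK"
  else
    exit 1
  fi
fi
```

The YAML reader only understands plain key: value scalars, which is all the fields above need; lists such as nameservers are ignored rather than parsed.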
3. Start headscale 0.25.0 in Docker (install Docker yourself).
docker run -d \
--name headscale \
--restart always \
-v /home/docker/headscale/config:/etc/headscale/ \
-v /home/docker/headscale/data:/var/lib/headscale \
-p 8080:8080 \
-p 9090:9090 \
-p 3478:3478/udp \
headscale/headscale:0.25.0 \
serve
4. Configure Nginx as a reverse proxy for headscale port 8080 and for the headscale-admin web UI.
Download headscale-admin 0.25.0 and extract it to /home/docker/headscale/web
Install nginx and edit the config file /etc/nginx/conf.d/hs.xxx.com.conf
map $http_upgrade $connection_upgrade {
    default upgrade;
    '' close;
}
server {
    server_name hs.xxx.com;
    location /admin {
        alias /home/docker/headscale/web;
        index index.html;
    }
    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
    listen 443 ssl;
    ssl_certificate /etc/nginx/ssl/xxx.cer; # path to the domain certificate
    ssl_certificate_key /etc/nginx/ssl/xxx.key;
}
server {
    if ($host = hs.xxx.com) {
        return 301 https://$host$request_uri;
    }
    server_name hs.xxx.com;
    listen 80;
    return 404;
}
5. Save the config file and restart nginx.
Open the admin page https://hs.xxx.com/admin, enter the API key and save.
# generate an API key inside the headscale container, valid for 10000 days
docker exec -it headscale headscale apikeys create -e 10000d
# create the headscale user test
docker exec -it headscale headscale users create test
# create a reusable pre-auth key for user test, valid for 1000 days
docker exec -it headscale headscale preauthkeys create -u test -e 1000d --reusable
# list the pre-auth keys of user test
docker exec -it headscale headscale preauthkeys list -u test
6. Install tailscale on the client; the command below joins the controller quickly with a pre-auth key.
# --auth-key xxx: the user's pre-auth key; --login-server https://hs.xxx.com: the headscale server URL;
# --hostname: this node's hostname; --accept-dns=false: do not accept the pushed DNS settings;
# --accept-routes: accept routes advertised by other nodes; --advertise-routes ip1,ip2: advertise two local subnets
tailscale up --auth-key 028agf492b3cf41882a1712991f42d21242892ef10h1d1a3 --login-server https://hs.xxx.com --hostname homerouter --accept-dns=false --accept-routes --advertise-routes 10.0.1.0/24,10.0.2.0/24
# (optional) disable SNAT; by default advertised subnet routes use SNAT.
# `tailscale up` refuses a partial flag set once settings exist, so repeat the flags above and add the SNAT flag:
tailscale up --auth-key 028agf492b3cf41882a1712991f42d21242892ef10h1d1a3 --login-server https://hs.xxx.com --hostname homerouter --accept-dns=false --accept-routes --advertise-routes 10.0.1.0/24,10.0.2.0/24 --snat-subnet-routes=false
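Because every re-run of `tailscale up` has to carry the full flag set, it is easy to lose a flag when changing one setting such as SNAT. The helper below is an added example, not part of the original post or of tailscale: it builds the complete argument list from a small KEY=VALUE settings file (a format constructed for this example), validates the advertised IPv4 CIDRs and the HTTPS login server first, and reads the pre-auth key from a file that must not be group- or world-readable instead of pasting it into the shell history.

```shell
#!/bin/sh
# Added example (not from the original post or tailscale): generate the complete
# `tailscale up` flag list from a settings file so later changes never drop a flag.
# Settings file format (constructed for this example, one KEY=VALUE per line):
#   LOGIN_SERVER=https://hs.xxx.com
#   HOSTNAME=homerouter
#   ROUTES=10.0.1.0/24,10.0.2.0/24
#   SNAT=false
#   AUTH_KEY_FILE=/etc/tailscale/authkey
# AUTH_KEY_FILE holds the pre-auth key and must be mode 0600.

# Accept only IPv4 CIDRs such as 10.0.1.0/24.
ts_valid_cidr() {
  case "$1" in
    */*/*|*[!0-9./]*|*/|/*) return 1 ;;
    */*) ;;
    *) return 1 ;;
  esac
  ip="${1%/*}"; len="${1#*/}"
  [ "$len" -le 32 ] 2>/dev/null || return 1
  oldifs="$IFS"; IFS=.
  set -- $ip                     # split the address into its octets
  IFS="$oldifs"
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    [ -n "$o" ] && [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print the flag list for `tailscale up`; non-zero on a bad or unknown setting.
ts_up_args() {
  login=""; host=""; routes=""; snat="true"
  while IFS='=' read -r k v; do
    case "$k" in
      LOGIN_SERVER) login="$v" ;;
      HOSTNAME) host="$v" ;;
      ROUTES) routes="$v" ;;
      SNAT) snat="$v" ;;
      AUTH_KEY_FILE) ;;          # consumed by ts_up_run
      ''|'#'*) ;;                # blank or comment line
      *) echo "unknown setting: $k" >&2; return 1 ;;
    esac
  done < "$1"
  case "$login" in
    https://*) ;;
    *) echo "LOGIN_SERVER must use https:// (got '$login')" >&2; return 1 ;;
  esac
  [ -n "$host" ] || { echo "HOSTNAME is required" >&2; return 1; }
  args="--login-server=$login --hostname=$host --accept-dns=false --accept-routes"
  if [ -n "$routes" ]; then
    oldifs="$IFS"; IFS=,
    for r in $routes; do
      ts_valid_cidr "$r" || { IFS="$oldifs"; echo "bad route: $r" >&2; return 1; }
    done
    IFS="$oldifs"
    args="$args --advertise-routes=$routes"
  fi
  [ "$snat" = "true" ] || args="$args --snat-subnet-routes=false"
  echo "$args"
}

# Refuse a key file that group or others can read (ls mode must look like -rw-------).
ts_key_file_ok() {
  [ -f "$1" ] || { echo "$1 is not a file" >&2; return 1; }
  case "$(ls -ld "$1")" in
    ????------*) return 0 ;;
    *) echo "$1 must not be group/other accessible" >&2; return 1 ;;
  esac
}

# Run `tailscale up` with the generated flags. The key comes from the file, so it
# stays out of shell history (it is still visible in the process list while running).
ts_up_run() {
  args=$(ts_up_args "$1") || return 1
  keyfile=$(sed -n 's/^AUTH_KEY_FILE=//p' "$1")
  ts_key_file_ok "$keyfile" || return 1
  # shellcheck disable=SC2086   # word splitting of the flag list is intended
  tailscale up $args --auth-key "$(cat "$keyfile")"
}

# Usage: ts_up.sh /etc/tailscale/ts.conf
if [ "$#" -eq 1 ]; then ts_up_run "$1"; fi
```

Turning SNAT off is then a one-line change of SNAT=false in the settings file followed by re-running the script, and the advertised routes and login server are repeated automatically.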
7. Problems encountered
On OpenWrt, tailscale would not start because of iptables-nft ("failed to connect to local tailscaled; it doesn't appear to be running"); see the fix under "openwrt tailscale start".
headscale in Docker kept restarting with the log error "did not find expected key", because I had manually deleted derp_server_private.key and noise_private.key under /data when recreating the container.
8. References:
Complete tutorial on building a headscale cross-site network with Docker
https://www.cnblogs.com/Yogile/p/17064031.html
https://help.sap560.com/g-Tailscale/20/102.html
https://github.com/GoodiesHQ/headscale-admin