This is yet another take on a Tailscale DERP server in a Docker image.
The guiding principles that distinguish this from alternatives are:
- Compatibility with all containerboot environment variables.
- Stable and predictable versioning, using the same version of Tailscale and DERP together to ensure stability.
- Will not run Tailscale if not desired.
- Full functioning of `/debug/` routes.
- Ease of use. Just clone, set variables, and `docker compose up -d`.
- Support for multiple architectures.
The image is available on `ghcr.io/erisa/ts-derper` with the `:latest` tag serving the latest stable version of Tailscale and some versioned tags being available for specific versions.
In short, and assuming you want to verify clients are part of your tailnet:
- Set up DNS records on a subdomain to point to the public IPv4/IPv6 of the machine that's going to run the DERP server.
- Clone the repository: `$ git clone https://github.com/Erisa/ts-derp-docker && cd ts-derp-docker`
- Create your own copy of the `.env`: `$ cp example.env .env`
- Edit `.env` with an auth key, the domain and an optional hostname.
  - I recommend attaching a tag to your authkey, such as `tag:derpers`.
- Run `docker compose up -d`
- Add the DERP server to your tailnet, as directed by the documentation.
The following ports are required by default:
- 80/tcp (HTTP)
- 443/tcp (HTTPS)
- 3478/udp (STUN)
Port 80 normally cannot be changed, but you are welcome to try and see.
You can change HTTPS and STUN to different ports in the `.env` configuration. You must then update `DERPNode.DERPPort` and `DERPNode.STUNPort` in your tailnet's DERP map accordingly, otherwise clients will keep dialing the default ports.
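The check below is an added example, not code from this repository: it compares the ports the container listens on with what a `derpMap` advertises, including the case where a field is omitted and clients fall back to 443 and 3478. The function names, region ID, node name and port numbers are constructed for illustration, and it assumes the `derpMap` section has been exported as plain JSON (the policy file itself may contain comments).

```python
import json

# Defaults a Tailscale client applies when a DERPNode field is omitted or zero.
DEFAULT_DERP_PORT = 443
DEFAULT_STUN_PORT = 3478

# Constructed sample: the "derpMap" section of a tailnet policy file as plain JSON.
# IDs, names and ports are made up; STUNPort is deliberately missing.
SAMPLE_DERP_MAP = """
{"Regions": {"900": {
  "RegionID": 900, "RegionCode": "home", "RegionName": "Home DERP",
  "Nodes": [{"Name": "900a", "RegionID": 900,
             "HostName": "derp.example.com", "DERPPort": 8443}]
}}}
"""


def effective_ports(node):
    """Return the (DERP, STUN) ports a client will actually dial for this node."""
    derp = node.get("DERPPort") or DEFAULT_DERP_PORT
    stun = node.get("STUNPort") or DEFAULT_STUN_PORT  # -1 means STUN is disabled
    return derp, stun


def check_node(derp_map_json, hostname, https_port, stun_port):
    """Compare the ports the container listens on with what the derpMap advertises."""
    problems = []
    regions = json.loads(derp_map_json).get("Regions", {})
    nodes = [n for r in regions.values() if r for n in r.get("Nodes", [])
             if n.get("HostName") == hostname]  # a null region removes a default one
    if not nodes:
        return [f"no DERPNode with HostName {hostname}"]
    for node in nodes:
        derp, stun = effective_ports(node)
        if derp != https_port:
            problems.append(f"{node['Name']}: DERPPort {derp} != listening {https_port}")
        if stun == -1:
            problems.append(f"{node['Name']}: STUN disabled in derpMap")
        elif stun != stun_port:
            problems.append(f"{node['Name']}: STUNPort {stun} != listening {stun_port}")
    return problems


if __name__ == "__main__":
    for problem in check_node(SAMPLE_DERP_MAP, "derp.example.com", 8443, 3479):
        print(problem)
```
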
If you need custom certificates, set `TS_DERP_CERTMODE` to `manual` and place the files in `./certs` as `derp.example.com.crt` and `derp.example.com.key`.