/ts-derp-docker

Yet another take on a Tailscale DERP Docker image


Erisa's Tailscale DERP Docker image

This is yet another take on a Tailscale DERP server in a Docker image.

The guiding principles that distinguish this from alternatives are:

  • Compatibility with all containerboot environment variables.
  • Stable and predictable versioning, using the same version of Tailscale and DERP together to ensure stability.
  • Will not run Tailscale if not desired.
  • Full functioning of /debug/ routes.
  • Ease of use. Just clone, set variables, and docker compose up -d.
  • Support for multiple architectures.

The image is available at ghcr.io/erisa/ts-derper. The :latest tag serves the latest stable version of Tailscale, and some versioned tags are available for specific versions.

Setup

In short, and assuming you want to verify clients are part of your tailnet:

  • Set up DNS records on a subdomain to point to the public IPv4/IPv6 of the machine that's going to run the DERP server.
  • Clone the repository: $ git clone https://github.com/Erisa/ts-derp-docker && cd ts-derp-docker
  • Create your own copy of the .env: $ cp example.env .env
  • Edit .env with an auth key, the domain and an optional hostname.
    • I recommend attaching a tag to your authkey, such as tag:derpers.
  • Run docker compose up -d
  • Add the DERP server to your tailnet, as directed by the documentation.

The following ports are required by default:

80/tcp (HTTP)
443/tcp (HTTPS)
3478/udp (STUN)

Port 80 normally cannot be changed, but you are welcome to try and see.

You can change HTTPS and STUN to different ports in the .env configuration. You must then update DERPNode.DERPPort and DERPNode.STUNPort accordingly.
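
A consistency check for the port change described above, as an added example that is not part of this repository: it compares a derpMap (constructed sample, strict JSON) against the ports the container listens on, applying Tailscale's defaults of 443 and 3478 when DERPPort or STUNPort is omitted or 0. The function names and the region values are assumptions for illustration.

```python
import json

# Effective ports when a DERPNode field is omitted or 0 (Tailscale defaults).
DEFAULT_DERP_PORT = 443
DEFAULT_STUN_PORT = 3478

# Constructed sample: the derpMap section of a tailnet policy file, strict JSON.
SAMPLE_POLICY = json.loads("""
{"derpMap": {"Regions": {"900": {
  "RegionID": 900, "RegionCode": "myderp", "RegionName": "My DERP",
  "Nodes": [{"Name": "1", "RegionID": 900, "HostName": "derp.example.com",
             "DERPPort": 8443}]
}}}}
""")


def effective_ports(node):
    """Return (derp_port, stun_port) as clients see them; stun_port is None if disabled."""
    derp = node.get("DERPPort") or DEFAULT_DERP_PORT
    stun = node.get("STUNPort") or DEFAULT_STUN_PORT
    return derp, (None if stun == -1 else stun)


def check_derp_node(policy, hostname, https_port, stun_port):
    """List mismatches between the derpMap and the ports the container listens on."""
    problems = []
    regions = (policy.get("derpMap") or {}).get("Regions") or {}
    # A region may be null in a policy file, so skip empty values.
    nodes = [n for r in regions.values() if r for n in r.get("Nodes", [])
             if n.get("HostName") == hostname]
    if not nodes:
        return [f"no DERPNode with HostName {hostname!r} in derpMap"]
    for node in nodes:
        derp, stun = effective_ports(node)
        if derp != https_port:
            problems.append(f"DERPPort: clients use {derp}, server listens on {https_port}")
        if stun is None:
            problems.append("STUNPort is -1: STUN disabled for this node")
        elif stun != stun_port:
            problems.append(f"STUNPort: clients use {stun}, server listens on {stun_port}")
    return problems


if __name__ == "__main__":
    # HTTPS moved to 8443 and STUN to 3479, but STUNPort was never added to the node.
    for problem in check_derp_node(SAMPLE_POLICY, "derp.example.com", 8443, 3479):
        print(problem)
```

A real tailnet policy file may contain comments and trailing commas, so parse it with a HuJSON-aware tool before passing the result to `check_derp_node`.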

If you need custom certificates, set TS_DERP_CERTMODE to manual and place the files in ./certs as derp.example.com.crt and derp.example.com.key.

Credits