Because I want to run a Tailscale DERP server without having to trust it.
-
Tailscaleisend-to-end encryptedby design1 -
An insecure DERP server or connection is still secure for DERP users; there are no MITM issues2
-
--verify-clientsrequires adding this DERP server as one of your Tailscale nodes. In my opinion, this is risky, even with ACLs. -
--verify-client-urlallows derper to check an external URL to permit access3
# with Go 1.23.1+
go build -x -v -trimpath -ldflags "-s -w" -buildvcs=false -o tailscale-derp-client-verifier .- On the trusted Tailscale node machine: get the nodes list from your trusted homelab server or laptop, and sync the
nodes.jsonto the DERP server machine:
You can achieve this in many ways. I do this with rclone, systemd timer, and S3 object storage::
#! /usr/bin/env bash
set -e
set -x
[ -f "$RCLONE_CONFIG_FILE" ]
[ -d "$WORK_DIR" ]
[ -n "$TAILSCALE_S3_REMOTE_NAME" ]
[ -n "$TAILSCALE_S3_BUCKET" ]
cd $WORK_DIR
tailscale status --json | jq '[recurse | objects | with_entries(select(.key == "PublicKey")) | .[]] | sort' > "temp.nodes.json"
jq -e . "temp.nodes.json"
if [ "$(cat "nodes.json" || true)" != "$(cat "temp.nodes.json")" ]; then
rclone --config "$RCLONE_CONFIG_FILE" --contimeout=3m --timeout=10m --checksum copyto \
"temp.nodes.json" "$TAILSCALE_S3_REMOTE_NAME:$TAILSCALE_S3_BUCKET/nodes.json"
mv "temp.nodes.json" "nodes.json"
fi- On the DERP server machine: run
tailscale-derp-client-verifier
If you're not syncing the nodes.json with S3 object storage, use the -path argument:
/path/to/tailscale-derp-client-verifier -path /path/to/nodes.jsonI use S3, so I:
. .env
/path/to/tailscale-derp-client-verifier# .env file
S3_ACCESS_KEY_ID=
S3_SECRET_ACCESS_KEY=
S3_ENDPOINT=
S3_REGION=
S3_BUCKET=
S3_FILE=nodes.json
S3_FORCE_PATH_STYLE=- On the DERP server machine: deploy the derper
derper <... other args> --verify-clients=false --verify-client-url-fail-open=false --verify-client-url=http://127.0.0.1:3000