🚀 Build a High-Speed Private Tailscale DERP Relay Node (with BBRv3 Acceleration and Whitelist Authentication)

Use case: direct Tailscale connections are hard to establish, so a cloud server is used as a relay node to give OpenWRT routers and similar devices a low-latency path, while keeping strangers from freeloading on the node. System environment: Ubuntu 20.04 / 22.04 or other mainstream Linux distributions.


🛠️ Phase 1: Network Layer Acceleration (Upgrade to BBRv3)

To get the most out of the relay node, we first upgrade the kernel and enable the latest BBRv3 congestion control algorithm; combined with the FQ queueing discipline this greatly increases network throughput.

1. Install the BBRv3 Kernel

Depending on your server's network environment, run one of the following install commands in the terminal:

Option A: Official direct installation (for servers outside mainland China or with unrestricted network access)

Bash

bash <(curl -L -s https://raw.githubusercontent.com/byJoey/Actions-bbr-v3/refs/heads/main/install.sh)

Option B: Mirror proxy installation (for cloud servers in mainland China; use this if the download times out)

Bash

bash <(curl -L -s https://mirror.ghproxy.com/https://raw.githubusercontent.com/byJoey/Actions-bbr-v3/refs/heads/main/install.sh)

The script opens an interactive menu; choose "Install BBR v3". When installation finishes, the system prompts you to reboot.

2. Optimize the Queueing Discipline and Enable BBR

After the reboot, reconnect over SSH. The upstream recommendation is to pair BBR with the fq queueing discipline. Run the following commands in order to enforce this:

Bash

# Remove the old qdisc setting
sudo sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf

# Write the recommended settings
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf

# Reload to apply
sudo sysctl -p

3. Verify That Acceleration Is Active

Bash

sysctl net.ipv4.tcp_congestion_control
sysctl net.core.default_qdisc

If the outputs are bbr and fq respectively, network layer acceleration is enabled.


🔒 Phase 2: Deploy Tailscale (The Foundation of Authentication)

Core principle: the DERP relay's whitelist mechanism (-verify-clients) asks the locally running Tailscale client who a connecting peer is. That is why the relay server itself must also have Tailscale installed and logged in.

1. Install the Tailscale Client

The official one-line script is recommended (if the network is slow, follow the official docs to add a mainland China mirror and install manually):

Bash

curl -fsSL https://tailscale.com/install.sh | sh

2. Start and Authorize Login

Bash

sudo systemctl enable --now tailscaled
sudo tailscale up

The terminal prints a login URL. Open it in a browser and be sure to log in with the same Tailscale account as your OpenWRT router. Once logged in, run tailscale status and confirm that the other devices on your account are visible.


🛡️ Phase 3: Configure the DERP Relay Service and Whitelist

This step assumes you have already compiled or downloaded the derper executable (typically at /root/go/bin/derper). We will make it start on boot and add the crucial anti-freeloading lock.

Method A: Autostart via Cron (Simple and Direct)

If you previously ran it from a cron job, edit your crontab:

  1. Edit the crontab:

Bash

crontab -e

  2. Add or modify the startup command (note: -verify-clients must come before the > redirection symbol):

Plaintext

@reboot nohup /root/go/bin/derper -hostname [Your_Domain_or_IP] -a :[Your_HTTPS_Port] -stun-port [Your_STUN_Port] -certmode manual -certdir [Your_Cert_Directory] -verify-clients > /var/log/derp.log 2>&1 &

  3. Save and exit, then reboot the server (reboot) for the change to take effect.

Method B: Run as a Systemd Service (Recommended, More Robust)

  1. Create the service file:

Bash

sudo nano /etc/systemd/system/derper.service

  2. Paste the following (replace the bracketed paths and parameters):

Ini

[Unit]
Description=Tailscale DERP Server
After=network.target tailscaled.service

[Service]
Type=simple
Restart=always
RestartSec=5
ExecStart=/root/go/bin/derper -hostname [Your_Domain_or_IP] -a :[Your_HTTPS_Port] -stun-port [Your_STUN_Port] -certmode manual -certdir [Your_Cert_Directory] -verify-clients

[Install]
WantedBy=multi-user.target

  3. Start the service and enable it at boot:

Bash

sudo systemctl daemon-reload
sudo systemctl enable --now derper.service

🎯 Phase 4: Final Verification

1. Check the Server's Defense Status

View the log on the cloud server:

Bash

tail -n 20 /var/log/derp.log

If you see rejected: peer nodekey:... not authorized, an unknown device tried to connect and was blocked: the whitelist is working.

2. Test the Private High-Speed Tunnel

Log in to the terminal of your OpenWRT router (or another device on the same account) and run:

Bash

tailscale netcheck

If your custom node name appears in the Nearest DERP or DERP latency list of the output with a normal (non-timeout) latency, congratulations: a BBRv3-accelerated relay tunnel that belongs only to you is up and running.



🇬🇧 English Version

🚀 Build a High-Speed Private Tailscale DERP Relay Node (with BBRv3 Acceleration & Whitelist Authentication)

Use Case: Ideal for situations where direct Tailscale connections are difficult, requiring a cloud server to act as a custom relay (DERP) node. This setup provides low-latency connections for devices like OpenWRT routers while preventing unauthorized users from freeloading on your node. System Environment: Ubuntu 20.04 / 22.04 or other mainstream Linux distributions.


🛠️ Phase 1: Network Layer Acceleration (Upgrade to BBRv3)

To maximize the performance of your relay node, we first upgrade the system kernel to enable the latest BBRv3 congestion control algorithm. Paired with the FQ queuing discipline, this significantly boosts network throughput.

1. Install the BBRv3 Kernel

Choose one of the following installation commands based on your server’s network environment:

Option A: Official Direct Installation (Recommended for unrestricted networks)

Bash

bash <(curl -L -s https://raw.githubusercontent.com/byJoey/Actions-bbr-v3/refs/heads/main/install.sh)

Option B: Mirror Proxy Accelerated Installation (For servers in restricted regions experiencing timeouts)

Bash

bash <(curl -L -s https://mirror.ghproxy.com/https://raw.githubusercontent.com/byJoey/Actions-bbr-v3/refs/heads/main/install.sh)

An interactive menu will appear. Select “Install BBR v3”. The system will prompt you to reboot upon completion.

2. Optimize Queuing Discipline and Enable BBR

After rebooting, reconnect via SSH. It is highly recommended to pair BBR with the fq queuing discipline for optimal performance. Execute the following commands sequentially to enforce this configuration:

Bash

# Remove old queue configurations
sudo sed -i '/net.core.default_qdisc/d' /etc/sysctl.conf

# Apply optimal configurations
echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf

# Reload sysctl to apply changes
sudo sysctl -p

3. Verify Acceleration Status

Bash

sysctl net.ipv4.tcp_congestion_control
sysctl net.core.default_qdisc

If the outputs are bbr and fq respectively, your network layer acceleration is successfully activated.


🔒 Phase 2: Deploy Tailscale (The Foundation of Authentication)

Core Principle: The DERP relay whitelist mechanism (-verify-clients) verifies a visitor’s identity by querying the locally running Tailscale client. Therefore, Tailscale must be installed and logged in on the relay server itself.

1. Install Tailscale Client

Use the official installation script:

Bash

curl -fsSL https://tailscale.com/install.sh | sh

2. Start and Authorize Login

Bash

sudo systemctl enable --now tailscaled
sudo tailscale up

A login URL will appear in the terminal. Copy and open it in your browser. You must log in using the exact same Tailscale account used on your OpenWRT router. After logging in, run tailscale status to confirm that your other devices are visible in the network.


🛡️ Phase 3: Configure DERP Relay Service & Whitelist

This step assumes you have already compiled or downloaded the derper executable (typically located at /root/go/bin/derper). We will configure it to start on boot and add the critical whitelist lock.

Method A: Autostart via Cron (Simple & Direct)

If you previously ran the service using a cron job, modify your crontab:

  1. Edit the cron jobs:

Bash

crontab -e

  2. Add or modify the startup command (Note: The -verify-clients flag must be placed before the > redirection symbol):

Plaintext

@reboot nohup /root/go/bin/derper -hostname [Your_Domain_or_IP] -a :[Your_HTTPS_Port] -stun-port [Your_STUN_Port] -certmode manual -certdir [Your_Cert_Directory] -verify-clients > /var/log/derp.log 2>&1 &

  3. Save, exit, and restart the server (reboot) to apply the changes.

Method B: Autostart via Systemd (Recommended & Standard)

  1. Create a service file:

Bash

sudo nano /etc/systemd/system/derper.service

  2. Paste the following configuration (replace the bracketed placeholders with your actual paths/parameters):

Ini

[Unit]
Description=Tailscale DERP Server
After=network.target tailscaled.service

[Service]
Type=simple
Restart=always
RestartSec=5
ExecStart=/root/go/bin/derper -hostname [Your_Domain_or_IP] -a :[Your_HTTPS_Port] -stun-port [Your_STUN_Port] -certmode manual -certdir [Your_Cert_Directory] -verify-clients

[Install]
WantedBy=multi-user.target

  3. Enable and start the service:

Bash

sudo systemctl daemon-reload
sudo systemctl enable --now derper.service

🎯 Phase 4: Final Verification

1. Check Server Defense Status

View the logs on your cloud server terminal:

Bash

tail -n 20 /var/log/derp.log

If you see entries like rejected: peer nodekey:... not authorized, it means unauthorized devices are being successfully blocked. Your whitelist is working!
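As an added example (not part of the original post or of Tailscale's derper tooling), the shell audit below checks the two things that matter for the whitelist: that the running derper process actually carries -verify-clients, and how many peers it has turned away, summarised per node key from the log. The sample log lines and node keys are constructed; /root/go/bin/derper, /var/log/derp.log and the rejection message come from the post.

```shell
# Added audit helper (example code, not from the post or from Tailscale).
# The checks are functions over text so they can run on constructed input; audit_live
# wires them to the relay. The cron method logs to /var/log/derp.log; with the systemd
# unit read the log with: journalctl -u derper --no-pager

# has_verify_clients "CMDLINE": succeeds if the derper command line carries the
# whitelist flag as its own token (-verify-clients, --verify-clients, or the =true form).
has_verify_clients() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -Eqx -- '--?verify-clients(=true)?'
}

# count_rejections < derp.log: number of connection attempts derper turned away.
count_rejections() {
    grep -c 'rejected: peer nodekey:' || true
}

# summarize_rejections < derp.log: "<count> <16-hex-char nodekey prefix>" per key,
# busiest key first, so a repeat offender stands out from one-off probes.
summarize_rejections() {
    awk -F 'nodekey:' '/rejected: peer nodekey:/ { split($2, f, " "); k[substr(f[1], 1, 16)]++ }
                       END { for (p in k) print k[p], p }' | sort -rn
}

# Constructed sample log (made-up node keys and RFC 5737 addresses, not real derper output).
SAMPLE_LOG='2024/01/01 10:00:01 derp: accepting connection from 203.0.113.7
2024/01/01 10:00:02 derp: 203.0.113.7: rejected: peer nodekey:aaaaaaaabbbbbbbbccccccccdddddddd not authorized
2024/01/01 10:00:03 derp: 198.51.100.9: rejected: peer nodekey:aaaaaaaabbbbbbbbccccccccdddddddd not authorized
2024/01/01 10:00:04 derp: 192.0.2.5: rejected: peer nodekey:11112222333344445555666677778888 not authorized'

# audit_live: inspect the running derper process and its log on the relay itself.
audit_live() {
    cmd=$(ps -o args= -C derper 2>/dev/null | head -n 1)
    [ -n "$cmd" ] || { echo "derper is not running"; return 1; }
    if has_verify_clients "$cmd"; then
        echo "OK: derper is running with -verify-clients"
    else
        echo "WARNING: derper is running WITHOUT -verify-clients (relay open to any Tailscale node)"
        return 1
    fi
    if [ -r /var/log/derp.log ]; then
        echo "rejected attempts: $(count_rejections < /var/log/derp.log)"
        summarize_rejections < /var/log/derp.log
    fi
}

# Run with --live on the relay; with no argument, dry-run on the constructed sample.
if [ "${1:-}" = "--live" ]; then audit_live; else
    printf '%s\n' "$SAMPLE_LOG" | summarize_rejections   # prints "2 aaaaaaaabbbbbbbb" first
fi
```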

2. Test Your Private High-Speed Tunnel

Log into the terminal of your OpenWRT router (or any other authorized device) and run:

Bash

tailscale netcheck

If your custom node name appears in the Nearest DERP or DERP latency list with a normal latency value, congratulations! Your exclusive BBRv3-accelerated relay tunnel is fully operational.