fredliang44 / derper-docker

tailscale‘s selfhosted derp-server docker image
https://tailscale.com/kb/1118/custom-derp-servers/
GNU General Public License v3.0
239 stars · 55 forks

Reverse Proxy #8

Open arunoruto opened 1 year ago

arunoruto commented 1 year ago

I am trying to run a derper container behind a traefik proxy. I am not sure what I am doing wrong, but my config seems to work until I turn on verification. Here is my service:

services:
  derp:
    image: fredliang/derper:latest
    container_name: tail-derp
    restart: unless-stopped
    environment:
      DERP_DOMAIN: derper.your-hostname.com
      DERP_ADDR: :80
      DERP_STUN: 'true'
      DERP_STUN_PORT: 3478
      DERP_HTTP_PORT: 443
      DERP_VERIFY_CLIENTS: 'true'
    networks:
      - web
    labels:
      traefik.enable: 'true'
      traefik.http.routers.derper.rule: Host(`derper.your-hostname.com`)
      traefik.http.routers.derper.tls.certresolver: myresolver
      traefik.http.routers.derper.entrypoints: websecure
      traefik.http.services.derper.loadbalancer.server.port: 80
      traefik.udp.routers.derper.entrypoints: stun
      traefik.udp.services.derper.loadbalancer.server.port: 3478

Derper is giving me constant errors like:

...
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: read EOF
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: removing connection
...

where 172.19.0.19 is the docker IP address of traefik, my reverse proxy. The service is available at https://derper.your-hostname.com and I also get the webpage, but it seems like I am missing something.

Sometimes I also do get errors like this:

...
2023/05/28 00:54:42 derp: 172.19.0.19:55912: client <id> rejected: client nodekey:<node key> not in set of peers
...
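The two log shapes quoted above (the `read EOF` / `removing connection` pair and the `rejected: ... not in set of peers` line) point at different layers: the first is the connection from the proxy being closed before the DERP session completes, the second is derper failing to confirm the node key through tailscaled. The following triage script is an added example written for this thread, not code from the derper-docker project or from Tailscale; the regex is modelled only on the line shapes shown in this issue, and the sample lines are constructed with made-up ids.

```go
package main

import (
	"fmt"
	"net"
	"regexp"
	"strings"
)

// DerpEvent is one parsed derper log line.
type DerpEvent struct {
	Time   string
	Addr   string // ip:port derper saw; behind a reverse proxy this is the proxy's address
	Kind   string // read_eof, removed, verify_rejected, other
	Detail string
}

// Summary is the triage result for a batch of log lines.
type Summary struct {
	Counts   map[string]int // lines per Kind
	Sources  map[string]int // lines per source IP
	Unparsed int
}

// Matches the two line shapes seen in the thread (assumption: derper's format
// is stable enough for this; adjust the pattern if your version differs):
//   <ts> derp client <ip:port>/<id>: <detail>
//   <ts> derp: <ip:port>: client <id> rejected: <detail>
var derpLineRE = regexp.MustCompile(
	`^(\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) derp(?: client)?:? (\d{1,3}(?:\.\d{1,3}){3}:\d+)(?:/\S+)?: (.*)$`)

// ParseDerpLine parses and classifies a single line.
func ParseDerpLine(line string) (DerpEvent, bool) {
	m := derpLineRE.FindStringSubmatch(line)
	if m == nil {
		return DerpEvent{}, false
	}
	ev := DerpEvent{Time: m[1], Addr: m[2], Detail: m[3], Kind: "other"}
	switch {
	case strings.HasSuffix(ev.Detail, "read EOF"):
		ev.Kind = "read_eof"
	case strings.HasSuffix(ev.Detail, "removing connection"):
		ev.Kind = "removed"
	case strings.Contains(ev.Detail, "not in set of peers"):
		ev.Kind = "verify_rejected"
	}
	return ev, true
}

// Triage counts event kinds and source IPs over a batch of lines.
func Triage(lines []string) Summary {
	s := Summary{Counts: map[string]int{}, Sources: map[string]int{}}
	for _, line := range lines {
		ev, ok := ParseDerpLine(line)
		if !ok {
			s.Unparsed++
			continue
		}
		s.Counts[ev.Kind]++
		if host, _, err := net.SplitHostPort(ev.Addr); err == nil {
			s.Sources[host]++
		}
	}
	return s
}

// Diagnose turns the summary into the hints given in the thread.
func Diagnose(s Summary) []string {
	var hints []string
	if len(s.Sources) == 1 {
		for ip := range s.Sources {
			hints = append(hints, fmt.Sprintf("every connection arrives from %s: the reverse proxy is fronting derper, so these logs never show the real client address", ip))
		}
	}
	if s.Counts["verify_rejected"] > 0 {
		hints = append(hints, "verify_rejected: derper could not confirm the node key via tailscaled; check the tailscaled socket mount, not the proxy")
	}
	if s.Counts["read_eof"] > 0 {
		hints = append(hints, "read_eof: the connection from the proxy was closed before the DERP session completed; confirm the proxy forwards the Upgrade handshake and keeps long-lived connections open")
	}
	return hints
}

// SampleLog is constructed from the line shapes in the thread, with made-up ids.
var SampleLog = []string{
	"2023/05/28 01:09:27 derp client 172.19.0.19:50580/[abcd1234]: read EOF",
	"2023/05/28 01:09:27 derp client 172.19.0.19:50580/[abcd1234]: removing connection",
	"2023/05/28 00:54:42 derp: 172.19.0.19:55912: client [abcd1234] rejected: client nodekey:0000 not in set of peers",
	"2023/05/28 00:54:40 derper: serving on :80",
}

func main() {
	s := Triage(SampleLog)
	fmt.Printf("counts=%v sources=%v unparsed=%d\n", s.Counts, s.Sources, s.Unparsed)
	for _, h := range Diagnose(s) {
		fmt.Println("-", h)
	}
}
```

Feed it `docker logs tail-derp` output instead of `SampleLog` to see whether the rejections are a verification problem or a proxy problem; a single source IP in `Sources` confirms that every DERP connection is arriving through the proxy.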
mrrfv commented 6 months ago

> 2023/05/28 00:54:42 derp: 172.19.0.19:55912: client rejected: client nodekey: not in set of peers

This isn't an error caused by your reverse proxy, rather it means that the device couldn't be verified by the DERP server. Make sure the container is able to access your Tailscale instance.

I'm not sure about the other ones as I've never used Traefik, but ensure you have websocket support enabled as a first step.

arunoruto commented 6 months ago

@mrrfv thanks for the response! Websockets are enabled out of the box for traefik as explained here and here. What does it mean to be able to access the tailscale instance? I have mounted the tailscale socket and connected another tailscale container instance with derper. But nothing seems to work. Also, would HTTP to HTTPS redirecting be a problem?

mrrfv commented 6 months ago

> Also, would HTTP to HTTPS redirecting be a problem?

The Tailscale documentation says HTTPS should be optional (i.e. HTTP should still work) just in case you're using a network that blocks encrypted connections. Forcing HTTPS shouldn't cause that big of a problem though.

> What does it mean to be able to access the tailscale instance? I have mounted the tailscale socket and connected another tailscale container instance with deeper. But nothing seems to work.

Mounting the Tailscale socket (as a volume) worked for me on the first try, so I don't really know how to help you in that regard. Using the same network or host networking doesn't work in my experience. Are you running Tailscale in a container, or bare-metal?

Also:

    environment:
      DERP_DOMAIN: derper.your-hostname.com

Is <NAME>:<VALUE> the correct method of declaring environment variables in Docker Compose files? I've always declared them using - NAME=VALUE.

arunoruto commented 6 months ago

I don't know if something has changed since I last tackled the problem, but it seems like this compose file works for now:

  derp:
    image: fredliang/derper:latest
    container_name: tail-derp
    restart: unless-stopped
    environment:
      DERP_DOMAIN: derper.example.com
      DERP_ADDR: :80
      DERP_HTTP_PORT: -1
      DERP_VERIFY_CLIENTS: 'true'
    cap_add:
      - NET_ADMIN
      - NET_RAW
    devices:
      - /dev/net/tun:/dev/net/tun
    networks:
      - default
    volumes:
      - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
    labels:
      traefik.enable: 'true'
      # HTTPS
      traefik.http.routers.derper.rule: Host(`derper.example.com`)
      traefik.http.routers.derper.tls.certresolver: myresolver
      traefik.http.routers.derper.entrypoints: websecure
      traefik.http.routers.derper.service: derper
      traefik.http.services.derper.loadbalancer.server.port: 80
      # STUN
      traefik.udp.routers.derper.entrypoints: stun
      traefik.udp.services.derper.loadbalancer.server.port: 3478

I am not sure if the devices tag was needed, but I made sure to include it too for the TUN device.

> Also:
>
>     environment:
>       DERP_DOMAIN: derper.your-hostname.com
>
> Is <NAME>:<VALUE> the correct method of declaring environment variables in Docker Compose files? I've always declared them using - NAME=VALUE.

The key:value syntax also works for environments and labels. I like them more since the syntax highlighters pick them up more easily. The only downside is that you need to specify the true and false values in quotes, so they don't get mixed up with the YAML logical values.

I will test this setup for a few days and report if any problems arise. If not, I will close the issue then.

londbell commented 5 months ago

> 2023/05/28 00:54:42 derp: 172.19.0.19:55912: client rejected: client nodekey: not in set of peers
>
> This isn't an error caused by your reverse proxy, rather it means that the device couldn't be verified by the DERP server. Make sure the container is able to access your Tailscale instance.
>
> I'm not sure about the other ones as I've never used Traefik, but ensure you have websocket support enabled as a first step.

Thank you!

Cheesman97 commented 4 months ago

Hi @arunoruto, can you also paste your tailscaled docker-compose? I tried your config but I'm not able to access the tailscaled API.

arunoruto commented 4 months ago

> Hi @arunoruto Can you also paste your tailscaled docker-compose? I tried your config but i'm not able to access the tailscaled api

I am currently running tailscale on the host machine. Therefore, I am mounting the tailscale.sock file inside the container. I just switched servers, and the configuration is working so far. But sometimes I got weird behavior. I will try it again with the new server and give feedback.

wang1zhen commented 1 month ago

Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?

I have tried several times, but there is always an error of 502 openresty.

wodepig commented 1 month ago

> Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?
>
> I have tried several times, but there is always an error of 502 openresty.

I had the same problem, but I solved it recently:

dockerCompose.yml

version: '3.3'
services:
    derper:
        ports:
            - '380:80'
            - '3443:443'
            - '3478:3478/udp'
        container_name: derper
        restart: always
        volumes:
            # your certificate folder; it should contain the files derper.hostname.com.crt and derper.hostname.com.key
            - '/www/wwwroot/derper/certs:/app/certs'
        environment:
            - 'DERP_CERT_MODE=manual'
            - 'DERP_DOMAIN=derper.hostname.com'
        image: fredliang/derper

Log after startup:

2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS

Reverse-proxy and SSL configuration for the site added in the 宝塔 (BT) panel: proxy_pass http://127.0.0.1:3443; (screenshots of the panel's proxy and SSL settings)

Access: derper.hostname.com:3443 (the port is required)

(screenshot)

If you get "Client sent an HTTP request to an HTTPS server.", check your SSL configuration (both nginx's and docker's need checking) and make sure you are accessing port 3443. If port 3443 still doesn't work, check the SSL certificate's validity period. PS: I don't know why the :3443 port has to be added.
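The message "Client sent an HTTP request to an HTTPS server." quoted above is what a Go net/http server (derper included) answers when plaintext HTTP bytes arrive on a TLS listener, which is exactly what happens when a proxy is told `proxy_pass http://...` for a port on which derper is "serving on :443 with TLS". The added example below is not code from the derper-docker project or from Tailscale; it stands up an httptest TLS server with a self-signed certificate (an assumption standing in for the manual DERP_CERT_MODE certificate) and probes it the three ways a reverse proxy can: plaintext to the TLS port, TLS without trusting the origin certificate, and TLS with the certificate trusted.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ProbeResult is what a client (or a reverse proxy) gets back from the listener.
type ProbeResult struct {
	Status int
	Body   string
}

// newTLSOrigin stands in for derper started with DERP_CERT_MODE=manual, i.e.
// "serving on :443 with TLS". httptest issues a self-signed certificate for it
// (assumption: a real derper serves the mounted .crt/.key pair instead).
func newTLSOrigin() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusOK)
		io.WriteString(w, "DERP\n")
	}))
}

func probe(client *http.Client, url string) (ProbeResult, error) {
	resp, err := client.Get(url)
	if err != nil {
		return ProbeResult{}, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return ProbeResult{}, err
	}
	return ProbeResult{Status: resp.StatusCode, Body: strings.TrimSpace(string(body))}, nil
}

// PlainHTTPToTLSPort does what `proxy_pass http://127.0.0.1:3443;` does when
// port 3443 is the TLS listener: it speaks plaintext HTTP to a TLS socket.
// The Go server answers 400 "Client sent an HTTP request to an HTTPS server."
func PlainHTTPToTLSPort() (ProbeResult, error) {
	srv := newTLSOrigin()
	defer srv.Close()
	plainURL := "http://" + strings.TrimPrefix(srv.URL, "https://")
	return probe(http.DefaultClient, plainURL)
}

// TLSUntrustedCert speaks TLS but does not trust the origin certificate, the
// situation an https:// proxy_pass is in when the upstream certificate is
// self-signed or expired and verification is left on: the request fails.
func TLSUntrustedCert() (ProbeResult, error) {
	srv := newTLSOrigin()
	defer srv.Close()
	return probe(&http.Client{}, srv.URL)
}

// TLSTrustedCert is the working path: TLS to the origin with its certificate trusted.
func TLSTrustedCert() (ProbeResult, error) {
	srv := newTLSOrigin()
	defer srv.Close()
	return probe(srv.Client(), srv.URL)
}

func main() {
	for name, f := range map[string]func() (ProbeResult, error){
		"plain http -> tls port": PlainHTTPToTLSPort,
		"tls, cert untrusted":    TLSUntrustedCert,
		"tls, cert trusted":      TLSTrustedCert,
	} {
		r, err := f()
		if err != nil {
			fmt.Printf("%-24s error: %v\n", name, err)
			continue
		}
		fmt.Printf("%-24s %d %q\n", name, r.Status, r.Body)
	}
}
```

The first probe reproduces the 400 from the comment above; the second shows why an https:// upstream with an expired or untrusted certificate fails at the proxy rather than at the client; only the third returns the relay's 200. In practice that means either terminating TLS at the proxy and pointing it at derper's plain HTTP port, or proxying with https:// to the TLS port and making sure the proxy trusts a valid certificate for DERP_DOMAIN.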

conancheng commented 1 month ago

Hello, I deployed it following your method, but in Access Controls on the website I added:

"derpMap": {
  "OmitDefaultRegions": true,
  "Regions": {
    "900": {
      "RegionID": 900,
      "RegionCode": "guangzhou",
      "RegionName": "TX guangzhou",
      "Nodes": [
        {
          "Name": "guangzhou-derp",
          "RegionID": 900,
          "DERPPort": 3443, // replace with your own PORT
          "HostName": "derper.XXX.com", // replace with your own domain
          "InsecureForTests": true,
        },
      ],
    },
  },
},

After writing it like this, the derp can be found, but it cannot be connected to. (screenshot)
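The derpMap above is HuJSON (JSON with `//` comments and trailing commas), so a plain JSON parser rejects it, and one of its fields deserves a second look before it goes into a production ACL: `InsecureForTests` is a Tailscale test-only switch that turns off TLS certificate verification for that relay, so every client would accept any certificate from `derper.XXX.com`. The linter below is an added example for this thread, not code from the derper-docker project or from Tailscale; its comment/trailing-comma stripper is a deliberately small stand-in for Tailscale's hujson package, and the sample input is the snippet from the comment above with its placeholder hostname left in.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"strings"
)

// Structures covering only the derpMap fields used in the thread's ACL snippet.
type DERPNode struct {
	Name             string
	RegionID         int
	DERPPort         int
	HostName         string
	InsecureForTests bool
}

type DERPRegion struct {
	RegionID   int
	RegionCode string
	RegionName string
	Nodes      []DERPNode
}

type DERPMap struct {
	OmitDefaultRegions bool
	Regions            map[string]DERPRegion
}

type ACL struct {
	DERPMap DERPMap `json:"derpMap"`
}

// SampleACL is constructed from the snippet in the thread (placeholder hostname kept).
const SampleACL = `{
  "derpMap": {
    "OmitDefaultRegions": true,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "guangzhou",
        "RegionName": "TX guangzhou",
        "Nodes": [
          {
            "Name": "guangzhou-derp",
            "RegionID": 900,
            "DERPPort": 3443, // replace with your own PORT
            "HostName": "derper.XXX.com", // replace with your own domain
            "InsecureForTests": true,
          },
        ],
      },
    },
  },
}`

var trailingComma = regexp.MustCompile(`,(\s*[}\]])`)

// StripHuJSON removes // line comments and trailing commas so encoding/json can
// parse the ACL. Simplification: strings are honoured in the comment pass only,
// so a ",}" inside a string value would be mangled by the trailing-comma pass.
func StripHuJSON(src string) string {
	var out strings.Builder
	inString := false
	for i := 0; i < len(src); i++ {
		c := src[i]
		switch {
		case inString:
			out.WriteByte(c)
			if c == '\\' && i+1 < len(src) {
				i++
				out.WriteByte(src[i])
			} else if c == '"' {
				inString = false
			}
		case c == '"':
			inString = true
			out.WriteByte(c)
		case c == '/' && i+1 < len(src) && src[i+1] == '/':
			for i < len(src) && src[i] != '\n' {
				i++
			}
			out.WriteByte('\n')
		default:
			out.WriteByte(c)
		}
	}
	return trailingComma.ReplaceAllString(out.String(), "$1")
}

// ParseACL parses a HuJSON ACL fragment into the structures above.
func ParseACL(src string) (ACL, error) {
	var acl ACL
	err := json.Unmarshal([]byte(StripHuJSON(src)), &acl)
	return acl, err
}

// LintDERPMap returns findings an operator should resolve before publishing the map.
func LintDERPMap(acl ACL) []string {
	var findings []string
	m := acl.DERPMap
	if m.OmitDefaultRegions && len(m.Regions) == 1 {
		findings = append(findings, "OmitDefaultRegions with a single region: if this relay is down there is no fallback relay")
	}
	for id, r := range m.Regions {
		for _, n := range r.Nodes {
			if n.InsecureForTests {
				findings = append(findings, fmt.Sprintf("region %s node %s: InsecureForTests=true disables TLS certificate verification for this relay; clients will accept any certificate", id, n.Name))
			}
			if n.HostName == "" || strings.Contains(n.HostName, "XXX") {
				findings = append(findings, fmt.Sprintf("region %s node %s: HostName %q looks like a placeholder", id, n.Name, n.HostName))
			}
			if n.DERPPort != 0 && n.DERPPort != 443 {
				findings = append(findings, fmt.Sprintf("region %s node %s: clients will dial %s:%d, so the proxy must serve a valid TLS certificate on that port", id, n.Name, n.HostName, n.DERPPort))
			}
		}
	}
	return findings
}

func main() {
	acl, err := ParseACL(SampleACL)
	if err != nil {
		panic(err)
	}
	for _, f := range LintDERPMap(acl) {
		fmt.Println("-", f)
	}
}
```

Run against the snippet, it reports the single-region fallback gap, the placeholder hostname, the non-443 port that the proxy has to serve TLS on, and the `InsecureForTests` flag; remove that flag and give the relay a certificate that validates for the hostname rather than turning verification off.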