Open arunoruto opened 1 year ago
> 2023/05/28 00:54:42 derp: 172.19.0.19:55912: client rejected: client nodekey: not in set of peers
This isn't an error caused by your reverse proxy, rather it means that the device couldn't be verified by the DERP server. Make sure the container is able to access your Tailscale instance.
I'm not sure about the other ones as I've never used Traefik, but ensure you have websocket support enabled as a first step.
@mrrfv thanks for the response! Websockets are enabled out of the box for Traefik as explained here and here. What does it mean to be able to access the Tailscale instance? I have mounted the Tailscale socket and connected another Tailscale container instance with derper. But nothing seems to work. Also, would HTTP to HTTPS redirecting be a problem?
> Also, would HTTP to HTTPS redirecting be a problem?
The Tailscale documentation says HTTPS should be optional (i.e. HTTP should still work) just in case you're using a network that blocks encrypted connections. Forcing HTTPS shouldn't cause that big of a problem though.
> What does it mean to be able to access the Tailscale instance? I have mounted the Tailscale socket and connected another Tailscale container instance with derper. But nothing seems to work.
Mounting the Tailscale socket (as a volume) worked for me on the first try, so I don't really know how to help you in that regard. Using the same network or host networking doesn't work in my experience. Are you running Tailscale in a container, or bare-metal?
Also:

> environment:
>   DERP_DOMAIN: derper.your-hostname.com

Is `<NAME>: <VALUE>` the correct method of declaring environment variables in Docker Compose files? I've always declared them using `- NAME=VALUE`.
I don't know if something has changed since I last tackled the problem, but it seems like this compose file works for now:
```yaml
derp:
  image: fredliang/derper:latest
  container_name: tail-derp
  restart: unless-stopped
  environment:
    DERP_DOMAIN: derper.example.com
    DERP_ADDR: :80
    DERP_HTTP_PORT: -1
    DERP_VERIFY_CLIENTS: 'true'
  cap_add:
    - NET_ADMIN
    - NET_RAW
  devices:
    - /dev/net/tun:/dev/net/tun
  networks:
    - default
  volumes:
    - /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock
  labels:
    traefik.enable: 'true'
    # HTTPS
    traefik.http.routers.derper.rule: Host(`derper.example.com`)
    traefik.http.routers.derper.tls.certresolver: myresolver
    traefik.http.routers.derper.entrypoints: websecure
    traefik.http.routers.derper.service: derper
    traefik.http.services.derper.loadbalancer.server.port: 80
    # STUN
    traefik.udp.routers.derper.entrypoints: stun
    traefik.udp.services.derper.loadbalancer.server.port: 3478
```
I am not sure if the `devices` tag was needed, but I made sure to include it too for the TUN device.
> Also:
> environment:
>   DERP_DOMAIN: derper.your-hostname.com
> Is `<NAME>: <VALUE>` the correct method of declaring environment variables in Docker Compose files? I've always declared them using `- NAME=VALUE`.

The `key: value` syntax also works for environments and labels. I like them more since the syntax highlighters pick them up easier. The only downside is that you need to specify the `true` and `false` values in quotes, so they don't get mixed up with the YAML logical values.
I will test this setup for a few days and report if any problems arise. If not, I will close the issue then.
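Two of the pitfalls this thread turns on are checkable before `docker compose up`: an unquoted `true` in the mapping form becomes a YAML boolean, and client verification only works when derper can reach the tailscaled socket. The following is an added example, not fredliang/derper's code; it lints a service mapping as a YAML parser would hand it back (inputs constructed from the thread).

```python
# Added example (not fredliang/derper's code): lint a derper compose service for the
# two pitfalls discussed above. The input is the service mapping as a YAML parser
# returns it, so an unquoted true arrives as a Python bool; inputs are constructed.
import re

TAILSCALED_SOCK = "/var/run/tailscale/tailscaled.sock"  # queried when verifying clients


def normalize_env(env):
    """Accept both compose forms: a mapping (KEY: value) or a list of 'KEY=value'."""
    if env is None:
        return {}
    if isinstance(env, dict):
        return dict(env)
    out = {}
    for item in env:
        key, _, value = str(item).partition("=")
        out[key] = value
    return out


def lint_derper_service(service):
    """Return findings for one compose service; an empty list means it looks consistent."""
    findings = []
    env = normalize_env(service.get("environment"))
    # In the mapping form an unquoted true/false is a YAML boolean, not the string the
    # container expects; the list form ('KEY=value') always yields strings.
    for key, value in env.items():
        if isinstance(value, bool):
            findings.append(f"{key}: YAML boolean {value}; quote it as '{str(value).lower()}'")
    # With client verification on, derper asks the local tailscaled whether the node key
    # is a known peer, so the socket must be mounted or every client is rejected.
    verify = str(env.get("DERP_VERIFY_CLIENTS", "")).lower() == "true"
    volumes = [str(v) for v in service.get("volumes") or []]
    sock_mounted = any(re.search(":" + re.escape(TAILSCALED_SOCK) + "(:|$)", v) for v in volumes)
    if verify and not sock_mounted:
        findings.append(f"DERP_VERIFY_CLIENTS is on but {TAILSCALED_SOCK} is not mounted")
    return findings


# Constructed inputs: the working service from the thread, and a broken variant.
GOOD = {
    "environment": {"DERP_DOMAIN": "derper.example.com", "DERP_VERIFY_CLIENTS": "true"},
    "volumes": [f"{TAILSCALED_SOCK}:{TAILSCALED_SOCK}"],
}
BAD = {
    "environment": {"DERP_DOMAIN": "derper.example.com", "DERP_VERIFY_CLIENTS": True},
    "volumes": [],
}
```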
Thanks for you!
Hi @arunoruto Can you also paste your tailscaled docker-compose? I tried your config but i'm not able to access the tailscaled api
I am currently running Tailscale on the host machine. Therefore, I am mounting the `tailscale.sock` file inside the container.
I just switched servers, and the configuration is working so far. But sometimes I got weird behavior. I will try it again with the new server and give feedback.
Hi, I am using Nginx Proxy Manager in docker, and not quite sure about how I could reverse proxy correctly. For docker, if I use 8443:443 to derper docker instance, and when reverse proxying it with derper.my-domain.com, can I set the destination to https://localhost:8443 with my certificate of *.my-domain.com?
I have tried several times, but there is always an error of 502 openresty.
I had the same problem, but I recently solved it:

dockerCompose.yml

```yaml
version: '3.3'
services:
  derper:
    ports:
      - '380:80'
      - '3443:443'
      - '3478:3478/udp'
    container_name: derper
    restart: always
    volumes:
      # your certificate folder; it should contain derper.hostname.com.crt and derper.hostname.com.key
      - '/www/wwwroot/derper/certs:/app/certs'
    environment:
      - 'DERP_CERT_MODE=manual'
      - 'DERP_DOMAIN=derper.hostname.com'
    image: fredliang/derper
```

Logs after startup:

```
2024/05/19 04:02:23 no config path specified; using /var/lib/derper/derper.key
2024/05/19 04:02:23 STUN server listening on [::]:3478
2024/05/19 04:02:23 derper: serving on :443 with TLS
```

Reverse proxy and SSL settings when adding the site in the Baota Panel (宝塔面板): `proxy_pass http://127.0.0.1:3443;`

Access: derper.hostname.com:3443 (the port is mandatory)

If you get the message `Client sent an HTTP request to an HTTPS server.`, check your SSL configuration (both nginx's and Docker's need checking) and make sure you are accessing port 3443. If accessing port 3443 still doesn't work, check the validity period of the SSL certificate. PS: I don't know why the :3443 port has to be added.
Hello, I deployed it following your method, but after adding the following in Access Controls on the website:

```jsonc
"derpMap": {
  "OmitDefaultRegions": true,
  "Regions": {
    "900": {
      "RegionID": 900,
      "RegionCode": "guangzhou",
      "RegionName": "TX guangzhou",
      "Nodes": [
        {
          "Name": "guangzhou-derp",
          "RegionID": 900,
          "DERPPort": 3443, // replace with your own port
          "HostName": "derper.XXX.com", // replace with your own domain here
          "InsecureForTests": true,
        },
      ],
    },
  },
},
```

After writing it like this, the DERP is found, but it cannot be connected to.
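The policy file is HuJSON (comments and trailing commas are allowed), so the snippet above parses as written; what can still go wrong is a `DERPPort` that the container does not publish, a `RegionID` that disagrees with the region key, or `InsecureForTests` left on, which makes clients skip TLS certificate verification for that node. The following added example (not Tailscale's or fredliang/derper's code) cross-checks a derpMap against the port list from the compose file earlier in this thread; both inputs are constructed from the posts.

```python
# Added example (not Tailscale's or fredliang/derper's code): cross-check a derpMap
# node against the ports the derper container publishes. Policy files are HuJSON
# (comments and trailing commas allowed), so the text is normalised before json.loads.
import json
import re


def hujson_loads(text):
    """Strip // comments and trailing commas (fine for snippets without // inside strings)."""
    text = re.sub(r"//[^\n]*", "", text)
    text = re.sub(r",(\s*[}\]])", r"\1", text)
    return json.loads(text)


def published_host_ports(compose_ports):
    """'3443:443' -> 3443 for TCP mappings; UDP (STUN) mappings are skipped."""
    ports = set()
    for spec in compose_ports:
        spec = str(spec)
        if spec.endswith("/udp"):
            continue
        ports.add(int(spec.split(":")[0]))  # a bare 'PORT' publishes that same port
    return ports


def check_derp_map(policy_text, compose_ports):
    """Return findings for every node in the derpMap; an empty list means consistent."""
    findings = []
    host_ports = published_host_ports(compose_ports)
    for region_id, region in hujson_loads(policy_text)["derpMap"]["Regions"].items():
        for node in region["Nodes"]:
            port = node.get("DERPPort", 443)  # clients default to 443 when unset
            if port not in host_ports:
                findings.append(f"{node['Name']}: DERPPort {port} not published ({sorted(host_ports)})")
            if node.get("InsecureForTests"):
                # Clients skip TLS certificate checks for this node; fix the cert rather than keep this.
                findings.append(f"{node['Name']}: InsecureForTests disables certificate verification")
            if str(node.get("RegionID")) != str(region_id):
                findings.append(f"{node['Name']}: RegionID {node.get('RegionID')} != region key {region_id}")
    return findings


# Constructed from the thread: the poster's policy snippet and the compose port list.
POLICY = """{
  "derpMap": {"OmitDefaultRegions": true, "Regions": {"900": {
    "RegionID": 900, "RegionCode": "guangzhou", "RegionName": "TX guangzhou",
    "Nodes": [{"Name": "guangzhou-derp", "RegionID": 900, "DERPPort": 3443,  // replace with your port
              "HostName": "derper.XXX.com", "InsecureForTests": true,},],},},},
}"""
COMPOSE_PORTS = ["380:80", "3443:443", "3478:3478/udp"]
```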
I am trying to run a derper container behind a traefik proxy. I am not sure what I am doing wrong, but my config seems to work until I turn on verification. Here is my service:
Derper is giving me constant errors like:
where `172.19.0.19` is the Docker IP address of Traefik, my reverse proxy. The service is available at https://derper.your-hostname.com and I also get the webpage, but it seems like I am missing something. Sometimes I also do get errors like this: