Create a DERP server in the K8s cluster
This article was last updated on: July 24, 2024
Preface
The purpose of this article is to build Tailscale’s DERP server within a K8s cluster.
Background Knowledge
Tailscale
Tailscale lets you manage access to private resources (it is essentially a VPN tool), SSH into devices on your network quickly, and work securely from anywhere in the world.
It creates a WireGuard mesh network between your devices, virtual machines and servers, even when they are separated by firewalls or sit on different subnets.
DERP
Tailscale runs DERP (Designated Encrypted Relay for Packets) servers to help connect your nodes. Besides the DERP servers Tailscale provides, you can also run your own.
Tailscale's DERP relays are distributed around the world. They act as a side channel between your Tailscale nodes during NAT traversal, and as a fallback path when NAT traversal fails and no direct connection can be established. Relayed traffic is still end-to-end encrypted with WireGuard; the relay only ever sees ciphertext and cannot read or modify it.
Tailscale runs DERP servers in many locations. As of September 2022, this list includes:
- Australia (Sydney)
- Brazil (São Paulo)
- Canada (Toronto)
- Dubai (Dubai)
- France (Paris)
- Germany (Frankfurt)
- Hong Kong (Hong Kong)
- India (Bangalore)
- Japan (Tokyo)
- Netherlands (Amsterdam)
- Poland (Warsaw)
- Singapore (Singapore)
- South Africa (Johannesburg)
- Spain (Madrid)
- United Kingdom (London)
- United States (Chicago, Dallas, Denver, Honolulu, Los Angeles, Miami, New York City, San Francisco, and Seattle)
Tailscale clients automatically select the nearest low-latency relay, and Tailscale keeps adding DERP servers as demand requires.
If none of the public relays is close to your nodes, running your own DERP server near them gives lower latency and more stable relayed connections. That is what the rest of this article sets up.
Steps
Start from a minimal docker-compose configuration for the derper image (one of the docker-based guides in the reference list has one) and convert it to K8s manifests, for example with kompose. The result is a StatefulSet plus a headless Service; the settings that matter are explained in the notes below.
📝Notes:
To facilitate the configuration of domains as Env, StatefulSets is used here.
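The manifest below is an added, reconstructed example for this article, not the original kompose output: it collects the settings discussed in the notes that follow into one StatefulSet plus its headless Service. The namespace derp, the names derper-tok and example.com, the anti-affinity rule and the reduced securityContext are assumptions made for illustration; the HTTP port (80) follows the derper binary's default, and each resulting DERP_DOMAIN still needs a public DNS record pointing at the node its Pod lands on.

```yaml
# Added example for this article: a reconstruction of the StatefulSet plus
# headless Service described in the notes. Not the original converted output;
# the namespace, names and domain are placeholders.
apiVersion: v1
kind: Service
metadata:
  name: derper-tok
  namespace: derp
spec:
  clusterIP: None          # headless: exists only so the StatefulSet gets stable Pod names
  selector:
    app: derper-tok
  ports:
    - name: https
      port: 443
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: derper-tok
  namespace: derp
spec:
  serviceName: derper-tok
  replicas: 3              # Pods are derper-tok-0, derper-tok-1, derper-tok-2 (ordinals start at 0)
  selector:
    matchLabels:
      app: derper-tok
  template:
    metadata:
      labels:
        app: derper-tok
    spec:
      hostNetwork: true    # derper binds 80/443/3478 directly on the node
      dnsPolicy: ClusterFirstWithHostNet
      affinity:
        podAntiAffinity:   # one derper per node; a second Pod on the same node could not bind 443
          requiredDuringSchedulingIgnoredDuringExecution:
            - labelSelector:
                matchLabels:
                  app: derper-tok
              topologyKey: kubernetes.io/hostname
      containers:
        - name: derper
          image: fredliang/derper:latest   # pin a tag or digest in production
          env:
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: DOMAIN
              value: example.com
            - name: DERP_DOMAIN            # derper-tok-0.example.com, derper-tok-1.example.com, ...
              value: "$(MY_POD_NAME).$(DOMAIN)"
            - name: DERP_CERT_MODE         # Let's Encrypt; restarts re-request certificates unless the
              value: letsencrypt           # image's cert directory is on a persistent volume
            - name: DERP_VERIFY_CLIENTS    # accept only nodes of the tailnet the local tailscaled is in
              value: "true"
          ports:
            - containerPort: 80            # HTTP listener: redirect plus ACME HTTP-01 challenges
              protocol: TCP
            - containerPort: 443           # DERP over HTTPS
              protocol: TCP
            - containerPort: 3478          # STUN
              protocol: UDP
          securityContext:
            # derper is a plain userspace HTTPS/STUN server. Binding ports below 1024
            # needs CAP_NET_BIND_SERVICE (or root); it needs neither NET_ADMIN nor
            # privileged: true, and with hostNetwork a privileged container would
            # effectively be root on the node.
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
              add: ["NET_BIND_SERVICE"]
          volumeMounts:
            - name: tailscaled-sock
              mountPath: /var/run/tailscale/tailscaled.sock
      volumes:
        - name: tailscaled-sock
          hostPath:
            path: /run/tailscale/tailscaled.sock
            type: Socket   # fail fast if tailscaled is not running on the node
```

The hostPath type Socket makes the Pod fail to start if tailscaled is not running on that node, which is what you want: with DERP_VERIFY_CLIENTS set, a derper without a reachable local tailscaled cannot verify anyone and would refuse every client.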
The details are as follows:
- Why a StatefulSet rather than a Deployment or DaemonSet: I want each relay to have a predictable domain name of the form derper-tok-N.example.com. With a StatefulSet the Pod name is stable (derper-tok-0, derper-tok-1, ... by default; the ordinal starts at 0 unless spec.ordinals.start is set, which Kubernetes 1.27 and newer support), so the domain can be derived from the Pod name. With a Deployment or DaemonSet the Pod name carries a random suffix and every domain would have to be configured by hand.
- The K8s Service exists purely because a StatefulSet requires a headless Service; nothing actually connects through it.
- The domain name is assembled from the Pod name: MY_POD_NAME comes from the downward API, DOMAIN is the base domain, and DERP_DOMAIN is $(MY_POD_NAME).$(DOMAIN). Each resulting name needs a public DNS record pointing at the node the Pod runs on, otherwise the certificate request and the clients will not find it.
- DERP_CERT_MODE: newer derper versions can obtain a Let's Encrypt certificate automatically (letsencrypt mode), which is much more convenient than managing certificates by hand.
- DERP_VERIFY_CLIENTS: true makes the relay accept only nodes that belong to your own tailnet, so nobody else can use your DERP server. It requires a tailscaled on the same host (see the volumes below).
- The image fredliang/derper:latest is used directly.
- securityContext: derper is an ordinary userspace HTTPS/STUN server. The only privilege it needs is the ability to bind ports below 1024, that is CAP_NET_BIND_SERVICE or running as root. It does not need NET_ADMIN, and privileged: true should not be added: combined with hostNetwork, a privileged container is effectively root on the node, so grant the single capability and drop the rest.
- hostNetwork: true uses the node's network namespace directly, so ports 443 and 3478 (and derper's HTTP port, 80 by default) are bound on the K8s Node itself. Simple and brutal: if those ports are already in use you must change them or not use this mode, and only one derper Pod can run per node.
- volumeMounts and volumes: the tailscaled socket on the K8s Node, /run/tailscale/tailscaled.sock, is mounted into the DERP container at /var/run/tailscale/tailscaled.sock. With DERP_VERIFY_CLIENTS: true the derper asks that local tailscaled whether each connecting client is a member of the tailnet and rejects everything else.
That's it: kubectl apply and you're done.
🎉🎉🎉
Summary
This article is deliberately narrow: it covers one scenario, installing a DERP server in K8s, with little surrounding context, so look up the individual pieces yourself if you are interested.
There may be time for an article on installing tailscale in K8s later.
After installation, open the ACL (tailnet policy file) in the Tailscale admin console and add a region containing the new DERP domains to derpMap; until you do, your clients will not know the relay exists.
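The fragment below is an added example of that derpMap entry, not copied from the article or from Tailscale's documentation; it goes alongside the other keys of the policy file, which is HuJSON (JSON with comments allowed). The hostnames match the StatefulSet naming above, the 203.0.113.x addresses are documentation placeholders, and region IDs 900 to 999 are the range Tailscale reserves for custom regions. Each derper gets its own region because derpers in one region must be meshed with each other to relay between clients that connected to different nodes; un-meshed relays sharing a region would silently fail for some pairs of peers.

```json
{
  "derpMap": {
    "OmitDefaultRegions": false,
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "tok0",
        "RegionName": "Tokyo self-hosted 0",
        "Nodes": [
          {
            "Name": "900a",
            "RegionID": 900,
            "HostName": "derper-tok-0.example.com",
            "IPv4": "203.0.113.10",
            "DERPPort": 443,
            "STUNPort": 3478
          }
        ]
      },
      "901": {
        "RegionID": 901,
        "RegionCode": "tok1",
        "RegionName": "Tokyo self-hosted 1",
        "Nodes": [
          {
            "Name": "901a",
            "RegionID": 901,
            "HostName": "derper-tok-1.example.com",
            "IPv4": "203.0.113.11",
            "DERPPort": 443,
            "STUNPort": 3478
          }
        ]
      }
    }
  }
}
```

Leave OmitDefaultRegions at false unless you are sure every node can always reach your own relays: setting it to true removes Tailscale's public DERP servers from the map, so an outage of your relay also takes down relayed connectivity for the whole tailnet. The HostName must be the name on the relay's Let's Encrypt certificate, so it has to equal the Pod's DERP_DOMAIN.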
Finally, you can verify it with tailscale netcheck, which lists the DERP regions it could reach and their latencies; your new region should appear there.
Reference documentation
- Custom DERP Servers - Tailscale
- fredliang/derper - Docker Image | Docker Hub
- Tailscale Basic Tutorial: Deploying a Private DERP Relay Server - CloudNative Labs
- Self-hosting a fallback DERP relay server for Headscale | Junyao Xian Sen (junyao.tech)
- My server series: tailscale using custom derper server (docker deployment) - 霖的个人开发笔记 (linshenkx.cn)
- Tailscale on Kubernetes - Tailscale