> **Important**
> This project is considered feature-complete: it already does what it is intended to do.
> I may add small improvements or fixes when necessary, but no major new features are planned.
> You are welcome to contribute, or to fork the project to extend it further.
This playbook helps you self-host a Tailscale DERP server on Ubuntu/Debian. It is designed to run on bare metal, since DERP does not work reliably behind firewalls, NAT, or load balancers: custom DERP servers must be directly reachable on a publicly accessible network.
Tailscale does not provide automatic updates for DERP, so this playbook configures a cron job to keep it up to date (Tailscale docs).
For security, the playbook restricts access so that only DERP traffic is allowed.
This includes:

- self-update (Debian/Ubuntu only)
- SSH hardening (don't forget to add your SSH keys so you do not get locked out)
- firewall (UFW)
  - allows only ports 80, 443 and 3478 (STUN)
- fail2ban
  - includes a configurable report to AbuseIPDB
  - blocks blacklisted IPs from the ipsum list; the level defaults to 3 (moderate) and is configurable from 1 to 8
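The blocklist level is easiest to understand by filtering a list at different levels. The following is an added Python example, not the playbook's own tasks: it assumes the ipsum.txt layout of one `IP<TAB>count` line per address (count being the number of source blocklists that list it, `#` starting a comment), keeps addresses at or above the chosen level, refuses to block RFC 1918 or loopback ranges and an explicit allowlist so a poisoned feed cannot lock the operator out, and renders `ipset restore` input. The sample feed, the set name `blocklist` and all addresses in it are constructed placeholders.

```python
import ipaddress

# Constructed sample in the ipsum.txt layout: "<ipv4>\t<count>" per line, where
# count is how many upstream blocklists listed that address; "#" starts a comment.
SAMPLE_IPSUM = (
    "# IP\tnumber of (black)lists\n"
    "203.0.113.10\t8\n"
    "198.51.100.7\t3\n"
    "192.0.2.44\t1\n"
    "not-an-ip\t5\n"       # malformed line, must be skipped
    "10.0.0.5\t6\n"        # RFC 1918 address, must never be blocked
    "198.51.100.7\t3\n"    # duplicate entry
)

# Ranges a public-facing blocklist must never touch, however the feed looks.
LOCAL_NETS = [
    ipaddress.IPv4Network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_ipsum(text, level=3, never_block=()):
    """Return the set of addresses listed by at least `level` blocklists.

    `level` mirrors the playbook's 1-8 setting: 1 blocks anything seen on any
    list (aggressive, more false positives), 8 blocks only addresses every
    source agrees on (conservative). `never_block` is an allowlist (for example
    the admin's own IP) that is skipped regardless of its count.
    """
    if not 1 <= level <= 8:
        raise ValueError("level must be between 1 and 8")
    allow = {str(ipaddress.IPv4Address(ip)) for ip in never_block}
    blocked = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split("\t")
        if len(parts) != 2:
            continue
        try:
            ip = ipaddress.IPv4Address(parts[0])
            count = int(parts[1])
        except ValueError:
            continue  # skip malformed lines rather than passing garbage to ipset
        if any(ip in net for net in LOCAL_NETS) or str(ip) in allow:
            continue
        if count >= level:
            blocked.add(str(ip))
    return blocked


def ipset_restore_lines(set_name, ips):
    """Render `ipset restore` input that (re)creates the set idempotently.

    `-exist` makes both the create and the add commands safe to re-run from a
    cron job, which is how a periodic refresh is normally applied.
    """
    lines = [f"create {set_name} hash:ip -exist"]
    lines += [f"add {set_name} {ip} -exist"
              for ip in sorted(ips, key=ipaddress.IPv4Address)]
    return lines


if __name__ == "__main__":
    for level in (1, 3, 8):
        print(f"level {level}: {sorted(parse_ipsum(SAMPLE_IPSUM, level))}")
    print("\n".join(ipset_restore_lines("blocklist", parse_ipsum(SAMPLE_IPSUM))))
```

Feeding the rendered lines to `ipset restore` (as root) would populate the set; the UFW or iptables rule that matches the set is a separate step and is not shown here.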
Adjust host-specific settings (domain, region, IP, etc.) directly in inventory.ini to suit your environment.
```sh
git clone https://github.com/eznix86/tailscale-derper-ansible.git
cd tailscale-derper-ansible
# Edit inventory.ini as needed
cp inventory.ini.example inventory.ini
ansible-playbook -i inventory.ini derper.yaml
```

`NOTES.txt` will be generated locally containing the DERP map snippet for the Tailscale access control panel.

- If you use Cloudflare, disable the proxy.
To check whether the DERP service is running on your node:

```sh
systemctl status derper
journalctl -u derper

# list IPs which are blocked
fail2ban-client status sshd

# firewall status
ufw status

# blocked list from https://github.com/stamparm/ipsum
ipset list
```

Verify that your DERP is accessible:
```sh
tailscale status          # you should see what you specified as your derper_region_code
tailscale netcheck        # if your derper is close to you, you should see it first
tailscale debug derp-map  # you should see the config you added on Tailscale
```

If you want to fall back to the DERP servers provided by Tailscale when yours is down, set `"OmitDefaultRegions"` to `false`; Tailscale will always use the first region reported by `tailscale netcheck`.
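The snippet in `NOTES.txt` is a `derpMap` object for the tailnet policy file. The following added Python example (not the playbook's own generator) builds one from inventory-style values and validates them before they reach the policy, and its docstring spells out what `OmitDefaultRegions` changes. The region id 900, the code `myderp`, the host `derp.example.com` and the address are constructed placeholders; the region-id range check follows the 900-999 range the linked Tailscale docs give for custom regions.

```python
import ipaddress
import json
import re

# Hostname check: dot-separated labels of letters, digits and inner hyphens.
HOSTNAME_RE = re.compile(
    r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)


def build_derp_map(region_id, region_code, region_name, host_name, ipv4,
                   ipv6=None, omit_default_regions=True):
    """Return the "derpMap" object for the tailnet policy file.

    omit_default_regions=True: clients use only this relay, so if the host is
    down, peers that cannot connect directly have no relay at all.
    omit_default_regions=False: Tailscale's own regions stay available as a
    fallback; clients still pick the lowest-latency region, which is what
    `tailscale netcheck` shows first.
    """
    if not 900 <= region_id <= 999:
        raise ValueError("custom DERP regions use IDs 900-999, away from built-in regions")
    if not HOSTNAME_RE.match(host_name):
        raise ValueError(f"invalid hostname: {host_name!r}")
    node = {
        "Name": f"{region_code}-1",  # must be unique within the region
        "RegionID": region_id,
        "HostName": host_name,       # must match the certificate the DERP serves on 443
        "IPv4": str(ipaddress.IPv4Address(ipv4)),
    }
    if ipv6 is not None:
        node["IPv6"] = str(ipaddress.IPv6Address(ipv6))
    return {
        "derpMap": {
            "OmitDefaultRegions": omit_default_regions,
            "Regions": {
                str(region_id): {
                    "RegionID": region_id,
                    "RegionCode": region_code,
                    "RegionName": region_name,
                    "Nodes": [node],
                }
            },
        }
    }


def to_policy_snippet(derp_map):
    """Serialise the map as the JSON fragment pasted into the policy file."""
    return json.dumps(derp_map, indent=2)


if __name__ == "__main__":
    # Constructed placeholder values standing in for inventory.ini settings.
    derp_map = build_derp_map(900, "myderp", "My DERP", "derp.example.com",
                              "203.0.113.10", omit_default_regions=False)
    print(to_policy_snippet(derp_map))
```

After pasting the fragment, `tailscale debug derp-map` on a client should list the new region, and `tailscale netcheck` should show it with a latency.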
For further details, RTFM: https://tailscale.com/kb/1118/custom-derp-servers.
If you see something missing, please contribute.