Environment Overview
This setup is based on a Tencent Cloud lightweight server running the Ubuntu Server 24.04 image. The server has Baota (BT Panel) installed manually and is configured with WordPress to host the website. The domain is already registered and has a Let’s Encrypt SSL certificate for encryption. The Tailscale client is also installed on the server.
Changing the Default Port
By default, the DERP service uses HTTPS port 443, which is already used by the WordPress website on this server. Therefore, we need to change the default port. In this example, we use port 2333 as a replacement.

According to the official documentation, UDP port 3478 and TCP port 443 must be open; because this setup replaces 443 with 2333, the TCP port to open here is 2333. Allow these ports in both the Tencent Cloud security group settings and Baota’s firewall settings, selecting the correct protocol (UDP vs. TCP) for each. If you need other services (e.g., Windows Remote Desktop), you can open the appropriate port (e.g., 3389), but it is recommended to move it off the default port to reduce exposure to scanning. This is not covered in detail here.
Certificate Handling
After SSH’ing into the server, note that the DERP service cannot read the certificates issued by Baota directly because of file permissions, so we copy them manually. The certificate path may vary depending on the Baota version. Based on testing, there is no need to convert the certificate format; just rename the files as shown below.
Copy the certificate and key to the DERP directory:
sudo cp /www/server/panel/vhost/cert/your-domain/fullchain.pem ~/derper-path/your-domain.crt
sudo cp /www/server/panel/vhost/cert/your-domain/privkey.pem ~/derper-path/your-domain.key
Change the ownership to the appropriate user (e.g., `ubuntu`):
sudo chown ubuntu:ubuntu ~/derper-path/your-domain.crt
sudo chown ubuntu:ubuntu ~/derper-path/your-domain.key
Test Run the DERP Service
Run this command:
sudo ~/go/bin/derper -hostname your-domain -c ~/derper-path/derper.conf -http-port=-1 -a :2333 -stun -certmode manual -certdir ~/derper-path/ -verify-clients
Explanation of key options:
– `-a :2333`: Use custom port 2333
– `-http-port=-1`: Disable HTTP access; allow only HTTPS
– `-certmode manual -certdir`: Manual certificate mode and the directory holding `your-domain.crt` and `your-domain.key` (derper looks for files named after the `-hostname` value, which is why the copies were renamed above)
– `-verify-clients`: Restrict DERP access to authenticated clients only (important for security)
If successful, visiting `https://your-domain:2333/` should show the DERP server page.

Configure in Tailscale Admin Console
Go to the Access controls section and configure a custom DERP server:
"derpMap": {
    "OmitDefaultRegions": false,
    "Regions": {
        "900": {
            "RegionID": 900,
            "RegionCode": "tencent derper",
            "Nodes": [{
                "Name": "1",
                "RegionID": 900,
                "HostName": "your-domain",
                "DERPPort": 2333,
                "IPv4": "your-server-v4-address",
                "IPv6": "your-server-v6-address"
            }]
        }
    }
}
– `OmitDefaultRegions`: Set to `true` if you want to use only your own DERP server.
– `RegionID`: Any value that doesn’t conflict with the official regions; 900 is used here.
– `DERPPort`: Use the port that replaced 443.
After applying the configuration, reconnect a Tailscale client. If successful, you’ll see Relay #900 under Machine Details. Since the server is in China, latency is much lower compared to official servers. If `OmitDefaultRegions` is set to `true`, you will only see region 900.

Create systemd Service for Auto Start
Create the service file:
sudo vim /etc/systemd/system/derper.service
Content:
[Unit]
Description=DERP Relay Server
After=network.target

[Service]
Type=simple
User=ubuntu
ExecStart=/home/ubuntu/go/bin/derper \
    -hostname your-domain \
    -c=/home/ubuntu/derper-path/derper.conf \
    -http-port=-1 \
    -a :2333 \
    -stun \
    -certmode manual \
    -certdir /home/ubuntu/derper-path/ \
    -verify-clients
Restart=on-failure
RestartSec=5

[Install]
WantedBy=multi-user.target
Note: Replace `~/` with the full path like `/home/ubuntu/`, as systemd doesn’t parse `~`. If the test run above was done with sudo, also check that the files under `/home/ubuntu/derper-path/` (including `derper.conf`, which derper creates if it is missing) are owned by `ubuntu`, since the service runs as `User=ubuntu`.
Reload and Start the Service
sudo systemctl daemon-reexec
sudo systemctl daemon-reload
sudo systemctl enable derper
sudo systemctl start derper
Check service status:
sudo systemctl status derper

View Logs
To view logs:
journalctl -u derper
Stop or Restart the Service
sudo systemctl stop derper
sudo systemctl restart derper
Finally, restart the server manually to verify the DERP service auto-starts correctly.
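Let’s Encrypt certificates renew every 90 days, so the manual copy from the Certificate Handling section goes stale unless it is repeated. The following script is an added example, not part of the original post: it re-copies the Baota certificate into the derper directory, checks that the certificate and key match and are not about to expire, gives the key owner-only permissions, and restarts the `derper` systemd service only when the certificate actually changed. The Baota and derper paths, the `ubuntu` owner and the `derper` service name are assumptions carried over from the steps above.

```shell
# Added example (not from the original post). Paths, owner and domain are
# assumptions taken from the steps above; override them via the environment.
set -eu

SRC_DIR="${SRC_DIR:-/www/server/panel/vhost/cert/your-domain}"   # Baota cert dir
DST_DIR="${DST_DIR:-/home/ubuntu/derper-path}"                    # derper -certdir
DOMAIN="${DOMAIN:-your-domain}"                                   # derper -hostname
OWNER="${OWNER:-ubuntu}"                                          # systemd User=

# Succeeds only if the certificate's public key matches the private key and
# the certificate stays valid for at least 7 more days (604800 seconds).
check_pair() {
    crt_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout) || return 1
    [ "$crt_pub" = "$key_pub" ] || return 1
    openssl x509 -in "$1" -noout -checkend 604800 >/dev/null
}

# Copy one file with an explicit mode. chown needs root (as in the post's
# sudo cp / chown steps), so it is skipped when run unprivileged.
install_file() {
    cp "$1" "$2"
    chmod "$3" "$2"
    if [ "$(id -u)" -eq 0 ]; then chown "$OWNER:$OWNER" "$2"; fi
}

# Prints "changed" or "unchanged"; returns 2 when the source pair is unusable,
# so a broken renewal never replaces a working certificate.
sync_cert() {
    src_crt="$SRC_DIR/fullchain.pem"; src_key="$SRC_DIR/privkey.pem"
    dst_crt="$DST_DIR/$DOMAIN.crt";   dst_key="$DST_DIR/$DOMAIN.key"
    check_pair "$src_crt" "$src_key" || { echo "unusable cert/key in $SRC_DIR" >&2; return 2; }
    if [ -f "$dst_crt" ] && cmp -s "$src_crt" "$dst_crt"; then
        echo unchanged; return 0
    fi
    install_file "$src_crt" "$dst_crt" 0644   # certificate chain is public
    install_file "$src_key" "$dst_key" 0600   # private key: owner-only
    echo changed
}

# Run as root from cron or a systemd timer: sync-derp-cert.sh --sync
if [ "${1:-}" = "--sync" ]; then
    [ "$(sync_cert)" = changed ] && systemctl restart derper
fi
```

Schedule it to run shortly after Baota’s renewal job so the copy in `-certdir` never lags the live certificate by more than a day.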
Reference Links
https://tailscale.com/kb/1082/firewall-ports
https://zhuanlan.zhihu.com/p/638910565
https://bbs.xcjc.net/viewthread.php?tid=9232