How to install TLS certificate for derp server?

Hello everyone :smiley:

Due to the regional network problem, I need to deploy a private derp server. I used the acme client to apply for the TLS certificate and found the parameter ‘-certdir’ through ‘derper -h’, but I’m not sure what the file name of the certificate should be.

What should I name the CA certificate, certificate chain and private key files?

In addition, worried about the security of the derper server, can I use ACL rules to prohibit the access of the derper server to other nodes without affecting the traffic relay?

derper expects the filename to match the hostname: https://github.com/tailscale/tailscale/blob/888e50e1f6d71bd40a0b1f9267cda4cbcbfa53fd/cmd/derper/cert.go#L57

In addition, worried about the security of the derper server, can I use ACL rules to prohibit the access of the derper server to other nodes without affecting the traffic relay?

If you run tailscale on the DERP node and join it to your tailnet, and pass -verify-clients to derper, it will only allow connection by nodes which are joined to your tailnet.


Thanks for your reply. I have successfully configured the TLS certificate.

Although the -verify-clients parameter can limit that only my node can use derp, I don’t want derp to access other nodes after joining tailnet (it can only relay traffic and not allow access to other nodes of tailnet). Can I use ACL rules to limit it? (let derp log in to tailnet purely to use the -verify-clients parameter)

I’d suggest adding a tag to the DERP node, and using ACLs to prevent that tag from connecting to anything. It merely needs to be joined to the Tailnet in order to see what nodes are allowed to connect to DERP; it doesn’t need to be able to connect to anything.

One note: you’ll need ACLs to allow the other nodes on your tailnet to connect to the DERP. If you block traffic in both directions, a feature called netmap trimming will remove the nodes from each other’s netmap. They won’t be told about the existence of the other node, and that would break the DERP’s -verify-clients handling as it would no longer know what clients to allow.

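A policy file that implements the advice above (tag the DERP node, give it no outbound rules, but let the rest of the tailnet reach it so netmap trimming does not hide the nodes from its -verify-clients check). This is an added example, not taken from the thread; the tag name tag:derp and the test IP are assumptions, and it assumes derper on its default ports 443/TCP and 3478/UDP.

```json
// Tailscale ACL policy (HuJSON). Constructed example; tag name and IPs are assumptions.
{
  // Only admins may apply tag:derp to the node running derper + tailscaled.
  "tagOwners": {
    "tag:derp": ["autogroup:admin"],
  },

  // ACLs are an allow-list: any src/dst pair not listed here is denied.
  "acls": [
    // Every node may reach the DERP node on its TLS and STUN ports.
    // This one-directional rule keeps the DERP node and the other nodes
    // in each other's netmap, which -verify-clients relies on.
    {
      "action": "accept",
      "src":    ["*"],
      "dst":    ["tag:derp:443", "tag:derp:3478"],
    },
    // Deliberately no rule with "src": ["tag:derp"]: the DERP node can
    // relay traffic but cannot initiate connections to any tailnet node.
  ],

  // Policy tests: the admin console rejects the file if these fail.
  "tests": [
    {
      // 100.64.0.10 stands in for an ordinary member node (assumed address).
      "src":  "tag:derp",
      "deny": ["100.64.0.10:22", "100.64.0.10:443"],
    },
  ],
}
```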

According to your instructions, I unilaterally prohibited other nodes from accessing derp. After confirmation, the tailscale of derp has obtained the information of other nodes, and other nodes can also access each other through derp.

Thank you very much for your answer!