derper-docker/README.md

# Derper

[![docker workflow](https://github.com/fredliang44/derper-docker/actions/workflows/docker-image.yml/badge.svg)](https://hub.docker.com/r/fredliang/derper)
[![docker pulls](https://img.shields.io/docker/pulls/fredliang/derper.svg?color=brightgreen)](https://hub.docker.com/r/fredliang/derper)
[![platfrom](https://img.shields.io/badge/platform-amd64%20%7C%20arm64-brightgreen)](https://hub.docker.com/r/fredliang/derper/tags)

# Setup

> required: set env `DERP_DOMAIN` to your domain

```bash
docker run -e DERP_DOMAIN=derper.your-domain.com -p 80:80 -p 443:443 -p 3478:3478/udp fredliang/derper
```

| env                    | required | description                                                                 | default value     |
| -------------------    | -------- | ----------------------------------------------------------------------      | ----------------- |
| DERP_DOMAIN            | true     | derper server hostname                                                      | your-hostname.com |
| DERP_CERT_DIR          | false    | directory to store LetsEncrypt certs(if addr's port is :443)                | /app/certs        |
| DERP_CERT_MODE         | false    | mode for getting a cert. possible options: manual, letsencrypt              | letsencrypt       |
| DERP_ADDR              | false    | listening server address                                                    | :443              |
| DERP_STUN              | false    | also run a STUN server                                                      | true              |
| DERP_STUN_PORT         | false    | The UDP port on which to serve STUN.                                        | 3478              |
| DERP_HTTP_PORT         | false    | The port on which to serve HTTP. Set to -1 to disable                       | 80                |
| DERP_VERIFY_CLIENTS    | false    | verify clients to this DERP server through a local tailscaled instance      | false             |
| DERP_VERIFY_CLIENT_URL | false    | if non-empty, an admission controller URL for permitting client connections | ""                |

# Usage

Fully DERP setup offical documentation: https://tailscale.com/kb/1118/custom-derp-servers/

## Client verification

In order to use `DERP_VERIFY_CLIENTS`, the container needs access to Tailscale's Local API, which can usually be accessed through `/var/run/tailscale/tailscaled.sock`. If you're running Tailscale bare-metal on Linux, adding this to the `docker run` command should be enough: `-v /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock`
feat: init container 2021-09-25 18:29:17 +08:00			`# Derper`
fix: fix readme udp sample & certificate package for letsencrypt, close https://github.com/fredliang44/derper-docker/issues/5 2022-01-28 21:57:33 +08:00
			`[![docker workflow](https://github.com/fredliang44/derper-docker/actions/workflows/docker-image.yml/badge.svg)](https://hub.docker.com/r/fredliang/derper)`
			`[![docker pulls](https://img.shields.io/docker/pulls/fredliang/derper.svg?color=brightgreen)](https://hub.docker.com/r/fredliang/derper)`
docs: add docker hub link 2022-01-09 23:31:37 +08:00			`[![platfrom](https://img.shields.io/badge/platform-amd64%20%7C%20arm64-brightgreen)](https://hub.docker.com/r/fredliang/derper/tags)`
feat: init container 2021-09-25 18:29:17 +08:00
			`# Setup`

fix: fix env docs, close #3 2021-12-24 18:56:39 +08:00			> required: set env `DERP_DOMAIN` to your domain
feat: init container 2021-09-25 18:29:17 +08:00
			```bash
fix: fix readme udp sample & certificate package for letsencrypt, close https://github.com/fredliang44/derper-docker/issues/5 2022-01-28 21:57:33 +08:00			`docker run -e DERP_DOMAIN=derper.your-domain.com -p 80:80 -p 443:443 -p 3478:3478/udp fredliang/derper`
feat: init container 2021-09-25 18:29:17 +08:00			```
docs: update REAMDME.md 2021-09-25 19:14:49 +08:00
feat: add DERP_VERIFY_CLIENT_URL Signed-off-by: 117503445 <t117503445@gmail.com> 2024-07-01 20:36:19 +08:00			`\| env \| required \| description \| default value \|`
			`\| ------------------- \| -------- \| ---------------------------------------------------------------------- \| ----------------- \|`
			`\| DERP_DOMAIN \| true \| derper server hostname \| your-hostname.com \|`
			`\| DERP_CERT_DIR \| false \| directory to store LetsEncrypt certs(if addr's port is :443) \| /app/certs \|`
			`\| DERP_CERT_MODE \| false \| mode for getting a cert. possible options: manual, letsencrypt \| letsencrypt \|`
			`\| DERP_ADDR \| false \| listening server address \| :443 \|`
			`\| DERP_STUN \| false \| also run a STUN server \| true \|`
			`\| DERP_STUN_PORT \| false \| The UDP port on which to serve STUN. \| 3478 \|`
			`\| DERP_HTTP_PORT \| false \| The port on which to serve HTTP. Set to -1 to disable \| 80 \|`
			`\| DERP_VERIFY_CLIENTS \| false \| verify clients to this DERP server through a local tailscaled instance \| false \|`
			`\| DERP_VERIFY_CLIENT_URL \| false \| if non-empty, an admission controller URL for permitting client connections \| "" \|`
feat: support more derper sever flags 2021-09-25 21:24:51 +08:00
docs: update REAMDME.md 2021-09-25 19:14:49 +08:00			`# Usage`
feat: support more derper sever flags 2021-09-25 21:24:51 +08:00
docs: update REAMDME.md 2021-09-25 19:14:49 +08:00			`Fully DERP setup offical documentation: https://tailscale.com/kb/1118/custom-derp-servers/`
Add verify clients usage instructions 2023-12-10 20:52:20 +08:00
			`## Client verification`

			In order to use `DERP_VERIFY_CLIENTS`, the container needs access to Tailscale's Local API, which can usually be accessed through `/var/run/tailscale/tailscaled.sock`. If you're running Tailscale bare-metal on Linux, adding this to the `docker run` command should be enough: `-v /var/run/tailscale/tailscaled.sock:/var/run/tailscale/tailscaled.sock`