在 Ubuntu 22.04|20.04 上安装和配置 Headscale

2024-07-08

Headscale is an open-source implementation of the Tailscale coordination server. Tailscale has been around for a while; it lets users build secure networks in which many devices connect to each other seamlessly regardless of where they are physically located. In short, Tailscale makes deploying and managing a VPN far easier and more user-friendly.

Tailscale builds a secure mesh network in which every connected device can talk to every other device as if they were on the same local network. Headscale is developed independently and is entirely separate from Tailscale the company: it replaces only the coordination (control plane) server, while the unmodified Tailscale clients are pointed at it. In this article we install, configure and use Headscale to build a mesh network and connect your devices to it.

1. Download the Headscale apt package

Update the system's apt package index.

sudo apt update

Visit the Headscale releases page on GitHub; the tag names give you the latest stable version number. The snippet below reads it from the GitHub API and downloads the matching .deb:

VERSION=$(curl --silent "https://api.github.com/repos/juanfont/headscale/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^"]+)".*/\1/' | sed 's/v//')
wget https://github.com/juanfont/headscale/releases/download/v${VERSION}/headscale_${VERSION}_linux_amd64.deb

Once downloaded, install the package with apt.

sudo apt install -f ./headscale_${VERSION}_linux_amd64.deb

Enable the service so that it starts at boot.

sudo systemctl enable headscale
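The one-liner above trusts whatever tag_name the GitHub API returns, interpolates it straight into a URL and a filename, and installs the .deb unchecked. The script below is an added example (not from the original page or the Headscale project) that validates the version string before using it and verifies the package against a SHA-256 digest you recorded from the release page. The install_headscale function, its digest argument and the use of wget and apt with a pinned version are illustrative assumptions; the two check functions run offline.

```sh
#!/bin/sh
# Added example: the fetch-and-install flow with two checks the one-liner lacks.
# 1) the tag_name taken from the GitHub API is validated before it is used in
#    a URL and a filename; 2) the .deb is verified against a SHA-256 digest
#    you copied from the release page before apt installs it.

# Extract the version from a "releases/latest" JSON body (leading "v" removed).
# Only a plain dotted version such as 0.22.3 is accepted; anything else fails.
extract_version() {
    json=$1
    tag=$(printf '%s' "$json" \
        | grep -o '"tag_name"[[:space:]]*:[[:space:]]*"[^"]*"' \
        | head -n 1 | sed -E 's/.*"([^"]*)"$/\1/' || true)
    tag=${tag#v}
    case "$tag" in
        ''|*[!0-9.]*) echo "refusing unexpected tag_name: '$tag'" >&2; return 1 ;;
    esac
    printf '%s\n' "$tag"
}

# Compare FILE's SHA-256 with EXPECTED; non-zero on mismatch.
verify_sha256() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# Pinned install: VERSION and EXPECTED_SHA come from your own notes, not from
# the network. Needs network access and root; not exercised by the checks.
install_headscale() {
    version=$1; expected_sha=$2
    deb="headscale_${version}_linux_amd64.deb"
    wget -q "https://github.com/juanfont/headscale/releases/download/v${version}/${deb}"
    if ! verify_sha256 "$deb" "$expected_sha"; then
        echo "checksum mismatch for $deb, not installing" >&2
        rm -f "$deb"
        return 1
    fi
    sudo apt install -y "./$deb"
}
```

Record the digest once, from the release page or from a machine you trust, and keep it next to the pinned version; a mismatch on a later download then tells you that either the artifact or your path to it changed.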

2. Configure the Headscale service

Adjust Headscale's settings by editing /etc/headscale/config.yaml:

sudo vim /etc/headscale/config.yaml

The notable parameters are:

# The url clients will connect to.
server_url: http://127.0.0.1:8080

# Address to listen to / bind to on the server
listen_addr: 127.0.0.1:8080

# Address to listen to /metrics, you may want
metrics_listen_addr: 127.0.0.1:9090

listen_addr controls where the server binds; server_url is the URL that clients dial and that is embedded in every registration link, so it must be an address clients can actually reach (a DNS name or a routable IP), never 0.0.0.0. To bind the server on all interfaces:

listen_addr: 0.0.0.0:8080

Or on a specific IP address, with server_url pointing at that same address:

server_url: http://192.168.20.10:8080
listen_addr: 192.168.20.10:8080

If Nginx will terminate TLS in front of Headscale (section 3), keep listen_addr and metrics_listen_addr on 127.0.0.1 so that the plaintext coordination port and the unauthenticated /metrics endpoint are not reachable from outside the host.
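As an added example (not part of the original page), a small audit of these three settings that flags the mistakes this section invites: a server_url clients cannot reach, a cleartext server_url, and listeners exposed beyond loopback while a reverse proxy fronts the server. It assumes the flat key: value layout of the shipped config file for these three keys; the path is whatever you pass in.

```sh
#!/bin/sh
# Added example: audit server_url / listen_addr / metrics_listen_addr in a
# Headscale config.yaml for a deployment behind a TLS-terminating Nginx on
# the same host.

# Print the value of a top-level KEY in FILE (quotes stripped, first match).
yaml_value() {
    sed -n -E "s/^$1:[[:space:]]*//p" "$2" | head -n 1 | tr -d "\"'"
}

# Return 0 when the config is sane; print one line per finding otherwise.
audit_headscale_config() {
    cfg=$1; rc=0
    server_url=$(yaml_value server_url "$cfg")
    listen=$(yaml_value listen_addr "$cfg")
    metrics=$(yaml_value metrics_listen_addr "$cfg")

    # server_url is what clients dial and what every registration link embeds.
    case "$server_url" in
        *//0.0.0.0*|*//127.0.0.1*|*//localhost*)
            echo "FAIL server_url=$server_url is not reachable by remote clients"; rc=1 ;;
    esac
    case "$server_url" in
        https://*) ;;
        http://*) echo "WARN server_url=$server_url is cleartext; keys and node state cross the network unencrypted"; rc=1 ;;
        *) echo "FAIL server_url=$server_url has no scheme"; rc=1 ;;
    esac

    # Behind Nginx, the plaintext listener and the unauthenticated /metrics
    # endpoint should only be reachable from this host.
    case "$listen" in
        127.0.0.1:*|localhost:*|\[::1\]:*) ;;
        *) echo "WARN listen_addr=$listen is reachable beyond loopback"; rc=1 ;;
    esac
    case "$metrics" in
        127.0.0.1:*|localhost:*|\[::1\]:*) ;;
        *) echo "FAIL metrics_listen_addr=$metrics exposes /metrics"; rc=1 ;;
    esac
    return $rc
}

# Usage: audit_headscale_config /etc/headscale/config.yaml
```

Run it after every edit of config.yaml and before restarting the service; the WARN on listen_addr is acceptable only when Headscale terminates TLS itself (section 4, tls_cert_path) and no proxy is in front of it.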

Adjust any other parameters to suit your use case and restart the service when you are done.

sudo systemctl restart headscale.service

Check the status of the service with systemctl.

$ systemctl status headscale.service
headscale.service - headscale coordination server for Tailscale
     Loaded: loaded (/lib/systemd/system/headscale.service; enabled; vendor preset: enabled)
     Active: active (running) since Tue 2023-10-03 18:39:12 EAT; 8s ago
   Main PID: 5901 (headscale)
      Tasks: 8 (limit: 19092)
     Memory: 9.4M
        CPU: 68ms
     CGroup: /system.slice/headscale.service
             └─5901 /usr/bin/headscale serve

Okt 03 18:39:12 workstation systemd[1]: Started headscale coordination server for Tailscale.
Okt 03 18:39:12 workstation headscale[5901]: An updated version of Headscale has been found (0.23.0-alpha1 vs. your current v0.22.3). Check it out https://github.com/juanfont/headscale/releases
Okt 03 18:39:12 workstation headscale[5901]: 2023-10-03T18:39:12+03:00 INF Setting up a DERPMap update worker frequency=86400000
Okt 03 18:39:12 workstation headscale[5901]: 2023-10-03T18:39:12+03:00 INF listening and serving HTTP on: 0.0.0.0:9080
Okt 03 18:39:12 workstation headscale[5901]: 2023-10-03T18:39:12+03:00 INF listening and serving metrics on: 0.0.0.0:9090

List the ports the Headscale service is using. Note that in the output above the server was bound to 0.0.0.0:9080 and 0.0.0.0:9090, while the config shown earlier uses port 8080; the Nginx proxy below forwards to 8080 and the Headscale UI container in section 7 publishes host port 9080, so pick one port for Headscale and use it consistently. Once Nginx is in front, keep both listeners on 127.0.0.1: a wildcard bind like the one shown makes the plaintext coordination API and the unauthenticated /metrics endpoint reachable on every interface.

$ ss -tunelp | egrep '9080|9090'
tcp   LISTEN 0      128                *:9080             *:*    users:(("headscale",pid=5901,fd=11)) uid:1002 ino:69679 sk:b cgroup:/system.slice/headscale.service v6only:0 <->
tcp   LISTEN 0      128                *:9090             *:*    users:(("headscale",pid=5901,fd=13)) uid:1002 ino:69680 sk:c cgroup:/system.slice/headscale.service v6only:0 <->

3. Configure an Nginx proxy for Headscale

In this guide we put Nginx in front of Headscale as a reverse proxy. The DNS name to IP address mapping used is:

  • vpn.hirebestengineers.com points to 128.140.96.199

Confirm that the configured DNS record resolves.

$ host vpn.hirebestengineers.com
vpn.hirebestengineers.com has address 128.140.96.199

Install the Nginx web server on the Ubuntu system.

sudo apt install nginx

Create a virtual host for Headscale.

sudo vim /etc/nginx/conf.d/headscale.conf

Paste the following and update the server_name value. X-Forwarded-Proto is set from $scheme (what this proxy actually saw) rather than from the incoming X-Forwarded-Proto header, which a client could set to anything.

map $http_upgrade $connection_upgrade {
    default      keep-alive;
    'websocket'  upgrade;
    ''           close;
}

server {
    listen 80;
    listen [::]:80;

    server_name vpn.hirebestengineers.com;

    location / {
        proxy_pass  http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is what this proxy saw; $http_x_forwarded_proto is whatever the client sent
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
}

Confirm that the Nginx configuration is valid.

$ sudo nginx  -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

Headscale can now be configured with the domain name.

$ sudo vim /etc/headscale/config.yaml
server_url: http://vpn.hirebestengineers.com:80

Restart the Headscale service for the change to take effect.

4. Secure Headscale with a TLS certificate

We will configure Headscale to use TLS. The certificate can be a commercial one, a free Let's Encrypt certificate, or a self-signed one.

Using Let's Encrypt

First install the certbot tool.

sudo apt update && sudo apt install snapd
sudo snap install --classic certbot

Issue a Let's Encrypt certificate for the domain configured in the Nginx headscale.conf file. --register-unsafely-without-email skips the account e-mail; if you want expiry and revocation notices, replace it with -m you@example.com.

DOMAIN=vpn.hirebestengineers.com
sudo certbot --register-unsafely-without-email --agree-tos --nginx -d $DOMAIN

Output on success.

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Account registered.
Requesting a certificate for vpn.hirebestengineers.com

Successfully received certificate.
Certificate is saved at: /etc/letsencrypt/live/vpn.hirebestengineers.com/fullchain.pem
Key is saved at:         /etc/letsencrypt/live/vpn.hirebestengineers.com/privkey.pem
This certificate expires on 2024-01-02.
These files will be updated when the certificate renews.
Certbot has set up a scheduled task to automatically renew this certificate in the background.

Deploying certificate
Successfully deployed certificate for vpn.hirebestengineers.com to /etc/nginx/conf.d/headscale.conf
Congratulations! You have successfully enabled HTTPS on https://vpn.hirebestengineers.com

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
If you like Certbot, please consider supporting our work by:
 * Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
 * Donating to EFF:                    https://eff.org/donate-le
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Certbot injects the TLS configuration into the file automatically; confirm by viewing its contents.

cat /etc/nginx/conf.d/headscale.conf

Restart the Nginx web server.

sudo systemctl restart nginx

Finally update the Headscale configuration and set the URL to the domain over https. This value is embedded in every registration link and is what clients keep dialling afterwards, so set it before enrolling any node.

$ sudo vim /etc/headscale/config.yaml
server_url: https://vpn.hirebestengineers.com:443

Restart the Headscale service.

sudo systemctl restart headscale

Note that if you are not using the Nginx proxy, the certificate can instead be specified in the Headscale configuration file, in which case Headscale terminates TLS itself.

$ sudo vim /etc/headscale/config.yaml
## Use already defined certificates:
tls_cert_path: ""
tls_key_path: ""
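Whichever of the two paths you take, check what is actually served. The functions below are an added example (not from the page or from either project): they report days to expiry and whether a certificate is valid for the host named in server_url, from a PEM file or, in check_served_cert, from the live proxy. openssl and GNU date are assumed to be present; hostnames and paths are whatever you pass in.

```sh
#!/bin/sh
# Added example: post-issuance checks for the Headscale TLS endpoint.

# Days until the certificate in PEM file $1 expires (negative once expired).
cert_days_left() {
    end=$(openssl x509 -in "$1" -noout -enddate | cut -d= -f2)
    end_s=$(date -d "$end" +%s)
    now_s=$(date +%s)
    echo $(( (end_s - now_s) / 86400 ))
}

# 0 if the certificate in PEM file $1 is valid for host $2 (SAN/CN match).
cert_matches_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# Hostname part of a server_url such as https://vpn.example.com:443
url_host() {
    printf '%s\n' "$1" | sed -E 's#^[a-z]+://##; s#[:/].*$##'
}

# Live check: fetch the leaf certificate the proxy serves for the host named in
# server_url and run both checks on it. Needs network; not run by the tests.
check_served_cert() {
    url=$1; host=$(url_host "$url"); pem=$(mktemp)
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -out "$pem"
    if ! cert_matches_host "$pem" "$host"; then
        echo "served certificate does not match $host" >&2; rm -f "$pem"; return 1
    fi
    days=$(cert_days_left "$pem"); rm -f "$pem"
    if [ "$days" -le 14 ]; then
        echo "served certificate expires in $days days; check 'certbot renew --dry-run'" >&2
        return 1
    fi
    echo "$host: certificate ok, $days days left"
}

# Usage: check_served_cert https://vpn.hirebestengineers.com:443
```

Wire check_served_cert into a cron job or a monitoring probe: Let's Encrypt certificates last 90 days and certbot's timer normally renews them, but a renewal that silently fails (changed DNS, a firewall now blocking port 80) only shows up as clients refusing to connect to the coordination server.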

Using a custom TLS certificate

If you are using your own certificate, modify the Nginx virtual host as follows (again with X-Forwarded-Proto taken from $scheme rather than from the client-supplied header):

map $http_upgrade $connection_upgrade {
    default      keep-alive;
    'websocket'  upgrade;
    ''           close;
}

server {
    listen 80;
    listen [::]:80;

    listen 443      ssl http2;
    listen [::]:443 ssl http2;

    server_name your_fqdn;

    ssl_certificate <PATH_TO_CERT>;
    ssl_certificate_key <PATH_CERT_KEY>;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is what this proxy saw; $http_x_forwarded_proto is whatever the client sent
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
    }
}

5. Join client devices to the Headscale mesh

Let's create a user called computingforgeeks on the Headscale server.

$ sudo su -
# headscale users create computingforgeeks
User created

Install the Tailscale client

  • Windows client
  • iOS
  • Android
  • Linux
  • macOS

Install Tailscale on Linux

To install tailscale on Linux, run the following command. It pipes a remote script into a root shell; if you would rather review it first, download it with curl -O, read it, then run it with sudo sh.

curl -fsSL https://tailscale.com/install.sh | sudo sh

Check the Tailscale version with the following command.

$ tailscale --version
1.54.1
  tailscale commit: 0a01efc8f894db55d0975d1926fd5347c548a7af
  other commit: 3d05984255c1a1eff11920ebd04033439926aaf8
  go version: go1.21.4

Install on macOS

You can install with Homebrew:

brew install tailscale

Or by running the script.

curl -fsSL https://tailscale.com/install.sh | sudo sh

Register a machine with a pre-authenticated key

New machines can be registered with a pre-authenticated key. Such a key is a bearer credential: anyone holding it can enrol a node into that user's part of the mesh until it expires, so keep expiries short and prefer single-use keys over --reusable where you can.

List the users created on the Headscale server.

$ headscale user list
ID | Name        | Created
1  | myfirstuser | 2023-10-04 14:01:42
2  | jkmutai     | 2023-10-04 14:03:31

First generate a key from the command line:

headscale --user <username> preauthkeys create --reusable --expiration 24h

The command returns a pre-authenticated key, which is used to connect a node to headscale when running the tailscale command:

tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>

Let's look at the example below. Use the https URL configured as server_url; a key sent to a plain http login server crosses the network in cleartext.

# On Headscale server
# headscale --user jkmutai preauthkeys create --reusable --expiration 24h
4763c4f4293b260eff230065378e5668c13db44f4569ed7b

# On Machine to be registered
# tailscale up --login-server https://vpn.hirebestengineers.com --authkey 4763c4f4293b260eff230065378e5668c13db44f4569ed7b

To list a user's pre-authentication keys, use:

headscale preauthkeys --user <username> list

Registering a machine with a pre-auth key prints nothing on the client, but you can confirm from the Headscale server CLI that the new node was added.

# headscale node list
ID | Hostname | Name   | MachineKey | NodeKey | User    | IP addresses                  | Ephemeral | Last seen           | Expiration          | Online | Expired
1  | rocky8   | rocky8 | [s+TG9]    | [QQFV0] | jkmutai | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2023-10-05 17:05:58 | 0001-01-01 00:00:00 | online | no
2  | mail     | mail   | [V8WI2]    | [OvPLb] | jkmutai | 100.64.0.2, fd7a:115c:a1e0::2 | false     | 2023-10-05 17:06:32 | 0001-01-01 00:00:00 | online | no
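The flow above is manual. As an added example (not from the page or the Headscale project), the helpers below wrap it for scripted enrolment: mint a short-lived single-use key, build a client command that reads the key from a file instead of argv, and, since tailscale prints nothing on success, confirm from headscale nodes list output that the host is online. The file: form of --auth-key is assumed to be available on the client's tailscale version, and the ssh sketch at the end is illustrative.

```sh
#!/bin/sh
# Added example: server-side helpers around the pre-auth key flow.

# Mint a key for USER that is single-use and expires after TTL (default 1h).
# Reusable, long-lived keys are bearer credentials for your mesh; use them
# only when automation truly needs them.
mint_preauth_key() {
    user=$1; ttl=${2:-1h}
    headscale preauthkeys --user "$user" create --expiration "$ttl" | tail -n 1
}

# Client command for a key stored in KEYFILE (mode 0600). The "file:" form of
# --auth-key keeps the secret out of argv and shell history; it is a feature of
# recent tailscale releases (assumed available on the client). Refuses a
# cleartext login server, since the key would otherwise be sent in the clear.
join_command() {
    server=$1; keyfile=$2
    case "$server" in
        https://*) ;;
        *) echo "refusing non-https login server: $server" >&2; return 1 ;;
    esac
    printf 'tailscale up --login-server %s --auth-key file:%s\n' "$server" "$keyfile"
}

# Read `headscale nodes list` output on stdin; 0 only if HOST is listed and
# its Online column reads "online". Columns are located by header name so a
# reordered table does not silently break the check.
node_is_online() {
    awk -F'|' -v h="$1" '
        function trim(s) { gsub(/^ +| +$/, "", s); return s }
        NR == 1 {
            for (i = 1; i <= NF; i++) {
                if (trim($i) == "Hostname") hc = i
                if (trim($i) == "Online")   oc = i
            }
            next
        }
        hc && oc && trim($hc) == h && trim($oc) == "online" { found = 1 }
        END { exit (found ? 0 : 1) }'
}

# Typical use on the server (illustrative):
#   key=$(mint_preauth_key jkmutai 30m)
#   printf '%s' "$key" | ssh root@newbox 'umask 077; cat > /root/hs.key'
#   ssh root@newbox "$(join_command https://vpn.hirebestengineers.com /root/hs.key)"
#   headscale nodes list | node_is_online newbox && ssh root@newbox rm -f /root/hs.key
```

Deleting the key file once the node shows as online matters because a reusable key left on disk enrols further nodes until it expires; with a single-use key the file is merely stale.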

Register a machine (interactive login)

On the client machine, run the tailscale login command:

tailscale up --login-server YOUR_HEADSCALE_URL

See the example below.

# tailscale up --login-server http://vpn.hirebestengineers.com

To authenticate, visit:
	https://vpn.hirebestengineers.com:443/register/nodekey:410155d1792d0f81a5f39415a1a418f882208751570c2e5195f7a6842ca44e6a

When you open the link in a browser you are shown the command that registers the machine into the Headscale network. The nodekey in that link is the only thing tying the request to a particular machine, so run the register command only for links you generated yourself.

List the users created on the Headscale server.

$ headscale user list
ID | Name        | Created
1  | myfirstuser | 2023-10-04 14:01:42
2  | jkmutai     | 2023-10-04 14:03:31

Copy and paste the command into the Headscale server terminal, replacing USERNAME with the user you created.

$ headscale nodes register --user computingforgeeks --key nodekey:410155d1792d0f81a5f39415a1a418f882208751570c2e5195f7a6842ca44e6a
Machine rocky8 registered

The syntax for registering a machine through headscale is:

headscale --user <username> nodes register --key <YOUR_MACHINE_KEY>

You can now list the nodes added to the Headscale network.

# headscale node list
ID | Hostname | Name   | MachineKey | NodeKey | User    | IP addresses                  | Ephemeral | Last seen           | Expiration          | Online | Expired
1  | rocky8   | rocky8 | [s+TG9]    | [QQFV0] | jkmutai | 100.64.0.1, fd7a:115c:a1e0::1 | false     | 2023-10-05 16:48:58 | 0001-01-01 00:00:00 | online | no

6. Useful Headscale commands

Delete a node from the network.

headscale node delete -i <ID>

Move a node to another user.

headscale node move  -i  <ID> -u <New-User>

Rename a machine in the network.

headscale node rename  -i  <ID>  <NEW_NAME>

Expire (log out) a machine in the network.

headscale node expire -i <ID>

List pre-auth keys:

headscale preauthkeys --user <username> list

Generate a pre-auth key:

headscale --user <username> preauthkeys create --reusable --expiration <expiry>

Expire a pre-auth key:

headscale preauthkeys --user <username>  expire <key>

Create an API key:

headscale apikeys create --expiration 90d

List API keys:

headscale apikeys list

Expire an API key:

headscale apikeys expire --prefix "<PREFIX>"

Enable routes. A node that advertises a subnet (--advertise-routes on the client) does not expose it until the route is enabled here; enable only the prefixes you intend to make reachable, since every node in the mesh can then reach them unless your ACL policy says otherwise.

# headscale routes list
ID | Machine         | Prefix          | Advertised | Enabled | Primary
2  | pfsense-chaileo | 192.168.88.0/24 | true       | true    | true
3  | pfsense-gulled  | 192.168.89.0/24 | true       | false   | false

# headscale routes enable -r 3
# headscale routes list
ID | Machine         | Prefix          | Advertised | Enabled | Primary
2  | pfsense-chaileo | 192.168.88.0/24 | true       | true    | true
3  | pfsense-gulled  | 192.168.89.0/24 | true       | true    | true

7. Install the Headscale UI

Headscale-UI is a web front end for the Headscale Tailscale-compatible coordination server. We will run it in a Docker container.

Install Docker CE.

sudo apt update
sudo apt install ca-certificates curl gnupg lsb-release

sudo mkdir -p /etc/apt/keyrings
curl -fsSL https://download.docker.com/linux/ubuntu/gpg | sudo gpg --dearmor -o /etc/apt/keyrings/docker.gpg

echo \
  "deb [arch=$(dpkg --print-architecture) signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu \
  $(lsb_release -cs) stable" | sudo tee /etc/apt/sources.list.d/docker.list > /dev/null

sudo apt update
sudo apt install docker-ce docker-ce-cli containerd.io docker-compose-plugin

Create a Compose file for the Headscale UI. The UI is published on host port 9080 bound to loopback only, so it is reachable solely through the Nginx proxy configured below: a port that Docker publishes on 0.0.0.0 is opened directly in the host's iptables rules and bypasses ufw. Port 9080 must also be free, so make sure Headscale itself is not listening there (see section 2).

$ vim docker-compose.yml
version: '3.9'
services:
  headscale-ui:
    container_name: headscale-ui
    image: ghcr.io/gurucomputing/headscale-ui:latest
    pull_policy: always
    restart: unless-stopped
    ports:
        # loopback only; the Nginx proxy below reaches it at 127.0.0.1:9080
        - 127.0.0.1:9080:80

Then start the container.

docker compose up -d

Check the status with the docker command.

$ docker ps
CONTAINER ID   IMAGE                                       COMMAND                  CREATED      STATUS      PORTS                                            NAMES
5fa151abfa99   ghcr.io/gurucomputing/headscale-ui:latest   "/bin/sh -c '/bin/sh…"   9 days ago   Up 9 days   443/tcp, 0.0.0.0:9080->80/tcp, :::9080->80/tcp   headscale-ui

Update the Nginx proxy configuration for Headscale, /etc/nginx/conf.d/headscale.conf, to include the UI (vpn.example.com stands for your own FQDN; the UI container is reached on loopback).

map $http_upgrade $connection_upgrade {
    default      keep-alive;
    'websocket'  upgrade;
    ''           close;
}

server {

    server_name vpn.example.com;

    # Headscale UI container, published on 127.0.0.1:9080 -> container port 80
    location /web/ {
        proxy_pass http://127.0.0.1:9080/web/;
    }

    location / {
        proxy_pass  http://localhost:8080;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host $server_name;
        proxy_redirect http:// https://;
        proxy_buffering off;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # $scheme is what this proxy saw; $http_x_forwarded_proto is whatever the client sent
        proxy_set_header X-Forwarded-Proto $scheme;
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
        add_header 'Access-Control-Allow-Origin' '';
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/vpn.example.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/vpn.example.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}

server {
    if ($host = vpn.example.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name vpn.example.com;
    return 404; # managed by Certbot
}

Restart Nginx after updating the configuration.

sudo systemctl restart nginx

Open the Headscale-UI web interface at https://yourfqdn/web. Click Settings to set the Headscale URL and API key.

If you don't have one, generate an API key on the Headscale server. The UI keeps this key in the browser and it grants full control over the Headscale API, so use the shortest expiry you can work with, restrict who can reach /web/ (for example an IP allow-list in the Nginx location), and expire the key with headscale apikeys expire when it is no longer needed.

headscale apikeys create --expiration 120d

Enter the Headscale URL and API key.

Next read:

  • Join pfSense to the Tailscale/Headscale VPN mesh
