Headscale Basics Tutorial: From Getting Started to Deployment

2024-12-01

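Tailscale is a modern VPN built on top of WireGuard. It works like an overlay network between the computers of your networks, using NAT traversal. See: [Translation] How NAT Traversal Works: Technical Principles and Enterprise Practice (Tailscale, 2020)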

Everything in Tailscale is open source, except the GUI clients for proprietary operating systems (Windows and macOS/iOS) and the control server.

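The control server acts as the exchange point for the WireGuard public keys of the nodes in a Tailscale network. It assigns client IP addresses, creates boundaries between users, allows machines to be shared between users, and exposes the routes that nodes advertise.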

A Tailscale network (tailnet) is the private network that Tailscale assigns to a user, whether that user is a private individual or an organization.

What is Headscale

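Tailscale's control server is not open source, so the open-source community project Headscale aims to provide a self-hosted, open-source alternative to it. Headscale implements the main features of the Tailscale control server and can be deployed inside an enterprise without restrictions, with all network traffic under your own control.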

Headscale deployment

Tutorial environment

debian@Headscale-Guide:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Debian
Description:    Debian GNU/Linux 12 (bookworm)
Release:        12
Codename:       bookworm
The Headscale version is 0.23.0
ARCH is amd64

Linux binary deployment

Deploying Headscale on a machine with a public IP is recommended.

  1. Download the binary from GitHub
wget --output-document=/usr/local/bin/headscale \
 https://github.com/juanfont/headscale/releases/download/v<HEADSCALE VERSION>/headscale_<HEADSCALE VERSION>_linux_<ARCH>

In this tutorial:

  • <HEADSCALE VERSION> is 0.23.0
  • <ARCH> is amd64
debian@Headscale-Guide:~$ sudo wget --output-document=/usr/local/bin/headscale \
 https://github.com/juanfont/headscale/releases/download/v0.23.0/headscale_0.23.0_linux_amd64
 
--2024-10-21 14:13:56--  https://github.com/juanfont/headscale/releases/download/v0.23.0/headscale_0.23.0_linux_amd64
Resolving github.com (github.com)... 20.205.243.166, ::
Connecting to github.com (github.com)|20.205.243.166|:443... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://objects.githubusercontent.com/github-production-release-asset-2e65be/273871859/431a7e24-7ba8-40b9-ba0a-490769efe97a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241021%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241021T141357Z&X-Amz-Expires=300&X-Amz-Signature=87684f6154855a75ad283f1ee435c98df03e8a80c55234ee6693122ecb71ae69&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dheadscale_0.23.0_linux_amd64&response-content-type=application%2Foctet-stream [following]
--2024-10-21 14:13:57--  https://objects.githubusercontent.com/github-production-release-asset-2e65be/273871859/431a7e24-7ba8-40b9-ba0a-490769efe97a?X-Amz-Algorithm=AWS4-HMAC-SHA256&X-Amz-Credential=releaseassetproduction%2F20241021%2Fus-east-1%2Fs3%2Faws4_request&X-Amz-Date=20241021T141357Z&X-Amz-Expires=300&X-Amz-Signature=87684f6154855a75ad283f1ee435c98df03e8a80c55234ee6693122ecb71ae69&X-Amz-SignedHeaders=host&response-content-disposition=attachment%3B%20filename%3Dheadscale_0.23.0_linux_amd64&response-content-type=application%2Foctet-stream
Resolving objects.githubusercontent.com (objects.githubusercontent.com)... 185.199.110.133, 185.199.111.133, 185.199.109.133, ...
Connecting to objects.githubusercontent.com (objects.githubusercontent.com)|185.199.110.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 51593368 (49M) [application/octet-stream]
Saving to: ‘/usr/local/bin/headscale’

/usr/local/bin/headscale                                    100%[=========================================================================================================================================>]  49.20M  12.7MB/s    in 4.6s    

2024-10-21 14:14:04 (10.6 MB/s) - ‘/usr/local/bin/headscale’ saved [51593368/51593368]
  2. Make the headscale binary executable
sudo chmod +x /usr/local/bin/headscale
  3. Add a dedicated user to run headscale:
sudo useradd \
 --create-home \
 --home-dir /var/lib/headscale/ \
 --system \
 --user-group \
 --shell /usr/sbin/nologin \
 headscale
  4. Download the configuration file
sudo mkdir -p /etc/headscale

sudo wget -O /etc/headscale/config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
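  • Edit the configuration file and change server_url to the public IP or domain name.
  • Enabling a random client port is recommended: randomize_client_port: true
  5. Create the service unit file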
sudo touch /etc/systemd/system/headscale.service

Write the following content to it:

[Unit]
After=syslog.target
After=network.target
Description=headscale coordination server for Tailscale
X-Restart-Triggers=/etc/headscale/config.yaml

[Service]
Type=simple
User=headscale
Group=headscale
ExecStart=/usr/local/bin/headscale serve
ExecReload=/usr/bin/kill -HUP $MAINPID
Restart=always
RestartSec=5

WorkingDirectory=/var/lib/headscale
ReadWritePaths=/var/lib/headscale /var/run

AmbientCapabilities=CAP_NET_BIND_SERVICE CAP_CHOWN
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_CHOWN
LockPersonality=true
NoNewPrivileges=true
PrivateDevices=true
PrivateMounts=true
PrivateTmp=true
ProcSubset=pid
ProtectClock=true
ProtectControlGroups=true
ProtectHome=true
ProtectHostname=true
ProtectKernelLogs=true
ProtectKernelModules=true
ProtectKernelTunables=true
ProtectProc=invisible
ProtectSystem=strict
RemoveIPC=true
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
RestrictNamespaces=true
RestrictRealtime=true
RestrictSUIDSGID=true
RuntimeDirectory=headscale
RuntimeDirectoryMode=0750
StateDirectory=headscale
StateDirectoryMode=0750
SystemCallArchitectures=native
SystemCallFilter=@chown
SystemCallFilter=@system-service
SystemCallFilter=~@privileged
UMask=0077

[Install]
WantedBy=multi-user.target
  6. Start the service
sudo systemctl daemon-reload
sudo systemctl enable --now headscale
sudo systemctl status headscale

Debian/Ubuntu deployment

  1. Download the headscale package
wget --output-document=headscale.deb \
 "https://github.com/juanfont/headscale/releases/download/v0.23.0/headscale_0.23.0_linux_amd64.deb"
  2. Install it
sudo apt install ./headscale.deb
  3. Download the configuration file
sudo mkdir -p /etc/headscale

sudo wget -O /etc/headscale/config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
  4. Start the headscale service
sudo systemctl enable --now headscale

sudo systemctl status headscale
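
Both download steps above (the raw binary written to /usr/local/bin/headscale and the .deb package) install the file without checking its digest. The following is an added example, not part of the original tutorial or the Headscale project: it verifies a downloaded asset against a checksum file and installs it only on a match. It assumes the release offers a checksum file in sha256sum format; the function names and the demo file are constructed.

```shell
# Added example: verify a downloaded release asset before installing it.
# Assumption: the release provides a checksum file in sha256sum format
# ("<hex digest>  <asset name>" per line).

# verify_asset FILE ASSET_NAME CHECKSUMS
# Returns 0 on match, 1 on digest mismatch, 2 if ASSET_NAME is not listed.
verify_asset() {
    va_expected=$(awk -v n="$2" '$2 == n || $2 == ("*" n) { print $1; exit }' "$3")
    [ -n "$va_expected" ] || { echo "no checksum entry for $2" >&2; return 2; }
    va_actual=$(sha256sum "$1" | awk '{ print $1 }')
    [ "$va_actual" = "$va_expected" ] || { echo "digest mismatch for $2" >&2; return 1; }
}

# install_verified FILE ASSET_NAME CHECKSUMS DEST
# Copies FILE to DEST with mode 0755 only after the digest check passes.
install_verified() {
    verify_asset "$1" "$2" "$3" || return $?
    install -m 0755 "$1" "$4"
}

# Constructed demo: a stand-in "binary" and a matching checksum file.
demo() {
    d=$(mktemp -d) || return 1
    asset=headscale_0.23.0_linux_amd64
    printf 'constructed stand-in for the release binary\n' > "$d/$asset"
    (cd "$d" && sha256sum "$asset" > checksums.txt)
    install_verified "$d/$asset" "$asset" "$d/checksums.txt" "$d/headscale" \
        && echo "installed: $d/headscale"
    printf 'tampered\n' >> "$d/$asset"          # simulate a modified download
    install_verified "$d/$asset" "$asset" "$d/checksums.txt" "$d/headscale2" \
        || echo "rejected modified file (exit $?)"
    rm -rf "$d"
}
demo
```

For the binary deployment, download into a scratch directory rather than straight into /usr/local/bin and pass /usr/local/bin/headscale as DEST under sudo. For the .deb, run verify_asset on headscale.deb before apt install.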

Docker deployment

Docker installation tutorial ✈

  1. Download the configuration file
sudo mkdir -p ./headscale/config
sudo mkdir -p ./headscale/data

sudo wget -O ./headscale/config/config.yaml https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml
  • Change headscale_url to the IP you have set
  • Change listen_addr to 0.0.0.0
  2. Start with docker compose
services:
  headscale:
    image: headscale/headscale:0.23.0
    container_name: headscale
    restart: always
    ports:
      - "8080:8080"
    volumes:
      - ./headscale/config:/etc/headscale
      - ./headscale/data:/var/lib/headscale
    command: [ "serve" ]
    environment:
      - TZ=Asia/Shanghai
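
The configuration edits described in the binary section (server_url, randomize_client_port) and in the Docker section (listen_addr) can be checked before starting the service. The following is an added example, not part of the original tutorial or the Headscale project. The keys tls_cert_path and tls_letsencrypt_hostname are assumed to be present as in the downloaded example config, and the sample files, domain and certificate path are constructed placeholders.

```shell
# Added example: check the config.yaml values this tutorial edits.
# Reads flat top-level "key: value" lines only; it is not a YAML parser.

# cfg_get FILE KEY: print KEY's value with trailing comment and quotes removed.
cfg_get() {
    awk -v k="$2" 'index($0, k ":") == 1 {
        v = substr($0, length(k) + 2)
        sub(/[ \t]+#.*$/, "", v)
        gsub(/^[ \t"]+|[ \t"]+$/, "", v)
        print v; exit }' "$1"
}

# audit_config FILE: print one finding per line; return 1 if there are any.
audit_config() {
    ac_url=$(cfg_get "$1" server_url)
    ac_listen=$(cfg_get "$1" listen_addr)
    ac_rand=$(cfg_get "$1" randomize_client_port)
    ac_tls="$(cfg_get "$1" tls_cert_path)$(cfg_get "$1" tls_letsencrypt_hostname)"
    ac_out=$(
        case $ac_url in
            (''|*://127.*|*://localhost*)
                echo "server_url '$ac_url' is not reachable by other nodes" ;;
            (http://*)
                echo "server_url uses http:// (no TLS)" ;;
        esac
        case $ac_listen in
            (0.0.0.0:*)
                [ -n "$ac_tls" ] || echo "listen_addr $ac_listen: plain HTTP on all interfaces" ;;
        esac
        [ "$ac_rand" = true ] || echo "randomize_client_port is not true"
    )
    [ -z "$ac_out" ] && return 0
    printf '%s\n' "$ac_out"
    return 1
}

# Constructed samples: example-file defaults, then values after the edits.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' 'server_url: http://127.0.0.1:8080' \
        'listen_addr: 127.0.0.1:8080' 'randomize_client_port: false' > "$d/a.yaml"
    printf '%s\n' 'server_url: https://headscale.example.com  # placeholder' \
        'listen_addr: 0.0.0.0:8080' 'tls_cert_path: /path/to/cert.pem' \
        'randomize_client_port: true' > "$d/b.yaml"
    audit_config "$d/a.yaml" || true
    audit_config "$d/b.yaml" && echo "b.yaml: no findings"
    rm -rf "$d"
}
demo
```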

Create a user

headscale deployed from the binary file

 headscale user create name

headscale deployed with Docker

docker exec -it headscale headscale user create name

Headscale UI management

Introduction

Developed with Vue and Go; it runs independently of the Headscale library. Project page ✈

  • Supports multi-user management
  • Supports SQLite and PostgreSQL databases

Installation

Clone the project: git clone https://github.com/suixinio/headscale-hub.git

  1. Change the route in VUE_APP_BASE_API in the .env.production file
  2. Start with docker compose up -d
  3. Create a headscale user
docker exec -it headscale headscale users create admin
  4. Create an API key
docker exec -it headscale headscale apikeys create
  5. Set the headscale.api_key parameter in hub\config.yml, then restart the headscale container

Interface overview

[Interface screenshots]