
How to set up an untrusted private Derper

Open cryptagoras opened this issue 2 years ago • 7 comments

I am trying a simple setup, 2-3 nodes in a single namespaceA and a Derper running on a VPS. The requirements are:

  • Use derper --verify-clients so the Derper can't be used by anyone but my tailnet nodes
  • (Since from what I understand --verify-clients needs the machine to be part of the tailnet) Deny access to any part of the tailnet (to all ports & clients) just in case the Derper machine gets compromised.

My attempt: I tried adding the Derper machine to the tailnet but in a second/separate namespaceB and using ACLs to limit any access, but the Derper then can't get the peer set of namespaceA.

2022/04/28 22:00:00 derp: 128.128.128.128:46458: client 8472834283423423423A5235235 rejected: client nodekey:8959350349bc82394234 not in set of peers

Also, I couldn't find a way to add tags; maybe with tags I could initially add the Derper in the same namespace but then tag it into a limited group (related to #558). If anyone knows whether it's possible, it would be great to share; I'd even be happy to add it to the docs unless there are objections.

Thank you

cryptagoras avatar Apr 28 '22 22:04 cryptagoras

Last time checked (read: about half a year ago) derper with --verify-clients only cares for the machine keys returned by the peer API, so if we provide an "alternative" tailscaled.sock to derper that serves this information, the host does not need to be joined to the tailnet at all. I have a dirty, but functional implementation for an older version of derper (since then, I believe the key format has changed), I could share, but I do not believe I have the time to fix it up right now. Also, it currently only works with the sqlite3 database backend, though I imagine it would not be hard to change that.

enoperm avatar May 10 '22 17:05 enoperm

See https://github.com/enoperm/derpyhead, if you do not mind refactoring it a bit to suit your current usecases.

enoperm avatar May 10 '22 17:05 enoperm

@enoperm thanks for sharing! Very interesting, I'll look into it since that's the only piece missing from having a working setup in my case.

cryptagoras avatar May 15 '22 20:05 cryptagoras

I used a workaround: I extract the IP address and machine_key of the logging-in user from headscale's log and check whether the database contains that machine_key. If it does, the user is trusted, and the IP is passed via MQTT to derp's ipset and written into the iptables whitelist. headscale's log:

2022-06-19T13:05:59Z INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=**** [GIN] 2022/06/19 - 13:05:59 | 200 | 21.424ms | 1**.1**.1**.38 | POST "/machine/*****ecd207e650765d6c6d794c24b7c47630c0863a4fc5453544e0912/map" ip_send_success: 1.1.1.38

derp's log:

2022/06/19 13:05:26 derp client 192.168.88.254:48180/6e6f64656b65793a62626632313266643766303838313664613538306435623738343938643638653133323036396362343566333438376230356133613964383262393963653735: removing connection add:1**.1**.1**.38 ipset v7.15: Element cannot be added to the set: it's already added

zhwk avatar Jun 19 '22 13:06 zhwk
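As an added illustration of the log-driven allowlisting described in the comment above (example code, not code from the thread, from headscale or from derper), the script below parses headscale's GIN request log for successful `/machine/<key>/map` requests, keeps only the IPs whose machine key is already known, and emits the `ipset` commands that would add them to an allow set. The log excerpt, the machine keys and the `TRUSTED_MACHINE_KEYS` set are constructed stand-ins; a real deployment would read the keys from the headscale database and run the commands (or publish them over MQTT, as the comment does) rather than print them. `ipset add -exist` is used so that re-adding an IP is a no-op instead of the "it's already added" error shown in the derp log.

```python
import re
from dataclasses import dataclass
from typing import Iterable

# Constructed sample machine keys (64 hex chars, the same shape as the key in
# the quoted "/machine/<key>/map" URL). Placeholders, not real keys.
KEY_A = "ab" * 32
KEY_B = "cd" * 32
KEY_UNKNOWN = "ef" * 32

# Constructed log excerpt modelled on the headscale/GIN lines quoted in the
# thread. Client IPs are RFC 5737 documentation addresses, not real clients.
SAMPLE_LOG = f"""\
2022-06-19T13:05:59Z INF Client sent endpoint update and is ok with a response without peer list handler=PollNetMap machine=node-a
[GIN] 2022/06/19 - 13:05:59 | 200 |    21.424ms |   198.51.100.38 | POST     "/machine/{KEY_A}/map"
[GIN] 2022/06/19 - 13:06:02 | 200 |     3.101ms |     203.0.113.7 | POST     "/machine/{KEY_B}/map"
[GIN] 2022/06/19 - 13:06:05 | 200 |     0.512ms |      192.0.2.99 | POST     "/machine/{KEY_UNKNOWN}/map"
"""

# Stand-in for the machine_key column of the headscale database. Assumption:
# a real deployment queries the DB here instead of using a literal set.
TRUSTED_MACHINE_KEYS = {KEY_A, KEY_B}

# Tolerant of the variable padding GIN puts between the "|" separators.
GIN_MAP_RE = re.compile(
    r'^\[GIN\]\s+\S+\s+-\s+\S+\s*\|\s*(?P<status>\d{3})\s*\|\s*\S+\s*\|\s*'
    r'(?P<ip>[0-9A-Fa-f.:]+)\s*\|\s*POST\s+"/machine/(?P<mkey>[0-9a-f]{64})/map"'
)


@dataclass(frozen=True)
class MapRequest:
    ip: str
    machine_key: str
    status: int


def parse_map_requests(log_text: str) -> list[MapRequest]:
    """Extract (client IP, machine key, HTTP status) from /machine/<key>/map requests."""
    requests = []
    for line in log_text.splitlines():
        m = GIN_MAP_RE.match(line)
        if m:
            requests.append(MapRequest(m["ip"], m["mkey"], int(m["status"])))
    return requests


def trusted_client_ips(log_text: str, trusted_keys: set[str]) -> set[str]:
    """IPs whose map request succeeded AND whose machine key headscale already knows."""
    return {
        r.ip
        for r in parse_map_requests(log_text)
        if r.status == 200 and r.machine_key in trusted_keys
    }


def ipset_commands(ips: Iterable[str], set_name: str = "derp-allow") -> list[str]:
    """Shell commands to add each IP to an ipset. -exist makes re-adding an
    already-present element a no-op instead of an error."""
    return [f"ipset add -exist {set_name} {ip}" for ip in sorted(ips)]


if __name__ == "__main__":
    for cmd in ipset_commands(trusted_client_ips(SAMPLE_LOG, TRUSTED_MACHINE_KEYS)):
        print(cmd)
```

Only the two clients presenting known keys end up in the allow set; the third request is dropped even though headscale answered it with 200, because gating on the machine key (not just on "some client talked to headscale") is what keeps an unknown node from being whitelisted on the DERP host.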

For what it's worth, I have had some time to dust off the aforementioned derper nodekey provider, it does not depend on sqlite3 anymore and can now return keys from arbitrary sources.

enoperm avatar Jun 24 '22 16:06 enoperm

Also, it is now tested and compatible with the latest derper.

enoperm avatar Jun 24 '22 16:06 enoperm

headscale now has a built-in derper. While I don't think this would resolve this issue without any more changes, has anyone played around with the combination?

kradalby avatar Sep 08 '22 09:09 kradalby