Stop tailscaled from managing the host's DNS, then set resolvers by hand:
tailscale set --accept-dns=false
In /etc/resolv.conf:
nameserver 8.8.8.8
nameserver 8.8.4.4
Don't use this! Use a Tailscale peer relay instead.
# Update system
sudo apt update && sudo apt upgrade -y
# Install Go (needed to build derper). derper tracks the current Go release;
# if the distro's golang-go is too old, the go install below fails with a
# "requires go >= x.y" error and you need the toolchain from https://go.dev/dl/ instead.
sudo apt install -y golang-go
# Build derper (the binary lands in ~/go/bin)
go install tailscale.com/cmd/derper@latest
# Move to system location
sudo mv ~/go/bin/derper /usr/local/bin/
# Create systemd service
sudo tee /etc/systemd/system/derper.service > /dev/null <<EOF
[Unit]
Description=Tailscale DERP relay
After=network.target
[Service]
# -verify-clients=false makes this an open relay: any Tailscale client that learns
# the hostname can relay through it. -verify-clients=true limits it to nodes on your
# tailnet, but needs tailscaled running on this host to do the lookup.
ExecStart=/usr/local/bin/derper -a :443 -certmode=letsencrypt -certdir=/var/lib/derper/certs -hostname=derp.jde.nz -verify-clients=false -stun-port=3478
Restart=always
User=root
[Install]
WantedBy=multi-user.target
EOF
# Enable and start
sudo systemctl enable --now derper
{
  // my personal derp
  "derpMap": {
    // false: keep Tailscale's public DERP regions and add this one;
    // true: clients relay only through the regions listed here
    "OmitDefaultRegions": false,
    "Regions": {
      // IDs 900-999 are reserved for custom regions
      "900": {
        "RegionID": 900,
        "RegionCode": "myderp",
        "Nodes": [{
          "Name": "900a",
          "RegionID": 900,
          "HostName": "derp.jde.nz",
          "STUNPort": 3478,
        }],
      },
    },
  },
  // ... rest of your ACL
}
In Proxmox, create a new container:
SSH into the new container:
apt update
apt install haproxy -y
sudo nano /etc/haproxy/haproxy.cfg
Replace with:
global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    stats socket /run/haproxy/admin.sock mode 660 level admin
    stats timeout 30s
    user haproxy
    group haproxy
    daemon

defaults
    log global
    mode tcp
    option tcplog
    timeout connect 5000
    # Inactivity timeouts (ms). DERP sessions are long-lived TCP connections;
    # if tailscale clients keep reconnecting to the relay, raise these.
    timeout client 50000
    timeout server 50000

frontend https_frontend
    bind *:443
    mode tcp
    # Hold the connection (up to 5s) until the TLS ClientHello arrives so the SNI
    # can be read. TLS is passed through untouched: HAProxy never terminates it,
    # so it needs no certificate for either site.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route based on SNI (-i: case-insensitive)
    use_backend derp_backend if { req_ssl_sni -i derp.jde.nz }
    default_backend caddy_backend

backend derp_backend
    mode tcp
    server derp 10.10.13.18:443 check

backend caddy_backend
    mode tcp
    server caddy 10.10.13.15:443 check
systemctl enable haproxy
systemctl restart haproxy
systemctl status haproxy
Change your router's port 443 forwarding:
OLD: External 443/TCP → Caddy (10.10.13.15:443)
NEW: External 443/TCP → HAProxy (10.10.13.20:443)
HAProxy then routes the 443 traffic by SNI: derp.jde.nz → derper (10.10.13.18), everything else → Caddy (10.10.13.15). The Let's Encrypt TLS-ALPN-01 challenge for derp.jde.nz also arrives on 443 with that SNI, so it reaches derper through the same rule.
Also forward External 3478/UDP → derper (10.10.13.18) for STUN; that bypasses HAProxy entirely.
Because HAProxy passes TCP through rather than proxying HTTP, both Caddy and derper now see 10.10.13.20 as the client source address in their logs.
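How the SNI rule above makes its decision, as an added example that is not from the original page and not HAProxy's or Tailscale's code: a small Python parser that pulls server_name out of a raw TLS ClientHello and applies the same backend choice as the haproxy.cfg above. The ClientHellos it tests against are constructed in memory with the ssl module, so it runs offline; the backend addresses are the page's, the function names are mine.

```python
import ssl
import struct
from typing import Optional, Tuple

# Backend addresses from the HAProxy config on the page.
DERP_BACKEND = ("10.10.13.18", 443)
CADDY_BACKEND = ("10.10.13.15", 443)


def extract_sni(data: bytes) -> Optional[str]:
    """Return the lowercased server_name from a TLS ClientHello, or None.

    None means "no SNI visible": not a TLS record, not a ClientHello, no
    server_name extension, or a truncated handshake (HAProxy waits up to
    inspect-delay for more bytes in that last case; a caller here should too).
    """
    try:
        # TLS record header: content type (0x16 = handshake), version, length.
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        # Handshake header: msg type (1 = ClientHello, i.e. req_ssl_hello_type 1), 3-byte length.
        if len(body) < 4 or body[0] != 0x01:
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hs = body[4:4 + hs_len]
        if len(hs) < hs_len:
            return None  # truncated: the rest is still in flight
        pos = 2 + 32                                          # client_version + random
        pos += 1 + hs[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hs[pos]                                    # compression_methods
        if pos + 2 > len(hs):
            return None                                       # no extensions block at all
        ext_end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            ext_type, ext_len = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            ext = hs[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0x0000:                            # 0 = server_name
                continue
            # ServerNameList: 2-byte list length, then (name_type, 2-byte len, name) entries.
            list_end = 2 + struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= list_end:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                            # host_name
                    return ext[p:p + name_len].decode("ascii").lower()
                p += name_len
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None  # malformed hello: treat as "no SNI"


def choose_backend(first_bytes: bytes) -> Tuple[str, Tuple[str, int]]:
    """Same decision as the HAProxy frontend: derp.jde.nz -> derper, else Caddy.

    Anything without a matching SNI (other hosts, no SNI, non-TLS junk) lands
    on the default backend, so Caddy is what answers port scanners.
    """
    if extract_sni(first_bytes) == "derp.jde.nz":            # -i: case-insensitive match
        return "derp_backend", DERP_BACKEND
    return "caddy_backend", CADDY_BACKEND


def build_client_hello(server_name: Optional[str]) -> bytes:
    """Constructed sample input: have the ssl module write a real ClientHello into memory."""
    ctx = ssl.create_default_context()
    if server_name is None:
        ctx.check_hostname = False                            # wrap_bio refuses server_hostname=None otherwise
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=server_name)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass                                                  # ClientHello written; would now wait for the server
    return outgoing.read()


if __name__ == "__main__":
    for hello in ("derp.jde.nz", "jde.nz", None):
        name, addr = choose_backend(build_client_hello(hello))
        print(f"SNI={hello!r:14} -> {name} {addr}")
    print("non-TLS bytes ->", choose_backend(b"GET / HTTP/1.1\r\n")[0])
```

Against the live deployment the equivalent checks are: `openssl s_client -connect <public-ip>:443 -servername derp.jde.nz </dev/null 2>/dev/null | openssl x509 -noout -subject`, repeated with a Caddy-served hostname, each returning its own certificate; `curl -sS -o /dev/null -w '%{http_code}\n' https://derp.jde.nz/derp/probe`, which derper answers with 200; and `tailscale netcheck`, which should list region 900 (myderp) with a latency once the derpMap is saved in the ACL.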