在本文中,我们演示如何使用 Docker 容器运行 Headscale 和 Headscale UI。我们最近的文章专门介绍了使用 .deb
包在 Ubuntu Linux 系统上安装 Headscale。该帖子的链接在下面的链接中共享。
- 在 Ubuntu 上安装和配置 Headscale
如果您不喜欢基于软件包的 Headscale 安装,那么本文就是为您设计的。 Headscale 是 Tailscale 协调服务器的一个非常强大的开源替代解决方案。它是为了在您自己的基础设施中自托管而构建的。 Headscale是独立开发的,除了是Tailscale协调服务器的重新实现版本外,与Tailscale公司没有任何关系。
按照本博客文章中共享的步骤设置在 Docker 容器中运行的专用 Headscale 服务器。相同的过程可以重复用于 Podman/Podman compose 设置,只需进行少量修改。我们还在 docker 中安装了 Headscale UI。
1)安装Docker引擎
首先确保 Docker 引擎已安装并正常运行,然后开始设置。请参阅以下有关在 Linux 系统上安装 Docker 的指南。
- 如何在 Linux 系统上安装 Docker CE
安装后您可以检查版本。
$ docker --version
Docker version 24.0.7, build afdd53b
另请检查是否安装了 compose 插件。
$ docker compose version
Docker Compose version v2.21.0
2)定义Docker Compose文件
让我们创建一个存储 Headscale 配置和数据的目录。
mkdir -p ~/headscale && cd ~/headscale
在 headscale 目录中创建一个空的 SQlite 数据库:
mkdir ./config
touch ./config/db.sqlite
创建一个名为 docker-compose.yml 的新文件
vim docker-compose.yml
粘贴并修改以下内容。如果您不需要在 Docker 容器中运行 Headscale,请删除其部分。
version: '3.9'
services:
headscale:
container_name: headscale
image: headscale/headscale:latest
command: headscale serve
restart: unless-stopped
ports:
- 8080:8080
- 9090:9090
volumes:
- ./config:/etc/headscale/
- ./data:/var/lib/headscale/
headscale-ui:
container_name: headscale-ui
image: ghcr.io/gurucomputing/headscale-ui:latest
pull_policy: always
restart: unless-stopped
ports:
- 9080:80
在我们的撰写文件中,我们是:
- 在
/etc/headscale
下安装config/
- 在
/var/lib/headscale/
下挂载data/
- 将端口 8080 转发到 headscale 容器之外,以便
headscale
实例变得可用 - 将端口 9080 转发到 headscale-ui 容器之外,以便
headscale-ui
实例变得可用
如果在 UI 上使用 https,您可以映射单独的端口,如下所示。
- 9443:443
3) 启动 Headscale 容器
下载配置模板文件。
mkdir {config,data}
wget https://raw.githubusercontent.com/juanfont/headscale/main/config-example.yaml -O config/config.yaml
在启动 Docker 容器之前,根据您的偏好修改配置文件。以下是您可能需要的一些设置:
# Change to your hostname or host IP
# server_url: //vpn.computingforgeeks.com:8080
server_url: http://192.168.20.11:8080
# Listen to 0.0.0.0 so it's accessible outside the container
metrics_listen_addr: 0.0.0.0:9090
使用 docker compose 命令启动容器。 -d
选项表示分离,以便它们在后台运行。
$ docker compose up -d
[+] Running 19/19
✔ headscale-ui 13 layers [⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿] 0B/0B Pulled 3.2s
✔ 8921db27df28 Pull complete 0.5s
✔ 5e0dab5e7f18 Pull complete 0.5s
✔ e7466e9238c6 Pull complete 0.5s
✔ 9aca5eef2d98 Pull complete 0.7s
✔ 4f4fb700ef54 Pull complete 0.8s
✔ 5007d4d43f68 Pull complete 0.8s
✔ 2ebc6f305da4 Pull complete 1.0s
✔ 712d06ffc498 Pull complete 1.1s
✔ ac473b17e437 Pull complete 1.7s
✔ 36f5767e6555 Pull complete 1.7s
✔ 7c6ac0210a21 Pull complete 1.8s
✔ 7765e166cec5 Pull complete 1.8s
✔ 896f16a8f15c Pull complete 2.0s
✔ headscale 4 layers [⣿⣿⣿⣿] 0B/0B Pulled 4.4s
✔ 9e3ea8720c6d Pull complete 2.3s
✔ 71273269cd97 Pull complete 2.4s
✔ 007b622b7a95 Pull complete 2.5s
✔ 50a37fbfee41 Pull complete 2.5s
[+] Running 3/3
✔ Network headscale_default Created 0.1s
✔ Container headscale-ui Started 0.6s
✔ Container headscale Started
检查创建的容器的状态。
$ docker compose ps
NAME IMAGE COMMAND SERVICE CREATED STATUS PORTS
headscale headscale/headscale:latest "headscale serve" headscale 45 seconds ago Up 43 seconds 0.0.0.0:8080->8080/tcp, :::8080->8080/tcp, 0.0.0.0:9090->9090/tcp, :::9090->9090/tcp
headscale-ui ghcr.io/gurucomputing/headscale-ui:latest "/bin/sh -c '/bin/sh…" headscale-ui 45 seconds ago Up 43 seconds 443/tcp, 0.0.0.0:9080->80/tcp, :::9080->80/tcp
您可以通过运行跟踪容器日志来查看内部发生的情况。
$ docker logs --follow headscale
2023-10-05T23:29:19Z INF go/src/headscale/hscontrol/protocol_common.go:574 > Successfully sent auth url AuthURL=http://192.168.20.11:8080/register/nodekey:af52937e8bc375a0d73a01cd453fd2f814144796b0270cedb0d126a39518c306 machine=jammy noise=true
$ docker logs --follow headscale-ui
no Caddyfile detected, copying across default config
Starting Caddy
{"level":"info","ts":1696545638.4848695,"msg":"using provided configuration","config_file":"/data/Caddyfile","config_adapter":"caddyfile"}
{"level":"info","ts":1696545638.4858341,"logger":"admin","msg":"admin endpoint started","address":"localhost:2019","enforce_origin":false,"origins":["//localhost:2019","//[::1]:2019","//127.0.0.1:2019"]}
{"level":"info","ts":1696545638.4859416,"logger":"tls.cache.maintenance","msg":"started background certificate maintenance","cache":"0xc000544fc0"}
{"level":"info","ts":1696545638.486509,"logger":"http","msg":"server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS","server_name":"srv0","https_port":443}
{"level":"warn","ts":1696545638.4865189,"logger":"http","msg":"automatic HTTP->HTTPS redirects are disabled","server_name":"srv0"}
{"level":"warn","ts":1696545638.4865253,"logger":"http","msg":"server is listening only on the HTTP port, so no automatic HTTPS will be applied to this server","server_name":"srv1","http_port":80}
{"level":"info","ts":1696545638.4865966,"logger":"pki.ca.local","msg":"root certificate trust store installation disabled; unconfigured clients may show warnings","path":"storage:pki/authorities/local/root.crt"}
{"level":"warn","ts":1696545638.4866195,"logger":"tls","msg":"YOUR SERVER MAY BE VULNERABLE TO ABUSE: on-demand TLS is enabled, but no protections are in place","docs":"https://caddyserver.com/docs/automatic-https#on-demand-tls"}
{"level":"info","ts":1696545638.48668,"logger":"http.log","msg":"server running","name":"srv1","protocols":["h1","h2","h3"]}
{"level":"info","ts":1696545638.486689,"logger":"tls","msg":"cleaning storage unit","description":"FileStorage:/home/appuser/.local/share/caddy"}
{"level":"info","ts":1696545638.4867213,"logger":"http","msg":"enabling HTTP/3 listener","addr":":443"}
{"level":"info","ts":1696545638.4867342,"logger":"tls","msg":"finished cleaning storage units"}
{"level":"info","ts":1696545638.4867566,"msg":"failed to sufficiently increase receive buffer size (was: 208 kiB, wanted: 2048 kiB, got: 416 kiB). See https://github.com/lucas-clemente/quic-go/wiki/UDP-Receive-Buffer-Size for details."}
{"level":"info","ts":1696545638.4868112,"logger":"http.log","msg":"server running","name":"srv0","protocols":["h1","h2","h3"]}
{"level":"info","ts":1696545638.486932,"msg":"autosaved config (load with --resume flag)","file":"/home/appuser/.config/caddy/autosave.json"}
{"level":"info","ts":1696545638.4869497,"msg":"serving initial configuration"}
ss
命令可用于检查主机上的端口是否已绑定。
$ ss -tunlp|egrep '8080|9080'
tcp LISTEN 0 4096 0.0.0.0:9080 0.0.0.0:* users:(("docker-proxy",pid=364448,fd=4))
tcp LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:* users:(("docker-proxy",pid=364428,fd=4))
tcp LISTEN 0 4096 [::]:9080 [::]:* users:(("docker-proxy",pid=364455,fd=4))
tcp LISTEN 0 4096 [::]:8080 [::]:* users:(("docker-proxy",pid=364434,fd=4))
4)访问Container shell
您可以通过运行以下命令来访问 headscale
容器 shell:
docker exec -ti headscale bash
对于 headscale-ui 运行:
docker exec -ti headscale-ui sh
我们可以通过在 Headscale 实例上创建用户来测试功能。
root@4f2fbe02c029:/# headscale users create computingforgeeks
无需进入容器 shell 即可执行一行命令。
docker exec headscale \
headscale users create myuser
5) 将客户端设备加入 Headscale 网络
您需要在 Headscale 服务器上创建一个用户。我们将创建一个名为computingforgeeks的项目。
$ docker exec headscale headscale users create computingforgeeks
User created
在您的设备上安装 Tailscale 客户端
- Windows客户端
- iOS系统
- 安卓
- Linux
- 苹果系统
在 Linux/BSD 上安装 Tailscale
对于基于 Linux 和 BSD 的系统,运行以下命令:
curl -fsSL https://tailscale.com/install.sh | sudo sh
可以使用以下命令检查 Tailscale 的版本。
$ tailscale --version
1.50.1
tailscale commit: f45c02bfcf5ee5790c3af278c9e974c9b9b0e771
other commit: 36a20760a45bd1936686879b34c35146cc0c4ec1
go version: go1.21.1
在 macOS 上安装
您可以使用 Homebrew 安装:
brew install tailscale
或者通过运行脚本。
curl -fsSL https://tailscale.com/install.sh | sudo sh
注册机器(普通登录)
在客户端计算机上,执行tailscale
登录命令:
tailscale up --login-server YOUR_HEADSCALE_URL
请参阅下面的示例。
# tailscale up --login-server http://192.168.20.11:8080
To authenticate, visit:
http://192.168.20.11:8080/register/nodekey:410155d1792d0f81a5f39415a1a418f882208751570c2e5195f7a6842ca44e6a
打开链接会给出要在 Headscale 服务器中执行的命令以注册设备。
列出在 Headscale 服务器中创建的所有用户:
$ docker exec headscale headscale user list
ID | Name | Created
1 | computingforgeeks | 2023-10-05 22:50:40
2 | myuser | 2023-10-05 22:52:18
3 | user2 | 2023-10-05 22:59:03
请记住在运行命令时将 USERNAME 替换为您的有效用户名。
$ docker exec headscale \
headscale nodes register --user computingforgeeks --key nodekey:410155d1792d0f81a5f39415a1a418f882208751570c2e5195f7a6842ca44e6a
Machine rocky8 registered
使用 headscale
注册机器的一般语法是:
docker exec headscale \
headscale --user <username> nodes register --key <YOU_+MACHINE_KEY>
列出添加到 Headscale 网状网络的所有计算机。
# docker exec headscale headscale node list
ID | Hostname | Name | MachineKey | NodeKey | User | IP addresses | Ephemeral | Last seen | Expiration | Online | Expired
1 | jammy | jammy | [cN/Um] | [r1KTf] | computingforgeeks | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2023-10-05 23:39:04 | 0001-01-01 00:00:00 | online | no
使用预先验证的密钥注册机器
您还可以使用预先验证的密钥注册新机器。
首先使用命令行生成密钥:
docker exec headscale \
headscale --user <username> preauthkeys create --reusable --expiration 24h
执行该命令会返回一个预先验证的密钥,用于在运行 tailscale
命令时将节点连接到 headscale
:
tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>
让我们看下面的例子。
# On Headscale server
# docker exec headscale headscale --user jkmutai preauthkeys create --reusable --expiration 24h
4763c4f4293b260eff230065378e5668c13db44f4569ed7b
# On Machine to be registered
# tailscale up --login-server http://vpn.hirebestengineers.com --authkey 4763c4f4293b260eff230065378e5668c13db44f4569ed7b
使用预验证密钥的机器注册命令不会给出任何输出。但您可以从 Headscale 服务器 CLI 确认是否添加了新节点。
# docker exec headscale headscale node list
ID | Hostname | Name | MachineKey | NodeKey | User | IP addresses | Ephemeral | Last seen | Expiration | Online | Expired
1 | rocky8 | rocky8 | [s+TG9] | [QQFV0] | jkmutai | 100.64.0.1, fd7a:115c:a1e0::1 | false | 2023-10-05 17:05:58 | 0001-01-01 00:00:00 | online | no
2 | mail | mail | [V8WI2] | [OvPLb] | jkmutai | 100.64.0.2, fd7a:115c:a1e0::2 | false | 2023-10-05 17:06:32 | 0001-01-01 00:00:00 | online | no
6) 有用的头秤命令
删除网络中的节点。
docker exec headscale \
headscale node delete -i <ID>
将节点移至另一个用户
docker exec headscale \
headscale node move -i <ID> -u <New-User>
重命名网络中的计算机
docker exec headscale \
headscale node rename -i <ID> <NEW_NAME>
使网络中的计算机过期(注销)
docker exec headscale \
headscale node expire -i <ID>
创建 API 密钥:
docker exec headscale \
headscale apikeys create --expiration 90d
列出 API 密钥:
docker exec headscale \
headscale apikeys list
使 API 密钥过期:
docker exec headscale \
headscale apikeys expire --prefix "<PREFIX>"
7) 访问 Headscale UI
在 Headscale 服务器上生成 API 密钥。
docker exec headscale \
headscale apikeys create --expiration 120d
这给出了与此类似的输出。
8bnNOGwOkw.bjQXvEB4Vk9Ia1R9HupEB0yB9PFthth_Or8QcHncKmw
在 http://ServerIP_or_hostname:9080/web/settings.html 上打开 Headscale UI
在框中输入 Headscale 服务器 URL 和生成的令牌。例子:
- Headscale URL://api.computingforgeeks.com
- Headscale API 密钥:8bnNOGwOkw.bjQXvEB4Vk9Ia1R9HupEB0yB9PFthth_Or8QcHncKmw
下一篇文章请查看:
- 将 pfSense 加入 Tailscale/Headscale VPN 网格
- 如何在 OPNsense 上启用和启动 SSH 服务器
- 如何在 OPNsense 上安装和配置 Tailscale 客户端
结论
对于希望创建 Tailscale 网状网络并将设备连接到其中的中小型公司来说,Headscale 是一个完美的解决方案。它是 VPN 服务器设置的强大、安全且可靠的替代解决方案。它使您可以完全控制网状网络和协调服务器。网状 VPN 使用点对点 (P2P) 模型为其用户创建安全的共享环境。