DERP¶

A DERP (Designated Encrypted Relay for Packets) server is mainly used to relay traffic between two nodes in case a direct connection can't be established. Headscale provides an embedded DERP server to ensure seamless connectivity between nodes.

Configuration¶

DERP related settings are configured within the derp section of the configuration file. The following sections only use a few of the available settings, check the example configuration for all available configuration options.

Enable embedded DERP¶

Headscale ships with an embedded DERP server which allows to run your own self-hosted DERP server easily. The embedded DERP server is disabled by default and needs to be enabled. In addition, you should configure the public IPv4 and public IPv6 address of your Headscale server for improved connection stability:

derp:
  server:
    enabled: true
    ipv4: 198.51.100.1
    ipv6: 2001:db8::1

Keep in mind that additional ports are needed to run a DERP server. Besides relaying traffic, it also uses STUN (udp/3478) to help clients discover their public IP addresses and perform NAT traversal. Check DERP server connectivity to see if everything works.

Remove Tailscale's DERP servers¶

Once enabled, Headscale's embedded DERP is added to the list of free-to-use DERP servers offered by Tailscale Inc. To only use Headscale's embedded DERP server, disable the loading of the default DERP map:

derp:
  server:
    enabled: true
    ipv4: 198.51.100.1
    ipv6: 2001:db8::1
  urls: []

Customize DERP map¶

The DERP map offered to clients can be customized with a dedicated YAML-configuration file. Typical use-cases involve:

• Running a fleet of custom DERP servers
• Excluding or choosing specific regions from the Tailscale's list of free-to-use DERP servers

The following sample derp.yaml references two custom regions (custom-east with ID 900 and custom-west with ID 901) with one custom DERP server in each region. Each DERP server offers DERP relay via HTTPS on tcp/443, support for captive portal checks via HTTP on tcp/80 and STUN on udp/3478. See the definitions of DERPMap, DERPRegion and DERPNode for all available options.

regions:
  900:
    regionid: 900
    regioncode: custom-east
    regionname: My region (east)
    nodes:
      - name: 900a
        regionid: 900
        hostname: derp900a.example.com
        ipv4: 198.51.100.1
        ipv6: 2001:db8::1
        canport80: true
  901:
    regionid: 901
    regioncode: custom-west
    regionname: My Region (west)
    nodes:
      - name: 901a
        regionid: 901
        hostname: derp901a.example.com
        ipv4: 198.51.100.2
        ipv6: 2001:db8::2
        canport80: true

Use the following configuration to only serve the two DERP servers from the above derp.yaml:

derp:
  server:
    enabled: false
  urls: []
  paths:
    - /etc/headscale/derp.yaml

The embedded DERP server can also be enabled and is automatically added to the custom DERP map.

Verify clients¶

Access to DERP serves can be restricted to nodes that are members of your Tailnet. Relay access is denied for unknown clients.

derp:
  server:
    verify_clients: true

Check DERP server connectivity¶

Any Tailscale client may be used to introspect the DERP map and to check for connectivity issues with DERP servers.

• Display DERP map: tailscale debug derp-map
• Check connectivity with the embedded DERP¹:tailscale debug derp headscale

Additional DERP related metrics and information is available via the metrics and debug endpoint.

Limitations¶

• The embedded DERP server can't be used for Tailscale's captive portal checks as it doesn't support the /generate_204 endpoint via HTTP on port tcp/80.
• There are no speed or throughput optimisations, the main purpose is to assist in node connectivity.