
Complete Tailscale Guide: From Self-Hosting DERP Servers to Mac Subnet Routing

Background

Tailscale is an excellent networking tool, but when used from mainland China its connections are usually slow and sometimes unstable, because the official DERP relay servers are all located overseas. Self-hosting a DERP server on a domestic VPS noticeably improves connection speed and stability. In addition, a Mac mini running Surge as the home network's DHCP server and gateway can route the whole LAN into the tailnet.

This guide covers deploying a DERP server on a domestic server, configuring a Mac mini as a router and Tailscale subnet router, and installing and using Tailscale on each platform.

💡 Extended Reading: If you want to learn how to use Mac Mini as a home cloud server with Tailscale, you can refer to [Mac_mini_to_cloud](/Mac Mini M2 到云端) article. For deploying other services on VPS, you can also refer to [substore deployment tutorial](/substore 部署使用教程).

What is DERP?

DERP (Designated Encrypted Relay for Packets) is the relay server Tailscale uses. When two devices cannot establish a direct peer-to-peer connection, their traffic is forwarded through a DERP server. What it provides:

  • A fallback path when NAT traversal fails
  • A STUN service that lets peers discover their public address and port so they can punch through NAT
  • Relayed packets are already WireGuard-encrypted end to end, so the relay forwards ciphertext it cannot decrypt
  • A higher connection success rate and more stable sessions

Because the relay only sees ciphertext, a self-hosted DERP cannot read your traffic. Its operator can still see which nodes talk, when, and how much, and a relay that does not verify clients can be used as free bandwidth by anyone who discovers its address. Both points matter when you decide where to host it and how to expose it.

Connection Types Explained

Tailscale reaches a peer in one of three ways:

  1. Direct connection: the devices talk to each other directly (same LAN, or one side has a reachable public address); fastest
  2. NAT traversal: the devices learn their public endpoints via STUN and hole-punch through their NATs, which also ends in a direct peer-to-peer path
  3. DERP relay: when no direct path can be established, packets are relayed through a DERP server; the peers keep trying to upgrade to a direct path in the background

Tailscale Installation Guide for All Platforms

macOS Installation

There are three ways to install Tailscale on macOS:

  1. Recommended Method: Download installation package from Tailscale official website

    Visit https://tailscale.com/download to download Mac installer
    
  2. App Store Installation:

    Search for "Tailscale" in Mac App Store and install
    
  3. Command Line Installation (advanced users):

    brew install tailscale

    Note that the brew formula installs the open-source command-line daemon rather than the menu-bar app. The macOS commands later in this guide use the app's bundled CLI at /Applications/Tailscale.app/Contents/MacOS/Tailscale, so install the app (from the website, the App Store, or brew install --cask tailscale) if you want to follow them as written.
    

After installation, click the menu bar icon and log into your Tailscale account.

iOS/iPadOS Installation

  1. Search for "Tailscale" in App Store
  2. Open the app after installation
  3. Click "Get Started"
  4. Allow VPN configuration installation
  5. Log in using SSO identity provider

Android Installation

  1. Search for "Tailscale" in Google Play Store
  2. Open the app after installation
  3. Click "Get Started"
  4. Allow VPN configuration installation
  5. Log in using Google account or other SSO identity provider

Windows Installation

  1. Visit Tailscale download page to download Windows installer
  2. Run the .exe installation file
  3. After installation completes, click the Tailscale icon in system tray
  4. Click "Log in" and log in using SSO identity provider

Self-Hosting DERP Server

Preparation

Deploying a self-hosted DERP server requires:

  • A server with public IP (Aliyun, Tencent Cloud, etc.)
  • Basic Linux command operation ability
  • Remote connection tool (SSH)

Deployment Steps

1. Log into Server

ssh root@your_server_IP

2. Install Docker

If Docker is already installed on the server, skip this step. The convenience script is piped straight into a root shell; on a server you care about, download it first, read it, and then run it.

curl -fsSL https://get.docker.com | sh

systemctl start docker
systemctl enable docker

3. Pull and Run DERP Container

We use a community image that builds derper with a self-signed certificate, so it can be reached by a bare IP address without a domain name or a Let's Encrypt certificate:

# Pull image
docker pull ghcr.io/yangchuansheng/ip_derper:latest

# Run container: host port 59443 maps to the container's HTTPS port 443,
# UDP 3478 is STUN. The host port is arbitrary, but it must match the
# DERPPort you later put in the derpMap.
docker run --restart always \
  --name derper \
  -d \
  -p 59443:443 \
  -p 3478:3478/udp \
  ghcr.io/yangchuansheng/ip_derper:latest

Nothing in front of this container authenticates clients. The upstream derper binary has a --verify-clients option that asks a tailscaled running on the same host whether the connecting node belongs to your tailnet; check the image's README for whether and how it exposes that option, and expect the relay to be usable by anyone who finds it if you leave it off.

4. Check Service Status

# View container running status
docker ps

# View container logs
docker logs derper

# Test DERP service (-k skips certificate verification because the
# certificate is self-signed)
curl -k https://localhost:59443

You should get the derper landing page HTML back. To confirm STUN is reachable from outside, run tailscale netcheck from another machine once the derpMap has been configured; it lists the latency to each region.

5. Configure Server Firewall

Ensure the following inbound ports are open:

  • TCP 59443 (DERP main port; the host port you chose for the container)
  • UDP 3478 (STUN port)

If using Aliyun/Tencent Cloud, add the corresponding rules in the console's security group. Open only these two ports plus SSH; the derper has no authentication in front of it, so anything else on the host should stay unreachable from the internet.

Configure Tailscale to Use Self-Hosted DERP

1. Log into Tailscale Admin Console

Visit the Tailscale Admin Console and open the "Access Controls" page.

2. Modify ACL Configuration

The policy file is HuJSON, so comments are allowed, but the fragment must still be valid. Add a top-level "derpMap" key alongside "acls" (mind the comma positions):

"derpMap": {
  "OmitDefaultRegions": false,
  "Regions": {
    "901": {
      "RegionID": 901,
      "RegionCode": "sh",
      "RegionName": "Shanghai Aliyun",
      "Nodes": [
        {
          "Name": "901",
          "RegionID": 901,
          "HostName": "your_server_IP",
          "DERPPort": 59443,
          "IPv4": "your_server_IP",
          "InsecureForTests": true,
          "STUNPort": 3478
        }
      ]
    },
    "1": null,
    "2": null,
    "4": null,
    "6": null,
    "8": null,
    "9": null,
    "10": null,
    "11": null,
    "12": null,
    "13": null,
    "14": null,
    "15": null,
    "16": null,
    "17": null,
    "18": null,
    "19": null,
    "21": null,
    "22": null,
    "23": null,
    "24": null,
    "25": null
  }
},

Important Notes:

  • Replace "your_server_IP" with the server's actual public IP in both HostName and IPv4; the address must be enclosed in double quotes
  • "InsecureForTests": true disables TLS certificate verification for this node. It is what makes a self-signed, bare-IP derper usable, and the WireGuard payload stays end-to-end encrypted regardless, but an on-path attacker could impersonate the relay (denial of service and exposure of who talks to whom, not decryption). When you can put a domain name and a real certificate on the server, drop this flag.
  • Setting a default region to null removes it from the map; the default regions you do not list remain as fallback relays. "OmitDefaultRegions": true removes all of them at once, but then a single self-hosted relay that goes down leaves every pair of devices without a direct path disconnected.
  • Custom regions should use RegionID 900 or above; lower IDs belong to Tailscale's own regions.
  • Ensure the JSON is well-formed, especially comma positions; the console refuses to save an invalid policy
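As an added example (not from the original article or from Tailscale), the following Python script builds the same derpMap fragment programmatically, derives the firewall rules it implies, and lints the choices a reviewer would question: a reserved RegionID, InsecureForTests, or a map with no fallback region left. Two values are assumptions: the region ID threshold of 900 should be checked against the current Tailscale derpMap docs, and 203.0.113.10 is a documentation placeholder standing in for your_server_IP.

```python
import ipaddress
import json

# Tailscale's own DERP regions use low IDs; custom regions are documented as
# using 900 and above (assumption: verify against the current derpMap docs).
MIN_CUSTOM_REGION_ID = 900


def build_derp_region(region_id, code, name, host, derp_port=443,
                      stun_port=3478, insecure=False):
    """Return one derpMap region holding a single self-hosted node."""
    if region_id < MIN_CUSTOM_REGION_ID:
        raise ValueError(f"RegionID {region_id} is in Tailscale's reserved range")
    node = {
        "Name": str(region_id),
        "RegionID": region_id,
        "HostName": host,
        "DERPPort": derp_port,
        "STUNPort": stun_port,
    }
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name; clients resolve it themselves
    if ip is not None:
        # Bare-IP deployment: pin the address so no DNS lookup is needed.
        node["IPv4" if ip.version == 4 else "IPv6"] = host
    if insecure:
        # Skips TLS certificate verification for this node (needed for a
        # self-signed, bare-IP derper). WireGuard keeps payloads end-to-end
        # encrypted, but an on-path attacker could impersonate the relay.
        node["InsecureForTests"] = True
    return {"RegionID": region_id, "RegionCode": code,
            "RegionName": name, "Nodes": [node]}


def build_derp_map(regions, disable_default_regions=(), omit_all_defaults=False):
    """Assemble the derpMap. A default region set to null is removed; any
    default region not listed stays available as a fallback relay."""
    table = {str(r["RegionID"]): r for r in regions}
    for rid in disable_default_regions:
        table[str(rid)] = None
    return {"OmitDefaultRegions": omit_all_defaults, "Regions": table}


def required_firewall_rules(derp_map):
    """Inbound (host, proto, port) tuples the VPS security group must allow."""
    rules = []
    for region in derp_map["Regions"].values():
        if region is None:
            continue
        for node in region["Nodes"]:
            rules.append((node["HostName"], "tcp", node.get("DERPPort", 443)))
            rules.append((node["HostName"], "udp", node.get("STUNPort", 3478)))
    return rules


def lint_derp_map(derp_map):
    """Warnings a reviewer would raise before pasting the map into the policy."""
    warnings = []
    regions = derp_map["Regions"]
    custom = [r for r in regions.values() if r is not None]
    if not custom:
        warnings.append("no custom region defined")
    for region in custom:
        for node in region["Nodes"]:
            if node["RegionID"] != region["RegionID"]:
                warnings.append(f"node {node['Name']}: RegionID differs from its region")
            if node.get("InsecureForTests"):
                warnings.append(f"region {region['RegionID']}: TLS verification "
                                f"disabled for {node['HostName']}")
    nulled = [k for k, v in regions.items() if v is None]
    if derp_map["OmitDefaultRegions"]:
        if nulled:
            warnings.append("OmitDefaultRegions already drops defaults; null entries are redundant")
        if len(custom) == 1:
            warnings.append("single custom region with no default fallback: "
                            "if it goes down, relayed peers lose connectivity")
    return warnings


if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for your_server_IP.
    shanghai = build_derp_region(901, "sh", "Shanghai Aliyun", "203.0.113.10",
                                 derp_port=59443, insecure=True)
    derp_map = build_derp_map([shanghai], disable_default_regions=[1, 2, 4, 6])
    print(json.dumps({"derpMap": derp_map}, indent=2))
    for host, proto, port in required_firewall_rules(derp_map):
        print(f"allow inbound {proto}/{port} to {host}")
    for warning in lint_derp_map(derp_map):
        print("warning:", warning)
```

Paste the printed "derpMap" object into the policy file at top level; the lint output is the checklist to read before saving.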

3. Restart Tailscale Client

After changing the policy, every device needs to pick up the new DERP map; the simplest way is to restart the Tailscale client on each of them:

On Mac:

# Disconnect
/Applications/Tailscale.app/Contents/MacOS/Tailscale down

# Reconnect. tailscale up refuses to run if you omit flags that were set
# earlier, so repeat the full set you use (here, subnet routing)
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --advertise-routes=192.168.31.0/24 --accept-routes

On Android:

  • Open Settings -> Apps -> Tailscale -> Force Stop
  • Restart the Tailscale app

On iOS/iPadOS:

  • Toggle the connection off and on in the Tailscale app

Afterwards, tailscale netcheck on each machine should list your custom region among the DERP servers.

Mac Mini + Surge as Gateway and DHCP Server

Surge DHCP Server Setup

Surge is a macOS network tool that, running on the Mac mini, can act as the home network's DHCP server and gateway.

1. Set Surge as DHCP Server

  1. Open Surge for Mac
  2. Click the Surge icon in menu bar
  3. Select "More Features" -> "Gateway Mode"
  4. Click "Open Settings"
  5. In Gateway Mode panel:
    • Enable "DHCP Server"
    • Set DHCP IP range (e.g., 192.168.31.100 - 192.168.31.200)
    • Set gateway IP (Mac mini's IP address, e.g., 192.168.31.1)
    • Set DNS server (usually Surge's internal DNS: 198.18.0.2)

2. Configure Mac Network Settings

  1. Set a static IP for the Mac mini (the same address you entered as gateway IP above):
    • Open System Settings -> Network
    • Select the main network connection (Ethernet or Wi-Fi)
    • Configure IPv4: Manual
    • Set the IP address (e.g., 192.168.31.1)
    • Set the subnet mask (usually 255.255.255.0)
    • Set the router address to the upstream router's IP

The Mac mini's address and the upstream router's address must differ. If the upstream router already answers on 192.168.31.1, give the Mac mini another address in the subnet, outside the DHCP pool, and use that as the DHCP gateway IP.

3. Enable IP Forwarding

Execute in the Mac terminal:

# Enable temporarily
sudo sysctl -w net.inet.ip.forwarding=1

# Enable permanently
echo "net.inet.ip.forwarding=1" | sudo tee -a /etc/sysctl.conf

Check the value after a reboot with sysctl net.inet.ip.forwarding; if it has reverted to 0, run the sysctl -w command from a launchd job at boot instead.
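The three Surge/macOS steps above are easy to get subtly wrong: a gateway inside the DHCP pool, a Mac mini that collides with the upstream router, or an advertised route that overlaps Tailscale's own 100.64.0.0/10. The following Python check, added here as an example rather than taken from Surge or Tailscale, validates such a plan before you touch the settings. The upstream router address 192.168.31.254 in the usage block is an assumed value; the other addresses are the ones used in this guide.

```python
import ipaddress

# Tailscale hands out addresses from this CGNAT range; a LAN that overlaps it
# cannot be advertised cleanly as a subnet route.
TAILSCALE_RANGE = ipaddress.ip_network("100.64.0.0/10")


def check_gateway_plan(lan_cidr, gateway_ip, dhcp_start, dhcp_end,
                       upstream_router_ip, advertised_routes):
    """Return a list of problems with a Mac mini gateway / DHCP / subnet-route
    plan; an empty list means the addresses are consistent."""
    problems = []
    lan = ipaddress.ip_network(lan_cidr, strict=True)  # rejects host bits set
    gateway = ipaddress.ip_address(gateway_ip)
    upstream = ipaddress.ip_address(upstream_router_ip)
    start = ipaddress.ip_address(dhcp_start)
    end = ipaddress.ip_address(dhcp_end)

    # Every address must live inside the LAN and be a usable host address.
    for label, addr in (("gateway", gateway), ("upstream router", upstream),
                        ("DHCP start", start), ("DHCP end", end)):
        if addr not in lan:
            problems.append(f"{label} {addr} is outside {lan}")
        elif addr in (lan.network_address, lan.broadcast_address):
            problems.append(f"{label} {addr} is the network or broadcast address")

    if start > end:
        problems.append("DHCP range start is after its end")
    if start <= gateway <= end:
        problems.append("gateway address lies inside the DHCP pool; a lease could collide with it")
    if start <= upstream <= end:
        problems.append("upstream router address lies inside the DHCP pool")
    if gateway == upstream:
        problems.append("Mac mini and upstream router share one address; give the Mac mini "
                        "a different static IP and use that as the DHCP gateway")

    # The route advertised to the tailnet must cover the LAN and must not
    # collide with the tailnet's own address space.
    for route in advertised_routes:
        net = ipaddress.ip_network(route, strict=True)
        if net.overlaps(TAILSCALE_RANGE):
            problems.append(f"advertised route {net} overlaps Tailscale's {TAILSCALE_RANGE}")
        if not lan.subnet_of(net):
            problems.append(f"advertised route {net} does not cover the LAN {lan}")
    return problems


if __name__ == "__main__":
    # Addresses from the guide; the upstream router address is an assumed example.
    plan = dict(lan_cidr="192.168.31.0/24", gateway_ip="192.168.31.1",
                dhcp_start="192.168.31.100", dhcp_end="192.168.31.200",
                upstream_router_ip="192.168.31.254",
                advertised_routes=["192.168.31.0/24"])
    for problem in check_gateway_plan(**plan) or ["plan looks consistent"]:
        print(problem)
```

Run it with your own values before configuring Surge; each returned line is one setting to change.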

Configure Mac Mini as Tailscale Subnet Router

1. Set Up Tailscale Subnet Routing

# Execute in Mac terminal
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --advertise-routes=192.168.31.0/24 --accept-routes

2. Approve Routes in Tailscale Admin Console

  1. Log into Tailscale admin console
  2. Go to "Machines" page
  3. Find Mac mini device
  4. Click "...", select "Edit route settings"
  5. Approve 192.168.31.0/24 subnet route

3. Ensure Surge Configuration is Correct

Add rules to the Surge configuration so that tailnet and LAN traffic goes DIRECT rather than through a proxy. Surge evaluates rules top to bottom, so place these IP-CIDR rules before any catch-all FINAL rule:

# Add to Surge rule set
IP-CIDR,100.64.0.0/10,DIRECT
IP-CIDR,192.168.31.0/24,DIRECT

Setting Up Exit Node

Tailscale can set specific devices as exit nodes, allowing other devices' traffic to access the internet through that node.

1. Configure Exit Node on Overseas Server

Linux Server Setup

  1. Install Tailscale:

    curl -fsSL https://tailscale.com/install.sh | sh
    
  2. Enable IP forwarding:

    echo 'net.ipv4.ip_forward = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    echo 'net.ipv6.conf.all.forwarding = 1' | sudo tee -a /etc/sysctl.d/99-tailscale.conf
    sudo sysctl -p /etc/sysctl.d/99-tailscale.conf
    
  3. Set server as Exit Node:

    sudo tailscale up --advertise-exit-node
    

Allow Exit Node in Console

  1. Log into Tailscale admin console
  2. Find that server
  3. Click "...", select "Edit..."
  4. Check "Use as exit node"
  5. Click "Save"

2. Use Exit Node on Other Devices

macOS

# Command line setup
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --exit-node=<exit_node_IP_or_name>

# Allow local network access while using exit node
/Applications/Tailscale.app/Contents/MacOS/Tailscale up --exit-node=<exit_node_IP_or_name> --exit-node-allow-lan-access

Can also set through GUI:

  1. Click Tailscale icon in menu bar
  2. Select "Settings"
  3. Find "Use Exit Node" option
  4. Select your exit node

iOS/Android

  1. Open Tailscale app
  2. Go to "Settings"
  3. Click "Exit Node"
  4. Select your configured exit node
  5. If you need to access local network, enable "Allow LAN access"

Windows

  1. Right-click Tailscale icon in system tray
  2. Select "Settings"
  3. Select exit node in "Exit Node" dropdown menu

Connection Checking and Troubleshooting

1. Check Whether Devices Are Directly Connected

# Execute in the Mac terminal (use the peer's 100.x.y.z address or hostname)
/Applications/Tailscale.app/Contents/MacOS/Tailscale ping 100.xx.xx.xx

# View connection details for every peer
/Applications/Tailscale.app/Contents/MacOS/Tailscale status --peers

tailscale ping prints the path each reply took: "via DERP(sh)" while relayed through your region, and "via <ip>:<port>" once a direct path exists (it keeps pinging until the connection upgrades to direct or it gives up). In tailscale status, each peer line ends with either "direct <ip>:<port>" or "relay "<region>""; a relay code that is not yours means that device is still using a default region.
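To check every peer at once, and to confirm the new derpMap actually took effect, tailscale status --json gives a machine-readable version of the same information. The Python script below, an added example not from the article or from Tailscale, classifies each peer as direct, relayed or offline and lists the peers still relayed through a region other than yours. The embedded status document is constructed; the field names it reads (CurAddr, Relay, Online, HostName, TailscaleIPs) are taken from tailscale's ipnstate.PeerStatus, so verify them against your own client's output.

```python
import json

# Constructed sample of `tailscale status --json` output, trimmed to the fields
# read below. CurAddr is empty while a peer is relayed; Relay is the DERP
# region code the peer calls home. Check against your own client version.
SAMPLE_STATUS = """
{
  "Self": {"HostName": "mac-mini", "TailscaleIPs": ["100.64.0.1"], "Relay": "sh"},
  "Peer": {
    "nodekey:aaaa": {"HostName": "iphone", "TailscaleIPs": ["100.64.0.2"],
                     "CurAddr": "", "Relay": "sh", "Online": true, "Active": true},
    "nodekey:bbbb": {"HostName": "vps-exit", "TailscaleIPs": ["100.64.0.3"],
                     "CurAddr": "198.51.100.7:41641", "Relay": "sh", "Online": true, "Active": true},
    "nodekey:cccc": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.4"],
                     "CurAddr": "", "Relay": "nyc", "Online": true, "Active": true},
    "nodekey:dddd": {"HostName": "old-phone", "TailscaleIPs": ["100.64.0.5"],
                     "CurAddr": "", "Relay": "", "Online": false, "Active": false}
  }
}
"""


def home_derp(status_json):
    """DERP region this node itself prefers; after the ACL change it should
    be your custom region code (e.g. "sh")."""
    return json.loads(status_json)["Self"].get("Relay", "")


def classify_peers(status_json):
    """Map each peer's hostname to the path currently in use."""
    status = json.loads(status_json)
    report = {}
    for peer in status.get("Peer", {}).values():
        name = peer.get("HostName") or peer["TailscaleIPs"][0]
        if not peer.get("Online"):
            report[name] = "offline"
        elif peer.get("CurAddr"):
            report[name] = "direct via " + peer["CurAddr"]
        elif peer.get("Relay"):
            report[name] = "relay via DERP " + peer["Relay"]
        else:
            report[name] = "no path yet"
    return report


def peers_not_using(status_json, expected_region):
    """Online peers that are relayed via some region other than expected_region.
    After pushing a derpMap, a non-empty list means a client has not picked up
    the new map yet (restart it) or still prefers another region."""
    status = json.loads(status_json)
    stragglers = []
    for peer in status.get("Peer", {}).values():
        relayed = peer.get("Online") and not peer.get("CurAddr") and peer.get("Relay")
        if relayed and peer["Relay"] != expected_region:
            stragglers.append((peer.get("HostName", "?"), peer["Relay"]))
    return stragglers


if __name__ == "__main__":
    print("home DERP:", home_derp(SAMPLE_STATUS))
    for name, path in classify_peers(SAMPLE_STATUS).items():
        print(f"{name:12} {path}")
    for name, region in peers_not_using(SAMPLE_STATUS, "sh"):
        print(f"{name} is still relayed via {region}, not the self-hosted region")
```

On a real machine, feed it the live output, for example tailscale status --json | python3 this_script.py, after changing the __main__ block to read sys.stdin instead of SAMPLE_STATUS.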

2. Network Environment Check

# Run network check
/Applications/Tailscale.app/Contents/MacOS/Tailscale netcheck

This will show NAT type, available DERP servers, and latency information.

3. Common Troubleshooting

Container Startup Failure

# Check logs
docker logs derper

# If the host port is already taken, recreate the container on another
# port, and update DERPPort in the derpMap to match
docker rm -f derper
docker run --restart always --name derper -d -p 12345:443 -p 3478:3478/udp ghcr.io/yangchuansheng/ip_derper:latest

Connection Still Slow

# Check network status
/Applications/Tailscale.app/Contents/MacOS/Tailscale netcheck

# Confirm client has been restarted
/Applications/Tailscale.app/Contents/MacOS/Tailscale down
/Applications/Tailscale.app/Contents/MacOS/Tailscale up

Port Occupied

# Find the process listening on the port (ss -tulpn works the same on
# systems without netstat)
netstat -tulpn | grep -E '59443|3478'

# Often it is an earlier derper container; remove that rather than killing blindly
docker ps --filter name=derper

# Otherwise stop the process by PID (plain kill first; -9 only if it ignores that)
kill process_ID

Subnet Routing Cannot Be Accessed

  1. Check if IP forwarding is enabled
  2. Confirm route is approved in console
  3. Check firewall rules
  4. Confirm rules are configured correctly in Surge

Optimization Recommendations

  1. Choose an Appropriate Server Location: pick a server close to where your devices actually are; the region latency shown by netcheck is the number to minimise
  2. MTU: tailscale up has no --mtu flag; the tunnel interface already uses a conservative MTU of 1280 by default. If large transfers stall while pings work, suspect the MTU of the underlying link (PPPoE or VPN uplinks) rather than the tunnel
  3. Multi-Node Deployment: deploy DERP nodes in several regions to improve availability, and keep at least one fallback region in the derpMap
  4. Monitor the Service: check regularly that the DERP container is running, and watch its traffic for use by nodes that are not in your tailnet
  5. Combined Use of Exit Nodes: deploy several exit nodes in different regions and switch as needed


Enjoy using it! If you have any questions, feel free to discuss in the community.
