Tailscale is a very convenient networking tool that lets devices in different network environments, even in different countries and regions, join the same virtual local area network. However, the official DERP relay servers are located abroad, and when NAT hole punching fails, the latency of relayed traffic can be very high. Deploying one or more DERP servers domestically (or as close as possible to where the network is used) reduces relay latency and improves access speed.
If you are self-hosting Headscale, building your own DERP server is necessary anyway.
Headscale ships with a built-in DERP server, but I do not recommend using it: heavy relay traffic can interfere with the normal transmission of control information.
Preparation
You need a server with a public IP, with TCP 80, TCP 443 and UDP 3478 opened in the firewall. You also need a domain name, with a DNS record pointing it at the server.
Please note: if you plan to use a server in mainland China, the domain name must also have completed ICP filing.
Install Golang
Before proceeding, install Golang on the server. Refer to the instructions on go.dev for the specific steps, which are not repeated here.
Compile and Install
Execute the following commands in order (the build target must be written as a relative path, ./cmd/derper, otherwise go tries to resolve it as a standard-library package):
git clone https://github.com/tailscale/tailscale.git
cd tailscale
go build ./cmd/derper
sudo mv derper /usr/sbin/derper
Install System Service
Write the following content into /etc/systemd/system/derper.service:
[Unit]
Description=Derper
Wants=network-pre.target
After=network-pre.target NetworkManager.service systemd-resolved.service
[Service]
ExecStart=/usr/sbin/derper --hostname replace_with_your_prepared_domain -a :443 -http-port 80 -certmode letsencrypt --certdir /var/lib/derper/certs
Restart=on-failure
[Install]
WantedBy=multi-user.target
Then create the data directory (it is owned by root, so this also needs sudo), reload systemd, and enable and start the service:
sudo mkdir -p /var/lib/derper
sudo systemctl daemon-reload
sudo systemctl enable derper
sudo systemctl start derper
Configure Tailscale
1. Modify ACL
Go to the Tailscale admin console, open the Access controls tab, and edit the policy file:
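As an added illustration (not the original post's policy file), this is the derpMap section that registers the self-built server in the tailnet policy, which is HuJSON and therefore accepts comments. The region code and name are chosen so that the netcheck output in the next step reads as shown; the region ID, the node name and the hostname placeholder are assumptions to replace with your own values.

```json
{
  // other policy sections (acls, tagOwners, ...) stay as they are
  "derpMap": {
    // false keeps Tailscale's public DERP regions as a fallback;
    // true makes relaying depend on your own server alone
    "OmitDefaultRegions": false,
    "Regions": {
      // use an ID in the 900-999 range so it does not collide
      // with Tailscale's own regions
      "900": {
        "RegionID": 900,
        // shown by `tailscale netcheck` as: my_derper: ... (My Derper)
        "RegionCode": "my_derper",
        "RegionName": "My Derper",
        "Nodes": [
          {
            "Name": "1",
            "RegionID": 900,
            // placeholder: the domain passed to derper via --hostname
            "HostName": "replace_with_your_prepared_domain",
            // must match the derper flags and the opened firewall ports
            "DERPPort": 443,
            "STUNPort": 3478
          }
        ]
      }
    }
  }
}
```

Keep OmitDefaultRegions at false until the new region shows up in netcheck; with true, a misconfigured server leaves the tailnet with no working relay.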
2. Verify
On a client connected to Tailscale, run tailscale netcheck and check whether the output lists the self-built DERP server:
Report:
* Time: 2025-07-30T15:17:57.176736Z
* UDP: true
* IPv4: yes, 127.0.0.1:114514
* IPv6: no, but OS has support
* MappingVariesByDestIP: true
* PortMapping:
* CaptivePortal: false
* Nearest DERP: My Derper
* DERP latency:
- my_derper: 162ms (My Derper)
Set Up Client Verification
By default, the self-built DERP server can be used by any Tailscale user who knows its address (including other Headscale instances). Enabling client verification restricts it to nodes of your own network.
1. Install Tailscale on the Server
Install Tailscale on the server and join it to your network. Refer to the official website for the specific steps, which are not repeated here.
2. Modify Configuration
Add the -verify-clients parameter to the ExecStart line of the systemd service file written earlier. The modified file should look something like this:
Then restart the service: