According to the official documentation, if you want to use the DERP_VERIFY_CLIENTS Option on a custom derp server, you need to install a tailscale instance. Does this mean that the existing dockerfile cannot enable the DERP_VERIFY_CLIENTS Option? Because I don’t see the steps to install tailscale in the dockerfile.

official documentation : https://tailscale.com/kb/1118/custom-derp-servers#step-2-adding-derp-servers-to-your-tailnet

derper seems to parse boolean argument solely based on whether the corresponding command line flag exists or not, regardless of its value, so passing in --stun false or --verify-clients false has no effect. We might need to stop passing these flags to derper when DERP_STUN and DERP_VERIFY_CLIENTS are not set to true.

I can't think of a clean way to do this without introducing an entrypoint script. Any ideas?

Hi there,

I noticed that the example in README reads:

docker run -e DERP_DOMAIN=derper.your-domain.com -p 80:80 -p 443:443 -p 3478:3478 fredliang/derper

But 3478 port in the docker instance is a UDP port. Please update it. Thanks.

I am trying to run a derper container behind a traefik proxy. I am not sure what I am doing wrong, but my config seems to work until I turn on verification.
Here is my service:

services:
  derp:
    image: fredliang/derper:latest
    container_name: tail-derp
    restart: unless-stopped
    environment:
      DERP_DOMAIN: derper.your-hostname.com
      DERP_ADDR: :80
      DERP_STUN: 'true'
      DERP_STUN_PORT: 3478
      DERP_HTTP_PORT: 443
      DERP_VERIFY_CLIENTS: 'true'
    networks:
      - web
    labels:
      traefik.enable: 'true'
      traefik.http.routers.derper.rule: Host(`derper.your-hostname.com`)
      traefik.http.routers.derper.tls.certresolver: myresolver
      traefik.http.routers.derper.entrypoints: websecure
      traefik.http.services.derper.loadbalancer.server.port: 80
      traefik.udp.routers.derper.entrypoints: stun
      traefik.udp.services.derper.loadbalancer.server.port: 3478

Derper is giving me constant errors like:

...
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: read EOF
2023/05/28 01:09:27 derp client 172.19.0.19:50580/<id>: removing connection
...

where 172.19.0.19 is the docker IP address of traefik, my reverse proxy. The service is available at https://derper.your-hostname.com and I also get the webpage, but it seems like I am missing something.

Sometimes I also do get errors like this:

...
2023/05/28 00:54:42 derp: 172.19.0.19:55912: client <id> rejected: client nodekey:<node key> not in set of peers
...

DERP_HOSTNAME in Readme is wrong, should use DERP_DOMAIN

Change ENV DERP_CERT_DIR /app/certs to ENV DERP_CERT_DIR /app/cert

自己编辑掉，问题主要是docker版本不够高，18和20都跑不了，必须要20.10.23以上版本