From 94b229abd0a59edfc6b860679aea21a3b17f2983 Mon Sep 17 00:00:00 2001
From: Jake Howard
Date: Sun, 22 Sep 2024 16:21:21 +0100
Subject: [PATCH] Use Tailscale's DERP servers

Close another port, and hopefully get a little more reliability in weird network configurations
---
 ansible/roles/headscale/files/headscale.yml | 5 +++--
 terraform/casey_vps.tf | 11 +----------
 2 files changed, 4 insertions(+), 12 deletions(-)

diff --git a/ansible/roles/headscale/files/headscale.yml b/ansible/roles/headscale/files/headscale.yml
index 1315559..34825b9 100644
--- a/ansible/roles/headscale/files/headscale.yml
+++ b/ansible/roles/headscale/files/headscale.yml
@@ -77,7 +77,7 @@ derp:
 server:
 # If enabled, runs the embedded DERP server and merges it into the rest of the DERP config
 # The Headscale server_url defined above MUST be using https, DERP requires TLS to be in place
- enabled: true
+ enabled: false
 # Region ID to use for the embedded DERP server.
 # The local DERP prevails if the region ID collides with other region ID coming from
@@ -95,7 +95,8 @@ derp:
 stun_listen_addr: 0.0.0.0:3478
 # List of externally available DERP maps encoded in JSON
- urls: []
+ urls: - https://controlplane.tailscale.com/derpmap/default
 # Locally available DERP map files encoded in YAML
 #
diff --git a/terraform/casey_vps.tf b/terraform/casey_vps.tf
index a042b7b..0feb52e 100644
--- a/terraform/casey_vps.tf
+++ b/terraform/casey_vps.tf
@@ -76,22 +76,13 @@ resource "linode_firewall" "casey" {
 }
 inbound {
- label = "allow-inbound-headscale"
+ label = "allow-inbound-tailscale"
 action = "ACCEPT"
 protocol = "UDP"
 ports = "41641"
 ipv4 = ["0.0.0.0/0"]
 ipv6 = ["::/0"]
 }
-
- inbound {
- label = "allow-inbound-stun"
- action = "ACCEPT"
- protocol = "UDP"
- ports = "3478"
- ipv4 = ["0.0.0.0/0"]
- ipv6 = ["::/0"]
- }
 }
 resource "linode_rdns" "casey_reverse_ipv4" {
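Review bot: Pointing `urls` at `https://controlplane.tailscale.com/derpmap/default` makes relay selection for this self-hosted headscale depend on a map fetched at runtime from a third party, which is a trust and availability dependency the commit message does not mention. Relayed traffic stays WireGuard-encrypted end to end so the relays cannot read it, but Tailscale's DERP servers now observe peer IPs, node public keys and connection timing, and whoever controls that URL decides which relays clients use; presumably the map is re-fetched on headscale's `update_frequency` interval, so behaviour on a failed fetch or an unreachable relay set is worth testing. I'd record this next to the key: `# Third-party relays: traffic stays WireGuard-encrypted, but Tailscale sees peer IPs/keys and controls relay choice`. Separately, with `enabled: false` the `stun_listen_addr: 0.0.0.0:3478` left in this hunk's context is dead config now that UDP 3478 is closed at the firewall; confirm headscale no longer binds it when the embedded server is off (I believe STUN is only started with it) and consider commenting the key out or annotating it as inert.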