This comprehensive guide details the implementation of a rootless Tailscale configuration, including optional DERP server deployment and SOCKS5 proxy integration. This setup enables secure mesh networking without requiring root privileges, making it ideal for restricted environments and container-based deployments.
Core Components Overview
- Tailscale daemon (tailscaled) in userspace networking mode
- Optional SOCKS5 proxy configuration for service access
- Custom DERP server deployment for optimized peer-to-peer connectivity
1. Tailscaled Deployment in Userspace Mode
1.1 Binary Acquisition
Obtain the static tailscaled binary from the official repository. The archive name carries the release version, so substitute a real version for the placeholder (a shell glob does not work inside a URL); the archive unpacks into a directory of the same name, which holds both tailscale and tailscaled:
TAILSCALE_VERSION="x.y.z"   # placeholder: use a release listed at https://pkgs.tailscale.com/stable/
curl -O "https://pkgs.tailscale.com/stable/tailscale_${TAILSCALE_VERSION}_amd64.tgz"
tar xzf "tailscale_${TAILSCALE_VERSION}_amd64.tgz"
cd "tailscale_${TAILSCALE_VERSION}_amd64"
1.2 Daemon Configuration
Initialize the tailscale daemon with userspace networking:
# Environment Configuration
export TAILSCALED_SOCKET="/tmp2/${USER}/tailscaled.sock"
export TAILSCALED_STATE="${PWD}/tailscaled.state"
# The socket directory must exist before the daemon starts; keep it private to the current user
mkdir -p -m 0700 "$(dirname "${TAILSCALED_SOCKET}")"
# Launch Daemon
./tailscaled \
--tun=userspace-networking \
--state="${TAILSCALED_STATE}" \
--socket="${TAILSCALED_SOCKET}"
1.3 Client Operations
Execute tailscale commands using the custom socket:
# Authentication
./tailscale --socket="${TAILSCALED_SOCKET}" login
# Network Status
./tailscale --socket="${TAILSCALED_SOCKET}" status
# Additional Operations
./tailscale --socket="${TAILSCALED_SOCKET}" <command>
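The three steps above, carried through as one script. This is an added example, not code from the original guide or from Tailscale: it downloads the release named by a TAILSCALE_VERSION placeholder, keeps the socket and state file in a runtime directory that only the current user can enter (the assumed location $HOME/.local/run/tailscale is this example's own choice), waits a bounded time for the control socket to appear instead of racing the daemon, and refuses to continue if the directory or state file turns out to be readable by others, which is the socket-permission and state-file point raised under Security Considerations below.

```shell
#!/bin/sh
# Added example, not code from the original guide: bootstrap a rootless tailscaled
# with a private runtime directory, a 0600 state file and a bounded wait for the
# control socket. Assumptions (not on the page): the $HOME/.local/run/tailscale
# location and the TAILSCALE_VERSION placeholder, which must be set to a real release.

TAILSCALE_VERSION="${TAILSCALE_VERSION:-x.y.z}"             # placeholder, set to a release
RUNTIME_DIR="${RUNTIME_DIR:-$HOME/.local/run/tailscale}"   # assumed location
TAILSCALED_SOCKET="$RUNTIME_DIR/tailscaled.sock"
TAILSCALED_STATE="$RUNTIME_DIR/tailscaled.state"

# Return 0 only if the path exists, is owned by the current user and has no
# group/other permission bits; used for the runtime directory and state file.
path_is_private() {
    p="$1"
    [ -e "$p" ] || return 1
    entry=$(ls -ldn "$p") || return 1
    # ls -ldn prints e.g. "drwx------ 2 1000 1000 ...": columns 5-10 are the
    # group and other bits, field 3 is the numeric owner.
    case "$(printf '%s\n' "$entry" | cut -c5-10)" in
        ------) ;;
        *) return 1 ;;
    esac
    [ "$(printf '%s\n' "$entry" | awk '{print $3}')" = "$(id -u)" ]
}

# Create the runtime directory closed to everyone else and refuse to use a
# pre-existing one that someone else owns (the shared-/tmp trap).
prepare_runtime_dir() {
    mkdir -p "$1" && chmod 0700 "$1" && path_is_private "$1"
}

# Poll for tailscaled's UNIX socket for up to $2 seconds.
wait_for_socket() {
    sock="$1"; left="$2"
    while [ "$left" -gt 0 ]; do
        [ -S "$sock" ] && return 0
        sleep 1
        left=$((left - 1))
    done
    return 1
}

main() {
    set -eu
    prepare_runtime_dir "$RUNTIME_DIR"
    umask 077   # files tailscaled creates from here on (state, log) start out 0600
    if [ ! -x ./tailscaled ]; then
        curl -fsSLO "https://pkgs.tailscale.com/stable/tailscale_${TAILSCALE_VERSION}_amd64.tgz"
        tar xzf "tailscale_${TAILSCALE_VERSION}_amd64.tgz"
        # the archive unpacks into tailscale_<version>_amd64/
        cp "tailscale_${TAILSCALE_VERSION}_amd64/tailscale" \
           "tailscale_${TAILSCALE_VERSION}_amd64/tailscaled" .
    fi
    ./tailscaled --tun=userspace-networking \
        --state="$TAILSCALED_STATE" --socket="$TAILSCALED_SOCKET" \
        >"$RUNTIME_DIR/tailscaled.log" 2>&1 &
    wait_for_socket "$TAILSCALED_SOCKET" 15 \
        || { echo "tailscaled did not create $TAILSCALED_SOCKET; see $RUNTIME_DIR/tailscaled.log" >&2; exit 1; }
    # Audit what was created before handing the socket path to clients.
    for p in "$RUNTIME_DIR" "$TAILSCALED_STATE"; do
        [ ! -e "$p" ] || path_is_private "$p" \
            || { echo "refusing to continue: $p is readable by others" >&2; exit 1; }
    done
    ./tailscale --socket="$TAILSCALED_SOCKET" login
    ./tailscale --socket="$TAILSCALED_SOCKET" status
}

# Only start the daemon when asked explicitly: sh rootless-tailscaled.sh run
if [ "${1:-}" = "run" ]; then main; fi
```

The ownership check matters more than the mode check: a 0700 directory that another user pre-created at the same path is still theirs, so the script compares the numeric owner with id -u rather than trusting the permission bits alone.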
2. SOCKS5 Proxy Integration
2.1 Enhanced Daemon Configuration
Extend the daemon configuration with SOCKS5 proxy support. Both listeners bind to localhost, so only processes on this host can use them; giving --socks5-server and --outbound-http-proxy-listen the same address is supported, and tailscaled then serves SOCKS5 and HTTP CONNECT on that single port:
./tailscaled \
--tun=userspace-networking \
--state="${TAILSCALED_STATE}" \
--socket="${TAILSCALED_SOCKET}" \
--socks5-server=localhost:21055 \
--outbound-http-proxy-listen=localhost:21055
2.2 Proxychains Configuration
Create a proxychains configuration file (proxychains.conf):
# Core Settings
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
# Proxy Definition
[ProxyList]
socks5 127.0.0.1 21055
2.3 Proxy Usage Examples
# Proxified SSH Connection
proxychains -f proxychains.conf -q ssh user@tailnet-host
# Shell Environment Proxification
proxychains -f proxychains.conf -q "${SHELL}"
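A pre-flight check for the proxychains setup, added here as an example and not part of the original guide. It parses proxychains.conf, confirms that the socks5 entry points at the address tailscaled was started with (a mismatched port makes proxychains connect to nothing), and confirms proxy_dns and strict_chain are present, since without proxy_dns hostname lookups leave the tunnel. The sample configuration it writes is constructed for the example and mirrors the values used on this page; the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original guide: check a proxychains.conf against
# the address tailscaled was started with before routing anything through it.
# The two silent failures this catches are a port mismatch (proxychains connects
# to nothing) and a missing proxy_dns (name lookups leave the tunnel). The sample
# config is constructed here; its SOCKS address mirrors the one used on this page.

# Print "host port" of the first socks5 entry under [ProxyList].
proxychains_socks5_endpoint() {
    awk '
        /^\[ProxyList\]/ { inlist = 1; next }
        inlist && $1 == "socks5" { print $2, $3; exit }
    ' "$1"
}

# Return 0 if a global option such as proxy_dns is present (not commented out).
proxychains_has_option() {
    grep -Eq "^[[:space:]]*$2([[:space:]]|\$)" "$1"
}

# Compare the config with the --socks5-server value given to tailscaled.
check_proxychains() {
    conf="$1"; expected="$2"
    endpoint=$(proxychains_socks5_endpoint "$conf")
    [ -n "$endpoint" ] || { echo "no socks5 entry in $conf" >&2; return 1; }
    host=${endpoint% *}; port=${endpoint#* }
    want_host=${expected%:*}; want_port=${expected##*:}
    # tailscaled accepts "localhost"; proxychains needs a literal IP, so treat
    # the two as the same endpoint.
    case "$want_host" in localhost) want_host=127.0.0.1 ;; esac
    if [ "$host" != "$want_host" ] || [ "$port" != "$want_port" ]; then
        echo "proxychains targets $host:$port but tailscaled listens on $expected" >&2
        return 1
    fi
    proxychains_has_option "$conf" proxy_dns \
        || { echo "proxy_dns missing: DNS queries would bypass the SOCKS5 proxy" >&2; return 1; }
    proxychains_has_option "$conf" strict_chain \
        || { echo "strict_chain not set (this guide expects it)" >&2; return 1; }
}

# Constructed sample config matching the values used on this page.
write_sample_conf() {
    cat >"$1" <<'EOF'
strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks5 127.0.0.1 21055
EOF
}

# Usage: sh check-proxychains.sh run  (proxifies the SSH command once the check passes)
if [ "${1:-}" = "run" ]; then
    conf="${PROXYCHAINS_CONF:-proxychains.conf}"
    [ -f "$conf" ] || write_sample_conf "$conf"
    check_proxychains "$conf" localhost:21055 \
        && proxychains -f "$conf" -q ssh user@tailnet-host
fi
```

Run the check with the same host:port string you pass to tailscaled so the two configurations are compared against one source of truth.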
3. DERP Server Implementation
3.1 Prerequisites
Install the DERP server implementation:
go install tailscale.com/cmd/derper@main
3.2 TLS Certificate Generation
Generate self-signed certificates for the DERP server (in manual certificate mode derper looks for <hostname>.crt and <hostname>.key in the certificate directory, so the file names below must match the hostname passed to it):
# Configuration
export DERP_DOMAIN="derp.example.com" # or IP address
export DERP_PORT=28443
export STUN_PORT=23478
# Certificate Generation
openssl req -x509 \
-newkey rsa:4096 \
-sha256 \
-days 3650 \
-nodes \
-keyout "${DERP_DOMAIN}.key" \
-out "${DERP_DOMAIN}.crt" \
-subj "/CN=${DERP_DOMAIN}" \
-addext "subjectAltName=DNS:${DERP_DOMAIN}"   # use IP:<address> instead of DNS:<name> when DERP_DOMAIN is an IP address
3.3 DERP Server Deployment
Launch the DERP server with custom configuration:
~/go/bin/derper \
-hostname="${DERP_DOMAIN}" \
-http-port=-1 \
-a=":${DERP_PORT}" \
-stun-port="${STUN_PORT}" \
-certmode manual \
-certdir "${PWD}" \
-c derp_config.json
3.4 ACL Configuration
Add the DERP server configuration to your Tailscale ACLs (the tailnet policy file):
{
  "derpMap": {
    "Regions": {
      "900": {
        "RegionID": 900,
        "RegionCode": "CUSTOM_DERP_01",
        "Nodes": [
          {
            "Name": "custom-derp-1",
            "RegionID": 900,
            "DERPPort": 28443,
            "STUNPort": 23478,
            "HostName": "derp.example.com",
            "InsecureForTests": true
          }
        ]
      }
    }
  }
}
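Steps 3.2 to 3.4 as one script. This is an added example, not code from the original guide or from the derper project: it picks the SAN type from what DERP_DOMAIN actually contains (the page allows an IP address there, and an IP literal needs an IP: SAN rather than DNS: for clients to accept the certificate), reads the SAN back off the generated certificate as a check, renders the derpMap fragment from the same DERP_PORT and STUN_PORT variables so the ACL cannot drift from the ports derper listens on, and then starts derper with the flags used above. Defaults mirror the page; the helper names and the derpmap.json output file are this example's own.

```shell
#!/bin/sh
# Added example, not code from the original guide: create the DERP certificate
# with a SAN that matches what DERP_DOMAIN actually holds (the page allows an IP
# address there, and an IP literal needs an IP: SAN, not DNS:), check the SAN on
# the resulting certificate, and render the ACL derpMap from the same variables
# so the ports in the ACL cannot drift from the ports derper listens on.
# Defaults mirror the page; the helper names are this example's own.

DERP_DOMAIN="${DERP_DOMAIN:-derp.example.com}"
DERP_PORT="${DERP_PORT:-28443}"
STUN_PORT="${STUN_PORT:-23478}"

# "IP:<addr>" for an IPv4/IPv6 literal, "DNS:<name>" for a hostname.
san_for_host() {
    case "$1" in
        *:*)        printf 'IP:%s\n' "$1" ;;   # IPv6 literal
        *[!0-9.]*)  printf 'DNS:%s\n' "$1" ;;  # contains letters or dashes: hostname
        *)          printf 'IP:%s\n' "$1" ;;   # dotted quad
    esac
}

# Self-signed key pair named the way "derper -certmode manual" expects:
# <hostname>.crt and <hostname>.key inside -certdir.
gen_derp_cert() {
    host="$1"; dir="$2"
    openssl req -x509 -newkey rsa:4096 -sha256 -days 3650 -nodes \
        -keyout "$dir/$host.key" -out "$dir/$host.crt" \
        -subj "/CN=$host" -addext "subjectAltName=$(san_for_host "$host")" \
    && chmod 0600 "$dir/$host.key"
}

# Print the certificate's SAN line, e.g. "DNS:derp.example.com".
cert_san() {
    openssl x509 -in "$1" -noout -text \
        | awk '/Subject Alternative Name/ { getline; sub(/^[ \t]+/, ""); print; exit }'
}

# derpMap fragment for the tailnet policy file. InsecureForTests must be true for
# a self-signed certificate and false (or removed) once a trusted one is installed.
render_derp_map() {
    host="$1"; derp_port="$2"; stun_port="$3"; insecure="$4"
    cat <<EOF
"derpMap": {
    "Regions": {
        "900": {
            "RegionID": 900,
            "RegionCode": "CUSTOM_DERP_01",
            "Nodes": [
                {
                    "Name": "custom-derp-1",
                    "RegionID": 900,
                    "DERPPort": $derp_port,
                    "STUNPort": $stun_port,
                    "HostName": "$host",
                    "InsecureForTests": $insecure
                }
            ]
        }
    }
}
EOF
}

# Usage: DERP_DOMAIN=derp.example.com sh derp-setup.sh run
if [ "${1:-}" = "run" ]; then
    set -e
    gen_derp_cert "$DERP_DOMAIN" "$PWD"
    echo "certificate SAN: $(cert_san "$PWD/$DERP_DOMAIN.crt")"
    render_derp_map "$DERP_DOMAIN" "$DERP_PORT" "$STUN_PORT" true >derpmap.json
    # Add -verify-clients (a derper flag) to accept only nodes that a tailscaled on
    # this host knows; without it any Tailscale client that reaches the port may relay.
    exec "$HOME/go/bin/derper" -hostname="$DERP_DOMAIN" -http-port=-1 \
        -a=":$DERP_PORT" -stun-port="$STUN_PORT" \
        -certmode manual -certdir "$PWD" -c derp_config.json
fi
```

Paste the contents of derpmap.json into the policy file, and flip the fourth argument of render_derp_map to false when the self-signed certificate is replaced, as the Security Considerations below require.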
Security Considerations
- Certificate Management: In production environments, replace self-signed certificates with properly validated TLS certificates.
- Socket Permissions: Ensure proper file permissions on the UNIX socket and its directory; anyone who can connect to the socket can drive the daemon.
- State File Security: Protect the state file; it holds the node's private keys and login state, so anyone who can read it can impersonate the node.
- DERP Security: Disable InsecureForTests in production and implement proper TLS certificate validation.
Troubleshooting
- Connection Issues:
  - Verify DERP server accessibility
  - Check firewall rules for DERP and STUN ports
  - Validate TLS certificate configuration
- Proxy Problems:
  - Confirm SOCKS5 server functionality
  - Verify proxychains configuration
  - Check application compatibility with SOCKS5 proxying