部署headscale

Updated on with 0 views and 0 comments

官方链接:Official releases - Headscale

1、下载headscale

HEADSCALE_VERSION=$(curl -s "https://api.github.com/repos/juanfont/headscale/releases/latest" | grep '"tag_name"' | sed -E 's/.*"([^\"]+)".*/\1/' | sed 's/v//')

HEADSCALE_ARCH="amd64" # 根据架构调整

wget --output-document=headscale.deb \
 "https://下载地址/headscale_${HEADSCALE_VERSION}_linux_${HEADSCALE_ARCH}.deb"

https://github.com/juanfont/headscale/releases/download/v0.28.0/headscale_0.28.0_linux_amd64.deb

sudo apt install ./headscale.deb

sudo nano /etc/headscale/config.yaml

sudo systemctl enable --now headscale

sudo systemctl status headscale

推荐使用deb包安装方式,它能自动处理用户权限和服务管理等复杂问题。二进制安装方式则适合需要高度自定义环境的高级用户。安装完成后,建议参考官方文档进行进一步的配置和使用。

要求

只要满足以下要求,Headscale 就应该工作:

  • 具有 headscale 公共 IP 地址的服务器。建议使用公共 IPv4 和公共 IPv6 地址的双堆栈设置。
  • Headscale 通过端口 443 上的 HTTPS 提供服务。
  • 一个基于 Linux 的操作系统。本次部署环境为Ubuntu24.04。
  • 了解 Linux 以及 网络 基础知识
  • 一个用于运行 Headscale 的专用本地用户账户。
  • 一个域名以及对应的域名证书(crt+key)

如果部分端口已被占用,需要调整配置文件,修改部分端口。

以下是github官方的更新说明:

Minimum supported Tailscale client version: v1.74.0

Tags as identity

Tags are now implemented following the Tailscale model where tags and user ownership are mutually exclusive. Devices can be either
user-owned (authenticated via web/OIDC) or tagged (authenticated via tagged PreAuthKeys). Tagged devices receive their identity from
tags rather than users, making them suitable for servers and infrastructure. Applying a tag to a device removes user-based
ownership. See the Tailscale tags documentation for details on how tags work.

User-owned nodes can now request tags during registration using --advertise-tags. Tags are validated against the tagOwners policy
and applied at registration time. Tags can be managed via the CLI or API after registration. Tagged nodes can return to user-owned
by re-authenticating with tailscale up --advertise-tags= --force-reauth.

A one-time migration will validate and migrate any RequestTags (stored in hostinfo) to the tags column. Tags are validated against
your policy's tagOwners rules during migration. #3011

Smarter map updates

The map update system has been rewritten to send smaller, partial updates instead of full network maps whenever possible. This reduces bandwidth usage and improves performance, especially for large networks. The system now properly tracks peer
changes and can send removal notifications when nodes are removed due to policy changes.
#2856 #2961

Pre-authentication key security improvements

Pre-authentication keys now use bcrypt hashing for improved security #2853. Keys
are stored as a prefix and bcrypt hash instead of plaintext. The full key is only displayed once at creation time. When listing keys,
only the prefix is shown (e.g., hskey-auth-{prefix}-***). All new keys use the format hskey-auth-{prefix}-{secret}. Legacy plaintext keys in the format {secret} will continue to work for backwards compatibility.

Web registration templates redesign

The OIDC callback and device registration web pages have been updated to use the Material for MkDocs design system from the official
documentation. The templates now use consistent typography, spacing, and colours across all registration flows.

Database migration support removed for pre-0.25.0 databases

Headscale no longer supports direct upgrades from databases created before version 0.25.0. Users on older versions must upgrade
sequentially through each stable release, selecting the latest patch version available for each minor release.

BREAKING

  • API: The Node message in the gRPC/REST API has been simplified - the ForcedTags, InvalidTags, and ValidTags fields have been removed and replaced with a single Tags field that contains the node's applied tags #2993

    • API clients should use the Tags field instead of ValidTags
    • The headscale nodes list CLI command now always shows a Tags column and the --tags flag has been removed

  • PreAuthKey CLI: Commands now use ID-based operations instead of user+key combinations #2992

    • headscale preauthkeys create no longer requires --user flag (optional for tracking creation)
    • headscale preauthkeys list lists all keys (no longer filtered by user)
    • headscale preauthkeys expire --id <ID> replaces --user <USER> <KEY>
    • headscale preauthkeys delete --id <ID> replaces --user <USER> <KEY>

    Before:

    headscale preauthkeys create --user 1 --reusable --tags tag:server
headscale preauthkeys list --user 1
headscale preauthkeys expire --user 1 <KEY>
headscale preauthkeys delete --user 1 <KEY>

    After:

    headscale preauthkeys create --reusable --tags tag:server
headscale preauthkeys list
headscale preauthkeys expire --id 123
headscale preauthkeys delete --id 123

  • Tags: The gRPC SetTags endpoint now allows converting user-owned nodes to tagged nodes by setting tags. #2885

  • Tags: Tags are now resolved from the node's stored Tags field only #2931

    • --advertise-tags is processed during registration, not on every policy evaluation
    • PreAuthKey tagged devices ignore --advertise-tags from clients
    • User-owned nodes can use --advertise-tags if authorized by tagOwners policy
    • Tags can be managed via CLI (headscale nodes tag) or the SetTags API after registration

  • Database migration support removed for pre-0.25.0 databases #2883

    • If you are running a version older than 0.25.0, you must upgrade to 0.25.1 first, then upgrade to this release
    • See the upgrade path documentation for detailed guidance
    • In version 0.29, all migrations before 0.28.0 will also be removed

  • Remove ability to move nodes between users #2922

    • The headscale nodes move CLI command has been removed
    • The MoveNode API endpoint has been removed
    • Nodes are permanently associated with their user or tag at registration time

  • Add oidc.email_verified_required config option to control email verification requirement #2860

    • When true (default), only verified emails can authenticate via OIDC in conjunction with oidc.allowed_domains or
      oidc.allowed_users. Previous versions allowed to authenticate with an unverified email but did not store the email
      address in the user profile. This is now rejected during authentication with an unverified email error.
    • When false, unverified emails are allowed for OIDC authentication and the email address is stored in the user
      profile regardless of its verification state.

  • SSH Policy: Wildcard (*) is no longer supported as an SSH destination #3009

    • Use autogroup:member for user-owned devices
    • Use autogroup:tagged for tagged devices
    • Use specific tags (e.g., tag:server) for targeted access

    Before:

    { "action": "accept", "src": ["group:admins"], "dst": ["*"], "users": ["root"] }

    After:

    { "action": "accept", "src": ["group:admins"], "dst": ["autogroup:member", "autogroup:tagged"], "users": ["root"] }

  • SSH Policy: SSH source/destination validation now enforces Tailscale's security model #3010
    Per Tailscale SSH documentation, the following rules are now enforced:

    1. Tags cannot SSH to user-owned devices: SSH rules with tag:* or autogroup:tagged as source cannot have username destinations (e.g., alice@) or autogroup:member/autogroup:self as destination
    2. Username destinations require same-user source: If destination is a specific username (e.g., alice@), the source must be that exact same user only. Use autogroup:self for same-user SSH access instead

    Invalid policies now rejected at load time:

    // INVALID: tag source to user destination
{"src": ["tag:server"], "dst": ["alice@"], ...}

// INVALID: autogroup:tagged to autogroup:member
{"src": ["autogroup:tagged"], "dst": ["autogroup:member"], ...}

// INVALID: group to specific user (use autogroup:self instead)
{"src": ["group:admins"], "dst": ["alice@"], ...}

    Valid patterns:

    // Users/groups can SSH to their own devices via autogroup:self
{"src": ["group:admins"], "dst": ["autogroup:self"], ...}

// Users/groups can SSH to tagged devices
{"src": ["group:admins"], "dst": ["autogroup:tagged"], ...}

// Tagged devices can SSH to other tagged devices
{"src": ["autogroup:tagged"], "dst": ["autogroup:tagged"], ...}

// Same user can SSH to their own devices
{"src": ["alice@"], "dst": ["alice@"], ...}

官方文档翻译:

要求

只要满足以下要求,headscale应该就能正常工作:

  • 一个拥有公网IP地址用于headscale的服务器。建议采用双栈配置,分别使用公共IPv4和公共IPv6地址。
  • headscale通过 HTTPS 在 443(1) 端口提供,可能会使用额外的端口
  • 一个相当现代的Linux或BSD操作系统。
  • 专门的本地用户账户来运行 headscale。
  • 需要一点命令行知识来配置和操作headscale。

使用中的端口

所使用的端口会根据预期场景和启用的功能而有所不同。部分列出的端口可以通过配置文件更改,但我们建议使用默认设置。

  • TCP/80
    • 公开曝光:是的
    • HTTP,Let's Encrypt 通过 HTTP-01 挑战验证所有权。
    • 只有在使用内置带有 HTTP-01 挑战的 Let's Enrypt 客户端时才需要。详情请参见TLS
  • TCP/443
    • 公开曝光:是的
    • HTTPS,向Tailscale客户提供Headscale所需的^1^
    • 如果启用嵌入式DERP服务器,则必须
  • UDP/3478
    • 公开曝光:是的
    • STUN,如果嵌入式DERP服务器被启用,则需要
  • TCP/50443
    • 公开曝光:是的
    • 只有在使用gRPC接口远程控制Headscale时才需要。
  • TCP/9090

假设

headscale等级文档和提供的示例是在考虑以下几个假设的情况下编写的:

  • Headscale 作为系统服务通过专用本地用户运行。headscale
  • 配置由/etc/headscale/config.yaml加载 。
  • SQLite被用作数据库。
  • headscale的数据目录(用于私钥、ACL、SQLite数据库等)位于/var/lib/headscale
  • 需要用户替换的URL和值要么表示为,要么使用占位符值,如。<VALUE_TO_CHANGE>``headscale.example.com

请根据当地环境进行调整。

  1. 在某些情况下,Tailscale客户端假设443端口是HTTPS。通过HTTP或在443以外的端口上HTTPS来提供headscale是可行的,但强烈建议在生产环境中坚持在443端口使用HTTPS。更多信息请参见第2164期。

官方说明-开始使用:

入门

本页面帮助你开始使用 headscale,并提供了 headscale 命令行工具的一些使用示例。headscale

前提条件

寻求帮助

命令行工具内置了帮助。要显示可用命令及其参数和选项,请执行:headscale

[X] [ ] 本地容器

# Show help
headscale help

# Show help for a specific command
headscale <COMMAND> --help

管理来自其他本地用户的headscale

默认情况下,只有用户或 会拥有访问用于与服务通信的 unix 套接字()的必要权限。为了能与 headscale 服务通信,你必须确保执行命令的用户能访问 Unix 套接字。一般来说,你可以通过以下任一方法实现:headscale``root``/var/run/headscale/headscale.sock

  • 使用sudo
  • 以用户身份执行命令headscale
  • 将你的用户添加到群组headscale

为了验证,您可以使用您偏好的方法执行以下命令:

headscale users list

管理headscale用户

在headscale中,节点(机器或设备)通常分配给headscale用户。这样的headscale用户可能分配了许多节点,并可通过该命令进行管理。点击内置帮助以获取更多信息: 。headscale users``headscale users --help

创建一个headscale用户

[X] [ ] 本地容器

headscale users create <USER>

列出现有headscale用户名单

[X] [ ] 本地容器

headscale users list

注册节点

必须先注册节点,才能将 headscale 作为 Tailscale 的协调服务器。以下示例适用于Linux/BSD操作系统上的Tailscale客户端。或者,按照说明连接安卓苹果Windows设备。请阅读注册方法,了解可用的注册方法概览。

网络认证

在客户端机器上,执行命令并以你的 headscale 实例的 FQDN 作为参数提供:tailscale up

tailscale up --login-server <YOUR_HEADSCALE_URL>

通常会打开一个带有进一步说明的浏览器窗口。本页解释了如何在您的headscale服务器上完成注册,并打印了批准节点所需的注册密钥:

[X] [ ] 本地容器

headscale nodes register --user <USER> --key <REGISTRATION_KEY>

预认证密钥

也可以生成预授权密钥并非交互式注册节点。首先,在 headscale 实例上生成预授权密钥。默认情况下,钥匙有效期为一小时,且只能使用一次(参见其他选项):headscale preauthkeys --help

[X] [ ] 本地容器

headscale preauthkeys create --user <USER_ID>

该命令在成功时返回预授权密钥,用于通过以下命令将节点连接到headscale实例:tailscale up

tailscale up --login-server <YOUR_HEADSCALE_URL> --authkey <YOUR_AUTH_KEY>

连接安卓客户端

本文档旨在展示用户如何使用带有headscale的官方Android Tailscale客户端。

安装

Google Play商店F-Droid安装官方的Tailscale Android客户端。

通过网络认证连接

  • 打开应用,选择右上角的设置菜单
  • 点击Accounts
  • 在菜单右上角的三个点中选择Use an alternate server
  • 输入你的服务器网址(例如 ),并按照说明操作https://headscale.example.com
  • 节点注册完成后客户端会自动连接。在那之前,服务器日志中什么都看不到。

使用预认证密钥连接

  • 打开应用,选择右上角的设置菜单
  • 点击Accounts
  • 在菜单右上角的三个点中选择Use an alternate server
  • 输入你的服务器网址(例如 )。如果提示打开登录,关闭登录并继续https://headscale.example.com
  • 打开右上角的设置菜单
  • 点击Accounts
  • 在烤肉菜单右上角的三个点中选择Use an auth key
  • 输入你从Headscale生成的预授权密钥
  • 如有需要,点击主屏幕。你现在应该已经连接到你的headscale上了。Log in

连接Windows客户端

本文档旨在展示用户如何使用带有 headscale 的官方 Windows Tailscale 客户端。

关于你的Headscale实例的说明

在你的运行实例上,也有一个端点,提供如何连接你的Windows设备的信息。/windows

安装

下载官方Windows客户端并安装。

配置headscale网址

打开命令提示符或 Powershell,使用 Tailscale 的登录命令连接到你的 headscale 实例(例如):https://headscale.example.com

tailscale login --login-server <YOUR_HEADSCALE_URL>

按照打开的浏览器窗口中的指示完成配置。

故障排除

无人值守模式

默认情况下,Tailscale的Windows客户端仅在用户登录时运行。如果你想让 Tailscale 一直运行,请启用“无人值守模式”:

  • 点击尾鳞托盘图标并选择Preferences
  • 启用Run unattended
  • 确认“无人值守模式”消息

另见:当我未登录电脑时保持Tailscale运行

节点注册失败

如果你看到以下信息反复出现:

[GIN] 2022/02/10 - 16:39:34 | 200 |    1.105306ms |       127.0.0.1 | POST     "/machine/redacted"

在你的headscale输出中,打开日志,寻找:DEBUG

2022-02-11T00:59:29Z DBG Machine registration has expired. Sending a authurl to register machine=redacted

这通常意味着上述注册表键未被正确设置。

要重置并重新尝试,重要的是:

  1. 关闭Tailscale服务(或托盘中运行的客户端)
  2. 删除位于 的 Tailscale 应用数据文件夹,然后尝试重新连接。C:\Users\<USERNAME>\AppData\Local\Tailscale
  3. 确保Windows节点从headscale中删除(以确保全新设置)
  4. 在Windows机器上启动Tailscale并重新尝试登录。

原文地址:Getting started - Headscale

标题:部署headscale
作者:lovejjt
地址:https://www.lovejjt.top/articles/2026/05/18/1779115266626.html