Upgrade your own Tailscale DERP server.
Inspect open source DERP relay source code to determine changes.
Log in to the server and inspect service state.
$ systemctl status derper
● derper.service - DERP Server
     Loaded: loaded (/etc/systemd/system/derper.service; enabled; vendor preset: enabled)
     Active: active (running) since Thu 2023-06-29 18:38:45 CEST; 1 month 27 days ago
   Main PID: 35932 (derper)
      Tasks: 4 (limit: 2220)
     Memory: 15.9M
        CPU: 36min 47.972s
     CGroup: /system.slice/derper.service
             └─35932 /opt/derp/go/bin/derper -c /opt/derp/derp.conf --hostname derp.example.org --verify-clients
Stop DERP service.
$ sudo systemctl stop derper
Download and update Go.
$ sudo wget --output-document /opt/go1.21.0.linux-amd64.tar.gz https://go.dev/dl/go1.21.0.linux-amd64.tar.gz
$ sudo rm -rf /usr/local/go
$ sudo tar --directory /usr/local --extract --gzip --file /opt/go1.21.0.linux-amd64.tar.gz
Upgrade DERP application.
$ sudo -u derp -i go install tailscale.com/cmd/derper@main
go: downloading tailscale.com v1.1.1-0.20230825221912-94304819263b
go: downloading golang.org/x/crypto v0.12.0
go: downloading golang.org/x/net v0.14.0
go: downloading github.com/klauspost/compress v1.16.7
go: downloading golang.org/x/sys v0.11.0
go: downloading golang.org/x/text v0.12.0
go: downloading go4.org/netipx v0.0.0-20230728180743-ad4cb58a6516
Inspect binary file.
$ sudo -u derp -i /opt/derp/go/bin/derper --help
Usage of /opt/derp/go/bin/derper:
  -a string
        server HTTP/HTTPS listen address, in form ":port", "ip:port", or for IPv6 "[ip]:port". If the IP is omitted, it defaults to all interfaces. Serves HTTPS if the port is 443 and/or -certmode is manual, otherwise HTTP. (default ":443")
  -accept-connection-burst int
        burst limit for accepting new connection (default 9223372036854775807)
  -accept-connection-limit float
        rate limit for accepting new connection (default +Inf)
  -bootstrap-dns-names string
        optional comma-separated list of hostnames to make available at /bootstrap-dns
  -c string
        config file path
  -certdir string
        directory to store LetsEncrypt certs, if addr's port is :443 (default "/opt/derp/.cache/tailscale/derper-certs")
  -certmode string
        mode for getting a cert. possible options: manual, letsencrypt (default "letsencrypt")
  -derp
        whether to run a DERP server. The only reason to set this false is if you're decommissioning a server but want to keep its bootstrap DNS functionality still running. (default true)
  -dev
        run in localhost development mode (overrides -a)
  -hostname string
        LetsEncrypt host name, if addr's port is :443 (default "derp.tailscale.com")
  -http-port int
        The port on which to serve HTTP. Set to -1 to disable. The listener is bound to the same IP (if any) as specified in the -a flag. (default 80)
  -mesh-psk-file string
        if non-empty, path to file containing the mesh pre-shared key file. It should contain some hex string; whitespace is trimmed.
  -mesh-with string
        optional comma-separated list of hostnames to mesh with; the server's own hostname can be in the list
  -stun
        whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value. (default true)
  -stun-port int
        The UDP port on which to serve STUN. The listener is bound to the same IP (if any) as specified in the -a flag. (default 3478)
  -unpublished-bootstrap-dns-names string
        optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list
  -verify-clients
        verify clients to this DERP server through a local tailscaled instance.
Ensure that it can open the required ports as a regular user; the freshly installed binary does not carry the file capability that was set on the old one.
$ sudo setcap 'cap_net_bind_service=+ep' /opt/derp/go/bin/derper
Start updated service.
$ sudo systemctl start derper
Inspect service status.
$ sudo systemctl status derper
● derper.service - DERP Server
     Loaded: loaded (/etc/systemd/system/derper.service; enabled; vendor preset: enabled)
     Active: active (running) since Sat 2023-08-26 19:13:01 CEST; 18s ago
   Main PID: 589616 (derper)
      Tasks: 4 (limit: 2220)
     Memory: 8.2M
        CPU: 41ms
     CGroup: /system.slice/derper.service
             └─589616 /opt/derp/go/bin/derper -c /opt/derp/derp.conf --hostname derp.example.org --verify-clients

Aug 26 19:13:01 derp.example.org systemd[1]: Started DERP Server.
Aug 26 19:13:01 derp.example.org bash[589616]: 2023/08/26 19:13:01 derper: serving on :443 with TLS
Aug 26 19:13:01 derp.example.org bash[589616]: 2023/08/26 19:13:01 running STUN server on [::]:3478
Inspect service logs.
$ sudo journalctl -u derper -f
Aug 26 19:04:49 derp.example.org systemd[1]: Stopping DERP Server...
Aug 26 19:04:49 derp.example.org systemd[1]: derper.service: Deactivated successfully.
Aug 26 19:04:49 derp.example.org systemd[1]: Stopped DERP Server.
Aug 26 19:04:49 derp.example.org systemd[1]: derper.service: Consumed 36min 47.989s CPU time.
Aug 26 19:13:01 derp.example.org systemd[1]: Started DERP Server.
Aug 26 19:13:01 derp.example.org bash[589616]: 2023/08/26 19:13:01 derper: serving on :443 with TLS
Aug 26 19:13:01 derp.example.org bash[589616]: 2023/08/26 19:13:01 running STUN server on [::]:3478
Remember to update it regularly.
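
The checks below are an added example, not part of the original post: shell helpers that compare the Go tarball against a SHA-256 before it is extracted as root, and confirm after the upgrade that the new binary carries cap_net_bind_service and that derper still runs with --verify-clients. Function names are illustrative, and the expected hash is a placeholder to be copied from the checksum shown on go.dev/dl.

```shell
#!/bin/sh
# Added example, not from the original post. Paths and flags are the ones used
# on this page; function names are illustrative.
# Before extracting (EXPECTED_SHA256 is a placeholder for the go.dev/dl value):
#   verify_sha256 /opt/go1.21.0.linux-amd64.tar.gz "$EXPECTED_SHA256" || exit 1

# verify_sha256 FILE HEX: succeed only if FILE's SHA-256 equals HEX.
verify_sha256() {
    [ -r "$1" ] || return 2
    actual=$(sha256sum "$1" | cut -d' ' -f1)
    [ "$actual" = "$2" ]
}

# has_bind_cap GETCAP_OUTPUT: succeed if cap_net_bind_service is effective and
# permitted. getcap prints "+ep" or "=ep" depending on the libcap version.
has_bind_cap() {
    case "$1" in
        *cap_net_bind_service[+=]ep*|*cap_net_bind_service[+=]eip*) return 0 ;;
        *) return 1 ;;
    esac
}

# verify_clients_enabled CMDLINE: succeed if client verification is switched on.
# Go's flag package accepts -flag and --flag, and the last occurrence wins;
# any explicit value other than "true" is treated here as disabled.
verify_clients_enabled() {
    enabled=1
    for arg in $1; do
        case "$arg" in
            -verify-clients|--verify-clients) enabled=0 ;;
            -verify-clients=true|--verify-clients=true) enabled=0 ;;
            -verify-clients=*|--verify-clients=*) enabled=1 ;;
        esac
    done
    return "$enabled"
}

# Live checks on the DERP host; only run when called with --run.
if [ "${1:-}" = "--run" ]; then
    bin=/opt/derp/go/bin/derper
    has_bind_cap "$(getcap "$bin")" ||
        echo "cap_net_bind_service missing on $bin, rerun setcap"
    pid=$(systemctl show -p MainPID --value derper)
    verify_clients_enabled "$(tr '\0' ' ' < "/proc/$pid/cmdline")" ||
        echo "derper is running without --verify-clients"
fi
```

Run the script with --run on the server after the start step; without arguments it only defines the functions.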