开源 on Ops FreeEdge https://ops.freeedge.uk/tags/%E5%BC%80%E6%BA%90/ Recent content in 开源 on Ops FreeEdge Hugo en-us Fri, 03 Apr 2026 23:00:00 +0000 Headscale vs Tailscale 托管版:自托管权衡与运营成本深度对比 https://ops.freeedge.uk/posts/headscale-vs-tailscale/ Fri, 03 Apr 2026 23:00:00 +0000 https://ops.freeedge.uk/posts/headscale-vs-tailscale/ <h1 id="headscale-vs-tailscale-托管版自托管权衡与运营成本深度对比">Headscale vs Tailscale 托管版:自托管权衡与运营成本深度对比</h1> <h2 id="引言">引言</h2> <p>在现代网络架构中,Tailscale 以其基于 WireGuard 的零配置 VPN 解决方案脱颖而出。它利用 NAT 穿越技术和 DERP(Detour Encrypted Routing Protocol)中继,实现设备间的 P2P 连接。自托管开源实现 Headscale 作为 Tailscale 控制服务器(Coordination Server)的替代品,提供完全控制权,但带来了运维负担。本文深入剖析 Headscale 的架构、与 Tailscale 托管版的对比、功能对等性、运营成本、迁移路径,并为不同团队规模给出推荐。</p> <h2 id="headscale-架构剖析">Headscale 架构剖析</h2> <h3 id="协调服务器coordination-server">协调服务器(Coordination Server)</h3> <p>Headscale 是 Tailscale 控制平面(Control Plane)的自托管实现,主要负责节点注册、公钥交换、IP 地址分配、ACL(Access Control List)策略执行和路由管理。它使用 Go 语言编写,支持单一 tailnet(Tailscale 网络),适合个人或小型团队。</p> <p>核心组件包括:</p> <ul> <li><strong>节点注册</strong>:支持 Web 认证、预认证密钥(Pre-auth Keys)。</li> <li><strong>数据库</strong>:SQLite、PostgreSQL 或 MySQL 存储节点状态、用户和密钥。</li> <li><strong>API 服务</strong>:gRPC 和 HTTP 接口,用于客户端通信和 CLI 操作。</li> </ul> <p>示例配置文件 <code>config.yaml</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;"><code class="language-yaml" data-lang="yaml"><span style="display:flex;"><span><span style="color:#f92672">server_url</span>: <span style="color:#ae81ff">https://headscale.example.com:8080</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">listen_addr</span>: <span style="color:#ae81ff">0.0.0.0</span>:<span style="color:#ae81ff">8080</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">private_key_path</span>: <span style="color:#ae81ff">/var/lib/headscale/private.key</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">noise</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">private_key_path</span>: <span style="color:#ae81ff">/var/lib/headscale/noise_private.key</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">db_type</span>: <span style="color:#ae81ff">sqlite3</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">db_path</span>: <span style="color:#ae81ff">/var/lib/headscale/db.sqlite</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">dns</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">magic_dns</span>: <span style="color:#66d9ef">true</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">base_domain</span>: <span style="color:#ae81ff">example.com</span> </span></span><span style="display:flex;"><span> <span style="color:#f92672">nameservers</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">1.1.1.1</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">acl_policy_path</span>: <span style="color:#ae81ff">/etc/headscale/acl.hujson</span> </span></span><span style="display:flex;"><span><span style="color:#f92672">derp</span>: </span></span><span style="display:flex;"><span> <span style="color:#f92672">urls</span>: </span></span><span style="display:flex;"><span> - <span style="color:#ae81ff">https://controlplane.tailscale.com/derpmap/default</span> </span></span></code></pre></div><h3 id="derp-中继服务器替换">DERP 中继服务器替换</h3> <p>Tailscale 使用 DERP 服务器作为最后手段中继流量,当 P2P 失败时介入。Headscale 支持嵌入式 DERP 服务器,或指向 Tailscale 的公共 DERP 地图。但为完全自托管,可部署自定义 DERP:</p>