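I struggled with this no fewer than 5 times in total, and today I finally got it working.
This setup uses a non-443 port. The certificate has to be requested on the host beforehand; I generated mine with acme through the CF API, and that part of the tutorial is skipped here.
The example certificate is /root/crt/123.com.crt and the key is /root/crt/123.com.key. The files must be named in the form domain.crt + domain.key.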
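A preflight check for the naming requirement above, as an added example that is not part of the original post. The function name check_derp_certs is hypothetical, openssl on the host is assumed, and the key-permission test is a hardening check added here rather than something the post requires.

```shell
#!/bin/sh
# Added example: preflight for "derper -certmode=manual -certdir=DIR -hostname HOST".
# check_derp_certs is a hypothetical helper name; openssl on the host is assumed.
# Return codes: 0 ok, 1 naming, 2 key permissions, 3 expiry, 4 hostname, 5 key mismatch.
check_derp_certs() {
    dir=$1; host=$2
    crt="$dir/$host.crt"; key="$dir/$host.key"

    # Files must be named <hostname>.crt and <hostname>.key.
    for f in "$crt" "$key"; do
        [ -s "$f" ] || { echo "FAIL: $f missing or empty" >&2; return 1; }
    done

    # Hardening check added here: group/other permission bits on the key must be clear.
    mode=$(ls -lL "$key" | cut -c5-10)
    [ "$mode" = "------" ] || { echo "FAIL: $key open to group/others" >&2; return 2; }

    if ! command -v openssl >/dev/null 2>&1; then
        echo "WARN: openssl not found, certificate contents not checked" >&2
        return 0
    fi

    # Certificate must parse and not be expired.
    openssl x509 -in "$crt" -noout -checkend 0 >/dev/null 2>&1 ||
        { echo "FAIL: $crt expired or unreadable" >&2; return 3; }

    # Certificate must cover the name passed to -hostname.
    openssl x509 -in "$crt" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match" ||
        { echo "FAIL: $crt does not cover $host" >&2; return 4; }

    # The key must belong to the certificate: compare the two public keys.
    cert_pub=$(openssl x509 -in "$crt" -noout -pubkey 2>/dev/null)
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null)
    if [ -z "$key_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key does not match $crt" >&2; return 5
    fi
    echo "OK: $crt and $key are usable for $host"
}

# Run directly as: sh check.sh /root/crt 123.com
if [ "$#" -eq 2 ]; then check_derp_certs "$1" "$2"; fi
```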
Install Docker
curl -fsSL https://get.docker.com -o get-docker.sh && sh get-docker.sh
Run it with Docker, mapping /root/crt/ into the container
docker run --restart unless-stopped --name derper -p 12345:12345 -p 3478:3478/udp -v /root/crt/:/crt/ -dt qctt/derper /derper -stun -a 0.0.0.0:12345 -hostname 123.com -certdir=/crt/ -certmode=manual
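Example for the Access Controls page of the Tailscale admin console. OmitDefaultRegions = true turns off the default relay (DERP) regions, so only the region defined here is used.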
// Example/default ACLs for unrestricted connections.
{
  // Declare static groups of users beyond those in the identity service.
  "Groups": {
    "group:example": [ "user1@example.com", "user2@example.com" ],
  },
  // Declare convenient hostname aliases to use in place of IP addresses.
  "Hosts": {
    "example-host-1": "100.100.100.100",
  },
  "DERPMap": {
    "OmitDefaultRegions": true,
    "Regions": {
      "901": {
        "RegionID": 901,
        "RegionCode": "test",
        "Nodes": [{
          "Hostname": "123.com",
          "DERPPort": 12345,
          "Name": "1",
          "RegionID": 901
        }]
      }
    }
  },
  // Access control lists.
  "ACLs": [
    // Match absolutely everything. Comment out this section if you want
    // to define specific ACL restrictions.
    { "Action": "accept", "Users": ["*"], "Ports": ["*:*"] },
  ]
}