tailscale-derp.default

# Configuration file for Tailscale DERP service

# Hostname for LetsEncrypt certificate (if addr's port is :443)
DERP_DOMAIN=derp.tailscale.com

# Mode for obtaining a certificate: manual, letsencrypt
DERP_CERT_MODE=letsencrypt

# Directory to store LetsEncrypt certificates (if addr's port is :443)
DERP_CERT_DIR=/root/.cache/tailscale/derper-certs

# Server HTTPS listen address, in the form ":port", "ip:port", or for IPv6 "[ip]:port".
# If the IP is omitted, it defaults to all interfaces.
DERP_ADDR=:443

# Whether to run a STUN server. It will bind to the same IP (if any) as the --addr flag value.
DERP_STUN=true

# The port on which to serve HTTP. Set to -1 to disable.
# The listener is bound to the same IP (if any) as specified in the -a flag.
DERP_HTTP_PORT=80

# Verify clients to this DERP server through a local tailscaled instance.
DERP_VERIFY_CLIENTS=true

# Optional comma-separated list of hostnames to mesh with.
# The server's own hostname can be in the list.
# Example: DERP_MESH_WITH=host1.example.com,host2.example.com
# DERP_MESH_WITH=

# Optional comma-separated list of hostnames to make available at /bootstrap-dns.
# DERP_BOOTSTRAP_DNS_NAMES=

# Burst limit for accepting new connections.
DERP_ACCEPT_CONNECTION_BURST=9223372036854775807

# Rate limit for accepting new connections.
DERP_ACCEPT_CONNECTION_LIMIT=+Inf

# Whether to run a DERP server. The only reason to set this false is if you're decommissioning a server
# but want to keep its bootstrap DNS functionality still running.
DERP_RUN_DERP=true

# Optional comma-separated list of hostnames to make available at /bootstrap-dns and not publish in the list.
# DERP_UNPUBLISHED_BOOTSTRAP_DNS_NAMES=

# Optional path to a file containing the mesh pre-shared key.
# It should contain some hex string; whitespace is trimmed.
# DERP_MESH_PSK_FILE=