1. Install the Tailscale package
```bash
# Add the official Tailscale apt repository (signing key and source list)
ubuntu@ccpp:~$ curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.noarmor.gpg | sudo tee /usr/share/keyrings/tailscale-archive-keyring.gpg > /dev/null
ubuntu@ccpp:~$ curl -fsSL https://pkgs.tailscale.com/stable/ubuntu/jammy.tailscale-keyring.list | sudo tee /etc/apt/sources.list.d/tailscale.list
# Tailscale packages for ubuntu jammy
deb [signed-by=/usr/share/keyrings/tailscale-archive-keyring.gpg] https://pkgs.tailscale.com/stable/ubuntu jammy main
ubuntu@ccpp:~$ sudo apt update
Get:1 https://pkgs.tailscale.com/stable/ubuntu jammy InRelease
Hit:2 http://security.ubuntu.com/ubuntu jammy-security InRelease
Hit:3 http://ap-osaka-1-ad-1.clouds.archive.ubuntu.com/ubuntu jammy InRelease
Hit:4 http://ap-osaka-1-ad-1.clouds.archive.ubuntu.com/ubuntu jammy-updates InRelease
Get:5 https://pkgs.tailscale.com/stable/ubuntu jammy/main amd64 Packages [14.7 kB]
Hit:6 http://ap-osaka-1-ad-1.clouds.archive.ubuntu.com/ubuntu jammy-backports InRelease
Get:7 https://pkgs.tailscale.com/stable/ubuntu jammy/main all Packages [354 B]
Fetched 21.7 kB in 3s (8603 B/s)
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
All packages are up to date.
```
```bash
ubuntu@ccpp:~$ sudo apt install tailscale -y
Reading package lists... Done
Building dependency tree... Done
Reading state information... Done
The following additional packages will be installed:
tailscale-archive-keyring
The following NEW packages will be installed:
tailscale tailscale-archive-keyring
0 upgraded, 2 newly installed, 0 to remove and 0 not upgraded.
Need to get 36.6 MB of archives.
After this operation, 71.9 MB of additional disk space will be used.
Get:1 https://pkgs.tailscale.com/stable/ubuntu jammy/main amd64 tailscale amd64 1.96.4 [36.6 MB]
Get:2 https://pkgs.tailscale.com/stable/ubuntu jammy/main all tailscale-archive-keyring all 1.35.181 [3082 B]
Fetched 36.6 MB in 6s (6195 kB/s)
debconf: delaying package configuration, since apt-utils is not installed
Selecting previously unselected package tailscale.
(Reading database ... 105450 files and directories currently installed.)
Preparing to unpack .../tailscale_1.96.4_amd64.deb ...
Unpacking tailscale (1.96.4) ...
Selecting previously unselected package tailscale-archive-keyring.
Preparing to unpack .../tailscale-archive-keyring_1.35.181_all.deb ...
Unpacking tailscale-archive-keyring (1.35.181) ...
Setting up tailscale-archive-keyring (1.35.181) ...
Setting up tailscale (1.96.4) ...
Created symlink /etc/systemd/system/multi-user.target.wants/tailscaled.service → /lib/systemd/system/tailscaled.service.
debconf: unable to initialize frontend: Dialog
debconf: (No usable dialog-like program is installed, so the dialog based frontend cannot be used. at /usr/share/perl5/Debconf/FrontEnd/Dialog.pm line 78.)
debconf: falling back to frontend: Readline
Scanning processes...
Scanning linux images...
Running kernel seems to be up-to-date.
No services need to be restarted.
No containers need to be restarted.
No user sessions are running outdated binaries.
No VM guests are running outdated hypervisor (qemu) binaries on this host.
```
2. Log in to the Tailscale website
```bash
ubuntu@ccpp:~$ sudo tailscale up
To authenticate, visit:
https://login.tailscale.com/a/00000000000
```
3. Open UDP port 41641
1. Open UDP port 41641 (ingress) in the NSG
This is the key setting for Tailscale to establish a direct connection on OCI (Oracle Cloud); without it, traffic goes through a relay (DERP) and is noticeably slower.
Key points for the OCI NSG / Security List configuration
Add an Ingress rule in the Network Security Group (NSG):
- Stateless: must be checked (Tailscale's official recommendation for OCI)
- Source CIDR: 0.0.0.0/0 (allow all sources)
- IP Protocol: UDP
- Destination Port Range: 41641
Save after adding the rule.
Additional notes
- Opening only this port is enough; there is no need to expose TCP 22 (SSH) to the public internet.
- Tailscale itself encrypts all traffic, so exposing port 41641 is relatively low risk (it mainly carries WireGuard UDP packets).
- If you want to be stricter, you can allow 41641 only from the IPs you usually connect from, but most people simply use 0.0.0.0/0.
How to test:
- After adding the rule, run tailscale status on the instance.
- From your own computer, connected to Tailscale, run tailscale ping <instance's tailscale IP> and check that it reports direct rather than relay.
```powershell
PS C:\Users\> & "C:\Program Files\Tailscale\tailscale.exe" ping 1.1.4.1
pong from z (1.1.4.1) via 2.1.2.4:41641 in 193ms
PS C:\Users\> & "C:\Program Files\Tailscale\tailscale.exe" status
100.107.249.78 desktop- ppp@ windows -
100.127.43.102 c ppp@ linux idle, tx 612 rx 476
```
The "via 2.1.2.4:41641" in the reply confirms that the connection is direct.
If ping reports relay instead, check whether the rule has taken effect (OCI sometimes needs 1-2 minutes).
The same can be checked on the VM.Standard.E2.1.Micro instance itself:
```bash
ubuntu@z:~$ tailscale status
100. z aa@ linux -
100. desktop aa@ windows active; direct 111:32, tx 9951324 rx 2470240
```
2. Open the port in the ufw firewall (to do)
```bash
# Allow UDP 41641 in the Oracle Cloud security group (from all sources or from your IP)
# Alternatively, allow it temporarily with ufw (if ufw is enabled)
sudo ufw allow 41641/udp
```
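The ufw step above is still marked "to do", and the next section asks whether Ubuntu's own ports need closing. As an added example, not part of the original notes, the following POSIX shell script covers both: it lists the listening sockets that are bound to every interface (which is what the public NIC exposes), and it emits the ufw rules that keep SSH reachable only over the Tailscale interface while leaving UDP 41641 open. It assumes the Tailscale interface is named tailscale0 (the Linux default), that ss and ufw are installed, and the --check flag and script name are hypothetical; the sample ss lines used to exercise the parser are constructed.

```shell
#!/bin/sh
# Added example, not from the original notes: show which sockets the public NIC
# exposes, and produce the ufw rules that confine SSH to the Tailscale interface.
# Assumptions: the Tailscale interface is tailscale0; ss and ufw are installed.

TS_IFACE="${TS_IFACE:-tailscale0}"

# Read `ss -H -lntu` lines on stdin and print "proto port" for every socket
# bound to a wildcard address (0.0.0.0, * or [::]). Sockets bound to
# 127.0.0.1 or to the 100.x tailnet address are not reachable from the
# public interface and are skipped.
wildcard_listeners() {
    awk '{
        proto = $1; local = $5
        n = split(local, parts, ":"); port = parts[n]
        addr = substr(local, 1, length(local) - length(port) - 1)
        if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
            print proto, port
    }' | sort -u
}

# Emit the ufw commands in the order they must be applied. ufw matches rules
# in insertion order, so the allow scoped to the Tailscale interface has to be
# inserted before the deny that covers every other interface.
ufw_plan() {
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow in on $TS_IFACE to any port 22 proto tcp
ufw allow 41641/udp
ufw deny 22/tcp
EOF
}

# `sh ufw-plan.sh --check` (hypothetical file name) shows the current exposure
# and the proposed rules without changing anything.
if [ "${1:-}" = "--check" ] && command -v ss >/dev/null 2>&1; then
    echo "Listening on all interfaces (proto port):"
    ss -H -lntu | wildcard_listeners
    echo
    echo "Proposed ufw rules:"
    ufw_plan
fi
```

To apply, run each printed ufw command with sudo in the order shown and then sudo ufw enable, from a session that is already connected over the tailnet: the interface-scoped allow is what keeps that session alive once the deny for 22/tcp is active.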
4. Change the NSG rules to disallow SSH traffic, and close port 22 on Ubuntu
Does Ubuntu's UDP port need to be closed as well?
Why didn't I see this port open yesterday?
1. After running the following commands to enable start on boot, the NSG rule that allows SSH can be turned off
```bash
ubuntu@c:~$ sudo systemctl enable --now tailscaled
ubuntu@c:~$ sudo systemctl is-enabled tailscaled
enabled
```
2. Delete the rule that allows SSH traffic from the NSG
5. Final target state
| Rule | Action |
|---|---|
| Ingress TCP 22 from your computer's IP | ❌ Delete (no longer needed) |
| Ingress UDP 41641 from 0.0.0.0/0 | ✅ Add |
| All egress traffic | ✅ Leave unchanged |
Steps
OCI Console → Networking → Virtual Cloud Networks → your VCN → Network Security Groups → your NSG
- Find the ingress rule for TCP 22 → delete it
- Click "Add Rules":
  - Direction: Ingress
  - Protocol: UDP
  - Source: 0.0.0.0/0
  - Destination port: 41641
- Save
Confirm that Tailscale is working before making the change
Recommended order:
1. Install Tailscale first and confirm you can SSH in over the 100.x.x.x address
2. Only then delete the TCP 22 ingress rule
Never delete the port 22 rule first: if Tailscale is not set up correctly, you will lock yourself out.
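The test method in section 3 (tailscale status, then tailscale ping looking for direct rather than relay) and the recommended order above both come down to one question: is the machine you will SSH from reachable over the tailnet before the public TCP 22 rule goes away? As an added example, not part of the original notes, the following POSIX shell script turns that into a preflight check that can be gated on (preflight.sh is a hypothetical file name, and the peer argument is a placeholder for your own machine's tailnet hostname or 100.x address). The two parsing functions each take one line of command output and are exercised with constructed sample lines modelled on the output shown earlier on this page.

```shell
#!/bin/sh
# Added example, not from the original notes: check that a peer is reachable
# over Tailscale, and over which path, before the public SSH rule is removed.

# Classify one reply line of `tailscale ping`.
# Constructed sample formats:
#   pong from z (100.64.0.2) via 203.0.113.5:41641 in 193ms  -> direct
#   pong from z (100.64.0.2) via DERP(tok) in 40ms           -> relay
classify_pong() {
    case "$1" in
        *"via DERP("*)       echo relay ;;
        *"via "*:*" in "*)   echo direct ;;
        *)                   echo unknown ;;
    esac
}

# Derive a peer's state from one line of `tailscale status`.
# Fields 1-4 are IP, hostname, user and OS; the rest is the state, e.g.
# "-", "idle, tx 612 rx 476", "active; direct 203.0.113.5:41641, tx 1 rx 2",
# or "active; relay \"tok\", tx 1 rx 2".
peer_state() {
    rest=$(printf '%s\n' "$1" | awk '{ $1=$2=$3=$4=""; sub(/^ +/, ""); print }')
    case "$rest" in
        ""|"-")              echo offline ;;
        "active; direct"*)   echo direct ;;
        "active; relay"*)    echo relay ;;
        idle*)               echo idle ;;
        *)                   echo unknown ;;
    esac
}

# Run the real checks against PEER (hostname or 100.x address of the machine
# you will SSH from). Returns non-zero if the peer is missing or offline, so
# the NSG change can be gated on it:  sh preflight.sh desktop && echo safe
preflight() {
    peer="$1"
    line=$(tailscale status | awk -v p="$peer" '$1 == p || $2 == p')
    [ -n "$line" ] || { echo "peer $peer not listed by tailscale status" >&2; return 1; }
    state=$(peer_state "$line")
    echo "status: $state"
    [ "$state" != offline ] || return 1
    # tailscale ping keeps going until it gets a direct reply or gives up,
    # so the last line is the best path it found.
    reply=$(tailscale ping "$peer" 2>&1 | tail -n 1)
    echo "ping:   $(classify_pong "$reply")  ($reply)"
}

# Only touch the real tailscale binary when a peer is given on the command line.
if [ -n "${1:-}" ] && command -v tailscale >/dev/null 2>&1; then
    preflight "$1"
fi
```

A relay result is not a lockout risk by itself (SSH over the tailnet still works through DERP); it only means the UDP 41641 rule has not taken effect yet. An offline or missing peer is the case that must block deleting the TCP 22 rule.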