Using frp for NAT traversal: exposing local services to the public internet

Choosing a tool

As of 2025, nps has gone four years without maintenance: https://github.com/ehang-io/nps

The mainstream option: https://github.com/fatedier/frp

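Prerequisites

A server reachable from the public internet is required.

A domain name with wildcard DNS resolution is required.

Installation

One-click install of the server (on the public server)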

https://github.com/MvsCode/frps-onekey

wget https://gitee.com/mvscode/frps-onekey/raw/master/install-frps.sh -O ./install-frps.sh
chmod 700 ./install-frps.sh
./install-frps.sh install

frps install path: /usr/local/frps

frps status manage : frps {start|stop|restart|status|config|version}
Example:
  start: frps start
   stop: frps stop
restart: frps restart

Install the client with Docker (on the local LAN)

docker run --restart=always --network host -d -v ~/frpc.ini:/etc/frp/frpc.ini --name frpc snowdreamtech/frpc

Install the client with 1Panel (on the local LAN)

Omitted; it is straightforward.

Security configuration

Custom TLS encryption

cat > my-openssl.cnf << EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits        = 2048
default_md          = sha256
default_keyfile     = privkey.pem
distinguished_name  = req_distinguished_name
attributes          = req_attributes
x509_extensions     = v3_ca
string_mask         = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints       = CA:FALSE
nsComment              = "OpenSSL Generated Certificate"
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints       = CA:true
EOF

Generate the default CA

openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=domain.com" -days 36500 -out ca.crt

Generate the frps certificate

openssl genrsa -out server.key 2048

openssl req -new -sha256 -key server.key \
    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=domain.com" \
    -reqexts SAN \
    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:domain.com")) \
    -out server.csr

openssl x509 -req -days 365 -sha256 \
	-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
	-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:domain.com") \
	-out server.crt

Generate the frpc certificate

openssl genrsa -out client.key 2048
openssl req -new -sha256 -key client.key \
    -subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=domain.com" \
    -reqexts SAN \
    -config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:domain.com")) \
    -out client.csr

openssl x509 -req -days 365 -sha256 \
    -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
	-extfile <(printf "subjectAltName=DNS:localhost,DNS:domain.com") \
	-out client.crt
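
A check worth running on the files generated above before they are copied into place, added here as an example and not part of the original post: it confirms that a certificate chains to ca.crt, that the private key belongs to the certificate, and that the certificate is valid for the name frpc connects to. The function names are hypothetical, and the script assumes the openssl CLI is on PATH.

```shell
#!/usr/bin/env bash
# Added example (not from the original post): check frp mTLS files before
# copying them into place. All function names here are hypothetical.

# 0 if CERT ($2) verifies against the CA certificate ($1).
cert_chains_to_ca() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# 0 if KEY ($2) is the private key that belongs to CERT ($1).
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 0 if CERT ($1) is valid for HOST ($2), the name frpc dials as serverAddr.
# Matches on the text that `openssl x509 -checkhost` prints.
cert_covers_host() {
    openssl x509 -in "$1" -noout -checkhost "$2" 2>&1 |
        grep -q "does match certificate"
}

# usage: check_frp_cert CA CERT KEY HOST ; non-zero if any check fails.
check_frp_cert() {
    rc=0
    cert_chains_to_ca "$1" "$2" || { echo "FAIL: $2 is not signed by $1"; rc=1; }
    key_matches_cert "$2" "$3" || { echo "FAIL: $3 does not match $2"; rc=1; }
    cert_covers_host "$2" "$4" || { echo "FAIL: $2 is not valid for $4"; rc=1; }
    if [ "$rc" -eq 0 ]; then echo "ok: $2"; fi
    return "$rc"
}

# usage: make_sample_pki DIR ; constructed throwaway CA and server
# certificate (SAN as on the page) so the checks can be tried offline.
make_sample_pki() {
    ( cd "$1" &&
      printf '[req]\ndistinguished_name=dn\nx509_extensions=v3_ca\n[dn]\n[v3_ca]\nbasicConstraints=CA:true\n' > pki.cnf &&
      printf 'subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:domain.com\n' > san.ext &&
      openssl genrsa -out ca.key 2048 &&
      openssl req -x509 -new -nodes -config pki.cnf -key ca.key \
          -subj "/CN=Sample frp CA" -days 30 -out ca.crt &&
      openssl genrsa -out server.key 2048 &&
      openssl req -new -sha256 -config pki.cnf -key server.key \
          -subj "/CN=domain.com" -out server.csr &&
      openssl x509 -req -days 30 -sha256 -in server.csr -CA ca.crt \
          -CAkey ca.key -CAcreateserial -extfile san.ext -out server.crt
    ) >/dev/null 2>&1
}
```

In the directory holding the generated files, source the script and run `check_frp_cert ca.crt server.crt server.key domain.com`; for client.crt and client.key the chain and key checks are the relevant ones.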

Server configuration

Place the files generated above in /usr/local/frps/ssl/

nano /usr/local/frps/frps.toml

Add the following settings to the file:

transport.tls.certFile = "/usr/local/frps/ssl/server.crt"
transport.tls.keyFile = "/usr/local/frps/ssl/server.key"
transport.tls.trustedCaFile = "/usr/local/frps/ssl/ca.crt"

Client configuration

Place the files generated above in /etc/frp/ssl/

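serverAddr = "<public-server-address>"  # placeholder: address of the frps server
serverPort = 7000                        # placeholder: must match bindPort in frps.toml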

auth.method = "token"
auth.token = "xxxxxx"

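# The frpc admin UI listens on all interfaces here; bind to 127.0.0.1 if it only needs local access
webServer.addr = "0.0.0.0"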
webServer.port = 8080
webServer.user = "xxxxxx"
webServer.password = "xxxxxx"
webServer.pprofEnable = false

# tls
transport.tls.certFile = "/etc/frp/ssl/client.crt"
transport.tls.keyFile = "/etc/frp/ssl/client.key"
transport.tls.trustedCaFile = "/etc/frp/ssl/ca.crt"

[[proxies]]
name = "ha"
type = "https"
localPort = 443
localIP = "192.168.141.250"
subdomain = "ha"
transport.useEncryption = true
transport.useCompression = true


[[proxies]]
name = "freshrss"
#type = "https"
#localPort = 443
type = "http"
localPort = 80
localIP = "192.168.170.1"
subdomain = "freshrss"
transport.useEncryption = true
transport.useCompression = true


[[proxies]]
name = "wol"
type = "http"
localPort = 9090
localIP = "192.168.255.254"
subdomain = "wol"
transport.useEncryption = true
transport.useCompression = true

References

https://shaonianzhentan.github.io/ha-docs/#/install_frpc
