文章目录
- 选择
- 准备环境
- 安装
- 安全配置
-
- [生成默认 ca](#生成默认 ca)
- [生成 frps 证书](#生成 frps 证书)
- [生成 frpc 的证书](#生成 frpc 的证书)
- 服务端配置
- 客户端配置
- 参考
选择
截至2025年,nps四年没维护了:https://github.com/ehang-io/nps
主流方案:https://github.com/fatedier/frp
准备环境
需要一台公网服务器
需要一个域名,并提供泛域名解析。
安装
一键安装服务端(在公网服务器上)
https://github.com/MvsCode/frps-onekey
bash
wget https://gitee.com/mvscode/frps-onekey/raw/master/install-frps.sh -O ./install-frps.sh
chmod 700 ./install-frps.sh
./install-frps.sh installfrps安装路径:/usr/local/frps
frps status manage : frps {start|stop|restart|status|config|version}
Example:
start: frps start
stop: frps stop
restart: frps restartdocker安装客户端(在本地局域网)
bash
docker run --restart=always --network host -d -v ~/frpc.ini:/etc/frp/frpc.ini --name frpc snowdreamtech/frpc1panel安装客户端(在本地局域网)
略,很简单
安全配置
bash
cat > my-openssl.cnf << EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
EOF生成默认 ca
bash
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=domain.com" -days 36500 -out ca.crt生成 frps 证书
bash
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=domain.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:domain.com")) \
-out server.csr
openssl x509 -req -days 365 -sha256 \
-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:domain.com") \
-out server.crt生成 frpc 的证书
bash
openssl genrsa -out client.key 2048
openssl req -new -sha256 -key client.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=domain.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:domain.com")) \
-out client.csr
openssl x509 -req -days 365 -sha256 \
-in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:localhost,DNS:domain.com") \
-out client.crt服务端配置
将上面生成好的文件放到/usr/local/frps/ssl/中
bash
nano /usr/local/frps/frps.toml
bash
transport.tls.certFile = "/usr/local/frps/ssl/server.crt"
transport.tls.keyFile = "/usr/local/frps/ssl/server.key"
transport.tls.trustedCaFile = "/usr/local/frps/ssl/ca.crt"客户端配置
将上面生成好的文件放到/etc/frp/ssl/中
bash
serverAddr =
serverPort =
auth.method = "token"
auth.token = "xxxxxx"
webServer.addr = "0.0.0.0"
webServer.port = 8080
webServer.user = "xxxxxx"
webServer.password = "xxxxxx"
webServer.pprofEnable = false
# tls
transport.tls.certFile = "/etc/frp/ssl/client.crt"
transport.tls.keyFile = "/etc/frp/ssl/client.key"
transport.tls.trustedCaFile = "/etc/frp/ssl/ca.crt"
[[proxies]]
name = "ha"
type = "https"
localPort = 443
localIP = "192.168.141.250"
subdomain = "ha"
transport.useEncryption = true
transport.useCompression = true
[[proxies]]
name = "freshrss"
#type = "https"
#localPort = 443
type = "http"
localPort = 80
localIP = "192.168.170.1"
subdomain = "freshrss"
transport.useEncryption = true
transport.useCompression = true
[[proxies]]
name = "wol"
type = "http"
localPort = 9090
localIP = "192.168.255.254"
subdomain = "wol"
transport.useEncryption = true
transport.useCompression = true