The following steps can be used to set up FRP to expose a service that sits behind a firewall or NAT to the Internet.
To follow these instructions you need a server with a public IP address to run the FRP server service.
Download and extract the FRP archive from the releases page. Once extracted, move the frps binary to /usr/local/bin/:
wget https://github.com/fatedier/frp/releases/download/v0.45.0/frp_0.45.0_linux_amd64.tar.gz
tar zxvf frp_0.45.0_linux_amd64.tar.gz
mv frp_0.45.0_linux_amd64/frps /usr/local/bin/
Create the systemd service file at /etc/systemd/system/frps.service:
cat << EOF > /etc/systemd/system/frps.service
[Unit]
Description=Fast Reverse Proxy Server
ConditionPathExists=/etc/frps.ini
ConditionPathExists=/usr/local/bin/frps
[Service]
Restart=always
ExecStart=/usr/local/bin/frps -c /etc/frps.ini
[Install]
WantedBy=multi-user.target
EOF
The above service will load the configuration from /etc/frps.ini. Create the configuration file and add the following:
cat << EOF > /etc/frps.ini
[common]
bind_port = 12000
bind_udp_port = 12001
kcp_bind_port = 12002
authentication_method = token
token = SECRET-HERE
EOF
The authentication token should be changed to something secret so that only clients that know it can connect to the server. The bound ports must also be reachable from the clients, so if iptables/nftables is running on the server, be sure to allow traffic to them.
The server can then be enabled and started:
systemctl enable --now frps.service
These steps can be used to enable the admin dashboard to show basic statistics. I will be using certbot to generate a certificate for the dashboard.
First, install certbot:
sudo snap install core
sudo snap refresh core
sudo snap install --classic certbot
sudo ln -s /snap/bin/certbot /usr/bin/certbot
Generate the certificate:
certbot certonly \
--key-type ecdsa \
--standalone \
--preferred-challenges http \
--agree-tos \
-d $(hostname -f)
If the hostname used to access the admin dashboard will be different from the server's FQDN, be sure to set the correct domain above.
Next, edit the /etc/frps.ini configuration file and enable the dashboard. A username/password will be defined to secure it with HTTP basic auth. The following configuration should be added (make sure it is under the [common] section):
dashboard_port = 12003
dashboard_user = admin
dashboard_pwd = DASHBOARD-PASSWORD
dashboard_tls_mode = true
dashboard_tls_cert_file = /etc/letsencrypt/live/server-hostname/fullchain.pem
dashboard_tls_key_file = /etc/letsencrypt/live/server-hostname/privkey.pem
Make sure the certificate path and dashboard password are set properly and then restart the service:
systemctl restart frps.service
The dashboard should then be accessible using HTTPS on port 12003.
For this example the SSH service will be exposed from the client on port 5000 of the server. If the service is only set up as needed or is temporary, skip the steps that add the systemd service.
As with the server setup, download the FRP release archive and extract it. This time the frpc binary needs to be moved to /usr/local/bin/:
wget https://github.com/fatedier/frp/releases/download/v0.45.0/frp_0.45.0_linux_amd64.tar.gz
tar zxvf frp_0.45.0_linux_amd64.tar.gz
mv frp_0.45.0_linux_amd64/frpc /usr/local/bin/
Create the systemd service file at /etc/systemd/system/frpc.service:
cat << EOF > /etc/systemd/system/frpc.service
[Unit]
Description=Fast Reverse Proxy Client
ConditionPathExists=/etc/frpc.ini
ConditionPathExists=/usr/local/bin/frpc
[Service]
Restart=always
ExecStart=/usr/local/bin/frpc -c /etc/frpc.ini
[Install]
WantedBy=multi-user.target
EOF
Create the client configuration file /etc/frpc.ini:
cat << EOF > /etc/frpc.ini
[common]
server_addr = 192.0.2.1
server_port = 12000
authentication_method = token
token = SECRET-HERE
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 5000
EOF
If using the systemd service, enable/start the service:
systemctl enable --now frpc.service
If just running ad-hoc, start the client manually:
/usr/local/bin/frpc -c /etc/frpc.ini
You should then be able to SSH to the client using the server's IP on port 5000:
ssh -oPort=5000 root@192.0.2.1
There are many other service types and options; check the README in the FRP GitHub repo for further information.
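The token and dashboard password placeholders, the dashboard TLS setting and the permissions on the ini files can be checked before either service is started. The script below is an added example, not part of the original guide or the FRP project; audit_frp_ini and ini_get are hypothetical helper names and the 32-character minimum token length is an assumption.

```shell
#!/bin/sh
# Added example: audit an frps.ini / frpc.ini before starting the service.
# The 32-character minimum token length is an assumption of this example.

ini_get() {  # ini_get FILE KEY: print KEY's value from the [common] section
    awk -v key="$2" '
        /^[ \t]*\[/ { in_common = ($0 ~ /^[ \t]*\[common\]/); next }
        in_common && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
            }
        }' "$1"
}

audit_frp_ini() {  # print findings for FILE; return the number of findings
    f=$1; n=0
    token=$(ini_get "$f" token)
    case $token in
        ''|SECRET-HERE) echo "$f: token missing or still the placeholder"; n=$((n + 1)) ;;
        *) [ "${#token}" -ge 32 ] || { echo "$f: token under 32 characters"; n=$((n + 1)); } ;;
    esac
    if [ -n "$(ini_get "$f" dashboard_port)" ]; then
        case $(ini_get "$f" dashboard_pwd) in
            ''|DASHBOARD-PASSWORD) echo "$f: dashboard_pwd missing or placeholder"; n=$((n + 1)) ;;
        esac
        [ "$(ini_get "$f" dashboard_tls_mode)" = true ] ||
            { echo "$f: dashboard enabled without dashboard_tls_mode = true"; n=$((n + 1)); }
    fi
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$f" | cut -c5-10)
    [ "$perms" = "------" ] || { echo "$f: readable beyond owner; run chmod 600"; n=$((n + 1)); }
    return "$n"
}

# Constructed sample: the server config from this page with placeholders left in.
demo=$(mktemp)
cat > "$demo" << 'EOF'
[common]
bind_port = 12000
authentication_method = token
token = SECRET-HERE
dashboard_port = 12003
dashboard_pwd = DASHBOARD-PASSWORD
EOF
chmod 644 "$demo"
audit_frp_ini "$demo" || echo "findings: $?"
rm -f "$demo"
```

Run audit_frp_ini /etc/frps.ini on the server and audit_frp_ini /etc/frpc.ini on the client; a return value of 0 means no findings.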