使用frp做内网穿透,需要配置两个服务器,一个是客户端,一个是服务端。
安装
官方地址: frp
分为客户端和服务端
服务端
下载最新安装包
# 解压并进入目录
tar -zxvf frp_*.tar.gz
rm -f frp_*.tar.gz
cd frp_*
# 创建配置文件
mkdir -p /etc/frp
cp frps /usr/local/bin/
ln -s /usr/local/bin/frps /usr/bin/frps
cp frps.ini /etc/frp/frps.ini
sed -i 's/nobody/root/' systemd/frps.service
cp systemd/frps.service /usr/lib/systemd/system/
参考以下配置文件
[common]
bind_addr = 0.0.0.0
bind_port = 28001
bind_udp_port = 28002
dashboard_port = 8004
dashboard_user = change_dashboard_user
dashboard_pwd = change_dashboard_pwd
log_file = /etc/frp/frps.log
log_level = info
log_max_days = 10
token = change_token
max_pool_count = 50
tcp_mux = true
启动服务
# 开启服务
systemctl enable frps
systemctl start frps
客户端
# 以下命令在root下执行
mkdir -p /etc/frp
cp frpc.ini /etc/frp/
cp frpc /usr/local/bin/
ln -s /usr/local/bin/frpc /usr/bin/frpc
# 替换nobody为root, 或者删掉
sed -i 's/nobody/root/' systemd/frpc.service
cp systemd/frpc.service /usr/lib/systemd/system/
配置文件
[common]
protocol = tcp
server_addr = server_ip
server_port = 28001
; 和服务端一致
token = change_token
tcp_mux = true
pool_count = 10
; 可增加多个, 注意修改端口
[my-ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 28122
use_encryption = true
use_compression = true
启动服务
# 开启服务
systemctl enable frpc
systemctl start frpc
TLS
参考frp tls
frpc TLS settings (under the [common] section):
tls_enable = true
tls_cert_file = server.crt
tls_key_file = server.key
tls_trusted_ca_file = ca.crt
frps TLS settings (under the [common] section):
tls_only = true
tls_enable = true
tls_cert_file = client.crt
tls_key_file = client.key
tls_trusted_ca_file = ca.crt
可以通过以下方式生成自签名证书
openssl配置文件
cat > my-openssl.cnf << EOF
[ ca ]
default_ca = CA_default
[ CA_default ]
x509_extensions = usr_cert
[ req ]
default_bits = 2048
default_md = sha256
default_keyfile = privkey.pem
distinguished_name = req_distinguished_name
attributes = req_attributes
x509_extensions = v3_ca
string_mask = utf8only
[ req_distinguished_name ]
[ req_attributes ]
[ usr_cert ]
basicConstraints = CA:FALSE
nsComment = "OpenSSL Generated Certificate"
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
[ v3_ca ]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer
basicConstraints = CA:true
EOF
生成ca证书
openssl genrsa -out ca.key 2048
openssl req -x509 -new -nodes -key ca.key -subj "/CN=example.ca.com" -days 5000 -out ca.crt
生成frps证书, 修改IP和域名
openssl genrsa -out server.key 2048
openssl req -new -sha256 -key server.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=server.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com")) \
-out server.csr
openssl x509 -req -days 365 \
-in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:localhost,IP:127.0.0.1,DNS:example.server.com") \
-out server.crt
生成frpc证书
openssl genrsa -out client.key 2048
openssl req -new -sha256 -key client.key \
-subj "/C=XX/ST=DEFAULT/L=DEFAULT/O=DEFAULT/CN=client.com" \
-reqexts SAN \
-config <(cat my-openssl.cnf <(printf "\n[SAN]\nsubjectAltName=DNS:client.com,DNS:example.client.com")) \
-out client.csr
openssl x509 -req -days 365 \
-in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
-extfile <(printf "subjectAltName=DNS:client.com,DNS:example.client.com") \
-out client.crt
真实IP
http协议
# frpc.ini
[web]
type = https
local_port = 443
custom_domains = test.example.com
# now v1 and v2 are supported
proxy_protocol_version = v2
nginx配置
server {
listen 443 ssl http2 proxy_protocol;
real_ip_header proxy_protocol;
real_ip_recursive on;
set_real_ip_from 127.0.0.1;
……
}
ssh协议
-
frpc conf
[common] server_addr = x.x.x.x server_port = 12345 authentication_method = token token = xxxxxx [ssh] type = tcp local_ip = 127.0.0.1 local_port = 54000 remote_port = 30000 proxy_protocol_version = v2 -
install go-mmproxy
go get -u github.com/path-network/go-mmproxy通过以下命令查看路径
go env | grep GOPATH -
install service
go-mmproxy
sudo vim /lib/systemd/system/go-mmproxy.service[Unit] Description=go-mmproxy After=network.target [Service] Type=simple LimitNOFILE=65535 ExecStartPost=/sbin/ip rule add from 127.0.0.1/8 iif lo table 123 ExecStartPost=/sbin/ip route add local 0.0.0.0/0 dev lo table 123 ExecStart=/usr/local/bin/go-mmproxy -4 127.0.0.1:22 -l 0.0.0.0:54000 ExecStopPost=/sbin/ip rule del from 127.0.0.1/8 iif lo table 123 ExecStopPost=/sbin/ip route del local 0.0.0.0/0 dev lo table 123 Restart=on-failure RestartSec=10s [Install] WantedBy=multi-user.targetfrpc
sudo vim /lib/systemd/system/frpc.service[Unit] Description=Frp Server Daemon with go-mmproxy Requires=go-mmproxy.service After=syslog.target network.target go-mmproxy.service Wants=network.target [Service] type=simple ExecStart=/usr/local/bin/frp/frpc -c /usr/local/bin/frp/frpc.ini ExecStop=/bin/kill $MAINPID RestartSec=1min KillMode=control-group Restart=always [Install] WantedBy=multi-user.target -
start service
# First enable start service when boot: sudo systemctl enable --now go-mmproxy.service sudo systemctl enable --now frpc.service -
show ssh log
tail -f /var/log/auth.log
参考
上篇证书