
How to use FRP to achieve intranet penetration

Introduction to intranet penetration

Intranet penetration is a technique that accesses applications in an internal network through a public network. It helps users easily access applications running in the internal network on the external network without port forwarding on the router or using a VPN.

There are several ways to implement intranet penetration, the most common of which is the reverse proxy server-based method. A reverse proxy server can forward public network requests to applications in the internal network and return the response to the client. This approach requires configuring a reverse proxy server on the public network and configuring the corresponding application and port forwarding rules in the internal network.

Another way is to use dedicated intranet penetration software. These tools typically require installing a proxy client in the internal network and a proxy server on the public network. Users connect to the proxy server through the proxy client and can then reach applications running on the internal network. This is relatively straightforward, but it requires installing and configuring additional software.

Intranet penetration is widely used, for example for remote desktop, file sharing and monitoring systems. Especially during the epidemic, remote work has become a trend, and intranet penetration technology has come into even wider use.

However, intranet penetration also brings security risks. Because it exposes applications in the internal network to the public network, inadequate protection can lead to cyberattacks and data breaches. Therefore, when using intranet penetration, pay attention to strengthening network security, for example by restricting access by IP address and encrypting data in transit.

FRP introduction

FRP is an open-source, concise and easy-to-use, high-performance intranet penetration and reverse proxy software, supporting TCP, UDP, HTTP, HTTPS and other protocols.

The FRP project's official site is https://github.com/fatedier/frp, and the Chinese documentation is at https://gofrp.org/docs/. The Chinese documentation covers both installation and usage in great detail; if you run into problems, check the official documentation first.

FRP works as follows:

  1. The server (frps) runs, listens on a main port and waits for the client to connect;
  2. The client (frpc) connects to the server's main port and tells the server which port to listen on and which forwarding type to use;
  3. The server forks a new process that listens on the port the client specified;
  4. A user on the Internet connects to that port, and the server forwards the data to the client over the established client connection;
  5. The client process then forwards the data to the local service, which is how a service on the internal network is exposed to the outside world.

Other intranet penetration tools

In addition to the open-source FRP, the following intranet penetration and remote control tools also exist:

  • ngrok: ngrok is also a well-known intranet penetration tool, though its reputation has declined since version 2.x stopped being open source. The ngrok website offers free tunnels, but domestic connections are slow. Tools such as NATAPP and Sunny-Ngrok are secondary developments based on ngrok;
  • ZeroTier: a zero-configuration intranet penetration tool that provides the same advanced network virtualization and management capabilities as enterprise SDN switches, connecting any device and program across local and wide area networks. However, because ZeroTier's servers are abroad, domestic connection speed is often poor, and you need to set up your own Moon to fix it;
  • V2ray: a powerful network platform providing proxy, reverse proxy and intranet penetration functions. This site has published V2ray resources before: the V2ray tutorial, the V2ray advanced tutorial on traffic disguise, and V2ray client downloads;
  • Peanut shell / Sunflower: most people who have tinkered with routers have heard of Peanut shell DDNS, and may also know the Sunflower remote control software. Both are products of Beirui Technology, and the intranet penetration function can be tried for free after registering an account;
  • TeamViewer: a well-known remote control and remote conferencing tool at home and abroad, with practical extras such as file upload and download, and far easier to use than QQ remote assistance. Although the personal version is free, TeamViewer has become increasingly commercialized and more and more annoying to use;
  • SAKURA FRP: a free FRP-based intranet penetration service, also available in a paid version. Users have mixed opinions of this provider's practices. If you do not have a server of your own, you can try it.

FRP intranet penetration tutorial

1. Preparation before deployment

1.1. Prepare a server reachable from the public network (directly accessible by IP) and a test machine on the internal network (your own computer). The server I use is a HUAWEI CLOUD Linux server with IP 124.5.23.6, and the test machine runs Win10.

1.2. Visit the project's release page (Releases · fatedier/frp · GitHub) and download the latest package:


Download the corresponding package according to the system type

2. Deploy the server

2.1. Extract frp_0.48.0_linux_386.tar.gz (if the server runs Windows, extract frp_0.48.0_windows_386.zip instead) and keep the following three files


2.2. Modify the configuration file: open frps.ini in an editor and make the following changes

[common]
# server listening port
bind_port = 15000
# authentication: the client must be configured with the same token; there is also an OIDC method, which is more complex, see the official docs
token = 332361857
# dashboard (web UI) port
dashboard_port = 15001
# dashboard username and password, optional, empty by default
dashboard_user = admin
dashboard_pwd = admin332361857
# upper limit on the connection pool each proxy may create, to avoid heavy resource use; a client value above this is clamped to it
max_pool_count = 5
# port whitelist
allow_ports = 15000,15001,15002-15009
# HTTP vhost listening port
vhost_http_port = 15003
# log file
log_file = ./frps.log
# log level
log_level = info

The parameters above are the ones this test needs; the full list of server parameters follows (each entry gives the parameter, its type, a description, the default value and any remarks):

bind_addr (string): server listening address. Default: 0.0.0.0
bind_port (int): server listening port. Default: 7000. Receives connections from frpc
bind_udp_port (int): server UDP listening port. Used to assist in creating P2P connections
kcp_bind_port (int): server KCP protocol listening port. Used to receive frpc connections over KCP
quic_bind_port (int): server QUIC protocol listening port. Used to receive frpc connections over QUIC
quic_keepalive_period (int): QUIC keepalive interval, in seconds. Default: 10
quic_max_idle_timeout (int): QUIC maximum idle timeout, in seconds. Default: 30
quic_max_incoming_streams (int): QUIC maximum number of concurrent streams. Default: 100000
proxy_bind_addr (string): proxy listening address. Default: same as bind_addr. Lets proxies listen on a different NIC address
log_file (string): log file path. Default: ./frps.log. If set to console, logs go to standard output
log_level (string): log level. Default: info. Options: trace, debug, info, warn, error
log_max_days (int): number of days to retain log files. Default: 3
disable_log_color (bool): disable log color in standard output. Default: false
detailed_errors_to_client (bool): server returns detailed error information to the client. Default: true
tcp_mux_keepalive_interval (int): tcp_mux heartbeat interval, in seconds. Default: 60
tcp_keepalive (int): keepalive interval of the underlying TCP connection to the client, in seconds. Default: 7200. A negative value disables it
heartbeat_timeout (int): timeout of the heartbeat between server and client, in seconds. Default: 90
user_conn_timeout (int): time to wait for the client to respond after a user connection is established, in seconds. Default: 10
udp_packet_size (int): maximum packet length supported when proxying UDP services. Default: 1500. Server and client values must match
tls_cert_file (string): TLS server certificate file path
tls_key_file (string): TLS server key file path
tls_trusted_ca_file (string): TLS CA certificate file path

2.3. Upload the three files to the chosen directory on the server and run:

./frps -c frps.ini

Log output like the following indicates that the server started successfully:

2023/03/31 10:59:01 [I] [root.go:206] frps uses config file: /home/web/frp/frps.ini
2023/03/31 10:59:01 [I] [service.go:200] frps tcp listen on 0.0.0.0:15000
2023/03/31 10:59:01 [I] [service.go:261] http service listen on 0.0.0.0:15003
2023/03/31 10:59:01 [I] [service.go:317] Dashboard listen on 0.0.0.0:15001
2023/03/31 10:59:01 [I] [root.go:215] frps started successfully

2.4. Open the web dashboard at 124.5.23.6:15001.

2.5. The server side is now configured.

3. Basic client configuration

3.1. Extract frp_0.48.0_windows_386.zip (if the intranet machine runs Linux, extract frp_0.48.0_linux_386.tar.gz instead) and keep the following three files

3.2. Modify the configuration file: open frpc.ini in an editor and make the following changes

[common]
# public IP of the server
server_addr = 124.5.23.6
# server listening port (must match bind_port in frps.ini)
server_port = 15000
# token must match the server configuration
token = 332361857
# log file
log_file = ./frps.log
# log level
log_level = info
# connection pool size
pool_count = 5
# client admin web UI
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin

The parameters above are the ones this test needs; the full list of client parameters follows (each entry gives the parameter, its type, a description, the default value and any remarks):

server_addr (string): address of the server to connect to. Default: 0.0.0.0
server_port (int): port of the server to connect to. Default: 7000
connect_server_local_ip (string): local IP address bound when connecting to the server
dial_server_timeout (int): timeout for connecting to the server. Default: 10
dial_server_keepalive (int): keepalive interval of the underlying TCP connection to the server, in seconds. Default: 7200. A negative value disables it
http_proxy (string): proxy address used when connecting to the server. Format: {protocol}://user:pwd@<proxy-host>:8080; protocol currently supports http, socks5 and ntlm
log_file (string): log file path. Default: ./frpc.log. If set to console, logs go to standard output
log_level (string): log level. Default: info. Options: trace, debug, info, warn, error
log_max_days (int): number of days to retain log files. Default: 3
disable_log_color (bool): disable log color in standard output. Default: false
pool_count (int): connection pool size
user (string): user name. When set, proxy names become {user}.{proxyName}, which avoids conflicts with other users' proxy names
dns_server (string): DNS server address to use. By default the system DNS server is used; setting this forces a custom DNS server address
login_fail_exit (bool): exit after the first failed login. Default: true
protocol (string): protocol used to communicate with the server. Default: tcp. Options: tcp, kcp, quic, websocket
quic_keepalive_period (int): QUIC keepalive interval, in seconds. Default: 10
quic_max_idle_timeout (int): QUIC maximum idle timeout, in seconds. Default: 30
quic_max_incoming_streams (int): QUIC maximum number of concurrent streams. Default: 100000
tls_enable (bool): enable TLS to encrypt the connection. Default: false
tls_cert_file (string): TLS client certificate file path
tls_key_file (string): TLS client key file path
tls_trusted_ca_file (string): TLS CA certificate file path
tls_server_name (string): TLS server name. If empty, server_addr is used
disable_custom_tls_first_byte (bool): do not send the custom 0x17 first byte for TLS. Default: false. When true, port multiplexing is not possible
tcp_mux_keepalive_interval (int): tcp_mux heartbeat interval, in seconds. Default: 60
heartbeat_interval (int): interval between heartbeat packets sent to the server. Default: 30. It is recommended to enable tcp_mux_keepalive_interval and set this value to -1
heartbeat_timeout (int): timeout for the server-side heartbeat. Default: 90
udp_packet_size (int): maximum packet length supported when proxying UDP services. Default: 1500. Server and client values must match
start (string): enable only some of the configured proxies. When more proxies are configured than you want to run, list the ones to enable here; by default all are enabled
meta_xxx (map): additional metadata. Passed to server-side plugins to provide extra capabilities

3.3. Run it from cmd:

frpc -c frpc.ini

3.4. Opening the admin UI at http://127.0.0.1:7400/ shows the client status.

4. Proxy configuration

4.1. The basic proxy parameters are as follows (each entry gives the parameter, its type, whether it is required, a description, the default value, options and remarks):

type (string, required): proxy type. Default: tcp. Options: tcp, udp, http, https, stcp, sudp, xtcp, tcpmux
use_encryption (bool, optional): whether encryption is enabled. Default: false. When enabled, traffic between the proxy and the server is encrypted
use_compression (bool, optional): whether compression is enabled. Default: false. When enabled, traffic between the proxy and the server is compressed
proxy_protocol_version (string, optional): version of the proxy protocol to enable. Options: v1, v2. When enabled, frpc sends a proxy protocol header to the local service after the connection is established, carrying the IP address and port of the original request
bandwidth_limit (string, optional): bandwidth limit for a single proxy. The unit is MB or KB; 0 means no limit; when enabled it applies to the corresponding frpc
bandwidth_limit_mode (string, optional): where throttling is applied, client side or server side. Default: client. Options: client, server

4.2. Local service configuration of the proxy

Exactly one of local_ip and plugin must be configured; if plugin is set, the local_ip configuration is ignored.

local_ip (string, required): local service IP. Default: 127.0.0.1. The IP address of the local service to be proxied; it can be any IP address reachable from the machine running frpc
local_port (int, required): local service port. Used together with local_ip
plugin (string, optional): client plugin name. See the client plugin documentation. Extends frpc by providing some simple local services; when a plugin is configured, local_ip and local_port have no effect, and only one of the two can be configured
plugin_params (map, optional): client plugin parameters. A map whose keys must start with "plugin_"; each plugin needs different parameters, see the client plugin parameters for details

4.3. Load balancing and health checks for proxies

group (string, optional): load balancing group name. User requests are sent to proxies in the same group in round-robin fashion
group_key (string, optional): load balancing group key. Used to authenticate a load balancing group; proxies with the same group_key join the same group
health_check_type (string, optional): health check type. Options: tcp, http. When enabled, a TCP check considers the service healthy if the connection succeeds; an HTTP check requires the endpoint to return a 2xx status code
health_check_timeout_s (int, optional): health check timeout in seconds. Default: 3. Timeout for the check itself
health_check_max_failed (int, optional): number of consecutive failed checks. Default: 1. After this many consecutive failures the service is considered unhealthy
health_check_interval_s (int, optional): health check interval in seconds. Default: 10. How often the check runs
health_check_url (string, optional): HTTP endpoint for health checks. When health_check_type is http, this parameter sets the URL the HTTP request is sent to, for example "/health"

4.4. TCP proxy configuration: below we configure SSH access to the intranet machine.

4.4.1. Continue editing the frpc.ini from the previous section and append the following:

# proxy name; names must be unique, so distinguish multiple proxies like [ssh] [ssh1] [ssh2]
[ssh]
# proxy type: tcp
type = tcp
# IP of the intranet machine
local_ip = 127.0.0.1
# local port to forward (the service port opened on the Win10 machine)
local_port = 22
# port exposed on the server (must be within allow_ports in frps.ini)
remote_port = 15002
# enable encryption
use_encryption = true
# enable compression
use_compression = true
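As an added consistency check (not part of the tutorial or of the FRP project itself), the following Python script parses a reduced copy of the frps.ini from section 2 and the frpc.ini with the [ssh] proxy from this section, expands the allow_ports whitelist, and reports the mismatches that most often stop a tunnel from coming up or weaken it: differing tokens, a server_port that does not match bind_port, a remote_port outside allow_ports, an admin UI bound beyond loopback, and a TCP proxy without use_encryption. The two configuration strings are constructed here from the tutorial's own values.

```python
"""Consistency checks for a frps.ini / frpc.ini pair (constructed example, not FRP code)."""
import configparser
# Constructed sample configs with the tutorial's values, reduced to the keys checked.
FRPS_INI = """[common]
bind_port = 15000
token = 332361857
allow_ports = 15000,15001,15002-15009
"""
FRPC_INI = """[common]
server_addr = 124.5.23.6
server_port = 15000
token = 332361857
admin_addr = 127.0.0.1
[ssh]
type = tcp
remote_port = 15002
use_encryption = true
"""

def parse_allow_ports(spec):
    """Expand frps allow_ports syntax such as '15000,15001,15002-15009' into a set."""
    ports = set()
    for item in spec.split(","):
        item = item.strip()
        if "-" in item:
            lo, hi = (int(x) for x in item.split("-", 1))
            ports.update(range(lo, hi + 1))
        elif item:
            ports.add(int(item))
    return ports

def check_pair(frps_text, frpc_text):
    """Return a list of findings; an empty list means the two files agree."""
    srv, cli = configparser.ConfigParser(), configparser.ConfigParser()
    srv.read_string(frps_text)
    cli.read_string(frpc_text)
    sc, cc = srv["common"], cli["common"]
    findings = []
    if not sc.get("token"):
        findings.append("frps has no token: any frpc can register proxies")
    elif sc.get("token") != cc.get("token"):
        findings.append("token differs between frps.ini and frpc.ini")
    if sc.getint("bind_port", 7000) != cc.getint("server_port", 7000):
        findings.append("frpc server_port does not match frps bind_port")
    if cc.get("admin_addr", "127.0.0.1") != "127.0.0.1":
        findings.append("frpc admin UI is bound beyond loopback")
    allowed = parse_allow_ports(sc.get("allow_ports", ""))
    for name in cli.sections():
        proxy = cli[name]
        if name == "common" or proxy.get("type") != "tcp":
            continue  # http proxies are reached via vhost_http_port, not remote_port
        if allowed and proxy.getint("remote_port", -1) not in allowed:
            findings.append(f"[{name}] remote_port {proxy.get('remote_port')} is not in allow_ports")
        if proxy.get("use_encryption", "false").lower() != "true":
            findings.append(f"[{name}] use_encryption is off")
    return findings
```

Run check_pair on the real files before starting frps and frpc; an empty list means the pair is consistent.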

4.4.2. After starting the client, connect with (replace <user> with the account on the Win10 machine):

ssh -p 15002 <user>@124.5.23.6

4.4.3. The connection succeeds.

4.5. HTTP proxy configuration: below we configure access to a web service on the intranet.

4.5.1. Continue editing the frpc.ini from the previous section and append the following:

[web]
type = http
# local port
local_port = 8080
# custom domain bound on the server; its DNS record must resolve to the server IP
custom_domains = proxy.test.com

4.5.2. After starting the client, the local HTTP service can be reached through the custom domain on port 15003, the vhost_http_port configured on the server.

4.6. frp can also proxy STCP, SUDP, XTCP, TCPMUX and UDP. I have not used these yet, so I will share them once I do; if you have questions, raise them in the comment area, thank you!

Finally, a few tips related to the configuration process:

1. To start FRP automatically at boot, see: FRP boot self-start

2. Every port configured on the server must be opened in the firewall; see: Linux firewall configuration