内网穿透



内网穿透

frp 及 natapp

windows 服务器 穿透 连接本地windows计算机

下载链接:

Release v0.41.0 · fatedier/frp (github.com)

官方文档:

https://github.com/fatedier/frp

根据对应的操作系统及架构 从Release 页面下载最新版的程序

  • frps 及 frps.ini 放到具有公网 IP 的机器上(即服务器)
  • frpc 及 frpc.ini 放到处于内网环境的机器上

windows

服务器

frps.ini

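[common]
# Address frps listens on. frpc on the intranet machine connects to this server
# over the Internet (server_addr in frpc.ini below), so frps has to listen on an
# externally reachable interface: 0.0.0.0 (all interfaces, the value frp's own
# full sample config uses). 127.0.0.1 would only accept connections coming from
# the server itself and the client below could never log in.
bind_addr = 0.0.0.0
# Port frps listens on; default is 7000 and can be changed, but frpc's
# server_port must then be changed to the same value.
bind_port = 7000
# No token is configured, so any frpc that can reach this port may register
# proxies on this server. Set one long random value here and in frpc.ini
# (the Linux section of this page shows the matching pair).
# token = <replace-with-a-long-random-secret>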

启动 : frps.exe

frps.exe

本地:

frpc.ini

[common]
# Public address of the frps server (the machine that runs frps.ini above)
server_addr = adminzhang.top
# Port frps listens on (must be the same as bind_port in frps.ini)
server_port = 7000
# NOTE(review): no token is set here or in the frps.ini above, so the server
# accepts any frpc that can reach it; the Linux section further down shows how
# the same token is set on both sides.

# Each section below defines one proxy: frps listens on remote_port and
# forwards the connections to local_ip:local_port on this machine.
# Presumably a Tomcat on 8080 (the name suggests it) — confirm; published as 18080
[TMCAT]
type = tcp
local_ip = 127.0.0.1
local_port = 8080
remote_port = 18080

# Local SSH service (port 22) published on the server as port 6000
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000

# Local MySQL (3306) published on the server as 13306. Anyone on the Internet
# can then reach the MySQL login, so no account may have an empty or weak
# password and remote root logins should stay disabled.
[mysql]
type = tcp
local_ip = 127.0.0.1
local_port = 3306
remote_port = 13306

启动 frpc.exe

frpc.exe -c frpc.ini

NATAPP

https://natapp.cn/

注册 登录 购买隧道

image-20211212002730455

下载客户端工具

image-20211212003056571

解压后得到一个 natapp.exe 可执行文件

在该目录下打开命令行工具(cmd 管理员模式)

输入:

natapp -authtoken=上面获取的密码(token)

回车后:如图代表启动成功

image-20211212003901742

frp Linux

Linux 服务器 穿透 连接本地windows计算机

下载: frp_0.41.0_linux_amd64.tar.gz

服务器端配置

下载完成后 上传到 Linux 服务器 解压frp压缩包

解压命令: tar -zxvf frp_0.41.0_linux_amd64.tar.gz

image-20220421110934673

进入解压目录:

cd frp_0.41.0_linux_amd64/

打开配置文件(服务器端):

vim frps.ini

修改内容为:

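[common]
# Port frps listens on for frpc connections; default 7000, change as needed
# (server_port in frpc.ini must match).
bind_port = 7000
# Shared secret every frpc must present (token in frpc.ini). 123456 is the
# example used throughout this page and must equal the value in the client
# config below; replace it in both files with a long random value, otherwise
# anyone who finds port 7000 can register proxies on this server.
token = 123456

# Dashboard port. The dashboard listens on bind_addr (all interfaces when not
# set), so once 7500 is opened in the firewall it is reachable from the whole
# Internet and is protected only by the basic-auth credentials below.
dashboard_port = 7500
# Dashboard user name and password. The page originally used admin / root,
# which scanners try first; put a strong, unique password here.
dashboard_user = admin
dashboard_pwd = <CHANGE-ME-strong-dashboard-password>
# Exports Prometheus metrics under /metrics on the dashboard port (same
# basic-auth protection as the dashboard).
enable_prometheus = true

# frps log: file path, level (trace/debug/info/warn/error) and retention in days.
log_file = /var/log/frps.log
log_level = info
log_max_days = 3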

保存 退出

image-20220421112035557

注:图片显示有误,dashboard_port 应为 7500(而非 6000);token 为 123456

修改 frps 文件的权限

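# frps only needs to be executable. 777 would also make the file world-writable,
# so any local user could swap the binary before it is copied to /usr/bin and
# started as a system service; 755 is sufficient.
chmod 755 frps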

设置和启动服务:

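# Install frps system-wide and run it under systemd with the unit file shipped
# in the release archive (systemd/frps.service).
sudo mkdir -p /etc/frp
# frps.ini holds the token and the dashboard password: make sure it is readable
# only by root and by the account the unit runs as (check User= in
# systemd/frps.service before tightening the mode).
sudo cp frps.ini /etc/frp
sudo cp frps /usr/bin
# Locally installed units belong in /etc/systemd/system; /usr/lib/systemd/system
# is the location for units installed by the package manager.
sudo cp systemd/frps.service /etc/systemd/system/
# Let systemd pick up the new unit, then enable it at boot and start it now.
sudo systemctl daemon-reload
sudo systemctl enable --now frps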

开放 linux 端口

需要开放 7000(frps 监听端口)和 7500(dashboard 端口)。此外,若 firewalld 处于启用状态,后面 frpc.ini 中使用的 remote_port(33890、18080)也需要开放,否则外部无法连接到这些代理。

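# The page lists both 7000 (frps) and 7500 (dashboard) as ports to open, but the
# original command only opened 7000. Opening 7500 publishes the dashboard login
# page to the whole Internet; if it is only needed from a known address, prefer a
# rich rule limiting the source instead of --add-port.
firewall-cmd --zone=public --add-port=7000/tcp --permanent
firewall-cmd --zone=public --add-port=7500/tcp --permanent
# If firewalld is active, the remote_port values used later in frpc.ini must be
# reachable as well (33890 for the remote desktop proxy, 18080 for the web proxy).
firewall-cmd --zone=public --add-port=33890/tcp --permanent
firewall-cmd --zone=public --add-port=18080/tcp --permanent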

重启防火墙

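# Apply the --permanent rules to the running firewall. --reload is the
# documented way to activate permanent changes and does not interrupt existing
# connections the way a full service restart does.
firewall-cmd --reload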

查看开放的端口

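# List the opened ports of the zone the rules were added to. Without --zone the
# default zone is shown, which is not necessarily "public".
firewall-cmd --zone=public --list-ports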

访问:

http://www.xiaotao.cloud:7500/

image-20220423132951236

客户端配置

下载 windows 版

frp_0.41.0_windows_amd64

打开 frpc.ini
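[common]
# Public address of the frps server and the port it listens on (bind_port in frps.ini).
server_addr = www.xiaotao.cloud
server_port = 7000
# Must be identical to token in frps.ini. 123456 is the page's example value;
# use one long random secret in both files so that strangers cannot register
# proxies on the server.
token = 123456

# Proxy named "ssh" (the name is what appears in the frps log lines below), but
# what it forwards is local port 3389, i.e. Windows Remote Desktop, not SSH.
[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 3389
# Port opened on the frps server; chosen freely, and it is the port the remote
# desktop client connects to later. It is reachable by anyone on the Internet,
# so the Windows account password must be strong; an stcp visitor proxy (see the
# full frpc config further down) would avoid the public listener altogether.
remote_port = 33890

[web]
type = tcp
local_ip = 127.0.0.1
local_port = 8080
# subdomain only applies to http/https proxies; on a tcp proxy it has no effect
# (the frps log below registers [web] as a plain tcp listener on 18080), so it
# is left out here.
# subdomain = www.xiaotao.cloud
remote_port = 18080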
win + r cmd

frpc.exe -c frpc.ini

image-20220423150910026

查看 linux 日志
2022/04/23 14:58:59 [I] [service.go:450] [66e39b233f9b19cc] client login info: ip [106.92.242.75:4612] version [0.41.0] hostname [] os [windows] arch [amd64]
2022/04/23 14:58:59 [I] [tcp.go:64] [66e39b233f9b19cc] [ssh] tcp proxy listen port [33890]
2022/04/23 14:58:59 [I] [control.go:465] [66e39b233f9b19cc] new proxy [ssh] success
2022/04/23 14:58:59 [I] [tcp.go:64] [66e39b233f9b19cc] [web] tcp proxy listen port [18080]
2022/04/23 14:58:59 [I] [control.go:465] [66e39b233f9b19cc] new proxy [web] success

image-20220423151126524

设置开机自启

frpc.exe 同级目录下 新建 start.bat

image-20220425142406595

start.bat 内容如下

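@echo off
rem Keep frpc running: start it, and start it again whenever it exits.
rem Run from the folder that holds frpc.exe and frpc.ini even when launched by
rem the Task Scheduler, whose working directory may not be this folder.
cd /d "%~dp0"
:home
frpc.exe -c frpc.ini
rem Pause before restarting. If frpc exits immediately (server unreachable,
rem wrong token), an unthrottled goto loop spins the CPU and floods the log.
timeout /t 5 /nobreak >nul
goto home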

作用:后台循环运行 frpc,如果 frpc 因错误退出则自动重启

打开控制面板 搜索计划任务

image-20220425142932877

image-20220425142957719

image-20220425143112374

image-20220425143140639

image-20220425143212006

image-20220425143233949

image-20220425143331781

完成后 点击确认,frp 开机自启配置完成

重启电脑后 在任务管理器就可以看到 frpc.exe

image-20220425143522257

使用另一台电脑

image-20220425143735294

点击连接 即可成功连接

frps 的完整配置文件(服务器)

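# Complete frps (server-side) reference config.
# Section names, key names and boolean/enum values are literal identifiers that
# frps reads. The machine-translated forms that appeared in this listing
# ([常见], 令牌, 真/假, 信息, 管理员, [插件.用户管理器], 地址/路径/操作, 服务器.key)
# are not recognised by frps, so they are restored to the English spellings below.
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "bind_addr" field, no need square brackets, like "bind_addr = ::".
bind_addr = 0.0.0.0
bind_port = 7000

# udp port to help make udp hole to penetrate nat
bind_udp_port = 7001

# udp port used for kcp protocol, it can be same with 'bind_port'.
# if not set, kcp is disabled in frps.
kcp_bind_port = 7000

# specify which address proxy will listen for, default value is same with bind_addr
# proxy_bind_addr = 127.0.0.1

# if you want to support virtual host, you must set the http port for listening (optional)
# Note: http port and https port can be same with bind_port
vhost_http_port = 80
vhost_https_port = 443

# response header timeout(seconds) for vhost http server, default is 60s
# vhost_http_timeout = 60

# tcpmux_httpconnect_port specifies the port the server listens for TCP
# HTTP CONNECT requests. If the value is 0, the server will not multiplex TCP
# requests on one single port. If it's not - it will listen on this value for
# HTTP CONNECT requests. By default, this value is 0.
# tcpmux_httpconnect_port = 1337

# set dashboard_addr and dashboard_port to view dashboard of frps
# dashboard_addr's default value is same with bind_addr
# dashboard is available only if dashboard_port is set
# 0.0.0.0 publishes the dashboard on every interface; bind it to 127.0.0.1 or a
# management address unless it really has to be reachable from outside.
dashboard_addr = 0.0.0.0
dashboard_port = 7500

# dashboard user and passwd for basic auth protect
# admin/admin are sample values; replace both before deploying.
dashboard_user = admin
dashboard_pwd = admin

# enable_prometheus will export prometheus metrics on {dashboard_addr}:{dashboard_port} in /metrics api.
enable_prometheus = true

# dashboard assets directory(only for debug mode)
# assets_dir = ./static

# console or real logFile path like ./frps.log
log_file = ./frps.log

# trace, debug, info, warn, error
log_level = info

log_max_days = 3

# disable log colors when log_file is console, default is false
disable_log_color = false

# DetailedErrorsToClient defines whether to send the specific error (with debug info) to frpc. By default, this value is true.
detailed_errors_to_client = true

# authentication_method specifies what authentication method to use authenticate frpc with frps.
# If "token" is specified - token will be read into login message.
# If "oidc" is specified - OIDC (Open ID Connect) token will be issued using OIDC settings. By default, this value is "token".
authentication_method = token

# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false

# AuthenticateNewWorkConns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false

# auth token
# Sample value; use a long random secret and set the same value in frpc.ini.
token = 12345678

# oidc_issuer specifies the issuer to verify OIDC tokens with.
# By default, this value is "".
oidc_issuer =

# oidc_audience specifies the audience OIDC tokens should contain when validated.
# By default, this value is "".
oidc_audience =

# oidc_skip_expiry_check specifies whether to skip checking if the OIDC token is expired.
# By default, this value is false.
oidc_skip_expiry_check = false

# oidc_skip_issuer_check specifies whether to skip checking if the OIDC token's issuer claim matches the issuer specified in OidcIssuer.
# By default, this value is false.
oidc_skip_issuer_check = false

# heartbeat configure, it's not recommended to modify the default value
# the default value of heartbeat_timeout is 90. Set negative value to disable it.
# heartbeat_timeout = 90

# user_conn_timeout configure, it's not recommended to modify the default value
# the default value of user_conn_timeout is 10
# user_conn_timeout = 10

# only allow frpc to bind ports you list, if you set nothing, there won't be any limit
# Keeping this list tight is the main control over what an authenticated client
# is able to expose on this server.
allow_ports = 2000-3000,3001,3003,4000-50000

# pool_count in each proxy will change to max_pool_count if they exceed the maximum value
max_pool_count = 5

# max ports can be used for each client, default value is 0 means no limit
max_ports_per_client = 0

# tls_only specifies whether to only accept TLS-encrypted connections. By default, the value is false.
tls_only = false

# tls_cert_file = server.crt
# tls_key_file = server.key
# tls_trusted_ca_file = ca.crt

# if subdomain_host is not empty, you can set subdomain when type is http or https in frpc's configure file
# when subdomain is test, the host used by routing is test.frps.com
subdomain_host = frps.com

# if tcp stream multiplexing is used, default is true
# tcp_mux = true

# specify keep alive interval for tcp mux.
# only valid if tcp_mux is true.
# tcp_mux_keepalive_interval = 60

# tcp_keepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
# If negative, keep-alive probes are disabled.
# tcp_keepalive = 7200

# custom 404 page for HTTP requests
# custom_404_page = /path/to/404.html

# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500

# Enable golang pprof handlers in dashboard listener.
# Dashboard port must be set first
pprof_enable = false

# Server plugin hooks: for the listed ops (Login / NewProxy) frps consults a
# handler at addr+path. NOTE(review): leave these sections out unless such a
# handler is actually running; with nothing listening, logins and proxy
# creation may be rejected — confirm.
[plugin.user-manager]
addr = 127.0.0.1:9000
path = /handler
ops = Login

[plugin.port-manager]
addr = 127.0.0.1:9001
path = /handler
ops = NewProxy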

frpc(客户端)的完整配置文件

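# Complete frpc (client-side) reference config.
# Key names and values are literal identifiers that frpc reads. The
# machine-translated forms that had crept into the last sections of this listing
# (类型, 角色 = 访客, 多路复用器, 假, X-从何处, 服务器.key, and a bare
# "custom_domains" with no value) are restored to the spellings frpc reads.
# [common] is integral section
[common]
# A literal address or host name for IPv6 must be enclosed
# in square brackets, as in "[::1]:80", "[ipv6-host]:http" or "[ipv6-host%zone]:80"
# For single "server_addr" field, no need square brackets, like "server_addr = ::".
server_addr = 0.0.0.0
server_port = 7000

# The maximum amount of time a dial to server will wait for a connect to complete. Default value is 10 seconds.
# dial_server_timeout = 10

# dial_server_keepalive specifies the interval between keep-alive probes for an active network connection between frpc and frps.
# If negative, keep-alive probes are disabled.
# dial_server_keepalive = 7200

# if you want to connect frps by http proxy or socks5 proxy or ntlm proxy, you can set http_proxy here or in global environment variables
# it only works when protocol is tcp
# http_proxy = http://user:passwd@192.168.1.128:8080
# http_proxy = socks5://user:passwd@192.168.1.128:1080
# http_proxy = ntlm://user:passwd@192.168.1.128:2080

# console or real logFile path like ./frpc.log
log_file = ./frpc.log

# trace, debug, info, warn, error
log_level = info

log_max_days = 3

# disable log colors when log_file is console, default is false
disable_log_color = false

# for authentication, should be same as your frps.ini
# authenticate_heartbeats specifies whether to include authentication token in heartbeats sent to frps. By default, this value is false.
authenticate_heartbeats = false

# authenticate_new_work_conns specifies whether to include authentication token in new work connections sent to frps. By default, this value is false.
authenticate_new_work_conns = false

# auth token
# Sample value; must equal the token in frps.ini, and both should be replaced
# by one long random secret.
token = 12345678

# oidc_client_id specifies the client ID to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_id =

# oidc_client_secret specifies the client secret to use to get a token in OIDC authentication if AuthenticationMethod == "oidc".
# By default, this value is "".
oidc_client_secret =

# oidc_audience specifies the audience of the token in OIDC authentication if AuthenticationMethod == "oidc". By default, this value is "".
oidc_audience =

# oidc_token_endpoint_url specifies the URL which implements OIDC Token Endpoint.
# It will be used to get an OIDC token if AuthenticationMethod == "oidc". By default, this value is "".
oidc_token_endpoint_url =

# oidc_additional_xxx specifies additional parameters to be sent to the OIDC Token Endpoint.
# For example, if you want to specify the "audience" parameter, you can set as follow.
# frp will add "audience=<value>" "var1=<value>" to the additional parameters.
# oidc_additional_audience = https://dev.auth.com/api/v2/
# oidc_additional_var1 = foobar

# set admin address for control frpc's action by http api such as reload
# admin/admin are sample credentials; the admin API is bound to 127.0.0.1 here,
# keep it that way unless remote control is really needed.
admin_addr = 127.0.0.1
admin_port = 7400
admin_user = admin
admin_pwd = admin
# Admin assets directory. By default, these assets are bundled with frpc.
# assets_dir = ./static

# connections will be established in advance, default value is zero
pool_count = 5

# if tcp stream multiplexing is used, default is true, it must be same with frps
# tcp_mux = true

# specify keep alive interval for tcp mux.
# only valid if tcp_mux is true.
# tcp_mux_keepalive_interval = 60

# your proxy name will be changed to {user}.{proxy}
user = your_name

# decide if exit program when first login failed, otherwise continuous relogin to frps
# default is true
login_fail_exit = true

# communication protocol used to connect to server
# now it supports tcp, kcp and websocket, default is tcp
protocol = tcp

# set client binding ip when connect server, default is empty.
# only when protocol = tcp or websocket, the value will be used.
connect_server_local_ip = 0.0.0.0

# if tls_enable is true, frpc will connect frps by tls
# Keeps the frpc<->frps control connection encrypted (frps can require it with tls_only).
tls_enable = true

# tls_cert_file = client.crt
# tls_key_file = client.key
# tls_trusted_ca_file = ca.crt
# tls_server_name = example.com

# specify a dns server, so frpc will use this instead of default one
# dns_server = 8.8.8.8

# proxy names you want to start separated by ','
# default is empty, means all proxies
# start = ssh,dns

# heartbeat configure, it's not recommended to modify the default value
# The default value of heartbeat_interval is 10 and heartbeat_timeout is 90. Set negative value
# to disable it.
# heartbeat_interval = 30
# heartbeat_timeout = 90

# additional meta info for client
meta_var1 = 123
meta_var2 = 234

# specify udp packet size, unit is byte. If not set, the default value is 1500.
# This parameter should be same between client and server.
# It affects the udp and sudp proxy.
udp_packet_size = 1500

# include other config files for proxies.
# includes = ./confd/*.ini

# By default, frpc will connect frps with first custom byte if tls is enabled.
# If DisableCustomTLSFirstByte is true, frpc will not send that custom byte.
disable_custom_tls_first_byte = false

# Enable golang pprof handlers in admin listener.
# Admin port must be set first.
pprof_enable = false

# 'ssh' is the unique proxy name
# if user in [common] section is not empty, it will be changed to {user}.{proxy} such as 'your_name.ssh'
[ssh]
# tcp | udp | http | https | stcp | xtcp, default is tcp
type = tcp
local_ip = 127.0.0.1
local_port = 22
# limit bandwidth for this proxy, unit is KB and MB
bandwidth_limit = 1MB
# true or false, if true, messages between frps and frpc will be encrypted, default is false
use_encryption = false
# if true, message will be compressed
use_compression = false
# remote port listen by frps
remote_port = 6001
# frps will load balancing connections for proxies in same group
group = test_group
# group should have same group key
group_key = 123456
# enable health check for the backend service, it support 'tcp' and 'http' now
# frpc will connect local service's port to detect it's healthy status
health_check_type = tcp
# health check connection timeout
health_check_timeout_s = 3
# if continuous failed in 3 times, the proxy will be removed from frps
health_check_max_failed = 3
# every 10 seconds will do a health check
health_check_interval_s = 10
# additional meta info for each proxy
meta_var1 = 123
meta_var2 = 234

[ssh_random]
type = tcp
local_ip = 127.0.0.1
local_port = 22
# if remote_port is 0, frps will assign a random port for you
remote_port = 0

# if you want to expose multiple ports, add 'range:' prefix to the section name
# frpc will generate multiple proxies such as 'tcp_port_6010', 'tcp_port_6011' and so on.
[range:tcp_port]
type = tcp
local_ip = 127.0.0.1
local_port = 6010-6020,6022,6024-6028
remote_port = 6010-6020,6022,6024-6028
use_encryption = false
use_compression = false

[dns]
type = udp
local_ip = 114.114.114.114
local_port = 53
remote_port = 6002
use_encryption = false
use_compression = false

[range:udp_port]
type = udp
local_ip = 127.0.0.1
local_port = 6010-6020
remote_port = 6010-6020
use_encryption = false
use_compression = false

# Resolve your domain names to [server_addr] so you can use http://web01.yourdomain.com to browse web01 and http://web02.yourdomain.com to browse web02
[web01]
type = http
local_ip = 127.0.0.1
local_port = 80
use_encryption = false
use_compression = true
# http username and password are safety certification for http protocol
# if not set, you can access this custom_domains without certification
http_user = admin
http_pwd = admin
# if domain for frps is frps.com, then you can access [web01] proxy by URL http://web01.frps.com
subdomain = web01
custom_domains = web01.yourdomain.com
# locations is only available for http type
locations = /,/pic
host_header_rewrite = example.com
# params with prefix "header_" will be used to update http request headers
header_X-From-Where = frp
health_check_type = http
# frpc will send a GET http request '/status' to local http service
# http service is alive when it return 2xx http response code
health_check_url = /status
health_check_interval_s = 10
health_check_max_failed = 3
health_check_timeout_s = 3

[web02]
type = https
local_ip = 127.0.0.1
local_port = 8000
use_encryption = false
use_compression = false
# NOTE(review): reuses the subdomain of [web01]; probably meant to be web02 — confirm
subdomain = web01
custom_domains = web02.yourdomain.com
# if not empty, frpc will use proxy protocol to transfer connection info to your local service
# v1 or v2 or empty
proxy_protocol_version = v2

[plugin_unix_domain_socket]
type = tcp
remote_port = 6003
# if plugin is defined, local_ip and local_port is useless
# plugin will handle connections got from frps
plugin = unix_domain_socket
# params with prefix "plugin_" that plugin needed
# Publishing the Docker socket hands full control of the Docker host to whoever
# reaches remote_port 6003; only do this behind stcp or strong authentication.
plugin_unix_path = /var/run/docker.sock

[plugin_http_proxy]
type = tcp
remote_port = 6004
plugin = http_proxy
# Sample credentials; they are the only thing between the Internet and an
# outbound HTTP proxy on this machine, so replace them.
plugin_http_user = abc
plugin_http_passwd = abc

[plugin_socks5]
type = tcp
remote_port = 6005
plugin = socks5
# Sample credentials; anyone who knows them gets a SOCKS5 proxy into this
# machine's network, so replace them.
plugin_user = abc
plugin_passwd = abc

[plugin_static_file]
type = tcp
remote_port = 6006
plugin = static_file
plugin_local_path = /var/www/blog
plugin_strip_prefix = static
plugin_http_user = abc
plugin_http_passwd = abc

[plugin_https2http]
type = https
custom_domains = test.yourdomain.com
plugin = https2http
plugin_local_addr = 127.0.0.1:80
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[plugin_https2https]
type = https
custom_domains = test.yourdomain.com
plugin = https2https
plugin_local_addr = 127.0.0.1:443
plugin_crt_path = ./server.crt
plugin_key_path = ./server.key
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[plugin_http2https]
type = http
custom_domains = test.yourdomain.com
plugin = http2https
plugin_local_addr = 127.0.0.1:443
plugin_host_header_rewrite = 127.0.0.1
plugin_header_X-From-Where = frp

[secret_tcp]
# If the type is secret tcp, remote_port is useless
# Who want to connect local port should deploy another frpc with stcp proxy and role is visitor
type = stcp
# sk used for authentication for visitors
# Sample key; the visitor must present the same value, so choose a long random one.
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false

# user of frpc should be same in both stcp server and stcp visitor
[secret_tcp_visitor]
# frpc role visitor -> frps -> frpc role server
role = visitor
type = stcp
# the server name you want to visitor
server_name = secret_tcp
sk = abcdefg
# connect this address to visitor stcp server
bind_addr = 127.0.0.1
bind_port = 9000
use_encryption = false
use_compression = false

[p2p_tcp]
type = xtcp
sk = abcdefg
local_ip = 127.0.0.1
local_port = 22
use_encryption = false
use_compression = false

[p2p_tcp_visitor]
role = visitor
type = xtcp
server_name = p2p_tcp
sk = abcdefg
bind_addr = 127.0.0.1
bind_port = 9001
use_encryption = false
use_compression = false

[tcpmuxhttpconnect]
type = tcpmux
multiplexer = httpconnect
local_ip = 127.0.0.1
local_port = 10701
# custom_domains needs a value; the listing had the bare key with nothing after it.
custom_domains = tunnel1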
