Deploying FRP from Scratch: Access Intranet Services Anywhere

This is a complete tutorial on deploying frp (Fast Reverse Proxy). Through this tutorial, you can easily expose your home NAS or local test server to the public internet, enabling access from anywhere.

Must-read before proceeding:

1. Please confirm you have a cloud server with a fixed public IPv4 address.
2. Tutorial commands include sudo where appropriate. If you encounter permission denied during deployment, add sudo before the command.
3. This tutorial uses the mainstream x86_64 (amd64) architecture Linux as an example.
4. Windows deployment instructions will be added later.

---

Phase 1: Cloud Server (frps) Deployment

1. Install Basic Dependencies

First, we need to install the software packages we’ll use. Choose the command based on your Linux distribution.

Debian / Ubuntu family:

Update package sources:

sudo apt update

Install required packages:

sudo apt install curl tar -y

RHEL / Fedora / CentOS / Rocky and other Red Hat family:

Update package sources:

sudo dnf update

Install required packages:

sudo dnf install curl tar -y

2. Download and Extract frp

We need to download the version matching our server’s system and architecture. Personal computers and most cloud servers are amd64 (i.e., x86_64).

Choose a directory to store files. Here we use /home/your-username/Documents/ (you can place it anywhere, just remember the path).

Navigate to the directory:

cd ~/Documents

Next, download the frp archive. The official download address is provided below. If GitHub access is slow in your region, you can use the accelerated proxy I’ve provided.

Download using official URL:

curl -O https://github.com/fatedier/frp/releases/download/v0.67.0/frp_0.67.0_linux_amd64.tar.gz

Or download using the accelerated proxy:

curl -O https://proxy.kokode.su/github/fatedier/frp/releases/download/v0.67.0/frp_0.67.0_linux_amd64.tar.gz

Extract the downloaded archive:

tar -zxvf frp_0.67.0_linux_amd64.tar.gz

For easier management, rename the extracted folder to frps and enter it:

Rename the folder:

mv frp_0.67.0_linux_amd64 frps

Enter the frps directory:

cd frps

Remove client files not needed on the server to keep the directory clean:

rm -rf frpc*

Use ls to confirm only server files remain:

ls

Expected output:

frps  frps.toml  LICENSE

3. Configure frps.toml

As a precaution, let’s back up the default configuration, clear it, and check the status:

Backup and clear configuration:

cp frps.toml frps.toml.bak && echo -n > frps.toml && cat frps.toml

Note: If the config file is successfully cleared, there will be no output in the terminal.

Edit the configuration file with vim:

vim frps.toml

Tip: Press i to enter vim’s edit mode, then paste the following content. You can reference my configuration, but be sure to modify the password and token according to your needs.

bindPort = 7000 
transport.tls.force = true 
auth.token = "your_strong_token" 

# Server Dashboard (optional): A web management panel to view frp service status
webServer.addr = "0.0.0.0" 
webServer.port = 7500 
webServer.user = "admin" 
webServer.password = "your_password" 

# Log configuration
log.to = "/var/log/frps.log" 
log.level = "info" 
log.maxDays = 3 
log.disablePrintColor = false

After pasting and modifying, press Esc to exit edit mode, type :wq and press Enter to save and exit.

4. Set Up Systemd Auto-Start

To ensure frps runs automatically after server restarts, we need to register it as a system service.

Create and edit the service configuration file:

sudo vim /etc/systemd/system/frps.service

Absolute Path Warning: Systemd configuration files cannot use ~ to represent the user directory! Be sure to replace /home/your-username/ below with the actual absolute path where you stored frps.

Press i to enter edit mode, then paste the following:

[Unit]
Description=FRP Server
After=network.target

[Service]
Type=simple
User=root
WorkingDirectory=/home/your-username/Documents/frps
ExecStart=/home/your-username/Documents/frps/frps -c /home/your-username/Documents/frps/frps.toml
Restart=on-failure

[Install]
WantedBy=multi-user.target

Press Esc to exit edit mode, type :wq and press Enter to save and exit.

Reload systemd configuration:

sudo systemctl daemon-reload

Enable auto-start and start the service immediately:

sudo systemctl enable --now frps.service

Common service management commands:

Check if the service is running normally:

sudo systemctl status frps.service

Stop the service:

sudo systemctl stop frps.service

Restart the service:

sudo systemctl restart frps.service

Disable auto-start:

sudo systemctl disable frps.service

At this point, the cloud server configuration is complete!

---

Phase 2: Local Client (frpc) Deployment

Assuming the local device we need to penetrate (server / NAS) also runs Linux. The frpc client deployment process is similar to frps. Here are the specific steps.

1. Download and Extract

Basic dependency installation is the same as above. Download and extract files to your preferred directory (still using /home/your-username/Documents/ as an example):

Navigate to the directory:

cd ~/Documents

Download the archive (using proxy URL as an example):

curl -O https://proxy.kokode.su/github/fatedier/frp/releases/download/v0.67.0/frp_0.67.0_linux_amd64.tar.gz

Extract the file:

tar -zxvf frp_0.67.0_linux_amd64.tar.gz

This time, rename it to frpc and enter the directory:

Rename the folder:

mv frp_0.67.0_linux_amd64 frpc

Enter the frpc directory:

cd frpc

Remove unused server files:

rm -rf frps*

Use ls to confirm only client files remain:

ls

Expected output:

frpc  frpc.toml  LICENSE

2. Configure frpc.toml

As a precaution, let’s back up and clear the default configuration:

Backup and clear configuration:

cp frpc.toml frpc.toml.bak && echo -n > frpc.toml && cat frpc.toml

Edit the configuration file with vim:

vim frpc.toml

Press i to enter edit mode, paste the following client configuration reference. Read the comments carefully to understand the modular configuration logic:

# --- Global Configuration ---
transport.tls.enable = true         
serverAddr = "114.114.114.114"      # [Required] Enter your cloud server's fixed public IPv4 address
serverPort = 7000                   # Must match bindPort in cloud frps.toml
auth.token = "your_strong_token"    # Must match auth.token in cloud frps.toml

# --- Penetration Service Configuration Modules ---
# Note: Each [[proxies]] below is an independent port penetration task.
# To add new mappings in the future, simply copy a block and modify it.

[[proxies]]
name = "ssh"                        # Task name, must be globally unique, no duplicates!
type = "tcp"                        # Protocol type: tcp or udp
localPort = 22                      # Real local intranet port to be mapped
remotePort = 2222                   # Port mapped to public internet (access server-IP:2222 to connect to local SSH)

[[proxies]]
name = "server_a"
type = "tcp"
localPort = 1234
remotePort = 5678

[[proxies]]
name = "server_b"
type = "udp"
localPort = 2345
remotePort = 6789

After pasting and modifying, press Esc to exit edit mode, type :wq and press Enter to save and exit.
Note: To add new configurations, you only need to add the following block:

[[proxies]]
name = "server_c"
type = "tcp"
localPort = 3456
remotePort = 7890

Pitfall Guide:

1. When adding new configurations, name must never be duplicated.
2. The remotePort in the configuration (e.g., 2222, 5678, 6789) must be allowed in your cloud provider’s console (Alibaba Cloud/Tencent Cloud, etc.) firewall/security group, otherwise even if it starts successfully, you won’t be able to connect!

After each configuration change, be sure to restart the client service for it to take effect:
Supplement: If errors occur, refer to “3. Set Up Systemd Auto-Start” to configure Systemd

sudo systemctl restart frpc.service

3. Set Up Systemd Auto-Start

Similarly, register it as a system service:

Create and edit the service configuration file:

sudo vim /etc/systemd/system/frpc.service

Reminder again: Replace all /home/your-username/ below with actual absolute paths.

Press i to enter edit mode, paste the following:

[Unit]
Description=Frp Client Service
After=network.target

[Service]
Type=simple
DynamicUser=yes 
Restart=on-failure
RestartSec=5s
WorkingDirectory=/home/your-username/Documents/frpc
ExecStart=/home/your-username/Documents/frpc/frpc -c /home/your-username/Documents/frpc/frpc.toml
ExecReload=/home/your-username/Documents/frpc/frpc reload -c /home/yui/Documents/dev/kokode-blog/source/en/_posts/frpc/frpc.toml
LimitNOFILE=1048576

[Install]
WantedBy=multi-user.target

(Note: If you encounter permission issues during startup, comment out DynamicUser=yes and replace with User=your-username)

Press Esc to exit edit mode, type :wq and press Enter to save and exit.

Reload systemd configuration:

sudo systemctl daemon-reload

Enable auto-start and start the service immediately:

sudo systemctl enable --now frpc.service

Confirm the client is running normally:

sudo systemctl status frpc.service

If you see active (running), the intranet penetration has been successfully deployed! You can now test connecting to your local service via the public IP.

[Supplement] Advanced Tips: How to Update Configuration Without Disconnecting?

In actual use, if you want to add a penetration port without restarting frpc (which would disconnect ongoing connections like SSH or large file transfers), consider these two approaches:

Option A: Use Hot Reload (Recommended)

FRP supports reloading configuration files without stopping the service. Since we’ve already written the ExecReload directive in the Systemd configuration, you just need to:

1. Modify frpc.toml to add new configuration.
2. Execute in terminal:

   sudo systemctl reload frpc.service

   Effect: FRP will automatically read the new configuration and apply it, while existing connections remain uninterrupted.

Option B: Multi-Instance Parallel (Suitable for Categorized Management)

If you want to physically isolate different services (e.g., one config file for NAS, another for development servers), you can run multiple frpc instances:

1. Create new config: Create a new config file in the directory, e.g., frpc2.toml.
2. Register new service: Copy and create a new Systemd service file:

   sudo cp /etc/systemd/system/frpc.service /etc/systemd/system/frpc2.service

3. Modify new service file: Point ExecStart in frpc2.service to the new frpc2.toml.
4. Start new service:

   sudo systemctl enable --now frpc2.service

   Note: Even with different instances, as long as they connect to the same frps server, the name (task name) in the configuration must never be duplicated, otherwise connection will fail.