easy port-forwarding with frp

· ahwx's blog


frp

Initially I used NGINX streams, as that seemed to work great. As I've been getting timeouts for about 2 minutes twice a day, I wanted to do something else. I first tried SSH tunnels, but those kept failing. After seeing zvava.org -> frp, I wanted to try frp.

I essentially use frp to bind homeserver-ip:80 and homeserver-ip:443 to vps-ip:80 and vps-ip:443, because I don't feel like exposing my home IP address and because I really dislike Cloudflare.

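server config

The server config is pretty simple. I just used UFW to secure my VPS further than the token.

# port frps listens on for incoming frpc connections
bindPort = 7000

auth.method = "token"
# shared secret; must match auth.token in the client config
auth.token = ""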

client config (nixos)

Luckily, there's a NixOS module for frp. It works pretty well; the following code is what I used:

{ pkgs, config, lib, ... }:
{
  services.frp = {
    enable = true;
    role = "client";
    settings = {
      # address and port of the frp server on the VPS
      serverAddr = "vps-ip";
      serverPort = 7000;
      auth.method = "token";
      # shared secret; must match auth.token on the server
      auth.token = "";
      transport.protocol = "tcp";
      proxies = [
        {
          name = "http";
          type = "tcp";
          localIP = "localhost";
          localPort = 80;
          remotePort = 80;
        }
        {
          name = "https";
          type = "tcp";
          localIP = "localhost";
          localPort = 443;
          remotePort = 443;
        }
      ];
    };
  };
}

That was all for me, it works great!

client config (normal linux)

serverAddr = ""
serverPort = 7000
auth.method = "token"
auth.token = ""

[[proxies]]
name = "http"
type = "tcp"
localIP = "localhost"
localPort = 80
remotePort = 80

[[proxies]]
name = "https"
type = "tcp"
localIP = "localhost"
localPort = 443
remotePort = 443

UFW config

Like I said, I used UFW to further harden/secure my VPS. I did the following:

ufw default deny incoming
ufw allow in ssh # or: ufw allow in $whatever_your_ssh_port_is
ufw allow 80
ufw allow 443
ufw allow from homeserver-ip # all traffic from the home server, including frp's port 7000
ufw limit sshport/tcp # replace sshport with your SSH port
ufw enable

That'd be all, I hope that helps :)