FRP: The Complete Guide to Exposing Local Servers to the Internet
In today’s interconnected world, accessing your local services from anywhere has become increasingly important. Whether you’re a developer needing to showcase work to clients, a system administrator managing remote infrastructure, or simply someone wanting to access home devices while traveling, the challenge remains the same: How do you securely expose services behind NAT networks and firewalls to the internet?
This is where FRP (Fast Reverse Proxy) comes in—a powerful, flexible, and user-friendly solution for creating secure tunnels to your local services. In this comprehensive guide, we’ll explore everything you need to know about FRP, from basic concepts to advanced deployments with practical, real-world examples.
Understanding the Problem: NAT and Firewalls
Before diving into FRP, let’s understand the problem it solves.
Most home and office networks use NAT (Network Address Translation) to share a single public IP address among multiple devices. While this works well for outgoing connections, it creates challenges for incoming connections because the router doesn’t know which internal device should receive incoming traffic.
Additionally, firewalls block incoming connections by default as a security measure. This combination of NAT and firewalls makes it difficult to access your local services from the outside world.
Traditional solutions include:
- Port forwarding: Configuring your router to forward specific ports to internal devices
- Dynamic DNS: Using services that keep track of your changing public IP address
- VPN: Setting up a Virtual Private Network for secure access to your entire network
Each approach has limitations—port forwarding requires router access and static internal IPs; dynamic DNS doesn’t help with restrictive firewalls; and VPNs can be complex to set up and maintain.
Enter FRP: A Better Solution
FRP addresses these challenges with an elegant client-server architecture that works across virtually any network setup. Here’s how it works:
- The FRP server (frps) runs on a machine with a public IP address
- The FRP client (frpc) runs on your local machine behind NAT/firewall
- The client initiates and maintains a connection to the server
- When someone connects to the server, the traffic is forwarded through the established tunnel to your local service
This approach offers several advantages:
- Works regardless of your local network configuration
- Doesn’t require router configuration or port forwarding
- Provides secure, encrypted connections
- Supports multiple protocols (TCP, UDP, HTTP, HTTPS)
- Offers advanced features like load balancing and connection pooling
Getting Started with FRP: Basic Setup
Let’s walk through a complete setup of FRP, starting with the basics.
Step 1: Download FRP
First, download the appropriate version for your operating system from the FRP releases page. FRP is available for Windows, macOS, Linux, and more.
Extract the downloaded archive to get the following files:
frps: The server executablefrpc: The client executablefrps.toml: Server configuration templatefrpc.toml: Client configuration template
Step 2: Set Up the FRP Server (frps)
The server component needs to run on a machine with a public IP address. This could be a cloud VPS, a dedicated server, or any machine accessible from the internet.
Create a basic server configuration file named frps.toml:
|
1 2 3 |
# Basic configuration for frps bindPort = 7000 |
This configuration tells frps to listen on port 7000 for client connections.
For more security, you might want to add authentication:
|
1 2 3 4 5 |
# Enhanced configuration with authentication bindPort = 7000 auth.method = "token" auth.token = "your-secure-token-here" |
Start the server with:
|
1 2 |
./frps -c ./frps.toml |
If all goes well, you should see output indicating that frps is running and listening on port 7000.
Step 3: Set Up the FRP Client (frpc)
Now, on your local machine (the one with services you want to expose), create a client configuration file named frpc.toml:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# Basic client configuration serverAddr = "your-server-ip" serverPort = 7000 # If you set up token authentication on the server auth.method = "token" auth.token = "your-secure-token-here" # Define your first proxy [[proxies]] name = "ssh" type = "tcp" localIP = "127.0.0.1" localPort = 22 remotePort = 6000 |
This configuration:
- Connects to your FRP server at the specified IP and port
- Creates a TCP proxy named “ssh”
- Forwards traffic from port 6000 on your server to port 22 (SSH) on your local machine
Start the client with:
|
1 2 |
./frpc -c ./frpc.toml |
If the connection is successful, you should see output indicating that the client has connected to the server and registered the ssh proxy.
Step 4: Connect to Your Service
Now, anyone can connect to your local SSH service using:
|
1 2 |
ssh -p 6000 username@your-server-ip |
Traffic arriving at port 6000 on your server will be securely forwarded through the FRP tunnel to port 22 on your local machine.
Real-World Examples: Beyond Basic SSH
While SSH forwarding is a common use case, FRP is capable of much more. Let’s explore several practical examples to showcase its versatility.
Example 1: Exposing a Web Development Server
As a web developer, you often need to show your work-in-progress to clients or colleagues. With FRP, you can expose your local development server without deploying to staging.
|
1 2 3 4 5 6 7 8 9 10 |
# frpc.toml serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "web-dev" type = "http" localPort = 3000 customDomains = ["dev.yourdomain.com"] |
In this example:
- Your local web server is running on port 3000
- FRP exposes it via the HTTP protocol
- It’s accessible through the custom domain dev.yourdomain.com
For this to work:
- Add a DNS A record for dev.yourdomain.com pointing to your server IP
- Configure your frps.toml to include
vhostHTTPPort = 80
Now clients can view your development website by simply visiting http://dev.yourdomain.com.
Example 2: Hosting a Game Server for Friends
Want to host a game server for friends without renting dedicated hardware? FRP makes it easy:
|
1 2 3 4 5 6 7 8 9 10 11 |
# frpc.toml serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "minecraft" type = "tcp" localIP = "127.0.0.1" localPort = 25565 remotePort = 25565 |
With this configuration:
- Your local Minecraft server running on port 25565
- Is exposed on the same port on your FRP server
- Friends connect using your-server-ip:25565 as the server address
This approach works for virtually any game server that uses TCP or UDP protocols.
Example 3: Securing Access with HTTPS
For web services that contain sensitive information, adding HTTPS encryption is crucial:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 |
# frpc.toml serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "secure-app" type = "https" localPort = 8080 customDomains = ["secure.yourdomain.com"] [proxies.plugin] type = "https2https" localAddr = "127.0.0.1:8080" crtPath = "./server.crt" keyPath = "./server.key" |
This configuration:
- Takes your local web service running on port 8080
- Exposes it with HTTPS encryption
- Uses your own SSL certificate for secure connections
You’ll need to:
- Configure your frps.toml to include
vhostHTTPSPort = 443 - Obtain an SSL certificate for your domain
- Set up the appropriate DNS records
Example 4: Creating a Private Service with Authentication
Sometimes you want to expose a service but restrict who can access it. FRP offers several ways to do this:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# frpc.toml serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "private-web" type = "http" localPort = 8000 customDomains = ["private.yourdomain.com"] httpUser = "username" httpPassword = "secure-password" |
This adds HTTP Basic Authentication to your web service, requiring users to enter the username and password before accessing the content.
Example 5: Load Balancing Multiple Instances
Running multiple instances of your application for redundancy or performance? FRP can distribute traffic between them:
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# frpc-instance1.toml serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "web-service-1" type = "http" localPort = 8080 customDomains = ["service.yourdomain.com"] loadBalancer.group = "web-service" loadBalancer.groupKey = "your-group-key" |
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# frpc-instance2.toml serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "web-service-2" type = "http" localPort = 8080 customDomains = ["service.yourdomain.com"] loadBalancer.group = "web-service" loadBalancer.groupKey = "your-group-key" |
With these configurations running on different machines:
- Both instances register to the same group “web-service”
- FRP distributes incoming requests between them
- If one instance fails, traffic automatically routes to the healthy one
This provides simple load balancing and high availability without additional infrastructure.
Advanced FRP Features
Now that we’ve covered basic and practical examples, let’s explore some of FRP’s more advanced features.
Feature 1: Health Checking
For critical services, you can add health checking to ensure availability:
|
1 2 3 4 5 6 7 8 9 10 11 12 13 |
[[proxies]] name = "web-app" type = "http" localPort = 8080 customDomains = ["app.yourdomain.com"] # Health check configuration healthCheck.type = "http" healthCheck.path = "/health" healthCheck.intervalSeconds = 10 healthCheck.timeoutSeconds = 3 healthCheck.maxFailed = 3 |
With this configuration:
- FRP checks your service’s /health endpoint every 10 seconds
- If it fails 3 times in a row, the proxy is temporarily removed
- When the service becomes healthy again, the proxy is automatically restored
This prevents users from being directed to a non-functioning service.
Feature 2: Bandwidth Limiting
To prevent a single service from consuming all available bandwidth:
|
1 2 3 4 5 6 7 |
[[proxies]] name = "file-server" type = "tcp" localPort = 8000 remotePort = 8000 transport.bandwidthLimit = "5MB" |
This limits the bandwidth to 5 MB/s, ensuring other services have adequate network resources.
Feature 3: P2P Mode for Direct Connections
For large file transfers or low-latency applications, the P2P mode can bypass the FRP server once the connection is established:
|
1 2 3 4 5 6 7 8 9 10 11 |
# frpc.toml (on machine A) serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "p2p-transfer" type = "xtcp" secretKey = "your-secret-key" localIP = "127.0.0.1" localPort = 3389 |
|
1 2 3 4 5 6 7 8 9 10 11 12 |
# frpc.toml (on machine B) serverAddr = "your-server-ip" serverPort = 7000 [[visitors]] name = "p2p-visitor" type = "xtcp" serverName = "p2p-transfer" secretKey = "your-secret-key" bindAddr = "127.0.0.1" bindPort = 6000 |
With this setup:
- Machine B can connect to services on Machine A
- After initial connection through the FRP server, traffic flows directly between the machines
- This reduces latency and server bandwidth usage
Feature 4: Port Multiplexing
FRP allows multiple services to share the same port through protocol detection:
|
1 2 3 4 5 |
# frps.toml bindPort = 7000 vhostHTTPPort = 80 vhostHTTPSPort = 443 |
With this server configuration, both HTTP and HTTPS traffic can use the same ports, with FRP automatically directing traffic to the appropriate service based on the protocol.
Feature 5: Custom Subdomain Routing
For teams or organizations with multiple services:
|
1 2 3 4 5 |
# frps.toml bindPort = 7000 vhostHTTPPort = 80 subDomainHost = "frp.yourdomain.com" |
|
1 2 3 4 5 6 7 8 9 10 |
# frpc.toml serverAddr = "your-server-ip" serverPort = 7000 [[proxies]] name = "user1-web" type = "http" localPort = 8080 subdomain = "user1" |
This makes the service available at http://user1.frp.yourdomain.com, allowing each team member or department to have their own subdomain.
Setting Up a Complete FRP Infrastructure
Now let’s put everything together to create a complete FRP infrastructure for a small organization or development team.
Server Configuration (frps.toml)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 |
# Network settings bindAddr = "0.0.0.0" bindPort = 7000 vhostHTTPPort = 80 vhostHTTPSPort = 443 # Authentication auth.method = "token" auth.token = "your-secure-token-here" # Dashboard for monitoring webServer.addr = "0.0.0.0" webServer.port = 7500 webServer.user = "admin" webServer.password = "secure-admin-password" # Allow specific ports only to prevent abuse allowPorts = [ { start = 6000, end = 7000 }, { single = 8080 }, { single = 9090 } ] # Enable detailed logging log.to = "./frps.log" log.level = "info" log.maxDays = 3 # Performance tuning transport.maxPoolCount = 50 transport.tcpMux = true |
This comprehensive server configuration:
- Listens for client connections on port 7000
- Serves HTTP and HTTPS traffic on standard ports
- Requires token authentication for client connections
- Provides a web dashboard for monitoring proxies
- Restricts which ports can be used for remote port mapping
- Includes logging and performance optimizations
Client Configurations for Different Use Cases
Development Team Member (frpc-dev.toml)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 |
serverAddr = "your-server-ip" serverPort = 7000 auth.method = "token" auth.token = "your-secure-token-here" # Local development server [[proxies]] name = "john-dev-server" type = "http" localPort = 3000 subdomain = "john-dev" # API testing endpoint [[proxies]] name = "john-api" type = "http" localPort = 8080 subdomain = "john-api" locations = ["/api"] |
Operations Team (frpc-ops.toml)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 |
serverAddr = "your-server-ip" serverPort = 7000 auth.method = "token" auth.token = "your-secure-token-here" # Internal monitoring dashboard [[proxies]] name = "monitoring" type = "https" localPort = 3000 customDomains = ["monitoring.yourdomain.com"] httpUser = "ops" httpPassword = "secure-ops-password" # SSH access to internal servers [[proxies]] name = "gateway-ssh" type = "tcp" localIP = "192.168.1.10" localPort = 22 remotePort = 6022 |
Marketing Team (frpc-marketing.toml)
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 |
serverAddr = "your-server-ip" serverPort = 7000 auth.method = "token" auth.token = "your-secure-token-here" # Campaign landing page [[proxies]] name = "campaign-page" type = "http" localPort = 8000 customDomains = ["campaign.yourdomain.com"] # File sharing for marketing materials [[proxies]] name = "marketing-files" type = "tcp" localPort = 8080 remotePort = 7080 [proxies.plugin] type = "static_file" localPath = "/marketing/materials" stripPrefix = "files" httpUser = "marketing" httpPassword = "secure-marketing-password" |
With these configurations, each team can expose their specific services while maintaining security and isolation between different parts of the organization.
Logical Flow of FRP Connections
To fully understand FRP, it helps to examine the logical flow of connections:
- Initialization Phase
- frps starts on the server, listening on the bindPort (7000 in our examples)
- frpc starts on the client machine and connects to frps
- frpc authenticates using the configured method (token in our examples)
- frpc registers its configured proxies with frps
- frps acknowledges the registrations and prepares to accept external connections
- Connection Phase
- An external user attempts to connect to a service (e.g., visiting http://john-dev.frp.yourdomain.com)
- The request reaches frps on the vhostHTTPPort (80)
- frps examines the host header to determine which proxy should receive the connection
- frps identifies the client (frpc) that registered the matching proxy
- Tunneling Phase
- frps creates a new connection request and sends it to the appropriate frpc
- frpc receives the connection request
- frpc establishes a connection to the local service (e.g., localhost:3000)
- frpc begins relaying data between the local service and frps
- frps relays data between frpc and the external user
- Maintenance Phase
- frpc sends periodic heartbeats to frps to maintain the connection
- frps monitors proxy health through configured health checks
- If a client disconnects, frps removes its registered proxies
- When a client reconnects, it re-registers its proxies
This logical flow ensures secure and reliable tunneling of traffic from the internet to your local services, regardless of NAT or firewall restrictions.
Best Practices for FRP Deployment
To get the most out of FRP while ensuring security and performance, follow these best practices:
Security Best Practices
- Always use authentication: Configure token authentication at minimum, and consider OIDC for enterprise deployments
- Enable TLS for the frpc-frps connection: This encrypts the control channel between client and server
- Restrict allowed ports: Use the allowPorts configuration to prevent abuse
- Add HTTP authentication for sensitive web services
- Regularly update FRP to get the latest security patches
- Run frpc with limited privileges: Don’t run it as root/administrator unless necessary
Performance Best Practices
- Enable TCP multiplexing: This reduces the number of connections needed
- Configure appropriate bandwidth limits: Prevent a single service from consuming all bandwidth
- Use connection pooling for services with many short-lived connections
- Monitor dashboard metrics to identify performance bottlenecks
- Consider P2P mode for high-bandwidth applications to reduce server load
Reliability Best Practices
- Implement health checks for critical services
- Set up load balancing for important applications
- Configure logging to help troubleshoot issues
- Use a systemd service (Linux) or Windows Service to ensure frp starts automatically
- Consider running redundant frps instances for high-availability deployments
Troubleshooting Common FRP Issues
Even with the best setup, issues can arise. Here’s how to troubleshoot common problems:
1. Connection Failures
If frpc can’t connect to frps:
- Verify network connectivity (can you ping the server?)
- Check that frps is running and listening on the configured port
- Confirm firewall rules allow the connection (both server and client)
- Verify authentication credentials match between client and server
2. Proxy Registration Failures
If proxies aren’t registering:
- Check for name conflicts (each proxy name must be unique across all clients)
- Verify the remotePort isn’t being used by another proxy or service
- Look for typos in the configuration files
3. Service Accessibility Issues
If you can’t access your service through the proxy:
- Confirm the local service is running and accessible directly on the client
- Verify the localIP and localPort in your configuration
- Check for any authorization or firewall rules that might block the connection
- Look at the logs for both frpc and frps for specific error messages
4. Performance Problems
If you’re experiencing slow connections:
- Check your bandwidth settings
- Consider enabling compression for text-based protocols
- Look at server resource usage (CPU, memory, network)
- Try the P2P mode for bandwidth-intensive applications
Extending FRP with Plugins
FRP’s plugin system allows you to extend its functionality beyond simple port forwarding. Here are some useful built-in plugins:
HTTP Proxy Plugin
|
1 2 3 4 5 6 7 8 9 10 |
[[proxies]] name = "http-proxy" type = "tcp" remotePort = 6000 [proxies.plugin] type = "http_proxy" httpUser = "username" httpPassword = "password" |
This creates an HTTP proxy server that can be used to route web traffic through your FRP server—useful for accessing region-restricted content or bypassing network restrictions.
SOCKS5 Plugin
|
1 2 3 4 5 6 7 8 9 10 |
[[proxies]] name = "socks5-proxy" type = "tcp" remotePort = 6010 [proxies.plugin] type = "socks5" username = "username" password = "password" |
Similar to the HTTP proxy but using the SOCKS5 protocol, which supports a wider range of applications including non-web traffic.
Static File Server
|
1 2 3 4 5 6 7 8 9 10 11 12 |
[[proxies]] name = "file-sharing" type = "tcp" remotePort = 6020 [proxies.plugin] type = "static_file" localPath = "/path/to/files" stripPrefix = "files" httpUser = "username" httpPassword = "password" |
This creates a simple file server, allowing you to share files from the client machine through the FRP server.
Unix Domain Socket Forwarding
|
1 2 3 4 5 6 7 8 9 |
[[proxies]] name = "docker-api" type = "tcp" remotePort = 6030 [proxies.plugin] type = "unix_domain_socket" unixPath = "/var/run/docker.sock" |
This allows you to expose Unix domain sockets as TCP services—particularly useful for Docker API access or other socket-based services.
Comparing FRP with Alternatives
While FRP is an excellent solution for exposing local services, it’s worth comparing it with alternatives to understand its strengths and limitations:
FRP vs. ngrok
ngrok:
- Commercial service with free tier
- Simple setup with minimal configuration
- Built-in analytics and inspection
- Managed infrastructure
FRP:
- Completely free and open-source
- Self-hosted with full control
- More flexible configuration options
- Support for more protocols and features
FRP vs. Cloudflare Tunnel (formerly Argo Tunnel)
Cloudflare Tunnel:
- Integrated with Cloudflare’s security services
- Simple setup for web services
- Built-in DDoS protection
- Limited to HTTP/HTTPS traffic
FRP:
- Supports more protocols (TCP, UDP, HTTP, HTTPS)
- No external dependencies or accounts required
- More configuration options
- Can be used in environments without internet access
FRP vs. SSH Tunnels
SSH Tunnels:
- Built into most systems
- Simple for technical users
- Limited to port forwarding
FRP:
- More user-friendly configuration
- Advanced features like load balancing and health checks
- Better handling of connection interruptions
- Web dashboard for monitoring
Conclusion: Building Your FRP Infrastructure
FRP offers a powerful, flexible solution for exposing local services to the internet, whether you’re a developer, system administrator, or enthusiast. By understanding its capabilities and following best practices, you can create a secure, reliable infrastructure for accessing your services from anywhere.
The key advantages of FRP include:
- Simplicity: Easy to set up and configure
- Flexibility: Supports multiple protocols and configurations
- Security: Provides authentication and encryption options
- Performance: Offers features like compression and P2P mode
- Extensibility: Plugin system for additional functionality
Start with a simple setup and gradually explore more advanced features as your needs grow. With the examples and best practices in this guide, you’re well-equipped to leverage FRP for all your port forwarding needs.
Remember to stay up-to-date with the latest FRP releases, as the project is actively developed with new features and security improvements regularly added.
Happy tunneling!
