Linux 学习笔记(一):内网穿透

软件安装

frp 是一个可用于内网穿透的高性能的反向代理应用,支持 tcp, udp, http, https 协议。

下载并安装

  • 获取 VPS 的处理器架构

依据处理器架构选择对应版本的 frp、下载并解压

[jiong@centos7 ~]$ arch
[jiong@centos7 ~]$ wget https://github.com/fatedier/frp/releases/download/v0.21.0/frp_0.21.0_linux_amd64.tar.gz
[jiong@centos7 ~]$ tar -xzvf frp_0.21.0_linux_amd64.tar.gz

原理介绍

Linux 学习笔记(一):内网穿透

  • 在具有公网 IP 的 机器上使用 frps 服务
  • 在内网机器上使用 frpc 服务,将其「注册」到 frps 的机器上
  • 外部用户便可以通过具有公网 IP 的 frps 机器访问到内网的机器,这实际上就是一个方向代理的过程

连接内网机器

# frpc.ini
[common]
server_addr = 123.123.123.123
server_port = 7000
log_file    = ./frps.log

[ssh]
type = tcp
local_ip = 127.0.0.1
local_port = 22
remote_port = 6000
  • 内网机器通过「x.x.x.x」与 frps 代理机器建立连接
  • 内网机器通过 「frpc.ini」在 frps 代理机器上「注册」了一个代理服务,监听 6000 端口
  • 当外部用户通过 SSH 连接代理机器的 6000 端口,便连接到了内网机器,这是一个方向代理了内网机器的过程。

通过查看事实日子可以看到 frp 的交互流程

[root@host frp]# tail -f frps.log 

2018/11/15 00:47:18 [I] [service.go:130] frps tcp listen on 0.0.0.0:7000
2018/11/15 00:47:18 [I] [root.go:207] Start frps success
2018/11/15 00:48:33 [I] [service.go:319] client login info: ip [112.5.201.153:52355] version [0.21.0] hostname [] os [windows] arch [amd64]
2018/11/15 00:49:17 [I] [service.go:319] client login info: ip [211.97.128.100:3722] version [0.21.0] hostname [] os [windows] arch [amd64]
2018/11/15 00:56:16 [I] [service.go:319] client login info: ip [112.5.201.153:52652] version [0.21.0] hostname [] os [linux] arch [amd64]
2018/11/15 00:56:16 [I] [proxy.go:217] [5571d58b034abea2] [ssh] tcp proxy listen port [6000]
2018/11/15 00:56:16 [I] [control.go:335] [5571d58b034abea2] new proxy [ssh] success
2018/11/15 00:57:33 [I] [proxy.go:87] [5571d58b034abea2] [ssh] get a new work connection: [112.5.201.153:52652]
2018/11/15 00:59:17 [I] [proxy.go:87] [5571d58b034abea2] [ssh] get a new work connection: [112.5.201.153:52652]
2018/11/15 01:00:55 [I] [proxy.go:87] [5571d58b034abea2] [ssh] get a new work connection: [112.5.201.153:52652]
2018/11/15 01:20:19 [I] [proxy.go:87] [5571d58b034abea2] [ssh] get a new work connection: [112.5.201.153:52652]
2018/11/15 01:22:21 [I] [control.go:220] [9f010fa9d8b9ea9b] control writer is closing
2018/11/15 01:22:21 [I] [control.go:292] [9f010fa9d8b9ea9b] client exit success
2018/11/15 01:23:03 [I] [proxy.go:87] [5571d58b034abea2] [ssh] get a new work connection: [112.5.201.153:52652]
2018/11/15 01:23:48 [I] [proxy.go:87] [5571d58b034abea2] [ssh] get a new work connection: [112.5.201.153:52652]
2018/11/15 01:24:35 [I] [service.go:319] client login info: ip [211.97.128.100:3724] version [0.21.0] hostname [] os [windows] arch [amd64]
2018/11/15 02:01:13 [I] [control.go:220] [3166cd00e061258b] control writer is closing
2018/11/15 02:01:13 [I] [control.go:292] [3166cd00e061258b] client exit success
2018/11/15 02:08:16 [I] [control.go:220] [4972517f0d8c09db] control writer is closing
2018/11/15 02:08:16 [I] [control.go:292] [4972517f0d8c09db] client exit success
2018/11/15 02:08:18 [I] [service.go:319] client login info: ip [112.5.201.153:52900] version [0.21.0] hostname [] os [windows] arch [amd64]
2018/11/15 02:08:19 [W] [control.go:332] [9168626ea7c7ca07] new proxy [ssh] error: port already used
2018/11/15 02:08:19 [I] [proxy.go:401] [9168626ea7c7ca07] [home] stcp proxy custom listen success

以上配置实现了外部用户 SSH 连接内网无公共 IP 的虚拟机

外部用户指:未允许 frp 的机器

配置仪表盘

仪表盘: Dashboard
[common]
server_addr    = 123.123.123.123
server_port    = 7000
log_file       = ./frps.log
dashboard_port = 7500
dashboard_user = admin
dashboard_pwd  = admin

自定义账户密码,使用服务端IP:Dashboard端口便可访问

123.123.123.123:7500

在仪表盘界面可以很方便地看到连接池地状态连接数等

代理远程桌面

服务名称、转发端口不能重复,因为都是注册在「frps」上的

  1. 「frpc-1」在「frps」上注册了「home」、「company_visitor」这两个服务
  2. 当「frpc-2」在「frps」上某一注册服务的「sk」与「frpc-1」的「sk」一致时,代理到「frpc-1」的「3389端口」
# frpc-1

[common]
server_addr = 93.179.97.24
server_port = 7000
log_file    = ./frpc.log

[home]
type            = stcp
sk              = mstsc
local_ip        = 127.0.0.1
local_port      = 3389
use_encryption  = true
use_compression = true

[company_visitor]
type            = stcp
sk              = mstsc
role            = visitor
server_name     = company
bind_addr       = 127.0.0.1
bind_port       = 1116
use_encryption  = true
use_compression = true
  1. 「frpc-2」在「frps」上注册了「company」、「home_visitor」这两个服务
  2. 当「frpc-1」在「frps」上某一注册服务的「sk」与「frpc-1」的「sk」一致时,代理到「frpc-2」的「3389端口」
# frpc-2

[common]
server_addr = 93.179.97.24
server_port = 7000
log_file    = ./frpc.log

[company]
type            = stcp
sk              = mstsc
local_ip        = 127.0.0.1
local_port      = 3389
use_encryption  = true
use_compression = true

[home_visitor]
type            = stcp
sk              = mstsc
role            = visitor
server_name     = home
bind_addr       = 127.0.0.1
bind_port       = 1118
use_encryption  = true
use_compression = true

以上配置实现了「frpc-2」、「frpc-1」互相远程桌面

后台运行

  • WINDOWS 后台运行——注册服务

简而言之,winsw 能将 windows 的程序注册到服务中,此处用来自启及后台运行 frpc

下载winsw,在相应目录下编写 XML 配置文件

<service>
    <id>frp</id>
    <name>内网穿透</name>
    <description>内网穿透</description>
    <executable>frpc</executable>
    <arguments>-c frpc.ini</arguments>
    <onfailure action="restart" delay="60 sec"/>
    <onfailure action="restart" delay="120 sec"/>
    <logmode>reset</logmode>
</service>

执行命令注册为 windows 服务

winsw install
  • WINDOWS 后台运行——计划任务

创建 bat 脚本

@echo off

mode con cols=60 lines=20

color a

title 服务监听工具

:frpc

D:\frpc\frpc.exe -c d:\frpc\frpc.ini

ping -n 2 127.1 >nul

cls

goto frpc

控制面板创建计划任务,具体参见:创建windows计划任务使FRP开机启动

  • Linux 后台运行

后台运行的四种方法

supervisor
rc.local
systemd
nohup

使用 systemctl 设置开机自启

[root@host system]# vi /etc/systemd/system/frps.service

编写 frps.service 使用 systemctl 设置开机自启

[Unit]
Description=frps daemon

[Service]
Type=simple
ExecStart=/opt/frps/frps -c /opt/frps/frps.ini

[Install]
WantedBy=multi-user.target
[root@host system]# systemctl start frps
[root@host system]# systemctl enable frps

热更新

[common]
admin_addr = 127.0.0.1
admin_port = 7400

启用了 admin 端口后

frpc reload -c ./frpc.ini

# reload success

需要注意的是,在windows下使用服务自启或计划任务自启时,使用 reload 会提示一下信息

frpc reload error: Get http://127.0.0.1:7400/api/reload: dial tcp 127.0.0.1:7400: connectex: No connection could be made because the target machine actively refused it.

解决办法是:关闭进程重启

查看代理状态

同样需要启动 admin 端口

[common]
admin_addr = 127.0.0.1
admin_port = 7400

启用了 admin 端口后

frpc status -c ./frpc.ini

# Proxy Status...
# TCP
# Name    Status   LocalAddr           Plugin  RemoteAddr         Error
# vmshop  running  192.168.108.129:80          93.179.97.24:3333

# STCP
# Name    Status   LocalAddr          Plugin  RemoteAddr  Error
# home    running  127.0.0.1:3389

代理内网服务

使用的也是 tcp

[common]
server_addr = 93.179.97.24
server_port = 7000
log_file    = ./frpc.log

...

[web]
type        = tcp
local_ip    = 192.168.0.1
local_port  = 80
remote_port = 6000

于是在外部就可以使用

93.179.97.24:6000

访问到 web

相关文章

Linux 学习笔记(一):内网穿透
Linux 学习笔记(二):搭建个人Git服务器
Linux 学习笔记(三):Ubuntu 操作系统
Linux 学习笔记(四):Docker
Linux 学习笔记(五):Redis
Linux 学习笔记(六):Linux

相关推荐