{"id":144,"date":"2019-10-31T19:37:23","date_gmt":"2019-10-31T19:37:23","guid":{"rendered":"http:\/\/blog.davcloud.top\/?p=144"},"modified":"2020-01-26T17:03:40","modified_gmt":"2020-01-26T17:03:40","slug":"internal-network-penetration-with-frp-service","status":"publish","type":"post","link":"https:\/\/blog.davcloud.top\/?p=144","title":{"rendered":"Internal network penetration with Frp Service"},"content":{"rendered":"\n

Abstract<\/h2>\n\n\n\n

This article aims at introducing what is internal network penetration, and how to achieve it with the open source project Frp on Github on Linux system.<\/p>\n\n\n\n

What is Internal Network Penetration\uff1f<\/h2>\n\n\n\n

Internal network penetration, which is called Network Address Translation(NAT) penetration as well. It is used to build the connection between the device in public network and internal network.<\/p>\n\n\n\n

Why we need Internal Network Penetration?<\/h2>\n\n\n\n

In order to access the internet, each device should have an address so that the communication between internet and device can be built, which the address is named public IP address. The public IP address are commonly used now is IPv4 address, with the format like xxx.xxx.xxx.xxx. With these addresses, different devices on the internet can access to the internet or access between each other. In the diagram below, Device 1, 2 and 3 can access to the internet, and they can access to each other across the internet as well.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

However, with the increasing of devices access to the internet, the public IPv4 addresses are not enough to support so much devices. Therefore, to avoid this problem, network operators use Network Address Translation(NAT) techonology. It build a internal network with one public IPv4 address, and many devices in the internal sharing the same public IPv4 address to access the internet. In the diagram below, Device 1, 2 and 3 in NAT 1 can access to the internet with sharing IP address 1, and Device 4, 5 and 6 in NAT 2 can access to the internet with sharing IP address 2. However, because of NAT shielding, devices in two NAT cannot access to devices in another NAT because there is no specific IP address for each device in the same NAT.<\/p>\n\n\n\n

\"\"<\/figure><\/div>\n\n\n\n

To solve the problem, internal network penetration allows device in a NAT to be mapped to the public network, and accessed by any devices can access to the internet.<\/p>\n\n\n\n

The most famous internal network penetration service is Ngrok, which the first generation project is opened on Github. However, the second generation is not an open source. Therefore, in this article, we use another open source internal network penetration service Frp instead.<\/p>\n\n\n\n

What is Frp?<\/h2>\n\n\n\n

Frp is a fast reverse proxy to help you expose a local server behind a NAT or firewall to the internet. As of now, it supports tcp & udp, as well as http and https protocols, where requests can be forwarded to internal services by domain name.<\/p>\n\n\n\n

The Github project: https:\/\/github.com\/fatedier\/frp<\/a> <\/p>\n\n\n\n

What can it do?<\/h2>\n\n\n\n

With Frp, we can map the service in internal network to the public network. For example, a web page is deploy on the raspberry pi in a internal network, we can map it on a cloud server with public IP address, and then we can access it by the public IP address.<\/p>\n\n\n\n

Deploy Frp service<\/h2>\n\n\n\n

Requirement<\/h3>\n\n\n\n
  1. A service deploy on the port_internal<\/code><\/em> port of the device with internal IP address ip_internal<\/code><\/em> in the internal network. Take raspberry pi with raspbian as example.<\/li>
  2. A server with independent public IP address ip_public<\/code><\/em>, and service map to port_public<\/code><\/em> port. Take CentOS 7 as example.<\/li>
  3. Frp server and client download from Github.<\/li>
  4. Assume port_internal<\/code><\/em> is 7001, ip_internal<\/code><\/em> is 192.168.123.101, ip_public<\/code> is 123.456.789.100, port_public<\/code> is 7010.<\/li><\/ol>\n\n\n\n

    Step 1. Check internal network access<\/h3>\n\n\n\n

    Check whether the service in internal network can be accessed by the web address: http:\/\/192.168.123.101:7001<\/code><\/em>, make sure it can work correctly.<\/p>\n\n\n\n

    Step 2. Download Frp from Github<\/h3>\n\n\n\n

    Download the latest or required version of Frp from Github, pay attention to the operating system.<\/p>\n\n\n\n

    Step 3. Deploy Frp server<\/h3>\n\n\n\n

    Allow 7000 and 7010 port in firewall on the server management system.<\/p>\n\n\n\n

    Upload frps, frps.ini to the server, put them into dir ~\/frp_server<\/code><\/em>.<\/p>\n\n\n\n

    cd ~\nmkdir frp_server\nmv frps frp_server\nmv frps.ini frp_server<\/code><\/pre>\n\n\n\n
    Modify frps.ini: <\/p>\n\n\n\n
    # frps.ini\n[common]\n# frps server port\nbind_port = 7000<\/code><\/pre>\n\n\n\n
    Start frps: <\/p>\n\n\n\n
    .\/frps -c .\/frps.ini<\/code><\/pre>\n\n\n\n
    Step 4. Deploy Frp client<\/h3>\n\n\n\n
    Allow 7001 in firewall on raspberry pi, we use ufw to manage the firewall. Details of ufw firewall configuration, see my article below:<\/p>\n\n\n\n
    \n
    Use ufw to config the firewall on Debian<\/a><\/blockquote>