Stcp on K-Life Hack | Systems Architecture & DevOpshttps://klifehack.com/en/tags/stcp/Recent content in Stcp on K-Life Hack | Systems Architecture & DevOpsHugo -- gohugo.ioenFri, 05 Jun 2026 14:14:35 +0900Exposing Local Services Behind NAT and Implementing STCP Secure Tunneling Using FRPhttps://klifehack.com/en/p/frp-reverse-proxy-stcp-setup/Fri, 05 Jun 2026 14:14:35 +0900https://klifehack.com/en/p/frp-reverse-proxy-stcp-setup/<h3 id="1-introduction">1. Introduction </h3><p>During software development and testing phases, it often becomes necessary to make local server services operating under private IP addresses accessible from external networks. To address this challenge, <b>FRP (Fast Reverse Proxy)</b> provides an easy-to-configure, high-performance reverse proxy solution.</p> <p>FRP features a built-in web-based dashboard for real-time monitoring of active tunnel connections, traffic statistics, and system health. Configuration details and system architecture for FRP deployment:</p> <hr> <h3 id="2-frp-overview">2. FRP Overview </h3><h4 id="21-definition">2.1 Definition </h4><p>FRP is a reverse proxy application designed to securely expose local servers behind NAT (Network Address Translation) or restrictive firewalls to the public internet. It acts as a relay for external user access to local services on machines that do not have a public static IP address.</p> <h4 id="22-core-components">2.2 Core Components </h4><p>FRP client-server architecture binaries:</p> <ul> <li><b><code>frps</code> (FRP Server):</b> Runs on a cloud server or similar host with a public IP address. It functions as a listener waiting for connection requests from clients and external users.</li> <li><b><code>frpc</code> (FRP Client):</b> Runs on the local server within the private network where the actual target services (SSH, web server, database, etc.) are running. It establishes an outbound connection to <code>frps</code> to build a secure tunnel.</li> </ul> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>+------------------+ +------------------+ +------------------+ </span></span><span style="display:flex;"><span>| Local Server | | Public Server | | External User | </span></span><span style="display:flex;"><span>| (FRP Client) | --[Outbound]--&amp;gt; | (FRP Server) | &amp;lt;---[Inbound]--- | (SSH/Browser) | </span></span><span style="display:flex;"><span>| [frpc] | | [frps] | | | </span></span><span style="display:flex;"><span>+------------------+ +------------------+ +------------------+ </span></span></code></pre></div><h4 id="23-operating-principle-and-workflow">2.3 Operating Principle and Workflow </h4><p>Traffic routing steps via FRP:</p> <ol> <li><b>Connection Establishment:</b> <code>frpc</code> within the private network initiates an outbound connection to <code>frps</code> on the public cloud. Because it is an outbound connection, it can bypass most inbound firewall rules and NAT restrictions.</li> <li><b>Port Binding:</b> Upon receiving the connection, <code>frps</code> binds the specified port (e.g., port <code>3500</code>) and prepares to forward inbound traffic to that port to <code>frpc</code> via the active tunnel.</li> <li><b>Data Transfer:</b> When an external user attempts to connect to <code>CLOUD_PUBLIC_IP:3500</code> on the public server, <code>frps</code> intercepts the traffic and forwards it to <code>frpc</code> through the established tunnel.</li> <li><b>Response Return:</b> <code>frpc</code> receives the forwarded data and passes it to the local service (such as an SSH daemon on port <code>22</code>). It collects the response from the service, sends it back to <code>frps</code> through the tunnel, and it is ultimately delivered to the external user.</li> </ol> <h4 id="24-key-features">2.4 Key Features </h4><ul> <li><b>Multi-protocol Support:</b> Supports TCP, UDP, HTTP, HTTPS, and domain-based virtual host routing.</li> <li><b>P2P Connection (<code>xtcp</code>):</b> Supports a peer-to-peer communication mode directly between clients without going through a relay server after the initial handshake, saving bandwidth.</li> <li><b>Security Features:</b> Supports in-tunnel encryption, data compression, and token-based authentication.</li> <li><b>Management Dashboard:</b> Provides a Web UI to visualize tunnel status and bandwidth usage.</li> </ul> <hr> <h3 id="3-installation">3. Installation </h3><p>Obtain the release package corresponding to the target system&rsquo;s architecture from the official repository.</p> <ul> <li><b>Reference Source:</b> <a class="link" href="https://github.com/fatedier/frp/releases" target="_blank" rel="noopener" >FRP GitHub Releases</a></li> <li><b>Verified Version:</b> <code>0.67.0</code> (Assuming a Linux 64-bit environment)</li> </ul> <p>Binary extraction commands for server and client:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># FRPパッケージのダウンロードと展開</span> </span></span><span style="display:flex;"><span>wget https://github.com/fatedier/frp/releases/download/v0.67.0/frp_0.67.0_linux_amd64.tar.gz </span></span><span style="display:flex;"><span>tar -zxvf frp_0.67.0_linux_amd64.tar.gz </span></span><span style="display:flex;"><span>cd frp_0.67.0_linux_amd64 </span></span></code></pre></div><hr> <h3 id="4-server-side-configuration">4. Server-Side Configuration </h3><p>💡 <b>Target Host:</b> Cloud server with a public IP address</p> <h4 id="41-editing-the-configuration-file-frpstoml">4.1 Editing the Configuration File (<code>frps.toml</code>) </h4><p>Server configuration using TOML format (v0.52.0 and later):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 設定ファイルの配置ディレクトリ作成と編集</span> </span></span><span style="display:flex;"><span>mkdir -p /etc/frp </span></span><span style="display:flex;"><span>cp frps.toml /etc/frp/frps.toml </span></span><span style="display:flex;"><span>vi /etc/frp/frps.toml </span></span></code></pre></div><p>Configuration parameters for the server:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span><span style="color:#75715e"># frps.toml</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">bindPort</span> = <span style="color:#ae81ff">7000</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">auth</span>.<span style="color:#a6e22e">token</span> = <span style="color:#e6db74">&#34;your_secure_token&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># 管理ダッシュボードの設定</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">webServer</span>.<span style="color:#a6e22e">addr</span> = <span style="color:#e6db74">&#34;0.0.0.0&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">webServer</span>.<span style="color:#a6e22e">port</span> = <span style="color:#ae81ff">7500</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">webServer</span>.<span style="color:#a6e22e">user</span> = <span style="color:#e6db74">&#34;admin&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">webServer</span>.<span style="color:#a6e22e">password</span> = <span style="color:#e6db74">&#34;admin_password&#34;</span> </span></span></code></pre></div><h4 id="42-firewall-configuration">4.2 Firewall Configuration </h4><p>In your cloud provider&rsquo;s security groups and local firewall (<code>ufw</code> or <code>firewalld</code>), allow inbound traffic to the following ports:</p> <ul> <li><b>Port <code>7000</code>:</b> Required for the control connection between <code>frpc</code> and <code>frps</code>.</li> <li><b>Port <code>7500</code>:</b> Required to access the management dashboard.</li> <li><b>Service Ports:</b> Any ports requested by <code>frpc</code> for public exposure (e.g., <code>6000</code>, <code>6500</code>, etc.).</li> </ul> <h4 id="43-background-execution-configuration-with-systemd">4.3 Background Execution Configuration with <code>systemd</code> </h4><p>Register as a <code>systemd</code> service to enable automatic recovery upon server reboot or abnormal process termination.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># systemdサービスファイルの作成</span> </span></span><span style="display:flex;"><span>sudo vi /etc/systemd/system/frps.service </span></span></code></pre></div><p>Service definition for systemd:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#66d9ef">[Unit]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Description</span><span style="color:#f92672">=</span><span style="color:#e6db74">FRP Server</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">After</span><span style="color:#f92672">=</span><span style="color:#e6db74">network.target</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[Service]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Type</span><span style="color:#f92672">=</span><span style="color:#e6db74">simple</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">ExecStart</span><span style="color:#f92672">=</span><span style="color:#e6db74">/usr/local/bin/frps -c /etc/frp/frps.toml</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Restart</span><span style="color:#f92672">=</span><span style="color:#e6db74">on-failure</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">RestartSec</span><span style="color:#f92672">=</span><span style="color:#e6db74">5</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[Install]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">WantedBy</span><span style="color:#f92672">=</span><span style="color:#e6db74">multi-user.target</span> </span></span></code></pre></div><p>Enable and start the service.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># バイナリのシステムパスへの配置</span> </span></span><span style="display:flex;"><span>sudo cp frps /usr/local/bin/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># サービスの有効化および起動</span> </span></span><span style="display:flex;"><span>sudo systemctl daemon-reload </span></span><span style="display:flex;"><span>sudo systemctl enable frps </span></span><span style="display:flex;"><span>sudo systemctl start frps </span></span><span style="display:flex;"><span>sudo systemctl status frps </span></span></code></pre></div><h4 id="44-verifying-the-dashboard">4.4 Verifying the Dashboard </h4><p>Dashboard access and credential verification:</p> <ul> <li><b>URL:</b> <code>http://CLOUD_PUBLIC_IP:7500</code></li> <li><b>Username:</b> <code>admin</code></li> <li><b>Password:</b> <code>admin_password</code></li> </ul> <hr> <h3 id="5-client-side-configuration">5. Client-Side Configuration </h3><p>💡 <b>Target Host:</b> Local server with a private IP address</p> <h4 id="51-editing-the-configuration-file-frpctoml">5.1 Editing the Configuration File (<code>frpc.toml</code>) </h4><p>Client configuration for destination server and local services:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 設定ファイルの配置ディレクトリ作成と編集</span> </span></span><span style="display:flex;"><span>mkdir -p /etc/frp </span></span><span style="display:flex;"><span>cp frpc.toml /etc/frp/frpc.toml </span></span><span style="display:flex;"><span>vi /etc/frp/frpc.toml </span></span></code></pre></div><p>Client configuration parameters:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span><span style="color:#75715e"># frpc.toml</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">serverAddr</span> = <span style="color:#e6db74">&#34;CLOUD_PUBLIC_IP&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">serverPort</span> = <span style="color:#ae81ff">7000</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">auth</span>.<span style="color:#a6e22e">token</span> = <span style="color:#e6db74">&#34;your_secure_token&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[[<span style="color:#a6e22e">proxies</span>]] </span></span><span style="display:flex;"><span><span style="color:#a6e22e">name</span> = <span style="color:#e6db74">&#34;ssh&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">type</span> = <span style="color:#e6db74">&#34;tcp&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localIP</span> = <span style="color:#e6db74">&#34;127.0.0.1&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localPort</span> = <span style="color:#ae81ff">22</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">remotePort</span> = <span style="color:#ae81ff">6000</span> </span></span></code></pre></div><h4 id="52-background-execution-configuration-with-systemd">5.2 Background Execution Configuration with <code>systemd</code> </h4><p>Systemd service construction for the client:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># systemdサービスファイルの作成</span> </span></span><span style="display:flex;"><span>sudo vi /etc/systemd/system/frpc.service </span></span></code></pre></div><div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#66d9ef">[Unit]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Description</span><span style="color:#f92672">=</span><span style="color:#e6db74">FRP Client</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">After</span><span style="color:#f92672">=</span><span style="color:#e6db74">network.target</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[Service]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Type</span><span style="color:#f92672">=</span><span style="color:#e6db74">simple</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">ExecStart</span><span style="color:#f92672">=</span><span style="color:#e6db74">/usr/local/bin/frpc -c /etc/frp/frpc.toml</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">Restart</span><span style="color:#f92672">=</span><span style="color:#e6db74">on-failure</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">RestartSec</span><span style="color:#f92672">=</span><span style="color:#e6db74">5</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[Install]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">WantedBy</span><span style="color:#f92672">=</span><span style="color:#e6db74">multi-user.target</span> </span></span></code></pre></div><p>Enable and start the client service.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># バイナリのシステムパスへの配置</span> </span></span><span style="display:flex;"><span>sudo cp frpc /usr/local/bin/ </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#75715e"># サービスの有効化および起動</span> </span></span><span style="display:flex;"><span>sudo systemctl daemon-reload </span></span><span style="display:flex;"><span>sudo systemctl enable frpc </span></span><span style="display:flex;"><span>sudo systemctl start frpc </span></span><span style="display:flex;"><span>sudo systemctl status frpc </span></span></code></pre></div><hr> <h3 id="6-advanced-configuration-and-security">6. Advanced Configuration and Security </h3><h4 id="61-generating-a-secure-authentication-token">6.1 Generating a Secure Authentication Token </h4><p>To prevent unauthorized access to the FRP control port, it is recommended to use a cryptographically secure random token. Generation of a 24-character Base64 encoded string using OpenSSL:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 安全なランダムトークンの生成</span> </span></span><span style="display:flex;"><span>openssl rand -base64 <span style="color:#ae81ff">24</span> </span></span></code></pre></div><h4 id="62-exposing-multiple-ports-and-services">6.2 Exposing Multiple Ports and Services </h4><p>Definition of multiple <code>[[proxies]]</code> blocks in <code>frpc.toml</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span><span style="color:#75715e"># frpc.toml (複数サービス構成例)</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">serverAddr</span> = <span style="color:#e6db74">&#34;CLOUD_PUBLIC_IP&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">serverPort</span> = <span style="color:#ae81ff">7000</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">auth</span>.<span style="color:#a6e22e">token</span> = <span style="color:#e6db74">&#34;your_secure_token&#34;</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[[<span style="color:#a6e22e">proxies</span>]] </span></span><span style="display:flex;"><span><span style="color:#a6e22e">name</span> = <span style="color:#e6db74">&#34;ssh&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">type</span> = <span style="color:#e6db74">&#34;tcp&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localIP</span> = <span style="color:#e6db74">&#34;127.0.0.1&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localPort</span> = <span style="color:#ae81ff">22</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">remotePort</span> = <span style="color:#ae81ff">6000</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span>[[<span style="color:#a6e22e">proxies</span>]] </span></span><span style="display:flex;"><span><span style="color:#a6e22e">name</span> = <span style="color:#e6db74">&#34;web&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">type</span> = <span style="color:#e6db74">&#34;tcp&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localIP</span> = <span style="color:#e6db74">&#34;127.0.0.1&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localPort</span> = <span style="color:#ae81ff">80</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">remotePort</span> = <span style="color:#ae81ff">6500</span> </span></span></code></pre></div><p>After changing the configuration, restart the client service.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># クライアントサービスの再起動</span> </span></span><span style="display:flex;"><span>sudo systemctl restart frpc </span></span></code></pre></div><p>⚠️ <b>Note:</b> You must allow inbound communication for all exposed <code>remotePort</code>s (e.g., <code>6000</code>, <code>6500</code>) on the public server&rsquo;s firewall.</p> <h4 id="63-specifying-port-ranges-in-bulk">6.3 Specifying Port Ranges in Bulk </h4><p>Bulk port exposure using ranges or commas:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span><span style="color:#75715e"># frpc.toml (ポート範囲指定例)</span> </span></span><span style="display:flex;"><span>[[<span style="color:#a6e22e">proxies</span>]] </span></span><span style="display:flex;"><span><span style="color:#a6e22e">name</span> = <span style="color:#e6db74">&#34;range_ports&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">type</span> = <span style="color:#e6db74">&#34;tcp&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localIP</span> = <span style="color:#e6db74">&#34;127.0.0.1&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">localPort</span> = <span style="color:#e6db74">&#34;8000-8080&#34;</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">remotePort</span> = <span style="color:#e6db74">&#34;8000-8080&#34;</span> </span></span></code></pre></div><h4 id="64-restricting-bind-ports-on-the-server-side">6.4 Restricting Bind Ports on the Server Side </h4><p>Server-side bind port restrictions:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-toml" data-lang="toml"><span style="display:flex;"><span><span style="color:#75715e"># frps.toml (ポート制限設定)</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">allowPorts</span> = [ </span></span><span style="display:flex;"><span> { <span style="color:#a6e22e">start</span> = <span style="color:#ae81ff">6000</span>, <span style="color:#a6e22e">end</span> = <span style="color:#ae81ff">7000</span> } </span></span><span style="display:flex;"><span>] </span></span></code></pre></div><h4 id="65-connection-troubleshooting">6.5 Connection Troubleshooting </h4><p>If you cannot connect despite having no issues with the configuration, packet filtering on the public server side may be the cause.</p> <h5 id="step-1-explicitly-allowing-port-7000-with-iptables">Step 1: Explicitly Allowing Port 7000 with <code>iptables</code> </h5><p>Insertion of a rule at the top of the input chain:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># ポート7000の通信を許可</span> </span></span><span style="display:flex;"><span>sudo iptables -I INPUT -p tcp --dport <span style="color:#ae81ff">7000</span> -j ACCEPT </span></span></code></pre></div><h5 id="step-2-persisting-the-rules">Step 2: Persisting the Rules </h5><p>Persistence of rules using <code>iptables-persistent</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># ルールの永続化保存</span> </span></span><span style="display:flex;"><span>sudo DEBIAN_FRONTEND<span style="color:#f92672">=</span>noninteractive apt-get install -y iptables-persistent </span></span><span style="display:flex;"><span>sudo netfilter-persistent save </span></span></code></pre></div><h5 id="step-3-verifying-connectivity-from-the-outside">Step 3: Verifying Connectivity from the Outside </h5><p>Connectivity verification using <code>netcat</code> (<code>nc</code>):</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># 外部端末からの疎通テスト</span> </span></span><span style="display:flex;"><span>nc -zv CLOUD_PUBLIC_IP <span style="color:#ae81ff">7000</span> </span></span></code></pre></div><hr> <h3 id="7-stcp-secure-tcp-configuration">7. STCP (Secure TCP) Configuration </h3><p>Standard TCP proxies globally expose ports on the public server side, making them susceptible to port scanning and unauthorized access. In an <b>STCP (Secure TCP)</b> configuration, no public ports are exposed on the public server; instead, communication is routed through an encrypted tunnel. The accessing client terminal (Visitor) also runs <code>frpc</code> and binds to a local port to relay the traffic.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-text" data-lang="text"><span style="display:flex;"><span>+------------------+ +------------------+ +------------------+ </span></span><span style="display:flex;"><span>| Service Host | | Public Server | | Visitor Host | </span></span><span style="display:flex;"><span>| (FRP Client) | --[STCP Tunnel]-&amp;gt;| (FRP Server) | &amp;lt;-[STCP Tunnel]- | (FRP Client) | </span></span><span style="display:flex;"><span>| [frpc (service)]| | [frps] | | [frpc (visitor)]| </span></span><span style="display:flex;"><span>+------------------+ +------------------+ +------------------+ </span></span></code></pre></div><h4 id="71-stcp-architectural-configuration">7.1 STCP Architectural Configuration </h4><ul> <li><b>Service (Private Server):</b> Runs the target service to be exposed and the <code>frpc</code> acting as the STCP provider.</li> <li><b>frps (Relay Server):</b> Runs on a public IP and relays communication without directly exposing ports to the outside.</li> <li><b>Visitor (Accessing Terminal):</b> Runs on the developer&rsquo;s local PC or similar, running <code>frpc</code> as an STCP visitor to bind a local port.</li> </ul> <h4 id="72-configuration-files-in-ini-format">7.2 Configuration Files in INI Format </h4><p>Configuration examples in INI format:</p> <h5 id="1-service-provider-configuration-frpc_serviceini">1. Service Provider Configuration (<code>frpc_service.ini</code>) </h5><p>Placed on the private server side.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#75715e"># frpc_service.ini</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[common]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">server_addr</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">CLOUD_PUBLIC_IP</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">server_port</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">7000</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">token</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">your_secure_token</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[ssh_stcp]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">type</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">stcp</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sk</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">secret_key_here</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">local_ip</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">127.0.0.1</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">local_port</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">22</span> </span></span></code></pre></div><p>⚠️ <b>Security Note:</b> The secret key (<code>sk</code>) functions as a pre-shared key for the tunnel. Set a unique, complex string for each service.</p> <h5 id="2-relay-server-configuration-frpsini">2. Relay Server Configuration (<code>frps.ini</code>) </h5><p>Placed on the public server side.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#75715e"># frps.ini</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[common]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">bind_port</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">7000</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">token</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">your_secure_token</span> </span></span></code></pre></div><h5 id="3-visitor-configuration-frpc_visitorini">3. Visitor Configuration (<code>frpc_visitor.ini</code>) </h5><p>Placed on the accessing local PC side.</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-ini" data-lang="ini"><span style="display:flex;"><span><span style="color:#75715e"># frpc_visitor.ini</span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[common]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">server_addr</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">CLOUD_PUBLIC_IP</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">server_port</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">7000</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">token</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">your_secure_token</span> </span></span><span style="display:flex;"><span> </span></span><span style="display:flex;"><span><span style="color:#66d9ef">[ssh_stcp_visitor]</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">type</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">stcp</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">role</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">visitor</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">server_name</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">ssh_stcp</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">sk</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">secret_key_here</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">bind_addr</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">127.0.0.1</span> </span></span><span style="display:flex;"><span><span style="color:#a6e22e">bind_port</span> <span style="color:#f92672">=</span> <span style="color:#e6db74">6000</span> </span></span></code></pre></div><h4 id="73-connection-establishment">7.3 Connection Establishment </h4><p>When the STCP configuration is active, you connect to your own loopback address to access the remote service from the visitor terminal.</p> <p>Connection address for a remote application on port <code>4000</code>:</p> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span><span style="color:#75715e"># ビジター端末からの接続実行例</span> </span></span><span style="display:flex;"><span>ssh -p <span style="color:#ae81ff">6000</span> user@127.0.0.1 </span></span></code></pre></div><p>(*Please specify an appropriate loopback address, such as <code>127.0.0.1:6001</code>, depending on your network environment&rsquo;s bind settings.)</p> <h4 id="74-binary-startup-sequence">7.4 Binary Startup Sequence </h4><p>Recommended binary startup sequence:</p> <ol> <li><b>Start the Relay Server (<code>frps</code>):</b></li> </ol> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>./frps -c ./frps.ini </span></span></code></pre></div><ol start="2"> <li><b>Start the Service Provider Client (<code>frpc</code> - Private Server):</b></li> </ol> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>./frpc -c ./frpc_service.ini </span></span></code></pre></div><ol start="3"> <li><b>Start the Visitor Client (<code>frpc</code> - Local PC):</b></li> </ol> <div class="highlight"><pre tabindex="0" style="color:#f8f8f2;background-color:#272822;-moz-tab-size:4;-o-tab-size:4;tab-size:4;-webkit-text-size-adjust:none;"><code class="language-bash" data-lang="bash"><span style="display:flex;"><span>./frpc -c ./frpc_visitor.ini </span></span></code></pre></div><ol start="4"> <li><b>Run the Local Application:</b> Connection initiation to the local port via SSH client or browser:</li> </ol> <hr> <h3 id="8-operational-considerations">8. Operational Considerations </h3><ul> <li><b>Strict Token Management:</b> Since <code>auth.token</code> and STCP&rsquo;s <code>sk</code> are stored in plain text in the configuration files, restrict the configuration file permissions appropriately (e.g., <code>chmod 600</code>) and take measures to prevent accidental commits to repositories.</li> <li><b>Connection Maintenance and Timeouts:</b> Depending on the specifications of routers behind NAT, TCP connections may be disconnected if there is no communication for a certain period. If necessary, add keep-alive settings such as <code>keepalive_interval</code> to the <code>frpc</code> configuration to maintain the tunnel.</li> <li><b>Log Monitoring:</b> In the event of connection failures, use <code>systemctl status frps</code> and <code>systemctl status frpc</code> to check for authentication errors (<code>token is invalid</code>) or port conflicts (<code>port already in use</code>).</li> </ul>