This shows you the differences between two versions of the page.
vpn [2020/08/13 13:23] robm created |
vpn [2021/11/01 14:08] robm Add Fast Reliable Proxy (frp_ |
||
---|---|---|---|
Line 210: | Line 210: | ||
</ | </ | ||
+ | |||
+ | ===== KCP Tunnelling via Fast Reverse Proxy (frp) ===== | ||
+ | |||
+ | [[https:// | ||
+ | |||
+ | * It supports [[https:// | ||
+ | * KCP reduces latency on lossy links by implementing error **correction** instead of just the error **detection** of TCP. This is achieved by using more bandwidth to send [[https:// | ||
+ | * This is especially useful on cellular / mobile networks (3G, 4G, etc) | ||
+ | * It can NAT-bust, even when **both** parties are behind NAT. | ||
+ | * This does require a public, non-NAT, server both parties can initiate contact with | ||
+ | |||
+ | Download and unpack [[https:// | ||
+ | |||
+ | I drive them with this bash script, which I call '' | ||
+ | |||
+ | < | ||
+ | #!/bin/bash | ||
+ | # | ||
+ | # FRP: Fast Reverse Proxy (cf. https:// | ||
+ | # | ||
+ | # XTCP: Creates a direct connection between hosts which are behind NAT gateways | ||
+ | # by getting both to contact a public server they can both access, and then | ||
+ | # (ab)using a UDP connection directly to one another. Because UDP is stateless, | ||
+ | # both sides can send a packet to the other and thereby get their NAT gateway | ||
+ | # to set up a session (temporary port forward) for any return traffic. Voila, | ||
+ | # you now have holes in both NAT gateways and the clients (frpc) can talk to | ||
+ | # each other directly. | ||
+ | |||
+ | SERVER_PORT=29900 | ||
+ | SERVER_ADDR=203.0.113.0: | ||
+ | TOKEN=yourtokenhere | ||
+ | SECRET_KEY=yoursecrethere | ||
+ | |||
+ | case $1 in | ||
+ | public-server) | ||
+ | CMD=( | ||
+ | ./frps | ||
+ | --bind_udp_port=7001 | ||
+ | --kcp_bind_port=${SERVER_PORT} | ||
+ | --token=${TOKEN} | ||
+ | );; | ||
+ | |||
+ | ssh-server) | ||
+ | CMD=( | ||
+ | ./frpc xtcp | ||
+ | |||
+ | # Public server details and auth token | ||
+ | --server_addr=${SERVER_ADDR} | ||
+ | --protocol=kcp | ||
+ | --token=${TOKEN} | ||
+ | |||
+ | # Proxy entry to publish for other hosts (also behind NAT) to | ||
+ | # access, thus making us act as a server. | ||
+ | --role=server | ||
+ | --proxy_name=ssh_p2p | ||
+ | --sk=${SECRET_KEY} | ||
+ | # Service to connect incoming tunnelled connections to | ||
+ | --local_ip=127.0.0.1 | ||
+ | --local_port=22 | ||
+ | );; | ||
+ | |||
+ | ssh-client) | ||
+ | CMD=( | ||
+ | ./frpc xtcp | ||
+ | |||
+ | # Public server details and auth token | ||
+ | --server_addr=${SERVER_ADDR} | ||
+ | --protocol=kcp | ||
+ | --token=${TOKEN} | ||
+ | |||
+ | # Proxy entry (published by another client) within the server we want to | ||
+ | # use, and server secret key | ||
+ | --server_name=ssh_p2p | ||
+ | --sk=${SECRET_KEY} | ||
+ | # As a visitor, we are trying to access something published by another | ||
+ | # | ||
+ | # where to put the listening end of our P2P tunnel: apps on our network | ||
+ | # will connect to this to be tunnelled through FRP and it's NAT hole. | ||
+ | # | ||
+ | # Also note that KCP protocol runs over UDP, but very few applications | ||
+ | # | ||
+ | # | ||
+ | --role=visitor | ||
+ | --bind_addr=127.0.0.1 | ||
+ | --bind_port=29922 | ||
+ | );; | ||
+ | |||
+ | *) | ||
+ | echo " | ||
+ | exit 1 | ||
+ | ;; | ||
+ | |||
+ | esac | ||
+ | |||
+ | cd $(dirname $0) | ||
+ | exec " | ||
+ | </ | ||
+ | |||
+ | and if you like, here's a systemd file for it, '' | ||
+ | |||
+ | < | ||
+ | [Unit] | ||
+ | Description=Fast Reliable Proxy Server | ||
+ | After=network.target | ||
+ | |||
+ | [Service] | ||
+ | Type=simple | ||
+ | User=nobody | ||
+ | Restart=on-failure | ||
+ | RestartSec=5s | ||
+ | ExecStart=/ | ||
+ | |||
+ | [Install] | ||
+ | WantedBy=multi-user.target | ||
+ | </ | ||
+ | |||
+ | To install it: | ||
+ | |||
+ | sudo ln -s $(readlink -f frp.service) / | ||
+ | sudo systemctl daemon-reload | ||
+ | sudo systemctl enable frp.service | ||
+ | sudo systemctl start frp.service |
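Review bot: The `public-server`, `ssh-server` and `ssh-client` branches pass `--token=${TOKEN}` (and, for the two frpc roles, `--sk=${SECRET_KEY}`) as command-line arguments, so by default any local user can read both secrets from the process list for as long as frps or frpc is running, and they also sit in plain text in the script. Consider moving them into an frp configuration file loaded with `-c` and readable only by the account that runs the service, and have the page say what file mode the script itself should carry. Smaller points in the same change: `cd $(dirname $0)` is unquoted and breaks when the script path contains spaces, so `cd "$(dirname "$0")"` is safer; the unit's `Description=Fast Reliable Proxy Server` disagrees with the heading and script header, which both say "Fast Reverse Proxy"; `User=nobody` shares an account with anything else on the host that runs as nobody, so a dedicated service user is a better fit for a process that holds the token; and "it's NAT hole" in the visitor comment should read "its".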