frp is a lightweight, open-source reverse proxy tool designed to expose local servers behind NATs or firewalls to the internet. It is primarily used by developers, DevOps engineers, and system administrators who need to access internal services—such as SSH, web apps, or APIs—from external networks without configuring complex port forwarding or VPNs. Built in Go, frp provides a client-server architecture with minimal overhead and supports multiple protocols including TCP, UDP, HTTP, and HTTPS.
The tool operates via a central frps server (on a publicly accessible machine) and frpc clients (on internal networks), communicating over encrypted channels. It integrates with Prometheus for monitoring, supports TLS, KCP, QUIC, and HTTP-based multiplexing, and offers a dashboard and admin UI for real-time proxy management. frp can be deployed on Linux, macOS, and Windows, and is compatible with Docker, Kubernetes, and cloud environments.
What You Get
- TCP/UDP Reverse Proxy - Expose any TCP or UDP service (e.g., SSH, databases, game servers) from behind NAT using port mapping between local and remote ports.
- HTTP/HTTPS Tunneling - Forward HTTP and HTTPS traffic to internal web services and enable custom domains, SSL termination, and HTTP header manipulation.
- P2P Mode - Establish direct peer-to-peer connections between clients when possible, reducing server load and latency for high-throughput applications.
- Server Dashboard & Client Admin UI - Real-time monitoring of active proxies, connection stats, and client health via a built-in web interface accessible at :7500.
- Token and OIDC Authentication - Secure client-server communication with token-based auth or integration with OAuth2/OIDC identity providers like Keycloak or Auth0.
- TLS Encryption & Compression - Encrypt all traffic with TLS and reduce bandwidth usage via gzip compression for HTTP payloads.
- TCP Stream Multiplexing - Multiple TCP connections can share a single persistent connection to the server, reducing connection overhead and improving efficiency.
- Port Reuse with TCPMux - Expose multiple SSH or TCP services on the same public port using HTTP CONNECT multiplexing via custom domains.
- Bandwidth Limiting per Proxy - Enforce per-proxy bandwidth caps to prevent resource exhaustion on shared servers.
- Service Health Checks - Automatically detect and remove unhealthy upstream services to ensure traffic is only routed to responsive endpoints.
- HTTP Host Header Rewriting & Custom Headers - Modify or inject HTTP headers (e.g., X-Forwarded-For, X-Real-IP) for compatibility with backend services.
- Proxy Protocol Support - Forward the original client IP address to backend services using the Proxy Protocol v1/v2, essential for logging and access control.
- Port Range Mapping - Map entire ranges of local ports (e.g., 6000-6100) to remote ranges in a single configuration, ideal for batch exposure.
- Client Plugins - Extend frpc functionality with custom plugins (e.g., for dynamic DNS updates or cloud API integrations).
- Virtual Network (VirtualNet) - Create a virtual overlay network between frpc clients and the frps server, enabling direct client-to-client communication.
- Hot-Reloading Configuration - Reload frpc configuration without restarting the process, enabling zero-downtime updates in production.
- KCP and QUIC Protocol Support - Use KCP for high-loss network optimization and QUIC for faster connection establishment and improved performance over unstable networks.
- Connection Pooling - Reuse existing connections to reduce latency and server resource consumption under high concurrency.
- Load Balancing - Distribute incoming traffic across multiple backend instances of the same service for redundancy and scalability.
- SSH Tunnel Gateway - Use frp as a secure gateway to access internal SSH servers without exposing port 22 to the public internet.
- Proxy via HTTP/SOCKS Proxy - Route frpc traffic through an intermediate HTTP or SOCKS proxy when direct outbound connections are restricted.
Common Use Cases
- Remote SSH Access to Home Lab - A home user exposes their Raspberry Pi’s SSH server via frp to access it from work without opening ports on their router.
- Expose Local Development Servers - A developer runs a local React or Node.js app and uses frp to share a public URL with teammates for real-time testing.
- Access Internal APIs Behind Corporate Firewall - An enterprise engineer exposes a private REST API to external partners using frp without modifying firewall rules.
- Run Public Web Services from Private Cloud - A small business hosts a WordPress site on a private VPS and uses frp to serve it via a custom domain with HTTPS.
- Multi-User SSH Access on Shared Port - A DevOps team shares a single public IP to allow 10 developers to SSH into their individual VMs using unique subdomains.
- Secure Monitoring Dashboard Access - A sysadmin exposes a local Grafana instance via frp with HTTP Basic Auth and TLS to monitor infrastructure from anywhere.
- P2P File Transfer Between Branch Offices - Two offices use frp’s P2P mode to directly transfer files between internal servers without routing through a central server.
- Expose UDP-Based Services - A gamer or VoIP service provider exposes a Minecraft server or SIP service through NAT using frp’s UDP tunneling capability.
Under The Hood
Architecture
- Clear separation of concerns through distinct client and server binaries with modular, independently developed components
- Plugin-based extensibility using interface-driven extension points that enable dynamic protocol and transport handling without core modifications
- Dependency inversion via abstract proxy interfaces, allowing runtime swapping of TCP, UDP, HTTP, and STCP implementations
- Configuration-driven composition that decouples network topology from implementation details, enabling flexible deployment topologies
- Single-codebase multi-binary build system leveraging Go build tags and conditional compilation for clean compilation boundaries
- Heavy use of Go’s native concurrency primitives to efficiently manage thousands of concurrent tunnels with low overhead
Tech Stack
- Go as the core language, leveraging standard libraries and CGO-disabled builds for cross-platform portability
- Modern Vue 3 and Element Plus frontend with Vite and automatic component registration for responsive administration interfaces
- Comprehensive static analysis tooling with GolangCI-Run enforcing code quality, security, and idiomatic Go practices
- Automated release pipelines via Goreleaser with checksum verification and custom packaging
- Makefile-driven build system integrating Vite-based frontend compilation with unified test and deployment targets
- E2E testing framework using shell scripts to validate version compatibility and rollback scenarios across environments
Code Quality
- Extensive test coverage spanning unit, integration, and end-to-end scenarios with deterministic, reusable test components
- Robust error handling with custom error types and precise error matching to ensure predictable failure modes
- Strong type safety through structured configuration validation and template-based parsing that prevents invalid states
- Consistent, descriptive naming conventions and clear package boundaries across configuration, testing, and mock layers
- Well-structured CI-ready test architecture with BDD-style specs, centralized setup, and isolated test environments for parallel safety
What Makes It Unique
- Unified configuration API that abstracts proxy sources (local, store, remote) into a single CRUD interface for seamless cross-environment orchestration
- Dynamic, protocol-aware health check UI that auto-adapts form inputs and parses headers in real time, eliminating manual config editing
- Context-aware proxy detail views that auto-detect origin and surface relevant metadata without separate UI paths
- Reusable, themable statistic cards that visually encode system metrics with gradient icons and accessible design
- Decoupled frontend architecture treating the web interface as a first-class management layer for both client and server
- Visual status indicators and error banners that surface operational issues directly in the UI, removing dependency on log inspection