Video tutorial coming soon.
Deploy FRP (Fast Reverse Proxy) on Ubuntu to tunnel services from your home network through a public VPS — no port forwarding, no static IP, full TCP/UDP/HTTP support.
Grab the automated bash script from GitHub to follow along with the video.
wget https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/frp/frp-ubuntu.sh
chmod +x frp-ubuntu.sh
sudo bash frp-ubuntu.shwget https://raw.githubusercontent.com/mhmdali94/Docker/main/networking/frp/frp-ubuntu.shchmod +x frp-ubuntu.shThe script installs Docker if needed, then deploys frps (the FRP server) on your public VPS. You then run frpc (the client) on your home server.
sudo bash frp-ubuntu.shOpen your browser and navigate to:
http://<your-server-ip>:7500Configure frpc on your home server to tunnel services through the frps public server — each service gets its own proxy definition.
| Port | Purpose |
|---|---|
| 7000 | FRP Control Port (frps — required) |
| 7500 | FRP Dashboard (internal — optional) |
| varies | Forwarded Service Ports (configured per tunnel) |
FRP (Fast Reverse Proxy) is a high-performance reverse proxy tunnel that lets you expose services running on a private network through a public VPS. It works by running frps (server) on a VPS with a public IP and frpc (client) on your home server. The client establishes an outbound connection to the server, which then forwards incoming traffic back through the tunnel. Supports TCP, UDP, HTTP, HTTPS, and STCP.
FRP solves the fundamental problem of self-hosting behind a home ISP: no static IP, carrier-grade NAT, or blocked inbound ports. Instead of fighting your ISP, FRP tunnels your traffic through a cheap VPS ($5/month) that does have a public IP. Unlike Cloudflare Tunnels, FRP is entirely self-hosted — no third-party dependency on your traffic path.
frps requires port 7000 for the control connection (TCP — frpc connects here). Port 7500 is the optional dashboard (internal only). Forwarded service ports are whatever you configure per proxy — open only the ports your services need. On your home server, no inbound ports need to be opened.
Cloudflare Tunnel (no VPS needed, no UDP, Cloudflare dependency), Rathole (Rust-based, more efficient), ngrok (cloud, rate-limited free tier), Bore (simpler, Go), WireGuard (VPN, different use case). FRP is the best self-hosted option when you need UDP support or want zero third-party dependencies.
If you have a static IP and can port-forward, you don't need FRP — just open the ports. If you're okay with Cloudflare managing your traffic, Cloudflared is simpler to set up. If all you need is SSH access, WireGuard or Tailscale VPN is a better fit than a full reverse proxy tunnel.
PrismaTechWork provides end-to-end infrastructure services — from initial deployment and security hardening to ongoing monitoring, automated backups, and dedicated support. Whether you need a single-server setup or a multi-site network, our team ensures your infrastructure is built right, secured properly, and maintained reliably.
Yes. frps (the server component) must run on a machine with a public IP address — a VPS from any cloud provider works. frpc (the client) runs on your home server. Budget VPS plans starting at $3–5/month from providers like Hetzner, DigitalOcean, or Vultr are sufficient.
Both solve the same problem (exposing services behind NAT), but FRP is entirely self-hosted — your traffic only touches your VPS, not a third-party network. Cloudflare Tunnel routes traffic through Cloudflare's infrastructure, which adds DDoS protection and CDN benefits but also means Cloudflare can inspect your traffic. FRP also supports UDP; Cloudflare Tunnel does not.
Yes. FRP supports UDP proxy type for tunneling UDP traffic — useful for game servers, DNS, VoIP, and WireGuard relays. Cloudflare Tunnel does not support UDP, making FRP the go-to choice for UDP-based services.
As many as you want — each service is a separate proxy definition in frpc.toml with its own bind port on the VPS. A single frpc-frps connection can multiplex many tunnels simultaneously. The only practical limit is the VPS bandwidth and available ports.
The control channel between frpc and frps can be encrypted with TLS (recommended). The data channel for each proxy can also use TLS. However, HTTP proxies without TLS on the VPS end transmit data unencrypted between the VPS and the visitor. Use HTTPS on your services for end-to-end encryption.
WireGuard creates a VPN tunnel — all your traffic routes through the VPN, and remote devices appear on your local network. FRP is a reverse proxy — it exposes specific services publicly without giving remote clients network-level access. Use FRP for public-facing services; use WireGuard when you need full network access.
All tunneled services become unreachable since frpc can't establish a connection to frps. FRP's frpc has a built-in reconnect loop — when the VPS comes back, the tunnel reconnects automatically without intervention. Consider using a monitoring service like Uptime Kuma to alert you if the VPS goes down.
Run `docker compose pull && docker compose up -d` on the VPS for frps and on your home server for frpc. Keep both versions in sync — FRP doesn't guarantee backward compatibility between major versions. Check the GitHub releases page before upgrading.