Releases: fatedier/frp
v0.69.1
Features
- transport.wireProtocol = "v2" now also applies to UDP-based proxy payloads, including ordinary UDP and SUDP, so their payload framing is consistent with the selected wire protocol.
- Improved SUDP compatibility during mixed transport.wireProtocol deployments, allowing frps to bridge payloads between v1/default and v2 SUDP clients.
- XTCP work connection NatHoleSid messages now follow the selected transport.wireProtocol.
Compatibility Notes
- When enabling transport.wireProtocol = "v2" for SUDP, upgrade both the proxy and visitor frpc instances first, or keep them on v1 until both sides are upgraded.
v0.69.0
Compatibility Policy
Starting with v0.69.0, each minor release is supported until there are nine newer minor releases. For example, v0.69.0 will be supported until v0.78.0 is released. Within this window, frpc v0.69.0 is guaranteed to work with any frps from v0.61.0 to v0.77.0, and vice versa. Patch releases within the same minor are always compatible. Versions outside the support window may continue to work on a best-effort basis, but compatibility is no longer guaranteed.
For mixed-version deployments, upgrade frps first, then upgrade frpc. This keeps the server side ready for newer client-side protocol behavior before clients start using it.
Notes
This release introduces wire protocol v2 as a transition path for future frpc/frps protocol changes. The existing wire protocol is difficult to extend without compatibility risk, and upcoming changes, including replacing deprecated stream encryption methods, require a versioned protocol.
The default value of transport.wireProtocol remains v1 in this release. Users can keep the default for now. To test v2 early, upgrade both frpc and frps to versions that support it, then set transport.wireProtocol = "v2" in frpc. A v2-enabled frpc cannot connect to an older frps.
When transport.wireProtocol = "v2" is enabled, the control channel uses negotiated AEAD encryption after the login handshake. Both frpc and frps must be upgraded to this release to use v2.
v1 will be deprecated when v2 becomes the default in a future release. It will continue to be supported until v0.78.0 is released, and may be removed in v0.78.0 or later.
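The window arithmetic and the v2 constraint described above, as an added pre-flight check over a version inventory. This is example code, not part of frp: minorOf and checkPair are hypothetical names, the inventory rows are constructed, and applying the same 8-minor window to minors after v0.69 is an assumption.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
)

// minorOf extracts the minor number from a release tag such as "v0.69.1".
func minorOf(tag string) (int, error) {
	p := strings.Split(strings.TrimPrefix(tag, "v"), ".")
	if len(p) != 3 || p[0] != "0" {
		return 0, fmt.Errorf("unrecognized version %q", tag)
	}
	return strconv.Atoi(p[1])
}

// checkPair returns findings for one frpc/frps pairing; an empty slice means
// the pairing is inside the guaranteed window described in the notes.
func checkPair(frpc, frps, wireProtocol string) []string {
	c, errC := minorOf(frpc)
	s, errS := minorOf(frps)
	if errC != nil || errS != nil {
		return []string{"unparseable version"}
	}
	var out []string
	// v2 was introduced in v0.69.0; a v2-enabled frpc cannot reach an older frps.
	if wireProtocol == "v2" && (c < 69 || s < 69) {
		out = append(out, "v2 needs frpc and frps >= v0.69.0")
	}
	// Assumption: the 8-minor window stated for v0.69.0 (v0.61.0..v0.77.0)
	// applies the same way to every later minor.
	if d := c - s; d > 8 || d < -8 {
		out = append(out, "outside guaranteed window, best effort only")
	} else if c < 69 && s < 69 {
		out = append(out, "policy starts at v0.69.0, no guarantee stated")
	}
	return out
}

func main() {
	// Constructed inventory rows: frpc version, frps version, wireProtocol.
	for _, r := range [][3]string{
		{"v0.69.0", "v0.61.0", "v1"},
		{"v0.69.1", "v0.68.1", "v2"},
	} {
		fmt.Println(r, checkPair(r[0], r[1], r[2]))
	}
}
```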
Features
- Added transport.wireProtocol for frpc to select the internal message protocol used between frpc and frps. Supported values are v1 and v2.
- Added client protocol visibility in the frps dashboard and /api/clients API. Online clients now report their negotiated protocol as v1 or v2.
- Wire protocol v2 now negotiates AEAD control-channel encryption. Supported algorithms are xchacha20-poly1305 and aes-256-gcm; frpc advertises its preferred order based on local AES-GCM hardware support, and frps selects the first supported algorithm from that list.
v0.68.1
Fixes
- Fixed a configuration-dependent authentication bypass in type = "http" proxies when routeByHTTPUser is used together with httpUser/httpPassword. This affected proxy-style requests. Proxy-style authentication failures now return 407 Proxy Authentication Required.
v0.68.0
Features
- Added a built-in store capability for frpc, including persisted store source ([store] path = "..."), Store CRUD admin APIs (/api/store/proxies*, /api/store/visitors*) with runtime reload, and Store management pages in the frpc web dashboard.
Improvements
- Kept proxy/visitor names as raw config names during completion; moved user-prefix handling to explicit wire-level naming logic.
- Added noweb build tag to allow compiling without frontend assets. make build now auto-detects missing web/*/dist directories and skips embedding, so a fresh clone can build without running make web first. The dashboard gracefully returns 404 when assets are not embedded.
- Improved config parsing errors: for .toml files, syntax errors now return immediately with parser position details (line/column when available) instead of falling through to YAML/JSON parsing, and TOML type mismatches report field-level errors without misleading line numbers.
- OIDC auth now caches the access token and refreshes it before expiry, avoiding a new token request on every heartbeat. Falls back to per-request fetch when the provider omits expires_in.
v0.67.0
Features
- frpc now supports a clientID option to uniquely identify client instances. The server dashboard displays all connected clients with their online/offline status, connection history, and metadata, making it easier to monitor and manage multiple frpc deployments.
- Redesigned the frp web dashboard with a modern UI, dark mode support, and improved navigation.
Fixes
- Fixed UDP proxy protocol sending header on every packet instead of only the first packet of each session.
v0.66.0
Features
- HTTPS proxies now support load balancing groups. Multiple HTTPS proxies can be configured with the same loadBalancer.group and loadBalancer.groupKey to share the same custom domain and distribute traffic across multiple backend services, similar to the existing TCP and HTTP load balancing capabilities.
- Individual frpc proxies and visitors now accept an enabled flag (defaults to true), letting you disable specific entries without relying on the global start list; disabled blocks are skipped when client configs load.
- OIDC authentication now supports a tokenSource field to dynamically obtain tokens from external sources. You can use type = "file" to read a token from a file, or type = "exec" to run an external command (e.g., a cloud CLI or secrets manager) and capture its stdout as the token. The exec type requires the --allow-unsafe=TokenSourceExec CLI flag for security reasons.
Improvements
- VirtualNet: Implemented intelligent reconnection with exponential backoff. When connection errors occur repeatedly, the reconnect interval increases from 60s to 300s (max), reducing unnecessary reconnection attempts. Normal disconnections still reconnect quickly at 10s intervals.
Fixes
- Fix deadlock issue when TCP connection is closed. Previously, sending messages could block forever if the connection handler had already stopped.
v0.65.0
Features
- Add NAT traversal configuration options for XTCP proxies and visitors. Support disabling assisted addresses to avoid using slow VPN connections during NAT hole punching.
- Enhanced OIDC client configuration with support for custom TLS certificate verification and proxy settings. Added trustedCaFile, insecureSkipVerify, and proxyURL options for OIDC token endpoint connections.
- Added detailed Prometheus metrics with proxy_counts_detailed metric that includes both proxy type and proxy name labels, enabling monitoring of individual proxy connections instead of just aggregate counts.
v0.64.0
v0.63.0
Features
- Support for YAML merge functionality (anchors and references with dot-prefixed fields) in strict configuration mode without requiring --strict-config=false parameter.
- Support for proxy protocol in UDP proxies to preserve real client IP addresses.