Master NPS: Deploy Secure Intranet Penetration with Docker and TLS
This guide explains what NPS is and why it is needed, lists its core advantages, and gives step-by-step instructions for deploying the server and client on Linux, Windows or Docker, enabling TLS, managing tunnels and troubleshooting common issues.
Intranet Penetration and NPS Overview
Network address translation (NAT) and private addressing keep internal services unreachable from the public Internet. Intranet penetration (reverse tunnelling) tools expose such services through a host that has a public IP, without changing the network topology. NPS is a lightweight, high-performance, open-source implementation; the fork maintained by yisier that this guide uses adds a TLS-encrypted client bridge, IP blacklisting, traffic visualization and multi-protocol support.
Key Technical Features
Protocol support: TCP, UDP, HTTP, HTTPS, WebSocket, etc.
Real-time traffic monitoring via the web UI.
TLS-encrypted tunnels for secure data transfer.
IP black/white‑list to block malicious scans.
Cross‑platform binaries for Windows, Linux, macOS, ARM.
Web management interface for configuring tunnels and users.
Deploying the NPS Server
1. Server Requirements
A cloud server with a public IP (overseas is recommended for users in mainland China) and the required ports open in its firewall or security group. By default these are 80 and 443 for the HTTP/HTTPS proxy, 8080 for the web panel and 8024 for the client bridge; add 8025 if you enable the TLS bridge as in the configuration below. Minimum specification: 1 CPU, 2 GB RAM, 5 Mbps bandwidth.
2. Binary Installation (Linux/Windows)
# Download the release used in this guide (v0.26.27)
wget https://github.com/yisier/nps/releases/download/v0.26.27/linux_amd64_server.tar.gz
# Extract
tar -zxvf linux_amd64_server.tar.gz
After extracting, run ./nps in the foreground to test it, or install it as a service with ./nps install and start it with nps start. On Windows, extract the corresponding Windows archive and run nps.exe -server.
3. Docker Deployment
# Pull the official image
docker pull yisier1/nps
# Create a configuration directory
mkdir -p /home/nps/conf
# Start the container (host network for simplicity)
docker run -d --restart=always --name nps \
--net=host \
-v /home/nps/conf:/conf \
-v /etc/localtime:/etc/localtime:ro \
yisier1/nps
Copy the default configuration out of the container: docker cp nps:/conf/nps.conf /home/nps/conf/
Note that bind-mounting an empty host directory on /conf hides whatever the image ships there, so if the copy finds nothing, run it against a container created without the -v /home/nps/conf:/conf mount (docker create, docker cp, docker rm) and then start nps as above. Edit /home/nps/conf/nps.conf to set the management UI port, credentials, bridge ports, TLS, flow limits and blacklists. Example:
# Web management panel
web_port=8081
web_username=admin
web_password=StrongPassword
# Communication ports
bridge_port=8024
tls_bridge_port=8025
tls_enable=true
# Flow limit (in MB) and IP blacklist
flow_limit=10240
black_ip=192.168.1.100,10.0.0.1
# Enable login captcha
open_captcha=true
Apply changes by restarting the container:
docker restart nps
Configuring the NPS Client (Penetrated Device)
1. Binary Installation
# Linux client
wget https://github.com/yisier/nps/releases/download/v0.26.27/linux_amd64_client.tar.gz
tar -zxvf linux_amd64_client.tar.gz
chmod +x npc
2. Docker Deployment
# Pull client image
docker pull yisier1/npc
# Basic client (non‑TLS)
docker run -d --restart=always --name npc_client \
--net=host \
yisier1/npc -server=YOUR_SERVER_IP:8024 -vkey=YOUR_VKEY
# TLS‑enabled client
docker run -d --restart=always --name npc_tls \
--net=host \
yisier1/npc -server=YOUR_SERVER_IP:8025 -vkey=YOUR_VKEY -tls_enable=true
Common maintenance commands:
View logs: docker logs npc_client
Restart: docker restart npc_client
Update image: docker pull yisier1/npc, then recreate the container with the same parameters.
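The server and client steps above combined into one re-runnable script, as an added example that is not from the page or the nps project. It keeps the page's image names, paths and ports; gen_secret, nps_set_opt, nps_get_opt, render_server_conf, deploy_server and deploy_client are this example's own helpers, and it assumes a Linux host with GNU sed and Docker. It copies the stock nps.conf from a throwaway container created without the bind mount (an empty host directory mounted on /conf hides the image's copy) and writes a generated panel password instead of a hard-coded one.

```sh
#!/bin/sh
# Added example (not from the page or the nps project): the server and client
# deployment steps as one script. Image names, paths and ports follow the page;
# the helper names are this example's own. Assumes Linux (GNU sed -i) + Docker.
set -eu

NPS_CONF_DIR="${NPS_CONF_DIR:-/home/nps/conf}"
NPS_IMAGE="yisier1/nps"
NPC_IMAGE="yisier1/npc"

# Unguessable secret from the kernel CSPRNG, e.g. for the panel password.
gen_secret() {
    LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c "${1:-32}"
}

# Set key=value in nps.conf: remove every existing definition of the key
# (active or commented out, with or without spaces around '=') and append
# exactly one active line, so re-running the script is idempotent.
nps_set_opt() {
    file=$1 key=$2 value=$3
    sed -i "/^[#[:space:]]*${key}[[:space:]]*=/d" "$file"
    printf '%s=%s\n' "$key" "$value" >>"$file"
}

# First active value of a key, tolerating 'web_port = 8080' style spacing.
nps_get_opt() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# The page's nps.conf example, with a generated panel password.
render_server_conf() {
    conf=$1 web_pass=$2
    nps_set_opt "$conf" web_port 8081
    nps_set_opt "$conf" web_username admin
    nps_set_opt "$conf" web_password "$web_pass"
    nps_set_opt "$conf" bridge_port 8024
    nps_set_opt "$conf" tls_bridge_port 8025
    nps_set_opt "$conf" tls_enable true
    nps_set_opt "$conf" open_captcha true
    nps_set_opt "$conf" black_ip 192.168.1.100,10.0.0.1
}

# Server: take the image's stock /conf from a throwaway container created
# WITHOUT the bind mount (an empty host dir mounted on /conf would hide it),
# patch nps.conf, then start nps with host networking as on the page.
deploy_server() {
    mkdir -p "$NPS_CONF_DIR"
    if [ ! -f "$NPS_CONF_DIR/nps.conf" ]; then
        docker create --name nps-tmp "$NPS_IMAGE" >/dev/null
        docker cp nps-tmp:/conf/. "$NPS_CONF_DIR"/
        docker rm nps-tmp >/dev/null
    fi
    web_pass=$(gen_secret 24)
    render_server_conf "$NPS_CONF_DIR/nps.conf" "$web_pass"
    echo "web panel: http://<server-ip>:8081  user=admin  password=$web_pass"
    docker rm -f nps >/dev/null 2>&1 || true
    docker run -d --restart=always --name nps --net=host \
        -v "$NPS_CONF_DIR":/conf -v /etc/localtime:/etc/localtime:ro "$NPS_IMAGE"
}

# Client: always use the TLS bridge port; the vkey is the one shown for the
# client entry created in the web panel.
deploy_client() {
    server=$1 vkey=$2
    docker rm -f npc_tls >/dev/null 2>&1 || true
    docker run -d --restart=always --name npc_tls --net=host "$NPC_IMAGE" \
        -server="${server}:8025" -vkey="$vkey" -tls_enable=true
}

# Usage: sh nps-deploy.sh server                  (on the public host)
#        sh nps-deploy.sh client SERVER_IP VKEY   (on the intranet host)
case "${1:-}" in
    server) deploy_server ;;
    client) deploy_client "$2" "$3" ;;
esac
```

Re-running the script after editing render_server_conf is safe: nps_set_opt deletes stale and commented copies of a key before appending, so the file never ends up with two conflicting web_port lines. The same approach works for the update procedure in Q5, since the container is recreated with identical parameters every time.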
Creating a Penetration Tunnel
Log into the web UI (http://SERVER_IP:8081, the web_port set above) and first create a client; the verification key shown for it is the -vkey the npc container must use. Then add a tunnel under that client: choose the type (TCP, UDP, or an HTTP/HTTPS host), the local address and port of the service on the intranet side, the remote port to open on the server, and an optional domain name for host tunnels. The UI shows real-time traffic statistics per client and tunnel. Note that the panel is served over plain HTTP unless web_open_ssl is enabled with web_cert_file and web_key_file in nps.conf, so restrict it by firewall or source IP rather than leaving a clear-text admin login on a public address.
Advanced Feature: HTTPS & Wildcard Domain
NPS can terminate HTTPS for tunnelled web services with your own certificate. Do not confuse this with tls_enable, which only encrypts the npc-to-nps bridge on tls_bridge_port and has no effect on what visitors of the published site see. HTTPS for domain-based host tunnels is served on https_proxy_port (443 by default) using the default certificate and key files referenced in nps.conf, and each host added in the web UI can carry its own certificate and key, so one wildcard certificate for *.example.com lets you publish many subdomains. Mount the certificate and key into the configuration directory (/home/nps/conf) when running under Docker and keep the key readable only by the nps process.
Common Troubleshooting (FAQ)
Q1: Frequent disconnections
Check network stability, increase the client heartbeat interval in npc.conf (parameter heartbeat_interval), and consider upgrading server resources.
Q2: WebSocket traffic cannot be tunneled
Ensure you are using NPS version v0.26.14 or newer (WebSocket support fixed) and verify that no upstream proxy blocks WebSocket connections.
Q3: Docker container fails to start
# View container logs
docker logs nps
# Check whether the ports nps wants are already bound (8081 is the panel port
# configured above; the default is 8080, so check the values you actually set)
ss -tuln | grep -E ':(8081|8024|8025)([^0-9]|$)'
# Run an interactive container for debugging
docker run -it --net=host -v /home/nps/conf:/conf yisier1/nps /bin/sh
Q4: Client container cannot connect to server
Confirm the server IP and port are correct (8024 for the plain bridge, 8025 together with -tls_enable=true; client and server must agree on whether TLS is used), ensure firewalls and security groups allow that port, verify that the verification key (-vkey) matches the client entry on the server, and inspect the client logs (docker logs npc_client) for the error message.
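A preflight check to run before docker run or docker restart, covering the TLS and panel settings discussed above and the port and key problems in Q3 and Q4, as an added example that is not from the page or the nps project. The option names are those of nps.conf as used on this page plus web_open_ssl and public_vkey from the stock configuration; the stock values it flags (admin / 123 for the panel, public_vkey=123) are the nps defaults. conf_get, audit_nps_conf and port_clashes are this example's own names, and the ss -tuln text is passed in as a string so a listener table captured on the server can be checked anywhere, including offline.

```sh
#!/bin/sh
# Added example (not from the page or the nps project): audit nps.conf for
# weak settings and compare the ports nps will bind against the host's
# listener table. Helper names are this example's own; option names are those
# of nps.conf, and the stock values flagged are the ones nps ships with.
set -u

# First active value of key $2 in file $1; tolerates 'web_port = 8080'.
conf_get() {
    sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

findings=0
flag() { echo "WEAK: $1" >&2; findings=$((findings + 1)); }

# Print the number of weak settings found; details go to stderr.
audit_nps_conf() {
    conf=$1 findings=0
    user=$(conf_get "$conf" web_username)
    pass=$(conf_get "$conf" web_password)
    [ "$user" = "admin" ] && [ "$pass" = "123" ] && flag "panel still uses the stock admin / 123 login"
    [ "${#pass}" -lt 16 ] && flag "panel password is shorter than 16 characters"
    [ "$(conf_get "$conf" tls_enable)" = "true" ] || flag "tls_enable is not true: the client bridge runs in clear text"
    [ "$(conf_get "$conf" open_captcha)" = "true" ] || flag "open_captcha is off: panel logins can be brute-forced"
    [ "$(conf_get "$conf" web_open_ssl)" = "true" ] || flag "web_open_ssl is off: panel credentials travel over plain HTTP"
    [ "$(conf_get "$conf" public_vkey)" = "123" ] && flag "public_vkey is the stock 123: anyone can connect and push tunnels from their own npc.conf"
    echo "$findings"
}

# Print the number of configured ports already bound on the host. $2 is the
# text of `ss -tuln` (passed in rather than run here); details go to stderr.
port_clashes() {
    conf=$1 listeners=$2 n=0
    for k in web_port bridge_port tls_bridge_port http_proxy_port https_proxy_port; do
        p=$(conf_get "$conf" "$k")
        [ -n "$p" ] || continue
        if printf '%s\n' "$listeners" | grep -Eq "^(tcp|udp)[[:space:]].*:${p}[[:space:]]"; then
            echo "CLASH: $k=$p is already bound on this host" >&2
            n=$((n + 1))
        fi
    done
    echo "$n"
}

# Usage: sh nps-preflight.sh /home/nps/conf/nps.conf   (exit 0 only when clean)
if [ -n "${1:-}" ]; then
    weak=$(audit_nps_conf "$1")
    busy=$(port_clashes "$1" "$(ss -tuln)")
    echo "weak settings: $weak, port clashes: $busy"
    [ "$weak" -eq 0 ] && [ "$busy" -eq 0 ]
fi
```

Run it against the configuration before restarting the container; a non-zero exit means either a weak setting or a port that another service already holds, which is the usual cause of the Q3 start-up failure. The key check in Q4 is deliberately not automated here: compare the -vkey on the client with the client entry in the web panel by hand, since the key never appears in nps.conf.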
Q5: Updating NPS Docker images
# Server update
docker pull yisier1/nps
docker stop nps && docker rm nps
# Re‑run with original parameters (see Docker start command above)
# Client update
docker pull yisier1/npc
docker stop npc_client && docker rm npc_client
# Re-run with original parameters
Xiao Liu Lab