VTWORAY 批量转socks5到PPTP(原创)

最近有一个需求，需要把 socks5 协议转成 PPTP 来使用。本来考虑使用 tproxy，但配起来没有那么顺畅（后来发现是 socks5 服务器没有搭好），最后用 vtworay 搭建成功：单进程就可以转换多个，比 tproxy 的多进程方式更方便。

 

vtworay配置文件

 

// Config file of vtworay. This file follows standard JSON format, with comments support.
// Uncomment entries below to satisfy your needs. Also read our manual for more detail at
// https://www.vtworay.com/
//
// How this file is used in this setup (see the iptables / pptpd sections of the post):
// pptpd hands PPTP clients an address from 10.10.10.1-100, iptables REDIRECTs their TCP
// to the "iptables" inbound below, and "routing" picks an outbound per client source
// address. Only TCP is redirected; client UDP (DNS included) never passes through here.
{
  "log": {
    // By default, vtworay writes access log to stdout.
    // The access log records client and destination addresses for every connection;
    // keep the directory readable by the service account only and rotate the file.
     "access": "/var/log/vtworay/access.log",

    // By default, vtworay writes error log to stdout.
    // "error": "/var/log/vtworay/error.log",

    // Log level, one of "debug", "info", "warning", "error", "none"
    "loglevel": "warning"
  },
  // List of inbound proxy configurations.
  "inbounds": [{
    // Port to listen on. You may need root access if the value is less than 1024.
    "port": 1080,

    // IP address to listen on. Change to "0.0.0.0" to listen on all network interfaces.
    // Loopback-only, which is what makes "auth": "noauth" below acceptable; if this is
    // ever widened, switch to "auth": "password" with "accounts".
    "listen": "127.0.0.1",

    // Tag of the inbound proxy. May be used for routing.
    "tag": "socks-inbound",

    // Protocol name of inbound proxy.
    "protocol": "socks",

    // Settings of the protocol. Varies based on protocol.
    "settings": {
      "auth": "noauth",
      "udp": false,
      // presumably the address advertised for UDP relay; unused while "udp" is false
      "ip": "127.0.0.1"
    },

    // Enable sniffing on TCP connection.
    "sniffing": {
      "enabled": true,
      // Target domain will be overridden to the one carried by the connection, if the connection is HTTP or HTTPS.
      "destOverride": ["http", "tls"]
    }
  },{
    // Transparent-proxy inbound fed by the iptables rule
    // "-A SSTCP -i ppp+ -p tcp -j REDIRECT --to-ports 8888".
    // NOTE(review): no "listen" key, so this binds on every interface (upstream v2ray's
    // default is "0.0.0.0") and the filter table in the post is all-ACCEPT, i.e. port 8888
    // is reachable from eth0 as well. REDIRECT rewrites the destination to the address of
    // the incoming ppp interface, so "listen": "10.10.10.254" (pptpd's localip) should be
    // enough for the VPN clients — confirm on the host before relying on it.
    "tag":"iptables",
      "port": 8888, // port the transparent proxy listens on
      "protocol": "dokodemo-door",
      "settings": {
        "followRedirect": true // must be true to accept traffic redirected by iptables
      },
      "sniffing": {
        "enabled": true,
        "destOverride": ["http", "tls"]
      }
    }

],
  // List of outbound proxy configurations.
  "outbounds": [{
    // Protocol name of the outbound proxy.
    // The first outbound is the default for traffic that matches no routing rule
    // (upstream v2ray behaviour): a PPTP client not listed under "routing" exits
    // directly from this host, not via the SOCKS5 upstream.
    "protocol": "freedom",

    // Settings of the protocol. Varies based on protocol.
    "settings": {},

    // Tag of the outbound. May be used for routing.
    "tag": "direct"
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  },{

    // Upstream SOCKS5 exit used for client 10.10.10.1 (see "routing").
    // NOTE(review): there is no "users" entry, so the connection is made without
    // credentials, and plain SOCKS5 carries the client's traffic unencrypted between
    // this host and the upstream. Add "users": [{"user": ..., "pass": ...}] if the
    // upstream supports it, and have the upstream restrict clients by source address.
    "protocol":"socks",
    "settings":{
        "servers":[{
        "address": "106.13.20.201",
        "port": 1080
        }]
    },
    "tag":"socksout"
    
}
],

  // Transport is for global transport settings. If you have multiple transports with same settings
  // (say mKCP), you may put it here, instead of in each individual inbound/outbounds.
  //"transport": {},

  // Routing controls how traffic from inbounds are sent to outbounds.
  "routing": {
    "domainStrategy": "IPOnDemand",
    "rules":[
      {
        // Blocks access to private IPs. Remove this if you want to access your router.
        // Checked before the per-client rules below. PPTP traffic to RFC1918 ranges is
        // already exempted from REDIRECT by the SSTCP chain, so this mostly guards the
        // socks-inbound.
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blocked"
      },
      {
        // Blocks major ads.
        "type": "field",
        "domain": ["geosite:category-ads"],
        "outboundTag": "blocked"
      },
    {
        // Client 10.10.10.1 (address pinned in chap-secrets) -> upstream SOCKS5.
        // "inboundTag" is commented out, so the match is on source address alone and
        // applies to every inbound; harmless while the socks inbound is loopback-only.
        "type":"field",
    //    "inboundTag":"iptables",
        "source":[
            "10.10.10.1"
        ],
        "outboundTag":"socksout"
    },

    {
        // Client 10.10.10.2 -> direct exit from this host (stated explicitly; it is
        // also what an unlisted client gets by default).
        "type":"field",
    //    "inboundTag":"iptables",
        "source":[
            "10.10.10.2"
        ],
        "outboundTag":"direct"
    }
    ]
  },

  // Dns settings for domain resolution.
  // These resolvers serve vtworay's own lookups (e.g. for "domainStrategy": "IPOnDemand");
  // they do not change which DNS the PPTP clients use — client DNS is UDP and is not redirected.
  "dns": {
    // Static hosts, similar to hosts file.
    "hosts": {
      // Match vtworay.com to another domain on CloudFlare. This domain will be used when querying IPs for vtworay.com.
      "domain:vtworay.com": "www.vicemc.net",

      // The following settings help to eliminate DNS poisoning in mainland China.
      // It is safe to comment these out if this is not the case for you.
      "domain:github.io": "pages.github.com",
      "domain:wikipedia.org": "www.wikimedia.org",
      // NOTE(review): this key looks like a paste artifact of the sample file — confirm;
      // a hosts key that matches no real domain is harmless but confusing.
      "domain:瞎逗socks.org": "electronicsrealm.com"
    },
    "servers": [
      "1.1.1.1",
      {
        "address": "114.114.114.114",
        "port": 53,
        // List of domains that use this DNS first.
        "domains": [
          "geosite:cn"
        ]
      },
      "8.8.8.8",
      "localhost"
    ]
  },

  // Policy controls some internal behavior of how vtworay handles connections.
  // It may be on connection level by user levels in 'levels', or global settings in 'system.'
  "policy": {
    // Connection policies by user levels
    "levels": {
      "0": {
        "uplinkOnly": 0,
        "downlinkOnly": 0
      }
    },
    "system": {
      "statsInboundUplink": false,
      "statsInboundDownlink": false,
      "statsOutboundUplink": false,
      "statsOutboundDownlink": false
    }
  },

  // Stats enables internal stats counter.
  // This setting can be used together with Policy and Api. 
  //"stats":{},

  // Api enables gRPC APIs for external programs to communicate with vtworay instance.
  //"api": {
    //"tag": "api",
    //"services": [
    //  "HandlerService",
    //  "LoggerService",
    //  "StatsService"
    //]
  //},

  // You may add other entries to the configuration, but they will not be recognized by vtworay.
  "other": {}
}

 

iptables配置文件

# Generated by iptables-save v1.4.21 on Mon Dec 21 17:48:35 2020
# Review notes:
#  - The filter table has ACCEPT policies and no rules, so every listening socket on this
#    host (pptpd on TCP/1723 plus GRE, vtworay's 8888, and 1080 if it ever binds beyond
#    loopback) is reachable from eth0; only services bound to a specific address are shielded.
#  - Only TCP enters the SSTCP chain; UDP from the PPTP clients (DNS included) is masqueraded
#    straight out of eth0 by the POSTROUTING rule and never reaches the SOCKS5 routing.
*filter
:INPUT ACCEPT [1061:156114]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [780:202895]
COMMIT
# Completed on Mon Dec 21 17:48:35 2020
# Generated by iptables-save v1.4.21 on Mon Dec 21 17:48:35 2020
*nat
:PREROUTING ACCEPT [18:1251]
:INPUT ACCEPT [18:1251]
:OUTPUT ACCEPT [12:732]
:POSTROUTING ACCEPT [12:732]
:SSTCP - [0:0]
# All incoming TCP from any interface is inspected by SSTCP; the "-i ppp+" match on the
# REDIRECT line below is what limits the actual redirect to PPTP clients.
-A PREROUTING -p tcp -j SSTCP
# Destinations that must never be proxied (unspecified, RFC1918, loopback, link-local,
# multicast, reserved) return to normal routing.
-A SSTCP -d 0.0.0.0/8 -j RETURN
-A SSTCP -d 10.0.0.0/8 -j RETURN
-A SSTCP -d 127.0.0.0/8 -j RETURN
-A SSTCP -d 169.254.0.0/16 -j RETURN
-A SSTCP -d 172.16.0.0/12 -j RETURN
-A SSTCP -d 192.168.0.0/16 -j RETURN
-A SSTCP -d 224.0.0.0/4 -j RETURN
-A SSTCP -d 240.0.0.0/4 -j RETURN
# Everything else arriving on a ppp interface goes to vtworay's dokodemo-door inbound
# (tag "iptables"). REDIRECT rewrites the destination to the primary address of the
# incoming interface, i.e. the pptpd localip 10.10.10.254, so that inbound can bind to
# that address rather than to all interfaces.
-A SSTCP  -i ppp+  -p tcp -j REDIRECT --to-ports 8888
# Source NAT for the PPTP pool (pptpd remoteip 10.10.10.1-100) leaving eth0; this is the
# path taken by "direct" traffic and by all non-TCP traffic from the clients.
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 21 17:48:35 2020

  pptpd配置文件

###############################################################################
# $Id: pptpd.conf,v 1.11 2011/05/19 00:02:50 quozl Exp $
#
# Sample Poptop configuration file /etc/pptpd.conf
#
# Changes are effective when pptpd is restarted.
#
# NOTE(review): PPTP (MS-CHAPv2 / MPPE) is a legacy protocol with well-known
# cryptographic weaknesses; it is acceptable here only because the clients are
# trusted and the secrets in chap-secrets are strong. Do not expose it as a
# general-purpose VPN.
###############################################################################

# TAG: ppp
#    Path to the pppd program, default '/usr/sbin/pppd' on Linux
#
#ppp /usr/sbin/pppd

# TAG: option
#    Specifies the location of the PPP options file.
#    By default PPP looks in '/etc/ppp/options'
#
# Authentication/encryption requirements live in this options file (not shown
# in the post) — it is where MS-CHAPv2 and MPPE must be required.
option /etc/ppp/options.pptpd

# TAG: debug
#    Turns on (more) debugging to syslog
#
#debug

# TAG: stimeout
#    Specifies timeout (in seconds) on starting ctrl connection
#
# stimeout 10

# TAG: noipparam
#       Suppress the passing of the client's IP address to PPP, which is
#       done by default otherwise.
#
#noipparam

# TAG: logwtmp
#    Use wtmp(5) to record client connections and disconnections.
#
# Keeps a login/logout trail per client, useful when correlating with the
# vtworay access log.
logwtmp

# TAG: vrf <vrfname>
#    Switches PPTP & GRE sockets to the specified VRF, which must exist
#    Only available if VRF support was compiled into pptpd.
#
#vrf test

# TAG: bcrelay <if>
#    Turns on broadcast relay to clients from interface <if>
#
#bcrelay eth1

# TAG: delegate
#    Delegates the allocation of client IP addresses to pppd.
#
#       Without this option, which is the default, pptpd manages the list of
#       IP addresses for clients and passes the next free address to pppd.
#       With this option, pptpd does not pass an address, and so pppd may use
#       radius or chap-secrets to allocate an address.
#
#delegate

# TAG: connections
#       Limits the number of client connections that may be accepted.
#
#       If pptpd is allocating IP addresses (e.g. delegate is not
#       used) then the number of connections is also limited by the
#       remoteip option.  The default is 100.
#connections 100

# TAG: localip
# TAG: remoteip
#    Specifies the local and remote IP address ranges.
#
#    These options are ignored if delegate option is set.
#
#       Any addresses work as long as the local machine takes care of the
#       routing.  But if you want to use MS-Windows networking, you should
#       use IP addresses out of the LAN address space and use the proxyarp
#       option in the pppd options file, or run bcrelay.
#
#    You can specify single IP addresses seperated by commas or you can
#    specify ranges, or both. For example:
#
#        192.168.0.234,192.168.0.245-249,192.168.0.254
#
#    IMPORTANT RESTRICTIONS:
#
#    1. No spaces are permitted between commas or within addresses.
#
#    2. If you give more IP addresses than the value of connections,
#       it will start at the beginning of the list and go until it
#       gets connections IPs.  Others will be ignored.
#
#    3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#       you must type 234-238 if you mean this.
#
#    4. If you give a single localIP, that's ok - all local IPs will
#       be set to the given one. You MUST still give at least one remote
#       IP for each simultaneous client.
#
# (Recommended)
# localip is also the address the iptables REDIRECT rule rewrites ppp+ traffic
# to, so vtworay's transparent inbound can bind to it instead of all interfaces.
localip 10.10.10.254 
# Pool handed out first-free (delegate is off, connections defaults to 100, so
# pool and limit match). Users with a fixed address in chap-secrets keep that
# address — presumably overriding the pool entry; verify on this pppd version.
# The vtworay routing rules key on 10.10.10.1 and 10.10.10.2 only; any other
# client lands on the default (first) outbound, i.e. exits directly.
remoteip 10.10.10.1-100

PPTP帐号密码

# Secrets for authentication using CHAP
# client    server    secret            IP addresses
# NOTE(review): secrets are stored in clear text and MS-CHAPv2 gives them little
# protection against offline cracking, so use long random secrets (the u1/p1-style
# values here are sample-grade) and keep this file root-owned, mode 0600 (pppd warns
# when it is group/world readable).
# The fixed address in column 4 is what ties a user to a vtworay "routing" rule
# (10.10.10.1 -> socksout, 10.10.10.2 -> direct); a user without one draws from the
# pptpd remoteip pool and gets the default (first) outbound.
u1    *     p1    10.10.10.1 
u2    *     p2    10.10.10.2 

对于 vtworay，使用 routing 字段，按 source IP 地址选择 outboundTag 进行路由，从而把内网 PPTP 客户端的 IP 分别对应到公网 SOCKS5 出口。

附vtworay的路由属性:

{
  "type": "field",
  "domain": [
    "baidu.com",
    "qq.com",
    "geosite:cn"
  ],
  "ip": [
    "0.0.0.0/8",
    "10.0.0.0/8",
    "fc00::/7",
    "fe80::/10",
    "geoip:cn"
  ],
  "port": "53,443,1000-2000",
  "network": "tcp",
  "source": [
    "10.0.0.1"
  ],
  "user": [
    "love@vtworay.com"
  ],
  "inboundTag": [
    "tag-vmess"
  ],
  "protocol":["http", "tls", "bittorrent"],
  "attrs": "attrs[':method'] == 'GET'",
  "outboundTag": "direct",
  "balancerTag": "balancer"
}

 

posted @ 2020-12-21 21:01  嗷嗷鹿鸣[VX|dshoub]  阅读(3781)  评论(0编辑  收藏  举报