最近有一个需求,需要将 SOCKS5 代理转成 PPTP 来使用。本来考虑使用 tproxy,但配起来没有那么顺畅(后来发现是 SOCKS5 服务器没有搭好),最后用 vtworay 搭建成功:单进程就可以转换多个,比 tproxy 的多进程方式更方便。
vtworay配置文件
// Config file of vtworay. This file follows standard JSON format, with comments support.
// Uncomment entries below to satisfy your needs. Also read our manual for more detail at
// https://www.vtworay.com/
//
// Role of this file in the post: a loopback SOCKS inbound for local use, a
// dokodemo-door inbound that receives the iptables REDIRECT from the PPTP
// clients (ppp+), and per-client routing that sends 10.10.10.1 through an
// upstream SOCKS5 server and 10.10.10.2 straight out.
{
  "log": {
    // By default, vtworay writes access log to stdout.
    // Here it goes to a file: a per-connection log of where each client
    // connected, so restrict the file's permissions and rotate it.
    "access": "/var/log/vtworay/access.log",
    // By default, vtworay writes error log to stdout.
    // "error": "/var/log/vtworay/error.log",
    // Log level, one of "debug", "info", "warning", "error", "none"
    "loglevel": "warning"
  },
  // List of inbound proxy configurations.
  "inbounds": [{
    // Port to listen on. You may need root access if the value is less than 1024.
    "port": 1080,
    // IP address to listen on. Change to "0.0.0.0" to listen on all network interfaces.
    "listen": "127.0.0.1",
    // Tag of the inbound proxy. May be used for routing.
    "tag": "socks-inbound",
    // Protocol name of inbound proxy.
    "protocol": "socks",
    // Settings of the protocol. Varies based on protocol.
    // "noauth" means any client that can reach this port may use it; that is
    // acceptable only because "listen" above pins the port to loopback. Keep
    // the two settings together: widening "listen" also requires enabling auth.
    "settings": {
      "auth": "noauth",
      "udp": false,
      "ip": "127.0.0.1"
    },
    // Enable sniffing on TCP connection.
    "sniffing": {
      "enabled": true,
      // Target domain will be overridden to the one carried by the connection, if the connection is HTTP or HTTPS.
      "destOverride": ["http", "tls"]
    }
  },{
    // Transparent-proxy inbound: the iptables rule
    // "-A SSTCP -i ppp+ -p tcp -j REDIRECT --to-ports 8888" delivers the PPTP
    // clients' TCP traffic here.
    "tag":"iptables",
    // Port opened for the transparent proxy (must match --to-ports in iptables).
    "port": 8888,
    // NOTE(review): no "listen" address is set, so this inbound binds to
    // vtworay's default address — confirm what that is on your build. The
    // filter table shown in this post accepts all INPUT, so if the default is
    // every interface, tcp/8888 is reachable from eth0 as well as from ppp+.
    // Restrict it with a "listen" address or an INPUT rule limited to ppp+.
    "protocol": "dokodemo-door",
    "settings": {
      // Must be true here to accept the traffic coming from iptables.
      "followRedirect": true
    },
    "sniffing": {
      "enabled": true,
      "destOverride": ["http", "tls"]
    }
  }
  ],
  // List of outbound proxy configurations.
  // Order matters: traffic that matches no routing rule goes to the first
  // outbound, i.e. "direct".
  "outbounds": [{
    // Protocol name of the outbound proxy.
    "protocol": "freedom",
    // Settings of the protocol. Varies based on protocol.
    "settings": {},
    // Tag of the outbound. May be used for routing.
    "tag": "direct"
  },{
    "protocol": "blackhole",
    "settings": {},
    "tag": "blocked"
  },{
    // Upstream SOCKS5 exit selected by the source-based routing rules below.
    "protocol":"socks",
    "settings":{
      "servers":[{
        "address": "106.13.20.201",
        "port": 1080
      }]
    },
    // No "users" entry is given, so the upstream must accept unauthenticated
    // clients, and no streamSettings wrap this outbound, so the hop is plain
    // SOCKS5 over TCP: it adds no confidentiality, and anyone else who can
    // reach the upstream port can use it too. If that server is
    // Internet-facing, restrict it to this host's source address or add
    // credentials via "users".
    "tag":"socksout"
  }
  ],
  // Transport is for global transport settings.
  // If you have multiple transports with same settings
  // (say mKCP), you may put it here, instead of in each individual inbound/outbounds.
  //"transport": {},
  // Routing controls how traffic from inbounds are sent to outbounds.
  "routing": {
    // When a rule needs an IP match, the domain is resolved first (through the
    // "dns" section below) and the resulting IP is matched.
    "domainStrategy": "IPOnDemand",
    // Rules are evaluated in order; the first match wins.
    "rules":[
      {
        // Blocks access to private IPs. Remove this if you want to access your router.
        // For the redirected PPTP traffic this is largely redundant: the SSTCP
        // chain in iptables RETURNs private destinations before the REDIRECT,
        // so they never reach vtworay on that path.
        "type": "field",
        "ip": ["geoip:private"],
        "outboundTag": "blocked"
      },
      {
        // Blocks major ads.
        "type": "field",
        "domain": ["geosite:category-ads"],
        "outboundTag": "blocked"
      },
      {
        // Per-client exit selection. "source" is the client's PPTP address,
        // which chap-secrets pins per account (u1 -> 10.10.10.1,
        // u2 -> 10.10.10.2). Only these two addresses get an explicit rule;
        // any other client from the remoteip pool 10.10.10.1-100 matches
        // nothing and falls through to the first outbound, "direct".
        "type":"field",
        // Left commented out, so the rule matches on source address from any
        // inbound, not only the "iptables" one.
        // "inboundTag":"iptables",
        "source":[ "10.10.10.1" ],
        "outboundTag":"socksout"
      },
      {
        "type":"field",
        // "inboundTag":"iptables",
        "source":[ "10.10.10.2" ],
        "outboundTag":"direct"
      }
    ]
  },
  // Dns settings for domain resolution.
  "dns": {
    // Static hosts, similar to hosts file.
    "hosts": {
      // Match vtworay.com to another domain on CloudFlare. This domain will be used when querying IPs for vtworay.com.
      "domain:vtworay.com": "www.vicemc.net",
      // The following settings help to eliminate DNS poisoning in mainland China.
      // It is safe to comment these out if this is not the case for you.
      "domain:github.io": "pages.github.com",
      "domain:wikipedia.org": "www.wikimedia.org",
      "domain:瞎逗socks.org": "electronicsrealm.com"
    },
    "servers": [
      "1.1.1.1",
      {
        "address": "114.114.114.114",
        "port": 53,
        // List of domains that use this DNS first.
        "domains": [ "geosite:cn" ]
      },
      "8.8.8.8",
      "localhost"
    ]
  },
  // Policy controls some internal behavior of how vtworay handles connections.
  // It may be on connection level by user levels in 'levels', or global settings in 'system.'
  "policy": {
    // Connection policies by user levels
    "levels": {
      "0": {
        "uplinkOnly": 0,
        "downlinkOnly": 0
      }
    },
    "system": {
      "statsInboundUplink": false,
      "statsInboundDownlink": false,
      "statsOutboundUplink": false,
      "statsOutboundDownlink": false
    }
  },
  // Stats enables internal stats counter.
  // This setting can be used together with Policy and Api.
  //"stats":{},
  // Api enables gRPC APIs for external programs to communicate with vtworay instance.
  //"api": {
  //"tag": "api",
  //"services": [
  //  "HandlerService",
  //  "LoggerService",
  //  "StatsService"
  //]
  //},
  // You may add other entries to the configuration, but they will not be recognized by vtworay.
  "other": {}
}
iptables配置文件
# Generated by iptables-save v1.4.21 on Mon Dec 21 17:48:35 2020
# Filter table: every chain is ACCEPT and no rules are defined, so nothing
# here limits who can reach the vtworay dokodemo-door port (tcp/8888) or the
# PPTP service; with INPUT wide open, exposure is decided only by the
# addresses the daemons bind to. Add INPUT rules per interface if eth0 is
# Internet-facing.
*filter
:INPUT ACCEPT [1061:156114]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [780:202895]
COMMIT
# Completed on Mon Dec 21 17:48:35 2020
# Generated by iptables-save v1.4.21 on Mon Dec 21 17:48:35 2020
# NAT table: steers the PPTP clients' TCP into vtworay and masquerades the
# rest out of eth0.
*nat
:PREROUTING ACCEPT [18:1251]
:INPUT ACCEPT [18:1251]
:OUTPUT ACCEPT [12:732]
:POSTROUTING ACCEPT [12:732]
:SSTCP - [0:0]
# Only TCP is handed to SSTCP. UDP from the PPTP clients (DNS lookups
# included) is never redirected to vtworay; it leaves directly through the
# MASQUERADE rule below, bypassing the SOCKS exit chosen in vtworay's routing.
-A PREROUTING -p tcp -j SSTCP
# Private, loopback, link-local, multicast and reserved destinations are left
# untouched; they never reach vtworay, which makes its "geoip:private"
# routing rule redundant for this path.
-A SSTCP -d 0.0.0.0/8 -j RETURN
-A SSTCP -d 10.0.0.0/8 -j RETURN
-A SSTCP -d 127.0.0.0/8 -j RETURN
-A SSTCP -d 169.254.0.0/16 -j RETURN
-A SSTCP -d 172.16.0.0/12 -j RETURN
-A SSTCP -d 192.168.0.0/16 -j RETURN
-A SSTCP -d 224.0.0.0/4 -j RETURN
-A SSTCP -d 240.0.0.0/4 -j RETURN
# Everything else arriving over a PPP link (the PPTP clients) is redirected to
# the local dokodemo-door inbound on 8888. The "-i ppp+" match keeps TCP
# arriving on eth0 out of the proxy.
-A SSTCP -i ppp+ -p tcp -j REDIRECT --to-ports 8888
# Client traffic that is not redirected (UDP, and the "direct" outbound's own
# connections are not affected by this rule) is NATed out of eth0 with the
# host's address.
-A POSTROUTING -s 10.10.10.0/24 -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Dec 21 17:48:35 2020
pptpd配置文件
############################################################################### # $Id: pptpd.conf,v 1.11 2011/05/19 00:02:50 quozl Exp $ # # Sample Poptop configuration file /etc/pptpd.conf # # Changes are effective when pptpd is restarted. ############################################################################### # TAG: ppp # Path to the pppd program, default '/usr/sbin/pppd' on Linux # #ppp /usr/sbin/pppd # TAG: option # Specifies the location of the PPP options file. # By default PPP looks in '/etc/ppp/options' # option /etc/ppp/options.pptpd # TAG: debug # Turns on (more) debugging to syslog # #debug # TAG: stimeout # Specifies timeout (in seconds) on starting ctrl connection # # stimeout 10 # TAG: noipparam # Suppress the passing of the client's IP address to PPP, which is # done by default otherwise. # #noipparam # TAG: logwtmp # Use wtmp(5) to record client connections and disconnections. # logwtmp # TAG: vrf <vrfname> # Switches PPTP & GRE sockets to the specified VRF, which must exist # Only available if VRF support was compiled into pptpd. # #vrf test # TAG: bcrelay <if> # Turns on broadcast relay to clients from interface <if> # #bcrelay eth1 # TAG: delegate # Delegates the allocation of client IP addresses to pppd. # # Without this option, which is the default, pptpd manages the list of # IP addresses for clients and passes the next free address to pppd. # With this option, pptpd does not pass an address, and so pppd may use # radius or chap-secrets to allocate an address. # #delegate # TAG: connections # Limits the number of client connections that may be accepted. # # If pptpd is allocating IP addresses (e.g. delegate is not # used) then the number of connections is also limited by the # remoteip option. The default is 100. #connections 100 # TAG: localip # TAG: remoteip # Specifies the local and remote IP address ranges. # # These options are ignored if delegate option is set. 
#
# Any addresses work as long as the local machine takes care of the
# routing. But if you want to use MS-Windows networking, you should
# use IP addresses out of the LAN address space and use the proxyarp
# option in the pppd options file, or run bcrelay.
#
# You can specify single IP addresses separated by commas or you can
# specify ranges, or both. For example:
#
#    192.168.0.234,192.168.0.245-249,192.168.0.254
#
# IMPORTANT RESTRICTIONS:
#
# 1. No spaces are permitted between commas or within addresses.
#
# 2. If you give more IP addresses than the value of connections,
#    it will start at the beginning of the list and go until it
#    gets connections IPs. Others will be ignored.
#
# 3. No shortcuts in ranges! ie. 234-8 does not mean 234 to 238,
#    you must type 234-238 if you mean this.
#
# 4. If you give a single localIP, that's ok - all local IPs will
#    be set to the given one. You MUST still give at least one remote
#    IP for each simultaneous client.
#
# (Recommended)
localip 10.10.10.254
remoteip 10.10.10.1-100
PPTP帐号密码
# Secrets for authentication using CHAP
# client server secret IP addresses
# The IP column assigns each account a fixed PPTP address. vtworay's routing
# rules match on exactly these addresses (10.10.10.1 -> socksout,
# 10.10.10.2 -> direct), so an account's exit depends on this pinning; an
# account without a fixed address here gets one from the remoteip pool and
# falls through to vtworay's default outbound.
# NOTE(review): the secrets are stored in plaintext and PPTP authentication is
# widely regarded as weak; keep this file readable by root only and do not
# reuse these passwords anywhere else.
u1 * p1 10.10.10.1
u2 * p2 10.10.10.2
对于 vtworay,使用 routing 字段,按 source IP 地址匹配并指定 outboundTag,就可以为内网 PPTP 客户端的每个 IP 分别指定公网 SOCKS5 出口。
附vtworay的路由属性:
{ "type": "field", "domain": [ "baidu.com", "qq.com", "geosite:cn" ], "ip": [ "0.0.0.0/8", "10.0.0.0/8", "fc00::/7", "fe80::/10", "geoip:cn" ], "port": "53,443,1000-2000", "network": "tcp", "source": [ "10.0.0.1" ], "user": [ "love@vtworay.com" ], "inboundTag": [ "tag-vmess" ], "protocol":["http", "tls", "bittorrent"], "attrs": "attrs[':method'] == 'GET'", "outboundTag": "direct", "balancerTag": "balancer" }