ipipou: more than just an unencrypted tunnel

What do we say to the god of IPv6?

That's right, and today we'll say the same to the god of encryption.

Here we'll talk about an unencrypted IPv4 tunnel, but not the "warm incandescent" kind, rather the modern "LED" kind. Raw sockets flicker here too, and packets get handled in user space.

There are N tunneling protocols for every taste and colour:

  • stylish, fashionable, youthful WireGuard
  • multifunctional, like a Swiss army knife: OpenVPN and SSH
  • old but not evil GRE
  • the simplest, fastest, completely unencrypted IPIP
  • the actively developing GENEVE
  • and many others.

But I'm a programmer, so I'll only increase N by a fraction, and leave the development of real protocols to the serious developers.

In one draft that never got finished, I described what I'm doing right now: reaching hosts behind NAT from the outside. Using protocols with grown-up cryptography for this, I couldn't shake the feeling that it was like shooting sparrows with a cannon. The tunnel is mostly used only to punch holes in NAT, and the inner traffic is usually already encrypted, drowning in HTTPS anyway.

While I was studying the various tunneling protocols, my inner perfectionist's attention kept being drawn to IPIP because of its minimal overhead. But for my tasks it has one and a half major drawbacks:

  • it requires public IPs on both sides,
  • and it has no authentication at all.

So the perfectionist was driven back into a dark corner of the skull, or wherever it lives there.

Then one day, while reading articles on tunnels with native Linux support, I came across FOU (Foo-over-UDP), i.e. anything wrapped in UDP. So far only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here's the silver bullet! Plain IPIP is enough for me," I thought.

In fact the bullet turned out not to be quite silver. Encapsulation in UDP solves the first problem: you can reach clients behind NAT from outside over an already-established connection. But here the second half of IPIP's drawback blossoms in a new light: anyone on the private network can hide behind the visible public IP and client port (in pure IPIP this problem does not exist).

To solve this one-and-a-half problem, the ipipou utility was born. It implements a home-grown mechanism for authenticating the remote host, without disturbing the kernel's FOU operation, which keeps processing packets quickly and efficiently in kernel space.

We don't need your script!

OK, if you know the client's public IP and port (for example, nobody behind it goes anywhere else, and the NAT tries to map ports 1-to-1), you can create an IPIP-over-FOU tunnel with the following commands, without any script.

on the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel with FOU encapsulation.
# The ipip module is loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

on the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The local, peer, peer_port and dev options may not be supported by older kernels; they can be omitted.
# peer and peer_port are used to establish the connection immediately when the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* - name of the local tunnel network interface
  • 203.0.113.1 - public IP of the server
  • 198.51.100.2 - public IP of the client
  • 192.168.0.2 - client IP assigned to interface eth0
  • 10001 - local client port for FOU
  • 20001 - public client port for FOU
  • 10000 - public server port for FOU
  • encap-csum - option to add a UDP checksum to the encapsulating UDP packets; it can be replaced with noencap-csum, since integrity is already handled by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 - local interface to which the ipip tunnel is bound
  • 172.28.0.1 - IP of the client's tunnel interface (private)
  • 172.28.0.0 - IP of the server's tunnel interface (private)

As long as the UDP connection is alive, the tunnel stays in working order, but if it breaks, it's a matter of luck: if the client's IP:port stays the same, the tunnel survives; if they change, it breaks.

The easiest way to roll everything back is to unload the kernel modules: modprobe -r fou ipip

Even when authentication isn't required, the client's public IP and port are not always known, and are often unpredictable or changing (depending on the NAT type). If you omit encap-dport on the server side, the tunnel won't work: it is not clever enough to pick up the port of the remote connection. In that case ipipou can help, or WireGuard and the like can help you.

How does it work?

The client (usually the one behind NAT) opens the tunnel (as in the example above) and sends an authentication packet to the server so that the server can set up the tunnel on its side. Depending on the settings, this may be an empty packet (just so the server can see the public IP:port of the connection), or one carrying data by which the server can identify the client. The data can be a simple plaintext password (the analogy with HTTP Basic Auth comes to mind) or specially formed data signed with a secret key (analogous to HTTP Digest Auth, only stronger; see the client_auth function in the code).
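As an added illustration of the signed variant described above (my own sketch, not ipipou's client_auth): an HMAC-SHA256 token over a timestamp and a random nonce, checked by the server against a lifetime like the auth-lifetime in the sample config. The MAGIC marker, the field layout and the nonce cache are assumptions of this example.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed values for the example: the shared secret and lifetime mirror the
# auth-secret / auth-lifetime entries of the sample server.conf.
SECRET = b"topsecret"
AUTH_LIFETIME = 3600          # seconds a token stays acceptable
MAGIC = b"IPOU"               # assumed marker so the server can recognise auth packets

def build_auth(secret, now=None, nonce=None):
    """Client side: MAGIC | timestamp(8) | nonce(16) | HMAC-SHA256 over those 28 bytes."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = MAGIC + struct.pack("!Q", ts) + nonce
    return body + hmac.new(secret, body, hashlib.sha256).digest()

def verify_auth(secret, payload, now=None, seen_nonces=None, lifetime=AUTH_LIFETIME):
    """Server side: check layout, MAC (constant time), freshness and, if a cache is
    given, that the nonce has not been accepted before (replay within the lifetime)."""
    if len(payload) != 4 + 8 + 16 + 32 or not payload.startswith(MAGIC):
        return False
    body, mac = payload[:28], payload[28:]
    if not hmac.compare_digest(hmac.new(secret, body, hashlib.sha256).digest(), mac):
        return False
    ts = struct.unpack("!Q", body[4:12])[0]
    current = int(time.time()) if now is None else now
    if abs(current - ts) > lifetime:
        return False
    nonce = body[12:28]
    if seen_nonces is not None:
        if nonce in seen_nonces:
            return False
        seen_nonces.add(nonce)
    return True
```

Only the authentication packet is protected by this, so it does not address the on-path redirection discussed later in the article; it stops an attacker from reusing a captured auth packet after the lifetime, and within it if the nonce cache is kept.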

On the server (the side with the public IP), when ipipou starts it creates an nfqueue handler and configures netfilter to send the right packets where they belong: packets that initiate a connection go to the nfqueue queue, and [almost] all the rest go straight to the FOU listener.

For those unfamiliar with it, nfqueue (or NetfilterQueue) is a special thing for amateurs who don't know how to write kernel modules: using netfilter (nftables/iptables) it lets you redirect network packets to user space and process them there with whatever primitive means are at hand, (optionally) modify them and hand them back to the kernel, or drop them.

For some programming languages there are bindings for working with nfqueue; for bash there are none (heh, no surprise), so I had to use python: ipipou uses NetfilterQueue.

If performance isn't critical, this thing lets you relatively quickly and easily put together your own logic for working with packets at a fairly low level, for example to create experimental data transfer protocols, or to test how local and remote services cope with non-standard behaviour.

Raw sockets go hand in hand with nfqueue. For example, when the tunnel is already configured and FOU is listening on the desired port, you can't send a packet from that same port in the usual way, because it is busy, but you can take a hand-crafted packet and send it directly to the network through a raw socket, although building such a packet takes some extra tinkering. This is how the packets with authentication are created in ipipou.
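An added example (not ipipou's own code) of the framing the raw socket has to produce and the nfqueue handler has to parse: an outer IPv4+UDP datagram whose payload is a raw inner IPv4 packet. The outer UDP checksum is left at zero (the noencap-csum case) and the inner protocol number in the usage is the IANA experimental value 253; both are my choices for the example.

```python
import struct
from ipaddress import IPv4Address

def ip_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; evaluates to 0 over a header
    that already carries a correct checksum, which is how we validate."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (DF set, no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, ttl, proto, 0,
                      IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]

def build_fou_ipip(outer_src, outer_dst, sport, dport, inner_src, inner_dst, inner_proto, payload):
    """Client side: wrap an inner IPv4 packet in UDP, then in the outer IPv4 header."""
    inner = ipv4_header(inner_src, inner_dst, inner_proto, len(payload)) + payload
    # UDP checksum 0 means "not computed": the noencap-csum case from the article
    udp = struct.pack("!HHHH", sport, dport, 8 + len(inner), 0) + inner
    return ipv4_header(outer_src, outer_dst, 17, len(udp)) + udp

def parse_fou_ipip(pkt: bytes):
    """Server/nfqueue side: validate both IPv4 headers and the lengths, and return
    (outer_src, sport, inner_src, inner_dst, inner_proto, payload), or None if malformed."""
    if len(pkt) < 28 or pkt[0] >> 4 != 4:
        return None
    ihl = (pkt[0] & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl + 8 or ip_checksum(pkt[:ihl]) != 0 or pkt[9] != 17:
        return None
    sport, dport, ulen, _csum = struct.unpack("!HHHH", pkt[ihl:ihl + 8])
    inner = pkt[ihl + 8:ihl + ulen]
    if ulen < 8 + 20 or len(inner) != ulen - 8 or inner[0] >> 4 != 4:
        return None
    iihl = (inner[0] & 0x0F) * 4
    total = struct.unpack("!H", inner[2:4])[0]
    if iihl < 20 or ip_checksum(inner[:iihl]) != 0 or total != len(inner):
        return None
    return (str(IPv4Address(pkt[12:16])), sport, str(IPv4Address(inner[12:16])),
            str(IPv4Address(inner[16:20])), inner[9], inner[iihl:total])
```

To actually put such a datagram on the wire you would hand it to a raw socket with IP_HDRINCL set; the parser is the part an nfqueue callback would run on the bytes it receives.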

Since ipipou processes only the first packets of a connection (plus those that managed to slip into the queue before the connection was established), performance hardly suffers.

As soon as the ipipou server receives an authenticated packet, the tunnel is created and all further packets of the connection are handled by the kernel, bypassing nfqueue. If the connection fails, the first packet of the next one lands in the nfqueue queue; depending on the settings, a packet without authentication but from the last remembered client IP and port can either be passed through or dropped. If an authenticated packet arrives from a new IP and port, the tunnel is reconfigured to use them.

Regular IPIP-over-FOU has one more problem when working with NAT: you can't create two IPIP tunnels encapsulated in UDP with the same IP pair, because the FOU and IPIP modules are quite isolated from each other. That is, two clients behind the same public IP can't connect to the same server this way at the same time. In future this may be solved at the kernel level, but that's not certain. Meanwhile, NAT problems can be solved with NAT: if it turns out that a pair of IP addresses is already occupied by another tunnel, ipipou will NAT the public address to an alternative private IP, and voila, you can create tunnels until the ports run out.

Because not all packets of the connection are signed, this simple protection is vulnerable to MITM: if a villain lurks on the path between client and server who can listen to the traffic and manipulate it, they can redirect the authenticated packets through a different address and create a tunnel from an untrusted host.

If anyone has ideas on how to fix this while leaving most of the traffic in the clear, don't hesitate to speak up.

By the way, encapsulation in UDP has proved itself very well. Compared to encapsulation directly over IP it is much more stable and often faster, despite the extra overhead of the UDP header. This is because most hosts on the Internet work well only with the three most popular protocols: TCP, UDP and ICMP. The hardware part may discard everything else outright, or process it more slowly, because it is optimized only for those three.

For example, this is why QUIC, which HTTP/3 is based on, was built on top of UDP and not directly on top of IP.

Well, enough words, time to see how it works in the "real world".

Battle

iperf3 was used to emulate the real world. In terms of closeness to reality this is about the same as emulating the real world in Minecraft, but it'll do for now.

Contestants:

  • the reference main channel
  • the hero of this article, ipipou
  • OpenVPN with authentication but no encryption
  • OpenVPN in all-inclusive mode
  • WireGuard without PresharedKey, with MTU=1440 (since IPv4-only)

Technical details for geeks
Measurements were taken with the following commands:

on the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Here "-b 12M" is the bandwidth of the main channel divided by the number of "-P" streams, so as not to generate excess packets and spoil the performance figures.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

on the server (run at the same time as the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Tunnel configuration

ipipou
server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (no encryption, with authentication)
server

openvpn --genkey --secret ovpn.key  # Then ovpn.key has to be handed over to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as expected)
Configured using openvpn-manage

wireguard
server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

Dump of the ugly table
Server CPU load isn't very indicative, because quite a few other services run there and sometimes eat resources:

proto  bandwidth[Mbps]  CPU_idle_client[%]  CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP    20.4             99.80               93.34
TCP    19.2             99.67               96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP    19.8             98.45               99.47
TCP    18.8             99.56               96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP    19.3             99.89               72.90
TCP    16.1             95.95               88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP    19.6             99.75               72.35
TCP    17.0             94.47               87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP    19.3             91.60               94.78
TCP    17.2             96.76               92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

## roughly 1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP    729              73.40               39.93
TCP    363              96.95               90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP    714              63.10               23.53
TCP    431              95.65               64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP    193              17.51                1.62
TCP     12              95.45               92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP    629              22.26                2.62
TCP    198              77.40               55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms

(chart: 20 Mbps channel)

(chart: the optimistically named ~1 Gbps channel)

In all cases ipipou comes quite close in performance to the underlying channel, which is great!

The unencrypted openvpn tunnel behaved rather strangely in both cases.

If anyone tries it out, it would be interesting to hear feedback.

May IPv6 and NetPrickle be with us!

source: www.habr.com
