Is WireGuard the great VPN of the future?


The time has come for VPN to stop being an exotic tool of bearded system administrators. Users have different tasks, but the fact is that everyone needs a VPN.

The problem with current VPN solutions is that they are hard to configure correctly, expensive to maintain, and full of legacy code of questionable quality.

Several years ago, Canadian security specialist Jason A. Donenfeld decided he had had enough and started work on WireGuard. WireGuard is now being prepared for inclusion in the Linux kernel and has even received praise from Linus Torvalds and in the US Senate.

Advantages of WireGuard over other VPN solutions:

  • Easy to use.
  • Uses modern cryptography: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, and so on.
  • Compact, readable code that is easy to audit for vulnerabilities.
  • High performance.
  • A clear and detailed specification.

Has a silver bullet been found? Is it time to bury OpenVPN and IPSec? I decided to look into this, and at the same time wrote a script to install a VPN server automatically.

Principles of operation

The principles of operation can be described as follows:

  • A WireGuard interface is created and assigned a private key and an IP address. The settings of the other peers are loaded: public keys, IP addresses, and so on.
  • All IP packets arriving at the WireGuard interface are encapsulated in UDP and delivered securely to the other peers.
  • Clients specify the server's public IP address in their settings. The server learns the clients' external addresses automatically when correctly authenticated data arrives from them.
  • The server can change its public IP address without interrupting its work. When it does, it notifies the connected clients and they update their configuration on the fly.
  • The concept of Cryptokey Routing is used. WireGuard accepts and sends packets based on the peer's public key. When the server decrypts a correctly authenticated packet, its src field is checked. If it matches the allowed-ips configuration of the authenticated peer, the packet is accepted by the WireGuard interface. When an outgoing packet is sent, the corresponding procedure takes place: the packet's dst field is taken and the matching peer is selected based on it, the packet is signed with the sender's own key, encrypted with the peer's key and sent to the remote endpoint.
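A small model of the Cryptokey Routing checks from the last bullet, as an added example that is not part of the original article or of WireGuard's code. The peer labels, the extra gateway peer and the 192.168.50.0/24 network are assumptions, and the example goes slightly beyond the text by using longest-prefix matching when allowed-ips ranges nest.

```python
import ipaddress

# Constructed peer table mirroring a server's [Peer] sections:
# public key (placeholder labels, not real keys) -> allowed-ips.
PEERS = {
    "CLIENT_A_PUBKEY": ["10.9.0.2/32"],
    "CLIENT_B_PUBKEY": ["10.9.0.3/32", "192.168.50.0/24"],
    "SITE_GW_PUBKEY": ["10.9.0.0/24"],
}


def build_table(peers):
    """Flatten to (network, pubkey) pairs, most specific prefix first."""
    table = [(ipaddress.ip_network(cidr), key)
             for key, cidrs in peers.items() for cidr in cidrs]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def peer_for(table, ip):
    """Longest-prefix match of an address against every peer's allowed-ips."""
    addr = ipaddress.ip_address(ip)
    for net, key in table:
        if addr.version == net.version and addr in net:
            return key
    return None


def route_outbound(table, dst):
    """Outbound: dst selects the peer whose key encrypts the packet."""
    return peer_for(table, dst)  # None means no peer owns dst: drop


def accept_inbound(table, authenticated_key, src):
    """Inbound: the packet already decrypted and authenticated under
    authenticated_key; accept only if its inner src belongs to that peer."""
    return peer_for(table, src) == authenticated_key


TABLE = build_table(PEERS)

if __name__ == "__main__":
    print(route_outbound(TABLE, "192.168.50.7"))                 # CLIENT_B_PUBKEY
    print(accept_inbound(TABLE, "CLIENT_A_PUBKEY", "10.9.0.2"))  # True
    print(accept_inbound(TABLE, "CLIENT_A_PUBKEY", "10.9.0.3"))  # False: B's address
```

The inbound check is what stops an authenticated peer from sending packets with another peer's tunnel address as source.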

All of WireGuard's core logic takes fewer than 4 thousand lines of code, while OpenVPN and IPSec run to thousands of lines. To support modern cryptographic algorithms, it has been proposed to include a new cryptographic API, Zinc, in the Linux kernel. Whether this is a good idea is currently under discussion.

Performance

The greatest performance advantage (compared with OpenVPN and IPSec) will be seen on Linux systems, since WireGuard is implemented there as a kernel module. macOS, Android, iOS, FreeBSD and OpenBSD are also supported, but on them WireGuard runs in user space, with all the performance consequences that follow. Windows support is expected to be added in the near future.

Benchmark results from the project's site:


My experience of using it

I am not a VPN expert. I once set up OpenVPN by hand and it was very tedious, and I never even tried IPSec. There are too many decisions to make, and it is very easy to shoot yourself in the foot. So I have always used ready-made scripts to configure the server.

So WireGuard, from my point of view, is generally ideal for the user. All the low-level decisions are made in the specification, so setting up a typical VPN infrastructure takes only a few minutes. It is practically impossible to get the configuration wrong.

The installation process is described in detail on the official website; I would like to note separately the excellent OpenWRT support.

Encryption keys are generated with the wg utility:

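# Generate a key pair for the server and one for the client.
# The private keys are secrets; only the public keys are exchanged.
SERVER_PRIVKEY=$( wg genkey )
SERVER_PUBKEY=$( echo "$SERVER_PRIVKEY" | wg pubkey )
CLIENT_PRIVKEY=$( wg genkey )
CLIENT_PUBKEY=$( echo "$CLIENT_PRIVKEY" | wg pubkey )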

Next, create the server config /etc/wireguard/wg0.conf with the following content:

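[Interface]
Address = 10.9.0.1/24
# Fixed UDP port; without it a random port is chosen and the
# client's Endpoint (port 51820) would not reach the server
ListenPort = 51820
PrivateKey = $SERVER_PRIVKEY
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = 10.9.0.2/32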

and bring up the tunnel with the wg-quick script:

sudo wg-quick up /etc/wireguard/wg0.conf

On systems with systemd you can use sudo systemctl start wg-quick@wg0.service instead.

On the client machine, create the config /etc/wireguard/wg0.conf:

[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = 10.9.0.2/24
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:51820 # Server's external IP
PersistentKeepalive = 25

And bring up the tunnel in the same way:

sudo wg-quick up /etc/wireguard/wg0.conf

All that remains is to configure NAT on the server so that clients can reach the Internet, and you're done!
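A consistency check for a server/client config pair in the layout used above, as an added example that is not part of the original article or of the WireGuard tools. The sample configs are constructed with deliberate mismatches, the key values are placeholders, and `server_mode` is assumed to be supplied by the caller (for instance from `os.stat`).

```python
import ipaddress

# Constructed configs in the page's layout (keys are placeholders). The server
# has no ListenPort and its AllowedIPs miss the client's tunnel address.
SERVER = """[Interface]
Address = 10.9.0.1/24
PrivateKey = SERVER_PRIVKEY_PLACEHOLDER
[Peer]
PublicKey = CLIENT_PUBKEY_PLACEHOLDER
AllowedIPs = 10.9.0.2/32
"""
CLIENT = """[Interface]
PrivateKey = CLIENT_PRIVKEY_PLACEHOLDER
Address = 10.9.0.3/24
[Peer]
PublicKey = SERVER_PUBKEY_PLACEHOLDER
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:51820  # server's external IP
"""

def parse(text):
    """Return [(section, {key: value})]; [Peer] sections may repeat."""
    sections = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if line.startswith("[") and line.endswith("]"):
            sections.append((line[1:-1], {}))
        elif "=" in line and sections:
            key, value = line.split("=", 1)      # base64 keys may end in '='
            sections[-1][1][key.strip()] = value.strip()
    return sections

def check_pair(server_text, client_text, server_mode=0o600):
    """List mismatches that would leave the tunnel dead or the key exposed."""
    srv, cli = parse(server_text), parse(client_text)
    s_if = next(kv for name, kv in srv if name == "Interface")
    c_if = next(kv for name, kv in cli if name == "Interface")
    c_peer = next(kv for name, kv in cli if name == "Peer")
    findings = []
    port = c_peer["Endpoint"].rsplit(":", 1)[1]
    if s_if.get("ListenPort") != port:
        findings.append(f"ListenPort {s_if.get('ListenPort')} != Endpoint port {port}")
    addr = ipaddress.ip_interface(c_if["Address"]).ip
    allowed = [ipaddress.ip_network(c.strip()) for name, kv in srv
               if name == "Peer" for c in kv["AllowedIPs"].split(",")]
    if not any(addr in net for net in allowed):
        findings.append(f"{addr} is in no server AllowedIPs: packets dropped")
    if server_mode & 0o077:
        findings.append("server config with PrivateKey readable by group/others")
    return findings
```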

This ease of use and compactness of the code base were achieved by dropping key distribution functionality. There is no complex certificate system and all that enterprise horror; short encryption keys are distributed in much the same way as SSH keys. But this creates a problem: WireGuard will not be so easy to deploy on some existing networks.

Among the drawbacks, it is worth noting that WireGuard will not work through an HTTP proxy, since only UDP is available as a transport. The question arises: will it be possible to obfuscate the protocol? Of course, this is not a direct task of a VPN, but for OpenVPN, for example, there are ways to disguise itself as HTTPS, which helps residents of totalitarian countries make full use of the Internet.

Conclusions

To sum up, this is a very interesting and promising project, and you can already use it on personal servers. What is the gain? High performance on Linux systems, ease of setup and support, and a compact, readable code base. However, it is too early to rush to move complex infrastructure to WireGuard; it is worth waiting for its inclusion in the Linux kernel.

To save my (and your) time, I developed an automatic WireGuard installer. With its help, you can set up a personal VPN for yourself and your friends without understanding anything about it.

source: www.habr.com
