A new VPN implementation, WireGuard, has been added to the FreeBSD codebase.

The FreeBSD source tree has been updated with a new implementation of VPN WireGuard, based on kernel module code prepared jointly by the FreeBSD and WireGuard development teams, with contributions from Jason A. Donenfeld, author of VPN WireGuard, and John H. Baldwin, a well-known GDB and FreeBSD developer who implemented SMP and NUMA support in the FreeBSD kernel in the early 2000s. Now that the driver has been accepted into FreeBSD (sys/dev/wg), its development and maintenance will be carried out in the FreeBSD repository.

Before the code was accepted, a full review of the changes was carried out with the support of the FreeBSD Foundation. The review examined the driver's interaction with the rest of the kernel subsystems and assessed the possibility of using the primitives the kernel provides.

To use the cryptographic algorithms the driver requires, the API of the FreeBSD kernel crypto subsystem was extended: a facility was added that makes it possible to use algorithms not supported in FreeBSD through the standard crypto API, using implementations of the required algorithms from the libsodium library. Of the algorithms built into the driver, only the code for computing Blake2 hashes remains, since the implementation of this algorithm provided in FreeBSD is tied to a fixed hash size.

In addition, the code was optimized during the review, which made it possible to improve the efficiency of load distribution on multi-core CPUs (packet encryption and decryption tasks are balanced evenly across CPU cores). As a result, packet-processing overhead came close to that of the Linux driver implementation. The code also makes it possible to use the ossl driver to accelerate encryption operations.

Unlike the previous attempt to integrate WireGuard into FreeBSD, the new implementation uses the standard wg utility rather than a modified version of ifconfig, which makes it possible to unify configuration on Linux and FreeBSD. The wg utility, like the driver, is included in the FreeBSD source code, which became possible through a license change for the wg code (the code is now under the MIT and GPL licenses). The last attempt to include WireGuard in FreeBSD was made in 2020, but it ended in scandal: the code that had already been added was removed because of low quality, careless handling of buffers, the use of stubs instead of checks, an incomplete implementation of the protocol, and violation of the GPL license.

As a reminder, VPN WireGuard is built on modern encryption methods, delivers very high performance, is easy to use, is free of complications, and has proven itself in a number of large deployments that handle large volumes of traffic. The project has been in development since 2015, and the encryption methods it uses have been audited and formally verified. WireGuard uses the concept of cryptokey routing, which involves attaching a private key to each network interface and using public keys for binding.
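Cryptokey routing as described above, sketched as an added example (not code from the FreeBSD driver or the WireGuard project). It goes beyond the paragraph by modelling the per-peer allowed-IP prefixes that WireGuard associates with each public key; the class name, placeholder keys and addresses are constructed for illustration.

```python
import ipaddress

class CryptokeyRouter:
    """Hypothetical model of one interface's table: allowed prefix -> peer public key."""

    def __init__(self):
        self._routes = []  # list of (ip_network, peer_public_key)

    def add_peer(self, public_key, allowed_ips):
        for cidr in allowed_ips:
            self._routes.append((ipaddress.ip_network(cidr), public_key))

    def _lookup(self, address):
        """Longest-prefix match; returns the owning peer's key, or None."""
        ip = ipaddress.ip_address(address)
        best = None
        for net, key in self._routes:
            if ip.version == net.version and ip in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, key)
        return best[1] if best else None

    def peer_for_outbound(self, dst_ip):
        """Egress: the destination address selects the peer key used to encrypt."""
        return self._lookup(dst_ip)

    def accept_inbound(self, authenticated_peer_key, inner_src_ip):
        """Ingress: after decryption, the inner source address must map back
        to the same peer that authenticated the packet; otherwise drop it."""
        return self._lookup(inner_src_ip) == authenticated_peer_key

# Constructed sample data: placeholder keys and private address ranges.
PEER_A = "PEER_A_PUBLIC_KEY_PLACEHOLDER"
PEER_B = "PEER_B_PUBLIC_KEY_PLACEHOLDER"

def build_demo_router():
    router = CryptokeyRouter()
    router.add_peer(PEER_A, ["10.0.0.0/24", "fd00::/64"])
    router.add_peer(PEER_B, ["10.0.0.128/25"])  # more specific prefix wins
    return router

if __name__ == "__main__":
    r = build_demo_router()
    print("10.0.0.5   ->", r.peer_for_outbound("10.0.0.5"))
    print("10.0.0.200 ->", r.peer_for_outbound("10.0.0.200"))
    print("A sending as 10.0.0.200 accepted?", r.accept_inbound(PEER_A, "10.0.0.200"))
```

The ingress check is what makes the table a security control and not only a routing aid: a peer that holds a valid key still cannot source traffic from an address assigned to another peer.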

Public keys are exchanged to establish a connection in a manner similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism of the Noise Protocol Framework is used, similar to maintaining authorized keys in SSH. Data is transmitted through encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) is supported without breaking the connection, with automatic reconfiguration of the client.

Encryption uses the ChaCha20 stream cipher and the Poly1305 message authentication algorithm (MAC), developed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure analogues of AES-256-CTR and HMAC, whose software implementation makes it possible to achieve a fixed execution time without the use of special hardware support. To generate the shared secret key, the Diffie-Hellman protocol in the Curve25519 implementation, proposed by Daniel Bernstein, is used. The BLAKE2s algorithm (RFC7693) is used for hashing.

source: budenet.ru
