WireGuard VPN has been accepted into the net-next branch and is slated for inclusion in the Linux 5.6 kernel.

David S. Miller, who is responsible for the networking subsystem of the Linux kernel, has accepted into the net-next branch the patches implementing the VPN interface from the WireGuard project. Early next year, the changes accumulated in the net-next branch will form the basis of the Linux kernel 5.6 release.

Attempts to push the WireGuard code into the mainline kernel have been made over the past few years, but they were unsuccessful because the code was tied to the project's own implementations of cryptographic functions, which were used to improve performance. Initially, these functions were proposed for the kernel as an additional low-level API, Zinc, which could eventually replace the standard Crypto API.

Following discussions at the Kernel Recipes conference, the WireGuard authors made a compromise decision in September to port their patches to the Crypto API already present in the kernel, an API about which the WireGuard developers have complaints regarding performance and general security. It was decided to continue developing the Zinc API, but as a separate project.

In November, the kernel developers made a reciprocal compromise and agreed to move part of the code from Zinc into the mainline kernel. In essence, some Zinc components will be moved into the kernel, not as a separate API but as part of the Crypto API subsystem. For example, the Crypto API already includes the fast implementations of the ChaCha20 and Poly1305 algorithms prepared in WireGuard.

In connection with the upcoming delivery of WireGuard in the mainline kernel, the project's founder announced a restructuring of the repository. To simplify development, the monolithic "WireGuard.git" repository, which was designed to exist in isolation, will be replaced by three separate repositories that are better suited to organizing work with code in the mainline kernel:

  • wireguard-linux.git - a complete kernel tree with the changes from the WireGuard project, patches from which will be reviewed for inclusion in the kernel and regularly pushed to the net/net-next branches.
  • wireguard-tools.git - a repository for the utilities and scripts that run in user space, such as wg and wg-quick. The repository can be used to build packages for distributions.
  • wireguard-linux-compat.git - a repository with a variant of the module that is supplied separately from the kernel and includes the compat.h layer to ensure compatibility with older kernels. The main development will take place in the wireguard-linux.git repository, but as long as there is opportunity and demand among users, a separate version of the patches will also be maintained in working form.

Recall that WireGuard VPN is implemented on the basis of modern encryption methods, delivers very high performance, is easy to use, is free of complications, and has proven itself in a number of large deployments that process large volumes of traffic. The project has been in development since 2015 and has undergone an audit and formal verification of the encryption methods used. WireGuard support is already integrated into NetworkManager and systemd, and the kernel patches are included in the base distributions Debian Unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph and ALT.

WireGuard uses the concept of cryptokey routing, which involves binding a private key to each network interface and using public keys for binding. Public keys are exchanged to establish a connection in a manner similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, similar to maintaining authorized_keys in SSH. Data is transmitted by encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) is supported without dropping the connection, with automatic reconfiguration of the client.
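The cryptokey routing described above can be modeled as a table that ties each peer's public key to the tunnel addresses that peer may use. This is an added example, not code from the WireGuard project: the class, the key placeholders and the address ranges are constructed, and the per-peer allowed-address lists are an assumption the article does not spell out.

```python
import ipaddress

# Constructed placeholders standing in for peers' Curve25519 public keys.
PEER_A = "PEER_A_PUBLIC_KEY"
PEER_B = "PEER_B_PUBLIC_KEY"

class CryptokeyRouter:
    """Toy model of a cryptokey routing table (illustration, not kernel code)."""

    def __init__(self):
        self._routes = {}  # ip_network -> public key of the peer that owns it

    def add_peer(self, public_key, allowed_ips):
        for cidr in allowed_ips:
            # strict=False masks host bits, so "10.0.0.5/24" becomes 10.0.0.0/24.
            net = ipaddress.ip_network(cidr, strict=False)
            # A prefix has exactly one owner; re-adding it moves it to the new peer.
            self._routes[net] = public_key

    def _owner(self, address):
        addr = ipaddress.ip_address(address)
        best = None
        for net, key in self._routes.items():
            if net.version == addr.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, key)  # longest prefix wins
        return best[1] if best else None

    def peer_for_outgoing(self, dst_ip):
        """Egress: the peer whose session encrypts a packet to dst_ip; None means drop."""
        return self._owner(dst_ip)

    def accept_incoming(self, authenticated_peer, inner_src_ip):
        """Ingress: after decryption, the inner source address must belong to
        the peer whose key authenticated the packet, otherwise it is dropped."""
        return self._owner(inner_src_ip) == authenticated_peer

def build_demo_router():
    router = CryptokeyRouter()
    router.add_peer(PEER_A, ["10.0.0.0/24", "fd00::/64"])
    router.add_peer(PEER_B, ["10.0.0.200/32"])
    return router

if __name__ == "__main__":
    r = build_demo_router()
    print(r.peer_for_outgoing("10.0.0.7"))          # routed to peer A
    print(r.peer_for_outgoing("10.0.0.200"))        # /32 is more specific: peer B
    print(r.accept_incoming(PEER_A, "10.0.0.200"))  # A claiming B's address
```

The ingress check is what makes the key act as the identity: a peer that authenticates correctly still cannot source packets from an address that routes to a different key.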

For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication algorithm (MAC) are used, designed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure counterparts of AES-256-CTR and HMAC, whose software implementation achieves a fixed execution time without the use of special hardware support. To generate the shared secret key, the Diffie-Hellman protocol in the Curve25519 implementation, also proposed by Daniel Bernstein, is used. The algorithm used for hashing is BLAKE2s (RFC7693).

In performance testing, WireGuard showed 3.9 times higher throughput and 3.8 times higher responsiveness compared to OpenVPN (256-bit AES with HMAC-SHA2-256). Compared to IPsec (256-bit ChaCha20 + Poly1305 and AES-256-GCM-128), WireGuard shows a small performance gain (13-18%) and lower latency (21-23%). The tests were run using the fast implementations of the encryption algorithms developed by the project; switching to the kernel's standard Crypto API may lead to worse performance.


source: budenet.ru
