ipipou: more than just an unencrypted tunnel

What do we say to the god of IPv6?

Right, and today we will say the same thing to the god of encryption.

Here we will talk about an unencrypted IPv4 tunnel, but not a "warm valve" one, rather a modern "LED" one. There are also raw sockets flickering here, and work with packets in user space.

There are N tunneling protocols for every taste and colour:

  • the stylish, fashionable, youthful WireGuard
  • the multifunctional, Swiss-army-knife OpenVPN and SSH
  • the old but not evil GRE
  • the simplest, fast, completely unencrypted IPIP
  • the actively developing GENEVE
  • and many others.

But I am a programmer, so I will increase N by a fraction and leave the development of real protocols to the real developers.

In a project that has not yet been born, what I need to do now is reach hosts behind NAT from outside. Using protocols with grown-up cryptography for this, I could not shake the feeling that it is like shooting sparrows with a cannon. Because the tunnel is used mostly only to punch holes through NAT, the inner traffic is usually encrypted anyway, but it still drowns in HTTPS.

While researching various tunneling protocols, my attention was drawn to IPIP because of its minimal overhead. But it has one and a half significant drawbacks for my tasks:

  • it requires public IPs on both sides,
  • and there is no authentication for you.

So the minimalist was pushed back into the dark corner of the skull, or wherever it is he lives there.

And then one day, reading articles on natively supported tunnels in Linux, I came across FOU (Foo-over-UDP), i.e. anything at all wrapped in UDP. Currently only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here is the silver bullet! Simple IPIP is enough for me," I thought.

In fact, the bullet turned out not to be entirely silver. Encapsulation in UDP solves the first problem: you can connect to clients behind NAT from outside over a pre-established connection. But here half of the second IPIP drawback blossoms in a new light: anyone on the private network can hide behind the client's visible public IP and port (in pure IPIP this problem does not exist).

To solve this one-and-a-half problem, the ipipou utility was born. It implements a homegrown mechanism for authenticating the remote host, without disturbing the kernel FOU, which processes the packets quickly and efficiently in kernel space.

We don't need your script!

OK, if you know the client's public port and IP (for example, nobody behind it goes anywhere, the NAT tries to map ports 1-to-1), you can create an IPIP-over-FOU tunnel with the following commands, without any script.

on the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel encapsulated in FOU.
# The ipip module is loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

on the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The local, peer, peer_port and dev options may not be supported by older kernels; they can be omitted.
# peer and peer_port are used to create the connection immediately when the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* — the name of the local tunnel network interface
  • 203.0.113.1 — the server's public IP
  • 198.51.100.2 — the client's public IP
  • 192.168.0.2 — the client IP assigned to the eth0 interface
  • 10001 — the client's local port for FOU
  • 20001 — the client's public port for FOU
  • 10000 — the server's public port for FOU
  • encap-csum — option to add a UDP checksum to the encapsulated UDP packets; it can be replaced with noencap-csum, not to mention that integrity is already checked by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 — the local interface the ipip tunnel is bound to
  • 172.28.0.1 — the IP of the client's tunnel interface (private)
  • 172.28.0.0 — the IP of the server's tunnel interface (private)

As long as the UDP connection is alive, the tunnel will work; if it breaks, you need luck: if the client's IP:port stays the same, it will survive, if they change, it will break.

The easiest way to undo everything is to unload the kernel modules: modprobe -r fou ipip

Even when authentication is not required, the client's public IP and port are not always known and are often unpredictable or variable (depending on the NAT type). If you omit encap-dport on the server side, the tunnel will not work: it is not smart enough to pick up the remote port of the connection. In this case ipipou can help, or WireGuard and friends can help you.

How does it work?

The client (the one usually behind NAT) opens a tunnel (as in the example above) and sends an authentication packet to the server so that it sets up the tunnel on its side. Depending on the settings, this can be an empty packet (just so the server sees the public IP:port), or one carrying data by which the server can identify the client. The data can be a simple password in plain text (the analogy with HTTP Basic Auth comes to mind) or specially constructed data signed with a private key (like HTTP Digest Auth, only stronger; see the client_auth function in the code).

On the server (the side with the public IP), when ipipou starts, it creates an nfqueue queue handler and configures netfilter so that the relevant packets go where they should: packets that initiate a connection go to the nfqueue queue, and [almost] all the rest go straight to the FOU listener.

For those not in the know, nfqueue (or NetfilterQueue) is a special thing for amateurs who do not know how to develop kernel modules: using netfilter (nftables/iptables) it lets you redirect network packets to user space and process them there with the primitive means at hand, modify them (optionally) and return them to the kernel, or drop them.

For some programming languages there are bindings for working with nfqueue; for bash there are none (heh, not surprising), so I had to use Python: ipipou uses NetfilterQueue.

If performance is not critical, with this thing you can relatively quickly and easily whip up your own logic for handling packets at a fairly low level, for example to knock together experimental data transfer protocols, or to troll local and remote services with non-standard behaviour.

Raw sockets go hand in hand with nfqueue. For example, when the tunnel is already set up and FOU is listening on the required port, you cannot send a packet from that same port the usual way, because it is busy, but you can take a freshly generated packet and send it out of the network interface through a raw socket, although generating such a packet takes a bit more tinkering. This is how the authentication packets are created in ipipou.
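Assembling a datagram by hand, as the previous paragraph describes, means writing the IPv4 and UDP headers yourself, checksums included, because a raw socket with IP_HDRINCL takes the packet exactly as you built it. The following is an added example written for this article, not ipipou's own code: it builds an IPv4/UDP datagram for the client tunnel endpoint from the setup above, parses it back and recomputes both checksums so the construction can be checked before anything is sent (sending needs root or CAP_NET_RAW, and the client/server addresses and ports are the documentation values from this article).

```python
"""Build and verify an IPv4/UDP datagram the way a raw socket needs it.

Added example for this article (not ipipou's code). Addresses and ports are the
documentation values used above; the payload is a constructed placeholder.
"""
import socket
import struct


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit words; returns the complemented result."""
    if len(data) % 2:
        data += b"\x00"                      # odd length: pad for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_udp(src_ip: str, dst_ip: str, sport: int, dport: int,
                   payload: bytes, ident: int = 0) -> bytes:
    """Return IPv4 header + UDP header + payload with both checksums filled in."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    # UDP checksum covers the IPv4 pseudo-header, the UDP header (checksum 0) and the payload.
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, 0)
    csum = inet_checksum(pseudo + udp_hdr + payload)
    if csum == 0:
        csum = 0xFFFF                        # RFC 768: 0 on the wire means "no checksum"
    udp_hdr = struct.pack("!HHHH", sport, dport, udp_len, csum)
    # IPv4 header: version/IHL, TOS, total length, id, flags(DF)/offset, TTL, proto, csum, src, dst
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, ident, 0x4000,
                         64, socket.IPPROTO_UDP, 0, src, dst)
    ip_hdr = ip_hdr[:10] + struct.pack("!H", inet_checksum(ip_hdr)) + ip_hdr[12:]
    return ip_hdr + udp_hdr + payload


def verify_ipv4_udp(packet: bytes) -> dict:
    """Parse a datagram and recompute both checksums (a valid header sums to zero)."""
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    proto = packet[9]
    udp = packet[ihl:total_len]
    sport, dport, udp_len, _ = struct.unpack("!HHHH", udp[:8])
    pseudo = packet[12:16] + packet[16:20] + struct.pack("!BBH", 0, proto, udp_len)
    return {
        "src_ip": socket.inet_ntoa(packet[12:16]),
        "dst_ip": socket.inet_ntoa(packet[16:20]),
        "sport": sport,
        "dport": dport,
        "payload": udp[8:udp_len],
        "ip_ok": inet_checksum(packet[:ihl]) == 0,
        "udp_ok": proto == socket.IPPROTO_UDP and inet_checksum(pseudo + udp) == 0,
    }


def send_raw(packet: bytes, dst_ip: str) -> None:
    """Hand the finished datagram to the kernel unchanged (needs CAP_NET_RAW)."""
    with socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)
        s.sendto(packet, (dst_ip, 0))


if __name__ == "__main__":
    # Client -> server, from the FOU port the kernel already owns (constructed payload).
    pkt = build_ipv4_udp("192.168.0.2", "203.0.113.1", 10001, 10000, b"auth-placeholder")
    print(verify_ipv4_udp(pkt))
    # send_raw(pkt, "203.0.113.1")  # uncomment on the client host, as root
```

The kernel keeps the header you supplied when IP_HDRINCL is set, so an error in the checksum arithmetic shows up as a silently dropped packet on the far side; running the datagram back through verify_ipv4_udp before sending catches that locally.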

Since ipipou processes only the first packets of a connection (plus those that managed to leak into the queue before the connection was established), performance hardly suffers at all.

As soon as the ipipou server receives an authenticated packet, a tunnel is created and all subsequent packets of the connection are handled by the kernel, bypassing nfqueue. If the connection fails, the first packet of the next one is again sent to the nfqueue queue; depending on the settings, if it is not an authentication packet but comes from the last remembered client IP and port, it can be either passed through or dropped. If an authenticated packet arrives from a new IP and port, the tunnel is reconfigured to use them.

Ordinary IPIP-over-FOU has one more problem when working with NAT: it is impossible to create two UDP-encapsulated IPIP tunnels to the same IP, because the FOU and IPIP modules are quite isolated from each other. That is, a pair of clients behind one public IP cannot connect to the same server simultaneously this way. In the future this may perhaps be solved at the kernel level, but that is not certain. Meanwhile, NAT problems can be solved with NAT: if it turns out that a pair of IP addresses is already occupied by another tunnel, ipipou will NAT the public address to an alternative private IP and, voila, you can create tunnels until the ports run out.
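The server-side logic described in the last few paragraphs (an authentication packet identifying the client, the verdict on the first packet of a connection, re-pointing the tunnel when the client's NAT mapping changes, and the stand-in private address for a second client behind the same public IP) fits in a small state machine. The following is an added example written for this article, not ipipou's code: the packet layout (magic, timestamp, nonce, tunnel IP, HMAC-SHA256 tag), the verdict names, the alternate-address pool and the policy knob are all assumptions made here, and a shared auth-secret stands in for the public-key variant the article mentions. The netfilter rules that would feed packets to such a handler, and the NAT rule for the stand-in address, are outside the example.

```python
"""Model of ipipou's server-side handling of a connection's first packet.

Constructed illustration for this article, not ipipou's wire format or code.
"""
import hashlib
import hmac
import os
import socket
import struct
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

MAGIC = b"IPOU"        # constructed marker; an IPIP-in-UDP payload never starts with it
AUTH_LIFETIME = 3600   # seconds a signed packet stays valid; mirrors auth-lifetime in server.conf
TAG_LEN = 32
AUTH_LEN = len(MAGIC) + 4 + 16 + 4 + TAG_LEN


def build_auth_packet(secret: bytes, tunl_ip: str,
                      now: Optional[int] = None, nonce: Optional[bytes] = None) -> bytes:
    """Client side: MAGIC | ts(4) | nonce(16) | tunl_ip(4) | HMAC-SHA256 over the preceding bytes."""
    ts = int(time.time()) if now is None else now
    nonce = os.urandom(16) if nonce is None else nonce
    body = MAGIC + struct.pack("!I", ts) + nonce + socket.inet_aton(tunl_ip)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


@dataclass
class Tunnel:
    public_ip: str     # where the client's packets arrive from, as seen by the server
    public_port: int
    tunl_ip: str       # the client's private address inside the tunnel
    remote_ip: str     # address the kernel IPIP tunnel points at; differs only when NAT-ed


@dataclass
class Server:
    secret: bytes
    # Unsigned first packet from an endpoint we already know (e.g. one that leaked into
    # the queue before the tunnel came up): "accept" or "drop".
    unsigned_known_endpoint: str = "accept"
    # Two kernel IPIP tunnels cannot share a remote IP, so a second client behind the same
    # public IP is mapped to a private stand-in address (constructed pool).
    alt_pool: List[str] = field(default_factory=lambda: [f"10.255.255.{i}" for i in range(1, 255)])
    tunnels: Dict[str, Tunnel] = field(default_factory=dict)     # tunl_ip -> Tunnel
    seen_nonces: Dict[bytes, int] = field(default_factory=dict)  # nonce -> expiry time

    def verify_auth(self, payload: bytes, now: int) -> Optional[str]:
        """Return the tunnel IP the packet authenticates, or None if it is not valid auth."""
        if len(payload) != AUTH_LEN or not payload.startswith(MAGIC):
            return None
        body, tag = payload[:-TAG_LEN], payload[-TAG_LEN:]
        if not hmac.compare_digest(tag, hmac.new(self.secret, body, hashlib.sha256).digest()):
            return None
        (ts,) = struct.unpack("!I", body[4:8])
        nonce = body[8:24]
        if abs(now - ts) > AUTH_LIFETIME:
            return None                                 # stale or clock-skewed
        self.seen_nonces = {n: e for n, e in self.seen_nonces.items() if e > now}
        if nonce in self.seen_nonces:
            return None                                 # replay of a packet already accepted
        self.seen_nonces[nonce] = ts + AUTH_LIFETIME
        return socket.inet_ntoa(body[24:28])

    def _remote_for(self, src_ip: str, tunl_ip: str) -> str:
        taken = {t.remote_ip for ip, t in self.tunnels.items() if ip != tunl_ip}
        return src_ip if src_ip not in taken else self.alt_pool.pop(0)

    def handle_first_packet(self, src_ip: str, src_port: int, payload: bytes, now: int) -> str:
        """Verdict for a queued packet: accept, drop, tunnel-up or tunnel-moved."""
        tunl_ip = self.verify_auth(payload, now)
        if tunl_ip is None:
            known = any((t.public_ip, t.public_port) == (src_ip, src_port)
                        for t in self.tunnels.values())
            return self.unsigned_known_endpoint if known else "drop"
        existing = self.tunnels.get(tunl_ip)
        if existing and (existing.public_ip, existing.public_port) == (src_ip, src_port):
            return "accept"                             # tunnel already up for this endpoint
        if existing and existing.remote_ip != existing.public_ip:
            self.alt_pool.insert(0, existing.remote_ip)  # release the stand-in address
        remote = self._remote_for(src_ip, tunl_ip)
        self.tunnels[tunl_ip] = Tunnel(src_ip, src_port, tunl_ip, remote)
        return "tunnel-moved" if existing else "tunnel-up"
```

The nonce table only stops a signed packet from being accepted twice; it does nothing against an on-path relay that delivers the packet first from its own address, which is exactly the limitation the article describes, because the outer source IP:port is not part of what the client signs and a client behind NAT cannot know it in advance.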

Since not all packets in the connection are signed, this simple protection is vulnerable to MITM: if an attacker lurking on the path between client and server can listen to the traffic and manipulate it, they can redirect the authenticated packets through another address and create a tunnel from an untrusted host.

If anyone has ideas on how to fix this while leaving the bulk of the traffic in the kernel, do not hesitate to speak up.

By the way, encapsulation in UDP has proven itself very well. Compared to encapsulation over IP, it is much more stable and often faster despite the extra overhead of the UDP header. This is because most hosts on the Internet work well only with the three most popular protocols: TCP, UDP, ICMP. The hardware part may drop everything else entirely, or process it more slowly, because it is optimised only for those three.

For example, that is why QUIC, on which HTTP/3 is based, was built over UDP and not over IP.

OK, enough words, it is time to see how it works in the "real world".

Battle

iperf3 is used to imitate the real world. In terms of closeness to reality, this is about like imitating the real world in Minecraft, but it will do for now.

Contest participants:

  • reference: the main channel
  • ipipou, the hero of this article
  • OpenVPN with authentication but no encryption
  • OpenVPN in full mode
  • WireGuard with PresharedKey, MTU=1440 (since IPv4 only)

Technical data for geeks
The metrics were taken with these commands:

on the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Here "-b 12M" is the main channel bandwidth divided by the number of streams "-P", so as not to spawn extra packets and spoil the performance.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

on the server (run simultaneously with the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Tunnel setup

ipipou
server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (no encryption, with authentication)
server

openvpn --genkey --secret ovpn.key  # Then ovpn.key has to be handed over to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as expected)
Set up using openvpn-install

wireguard
server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

Ugly table
Server CPU load is not very indicative, because many other services run there and sometimes eat resources:

proto bandwidth[Mbps] CPU_idle_client[%] CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 core) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

## ~1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms

20 Mbps channel

[chart: 20 Mbps channel]

Chart for 1 optimistic Gbps

[chart: ~1 Gbps channel]

In all cases ipipou is quite close in performance to the main channel, great!

The unencrypted openvpn tunnel behaves rather strangely in both cases.

If anyone gives it a try, I would be glad to hear feedback.

May IPv6 and NetPrickle be with us!

Source: www.habr.com