ipipou: more than just an unencrypted tunnel

What do we say to the god of IPv6?

That's right, and today we'll say the same thing to the god of encryption.

Here we'll be talking about an unencrypted IPv4 tunnel, but not a "warm tube" one, rather a modern "LED" one. There are also raw sockets flickering here, and there's work with packets in user space.

There are N tunneling protocols for every taste and colour:

  • stylish, fashionable, youthful WireGuard
  • multifunctional, Swiss-army-knife-like OpenVPN and SSH
  • old and not evil GRE
  • the simplest, fastest, completely unencrypted IPIP
  • the actively developing GENEVE
  • many others.

But I'm a programmer, so I'll increase N by just a fraction and leave the development of real protocols to the Real Developers.

In one as-yet-unborn project I'm working on now, the task is to reach hosts behind NAT from the outside. Using protocols with grown-up cryptography for this, I couldn't shake the feeling that it's like firing a cannon at sparrows, because the tunnel is used mostly just to poke a hole in the NAT; the traffic inside is usually encrypted anyway, or at any rate ends up inside HTTPS.

While studying various tunneling protocols, my inner perfectionist was drawn more and more to IPIP because of its minimal overhead. But it has one and a half significant drawbacks for my tasks:

  • it requires public IPs on both sides,
  • and no authentication for you.

So the perfectionist was driven back into the dark corner of the skull, or wherever it is that it sits.

And then one day, while reading about natively supported tunnels in Linux, I came across FOU (Foo-over-UDP), i.e. whatever-you-like wrapped in UDP. So far only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here's the silver bullet! Plain IPIP is enough for me," I thought.

In fact, the bullet turned out not to be entirely silver. Encapsulation in UDP solves the first problem: you can connect to clients behind NAT from the outside over a pre-established connection. But here half of the next IPIP drawback blossoms in a new light: anyone from a private network can hide behind the visible public IP and port of the client (in pure IPIP this problem doesn't exist).

To solve this one-and-a-half problem, the utility ipipou was born. It uses a home-grown mechanism for authenticating the remote host, without interfering with the operation of kernel FOU, which will go on processing packets quickly and efficiently in kernel space.

We don't need your script!

OK, if you know the client's public port and IP (for example, nobody behind it goes anywhere, and the NAT tries to map ports 1-to-1), you can create an IPIP-over-FOU tunnel with the following commands, without any script.

on the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel encapsulated in FOU.
# The ipip module will be loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

on the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The local, peer, peer_port and dev options may not be supported by old kernels; they can be omitted.
# peer and peer_port are used to establish the connection immediately when the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* - name of the local tunnel network interface
  • 203.0.113.1 - public IP of the server
  • 198.51.100.2 - public IP of the client
  • 192.168.0.2 - client IP assigned to the interface eth0
  • 10001 - local client port for FOU
  • 20001 - public client port for FOU
  • 10000 - public server port for FOU
  • encap-csum - option to add a UDP checksum to the encapsulated UDP packets; can be replaced with noencap-csum, not to mention that integrity is already checked by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 - local interface to which the ipip tunnel will be bound
  • 172.28.0.1 - IP of the client tunnel interface (private)
  • 172.28.0.0 - IP of the server tunnel interface (private)

As long as the UDP connection stays alive, the tunnel will work, but if it breaks, it's a matter of luck: if the client's IP:port stays the same, the tunnel survives; if they change, it breaks.

The easiest way to undo all of this is to unload the kernel modules: modprobe -r fou ipip

Even if authentication isn't required, the client's public IP and port are not always known and are often unpredictable or changing (depending on the NAT type). If you omit encap-dport on the server side, the tunnel won't work; it isn't smart enough to pick up the port of the remote connection. In this case ipipou can help too, or WireGuard and others like it can help you.

How does it work?

The client (which is usually behind NAT) opens the tunnel (as in the example above) and sends an authentication packet to the server so that it sets up the tunnel on its side. Depending on the settings, this can be an empty packet (just so the server can see the public IP:port of the connection) or one carrying data by which the server can identify the client. The data can be a simple passphrase in plain text (the analogy with HTTP Basic Auth suggests itself) or specially crafted data signed with a private key (similar to HTTP Digest Auth, only stronger; see the client_auth function in the code).

On the server (the side with the public IP), when ipipou starts, it creates an nfqueue queue handler and configures netfilter so that the right packets go where they should: packets initiating a connection go to the nfqueue queue, and [almost] all the rest go straight to the FOU listener.

For those not in the know, nfqueue (or NetfilterQueue) is a special thing for amateurs who can't write kernel modules; using netfilter (nftables/iptables) it lets you redirect network packets into user space and process them there with the primitive means at hand: modify them (optionally) and hand them back to the kernel, or discard them.

For some programming languages there are bindings for working with nfqueue; for bash there are none (heh, no surprise). I had to use python: ipipou uses NetfilterQueue.

If performance isn't critical, with this thing you can quickly and easily concoct your own logic for handling packets at a fairly low level, for example to make up experimental data-transfer protocols, or to troll local and remote services with non-standard behaviour.

Raw sockets work hand in hand with nfqueue. For example, when the tunnel is already configured and FOU is listening on the desired port, you won't be able to send a packet from that same port in the usual way, because it's busy; but you can take a hand-crafted packet and send it straight to the network interface through a raw socket, although crafting such a packet takes a bit more tinkering. This is how the packets with authentication are created in ipipou.

Since ipipou processes only the first packets of a connection (and those that managed to leak into the queue before the connection was established), performance barely suffers.

As soon as the ipipou server receives an authentication packet, the tunnel is created, and all subsequent packets of the connection are handled by the kernel, bypassing nfqueue. If the connection drops, the first packet of the next one will go to the nfqueue queue; depending on the settings, if it isn't an authentication packet but comes from the last remembered client IP and port, it can be either passed through or discarded. If an authentication packet arrives from a new IP and port, the tunnel is reconfigured to use them.
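As an added illustration (not code from ipipou), here is a pure-Python sketch of the decision the server-side queue handler described above makes for the first packet of a UDP flow: accept a valid authentication packet and return the new endpoint, pass a non-auth packet only when it comes from the last remembered peer, and drop everything else. The auth payload layout (magic, timestamp, HMAC-SHA256 over both with the shared secret, standing in for auth-secret and auth-lifetime) and the constructed packets are assumptions for this example, not ipipou's wire format.

```python
import hashlib
import hmac
import struct
from ipaddress import IPv4Address

# Constructed example (not ipipou's code). The auth payload layout is an
# assumption for this illustration: b"AUTH" | 8-byte unix time | HMAC-SHA256.
MAGIC = b"AUTH"
SECRET = b"topsecret"   # plays the role of auth-secret from the config
LIFETIME = 3600         # plays the role of auth-lifetime (seconds)
SERVER_IP = "203.0.113.1"


def parse_ipv4_udp(pkt):
    """Return (src_ip, src_port, dst_port, udp_payload) from a raw IPv4/UDP packet."""
    if pkt[0] >> 4 != 4 or pkt[9] != 17:
        raise ValueError("not an IPv4/UDP packet")
    ihl = (pkt[0] & 0x0F) * 4
    src_ip = str(IPv4Address(pkt[12:16]))
    sport, dport, ulen = struct.unpack("!HHH", pkt[ihl:ihl + 6])
    return src_ip, sport, dport, pkt[ihl + 8:ihl + ulen]


def decide(pkt, now, known_peer=None):
    """Verdict for the first queued packet of a flow: ("accept", (ip, port)) for a valid
    auth packet, ("pass", peer) for a non-auth packet from the remembered peer, else drop."""
    src_ip, sport, dport, payload = parse_ipv4_udp(pkt)
    if not payload.startswith(MAGIC) or len(payload) != 4 + 8 + 32:
        # Not an auth packet: an inner IPIP packet that leaked into the queue.
        return ("pass", known_peer) if (src_ip, sport) == known_peer else ("drop", None)
    ts = struct.unpack("!Q", payload[4:12])[0]
    expected = hmac.new(SECRET, payload[:12], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, payload[12:]):
        return ("drop", None)             # wrong secret or tampered payload
    if abs(now - ts) > LIFETIME:
        return ("drop", None)             # stale: outside auth-lifetime
    # The MAC proves knowledge of the secret, not the outer source address,
    # which is exactly the gap the MITM caveat below is about.
    return ("accept", (src_ip, sport))    # new remote / encap-dport for the tunnel


def build_packet(src_ip, sport, dport, payload):
    """Constructed IPv4/UDP packet (checksums left at zero) carrying payload."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     IPv4Address(src_ip).packed, IPv4Address(SERVER_IP).packed)
    return ip + udp


def build_auth_packet(src_ip, sport, dport, ts):
    """Constructed auth packet as a client would send it (dport = the FOU port)."""
    body = MAGIC + struct.pack("!Q", ts)
    return build_packet(src_ip, sport, dport, body + hmac.new(SECRET, body, hashlib.sha256).digest())
```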

Ordinary IPIP-over-FOU has another problem when working with NAT: it's impossible to create two UDP-encapsulated IPIP tunnels with the same IP, because the FOU and IPIP modules are isolated from each other, i.e. a pair of clients behind the same public IP won't be able to connect to the same server this way. In the future this may perhaps be solved at the kernel level, but that isn't certain. In the meantime, NAT problems can be solved with NAT: if it turns out that a pair of IP addresses is already taken by another tunnel, ipipou will NAT the public one to an alternative private IP, and voila! You can create tunnels until the ports run out.

Because not all packets in the connection are signed, this simple protection is vulnerable to MITM: if a villain lurking on the path between the client and the server can sniff and manipulate the traffic, they can redirect the authentication packets through another address and set up the tunnel from an untrusted host.

If anyone has ideas on how to fix this while leaving the bulk of the traffic in the kernel, don't hesitate to speak up.

By the way, encapsulation in UDP has proven itself very well. Compared to encapsulation directly over IP, it's much more stable and often faster despite the extra overhead of the UDP header. This is because most hosts on the Internet work well only with the three most popular protocols: TCP, UDP and ICMP. A tangible share of them can drop everything else entirely, or process it more slowly, because they're optimized only for these three.

For example, this is why QUIC, on which HTTP/3 is based, was built on top of UDP rather than directly on top of IP.

Well, enough words; it's time to see how it works in the "real world".

Battle

iperf3 was used to emulate the real world. In terms of closeness to reality, that's about the same as emulating the real world in Minecraft, but for now it'll do.

Participants in the contest:

  • the reference main channel
  • the hero of this article, ipipou
  • OpenVPN with authentication but without encryption
  • OpenVPN in all-inclusive mode
  • WireGuard without PresharedKey, with MTU=1440 (since IPv4 only)

Technical data for geeks
Metrics were taken with the following commands:

on the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Where "-b 12M" is the bandwidth of the main channel divided by the number of streams "-P", so as not to generate extra packets and spoil performance.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

on the server (run simultaneously with the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Configuration

ipipou
server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (without encryption, with authentication)
server

openvpn --genkey --secret ovpn.key  # Then ovpn.key has to be passed to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as it should be)
Configured using openvpn-manage

WireGuard
server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

A raw, ugly table
Server CPU load isn't very indicative, since there are many other services running there that sometimes eat up resources:

proto bandwidth[Mbps] CPU_idle_client[%] CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

## ~1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms

20 Mbps channel (charts)

Channel of 1 optimistic Gbps (charts)

In all cases ipipou is very close in performance to the base channel, which is great!

The unencrypted openvpn tunnel behaved very strangely in both cases.

If anyone is going to test it, I'd be interested to hear the feedback.

May IPv6 and NetPrickle be with us!

Source: www.hab.com
