ipipou: more than just an unencrypted tunnel

What do we say to the god of IPv6?

That's right, and today we'll say the same thing to the god of encryption.

This is about an unencrypted IPv4 tunnel, but not one of the "warm lamp" kind: a modern "LED" one. Raw sockets flicker here too, and packets are handled in user space.

There are N tunneling protocols for every taste and colour:

  • the stylish, trendy, youthful WireGuard
  • the multi-purpose, Swiss-army-knife-like OpenVPN and SSH
  • the old but not bad GRE
  • the simplest, fastest, completely unencrypted IPIP
  • the actively developing GENEVE
  • many others.

But I'm a programmer, so I'll increase N just a little and leave the development of real protocols to the Kommersant developers.

In one not-yet-born project, what I'm doing right now is reaching hosts behind NAT from outside. Using protocols with grown-up cryptography for this, I couldn't shake the feeling that it was like shooting sparrows with a cannon. Because the tunnel is mostly used just to punch through NAT, the inner traffic is usually already encrypted, drowning in HTTPS anyway.

While researching the various tunnel protocols, my inner perfectionist was drawn to IPIP again and again because of its minimal overhead. But it has one and a half drawbacks for my tasks:

  • it requires public IPs on both sides,
  • and there's no authentication for you.

So the perfectionist was driven back into the dark corner of the skull, or wherever he lives.

And then one day, reading articles on the tunnels natively supported in Linux, I came across FOU (Foo-over-UDP), i.e. anything at all, wrapped in UDP. So far only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here's the silver bullet! Simple IPIP is enough for me," I thought.

In fact, the bullet turned out not to be entirely silver. Encapsulation in UDP solves the first problem: you can reach clients behind NAT from outside over an already established connection. But here the second half of the IPIP drawback blossoms in a new light: anyone on the private network can hide behind the visible public IP and client port (in pure IPIP this problem doesn't exist).

To solve this one-and-a-half problem, the utility ipipou was born. It uses a homebrew mechanism to authenticate the remote host, without interfering with the kernel FOU, which keeps processing packets quickly and efficiently in kernel space.

We don't need your scripts!

Okay, if you know the client's public IP and port (for example, nobody behind it goes anywhere and the NAT tries to map ports 1-to-1), you can raise an IPIP-over-FOU tunnel with the following commands, without any scripts.

on the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel with FOU encapsulation.
# The ipip module is loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

on the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The local, peer, peer_port and dev options may not be supported by older kernels; they can be omitted.
# peer and peer_port are used to establish the connection right when the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* - name of the local tunnel network interface
  • 203.0.113.1 - public IP of the server
  • 198.51.100.2 - public IP of the client
  • 192.168.0.2 - client IP assigned to the eth0 interface
  • 10001 - local FOU port of the client
  • 20001 - public FOU port of the client
  • 10000 - public FOU port of the server
  • encap-csum - option to add a UDP checksum to the encapsulated UDP packets; it can be replaced with noencap-csum, not to mention that integrity is already checked by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 - local interface the ipip tunnel will be bound to
  • 172.28.0.1 - IP of the client's tunnel interface (private)
  • 172.28.0.0 - IP of the server's tunnel interface (private)

As long as the UDP connection is alive, the tunnel will work; once it breaks, it's a matter of luck: if the client IP:port stays the same the tunnel survives, if it changes the tunnel breaks.

The easiest way to reset everything is to unload the kernel modules: modprobe -r fou ipip

Even when authentication isn't required, the client's public IP and port aren't always known and are often unpredictable or changing (depending on the NAT type). If you omit encap-dport on the server side, the tunnel won't work: it isn't smart enough to take the remote port from the connection. In this case ipipou can help too, or WireGuard and the like can help you.

How does it work?

The client (which is usually behind NAT) raises the tunnel (as in the example above) and sends an authentication packet to the server so that it sets up the tunnel on its side. Depending on the settings, this may be an empty packet (just so the server can see the public IP:port of the connection) or one carrying data by which the server can identify the client. The data can be a simple cleartext passphrase (an analogy with HTTP Basic Auth comes to mind) or specially crafted data signed with a secret key (by analogy with HTTP Digest Auth, only stronger; see the client_auth function in the code).

On the server (the side with the public IP), when ipipou starts it creates an nfqueue queue handler and configures netfilter so that the packets go where they should: packets that initiate a connection go to the nfqueue queue, and [almost] all the rest go straight to the FOU listener.

For those not in the know, nfqueue (or NetfilterQueue) is a special thing for laymen who don't know how to write kernel modules: using netfilter (nftables/iptables) it lets you redirect network packets to user space and handle them there with primitive means: modify (optionally) and hand back to the kernel, or drop.

For some programming languages there are bindings for working with nfqueue; for bash there weren't any (heh, no surprise), so I had to use python: ipipou uses NetfilterQueue.

If performance isn't critical, this thing lets you quickly and easily cook up your own logic for working with packets at a fairly low level, for example, build experimental transport protocols or troll local and remote services with non-standard behaviour.

Raw sockets work hand in hand with nfqueue: for example, when the tunnel is already configured and FOU is listening on the desired port, you can't send a packet from that port the usual way (it's busy), but you can take a hand-assembled packet and send it straight to the network interface through a raw socket, although assembling such a packet takes a bit of tinkering. This is how the authenticated packets are generated in ipipou.

Since ipipou only processes the first packets of a connection (plus those that managed to leak into the queue before the connection was established), performance hardly suffers.

As soon as the ipipou server receives an authenticated packet, the tunnel is created and all further packets of the connection are processed by the kernel, bypassing nfqueue. If the connection drops, the first packet of the next one lands in the nfqueue queue again; depending on the settings, if it isn't an authenticated packet but comes from the last remembered client IP and port, it can either be passed on or dropped. If an authenticated packet arrives from a new IP and port, the tunnel is reconfigured to use them.
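The mechanism described in the last few paragraphs, as an added illustration that is not ipipou's own code: a client builds an IPv4/UDP packet by hand (the raw-socket framing FOU expects on its port, with the ports and addresses from the setup section above), carries a signed authentication payload in it, and a server-side gate makes the nfqueue-style verdict: authenticate and remember the peer, pass a leaked packet from the remembered peer, or drop. The payload layout (MAGIC, client id, timestamp, HMAC-SHA256), the FouGate class and its verdict strings are assumptions made for this example; only the secret "topsecret", the lifetime 3600 and the addresses come from the page.

```python
import hashlib
import hmac
import socket
import struct
import time

# Constructed illustration: the auth layout (MAGIC, client id, timestamp, HMAC)
# is hypothetical and is NOT ipipou's wire format.  SECRET and the 3600 s
# lifetime reuse the page's sample config; IPs/ports reuse the setup section.
MAGIC = b"AUTH"
SECRET = b"topsecret"


def ip_checksum(data: bytes) -> int:
    """One's-complement checksum shared by the IPv4 header and UDP."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_udp_packet(src_ip, dst_ip, sport, dport, payload: bytes) -> bytes:
    """IPv4+UDP framing around payload: what a raw socket (IP_HDRINCL) needs
    when the UDP port is already held by the FOU listener."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    udp_len = 8 + len(payload)
    pseudo = src + dst + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    udp = struct.pack("!HHHH", sport, dport, udp_len, 0) + payload
    csum = ip_checksum(pseudo + udp) or 0xFFFF  # 0 in the field means "no csum"
    udp = udp[:6] + struct.pack("!H", csum) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0x4000, 64,
                     socket.IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", ip_checksum(ip)) + ip[12:]
    return ip + udp


def parse_udp_packet(raw: bytes):
    """Return (src_ip, dst_ip, sport, dport, payload) of an IPv4/UDP packet."""
    ihl = (raw[0] & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(raw[12:16]), socket.inet_ntoa(raw[16:20])
    sport, dport, udp_len, _ = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return src_ip, dst_ip, sport, dport, raw[ihl + 8:ihl + udp_len]


def verify_checksums(raw: bytes):
    """(ip_header_ok, udp_ok): a correct checksum re-sums to zero."""
    ihl = (raw[0] & 0x0F) * 4
    udp_len = struct.unpack("!H", raw[ihl + 4:ihl + 6])[0]
    pseudo = raw[12:20] + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len)
    return (ip_checksum(raw[:ihl]) == 0,
            ip_checksum(pseudo + raw[ihl:ihl + udp_len]) == 0)


def make_auth_payload(secret: bytes, client_id: int, now: int) -> bytes:
    """Signed auth data (the Digest-like variant).  The tag covers only the
    payload, not the outer IP:port; that is the gap the MITM paragraph names."""
    body = MAGIC + struct.pack("!IQ", client_id, now)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def check_auth_payload(secret: bytes, payload: bytes, now: int, lifetime: int):
    """Client id if the payload is well-formed, correctly signed and fresh, else None."""
    if len(payload) != 16 + 32 or payload[:4] != MAGIC:
        return None
    body, tag = payload[:16], payload[16:]
    if not hmac.compare_digest(tag, hmac.new(secret, body, hashlib.sha256).digest()):
        return None
    client_id, ts = struct.unpack("!IQ", body[4:])
    return client_id if abs(now - ts) <= lifetime else None


class FouGate:
    """User-space verdict for what netfilter hands to nfqueue: the first
    packet(s) of a UDP flow toward the FOU port.  The real tool returns
    ACCEPT/DROP to NetfilterQueue and re-points the kernel tunnel at the peer;
    here only the decision is returned."""

    def __init__(self, secret: bytes, lifetime: int = 3600, pass_known_peer: bool = True):
        self.secret, self.lifetime = secret, lifetime
        self.pass_known_peer = pass_known_peer  # policy for unsigned packets
        self.peer = None                        # last (ip, port) that authenticated

    def handle(self, raw: bytes, now=None) -> str:
        now = int(time.time()) if now is None else now
        src_ip, _, sport, _, payload = parse_udp_packet(raw)
        if check_auth_payload(self.secret, payload, now, self.lifetime) is not None:
            self.peer = (src_ip, sport)         # (re)configure tunnel to this peer
            return "accept-auth"
        if self.pass_known_peer and self.peer == (src_ip, sport):
            return "pass"                       # leaked packet of a live flow
        return "drop"


if __name__ == "__main__":
    gate, now = FouGate(SECRET), int(time.time())
    pkt = build_udp_packet("198.51.100.2", "203.0.113.1", 20001, 10000,
                           make_auth_payload(SECRET, 0, now))
    print(verify_checksums(pkt), gate.handle(pkt, now), gate.peer)
```

Because the HMAC binds only the payload and a timestamp, the very same signed packet presented from another source address within the lifetime is accepted and re-points the tunnel, which is the weakness the MITM paragraph in the text describes; anything that fixes it has to bind the outer address or cover later packets as well.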

Plain IPIP-over-FOU has one more problem when working with NAT: you can't create two IPIP tunnels encapsulated in UDP with the same pair of IPs, because the FOU and IPIP modules are fairly isolated from each other. That is, two clients behind the same public IP can't connect to the same server this way at the same time. In the future this may be solved at the kernel level, but that's not certain. For now, NAT problems can be solved with NAT: if it turns out that a pair of IP addresses is already taken by another tunnel, ipipou will NAT the public IP to an alternative private IP, and voila: you can create tunnels until the ports run out.

Because not all packets of the connection are signed, this simple protection is vulnerable to MITM: if a villain lurking on the path between client and server can listen to the traffic and tamper with it, they can redirect the authenticated packets through another address and create a tunnel from an untrusted host.

If anyone has ideas on how to fix this while keeping most of the traffic in the kernel, feel free to speak up.

By the way, encapsulation in UDP has proven itself very well. Compared with encapsulation directly over IP it is much more stable and often even faster, despite the overhead of the UDP header. This is because most hosts on the internet only work well with the three most popular protocols: TCP, UDP, ICMP. The hardware part may drop everything else, or process it more slowly, because it is optimised only for those three.

For example, that's why QUIC, on which HTTP/3 is based, was built on top of UDP rather than on top of IP.

Well, enough words; time to see how it works in the "real world".

Battle

iperf3 was used to simulate the real world. In terms of closeness to reality this is about the same as simulating the real world in Minecraft, but it'll do for now.

Participants in the competition:

  • the reference bare channel
  • the hero of this article, ipipou
  • OpenVPN with authentication but no encryption
  • OpenVPN in all-inclusive mode
  • WireGuard without PresharedKey, with MTU=1440 (since it's IPv4-only)

Technical data for the geeks
The metrics were taken with the following commands:

on the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Where "-b 12M" is the bandwidth of the bare channel divided by the number of streams "-P", so as not to spawn extra packets and spoil the results.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

on the server (runs at the same time as the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Tunnel settings

ipipou
Server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

Client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (no encryption, with authentication)
Server

openvpn --genkey --secret ovpn.key  # Then ovpn.key has to be copied to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

Client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as expected)
Configured using openvpn-manage

wireguard
Server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

Client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

Raw, ugly table
Server CPU load is not indicative, because many other services run there and sometimes eat resources:

proto bandwidth[Mbps] CPU_idle_client[%] CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

## ~1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms

[charts: 20 Mbps channel]

[charts: ~1 Gbps channel]

In all cases ipipou stays quite close to the bare channel, which is great!
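To put a number on "quite close", here is an added helper (not part of the original article) that parses a copy of the results table above and reports each tunnel's throughput as a fraction of the bare channel plus its latency penalty. The embedded RESULTS text reproduces a subset of the author's measurements verbatim, with both channel headers written as "##" so the parser can distinguish channels from protocol labels; the function names and the dictionary layout are this example's own.

```python
import re
from collections import defaultdict

# Subset of the page's results table, copied verbatim (the author's numbers);
# both channel headers use "##" so the parser can tell channels from protocols.
RESULTS = """\
## 20 Mbps channel
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms
## ~1 Gbps channel
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
"""

ROW = re.compile(r"^(UDP|TCP)\s+([\d.]+)\s+([\d.]+)\s+([\d.]+)")
LAT = re.compile(r"= [\d.]+/([\d.]+)/")  # the avg field of the ping summary


def parse_results(text):
    """{(channel, proto): {"UDP": (mbps, idle_client, idle_server), "TCP": ..., "lat": avg_ms}}"""
    data, channel, proto = defaultdict(dict), None, None
    for line in text.splitlines():
        if line.startswith("##"):
            channel = line[2:].strip()
        elif line.startswith("#"):
            proto = line[1:].split()[0]  # "openvpn0 (auth only, ...)" -> "openvpn0"
        elif m := ROW.match(line):
            data[(channel, proto)][m[1]] = tuple(float(x) for x in m.groups()[1:])
        elif m := LAT.search(line):
            data[(channel, proto)]["lat"] = float(m[1])
    return dict(data)


def relative_to_pure(data):
    """Per tunnel: throughput as a fraction of the bare channel, latency delta in ms."""
    out = {}
    for (channel, proto), m in data.items():
        if proto == "pure":
            continue
        base = data[(channel, "pure")]
        out[(channel, proto)] = {
            "UDP": round(m["UDP"][0] / base["UDP"][0], 3),
            "TCP": round(m["TCP"][0] / base["TCP"][0], 3),
            "lat_ms": round(m["lat"] - base["lat"], 3),
        }
    return out


if __name__ == "__main__":
    for key, rel in relative_to_pure(parse_results(RESULTS)).items():
        print(key, rel)
```

On the subset embedded here ipipou keeps about 97-98% of the bare channel's throughput on the 20 Mbps link and even exceeds the bare TCP figure on the ~1 Gbps link, while the unencrypted openvpn0 run collapses to a few percent of it over TCP, which is the odd behaviour the text remarks on.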

The unencrypted openvpn tunnel behaved rather strangely in both scenarios.

If anyone tries it, it would be interesting to hear feedback.

May IPv6 and NetPrickle be with us!

Source: www.habr.com
