Yafika nthawi yoti VPN sichirinso chida chachilendo cha oyang'anira ndevu. Ogwiritsa ntchito ali ndi ntchito zosiyanasiyana, koma zoona zake n'zakuti aliyense amafuna VPN.
Vuto ndi mayankho apano a VPN ndikuti ndizovuta kukonza bwino, okwera mtengo kuwasamalira, ndipo ali odzaza ndi malamulo amtundu wokayikitsa.
Zaka zingapo zapitazo, katswiri wodziwa za chitetezo ku Canada Jason A. Donenfeld anaganiza kuti zamukwanira ndipo anayamba kugwira ntchito. . WireGuard tsopano ikukonzekera kuphatikizidwa mu Linux kernel ndipo yalandira ngakhale matamando kuchokera ndi .
Ubwino wonenedwa ndi WireGuard pa mayankho ena a VPN:
- Yosavuta kugwiritsa ntchito.
- Amagwiritsa ntchito cryptography yamakono: Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, etc.
- Nambala yaying'ono, yowerengeka, yosavuta kufufuza ngati ili pachiwopsezo.
- Kuchita kwakukulu.
- Zomveka komanso zofotokozera .
Kodi chipolopolo chasiliva chapezeka? Kodi ndi nthawi yoyika OpenVPN ndi IPSec? Ndinaganiza zothana ndi zimenezi, ndipo nthaΕ΅i yomweyo ndinatero .
Mfundo zoyendetsera ntchito
Mfundo ntchito akhoza kufotokozedwa motere:
- Mawonekedwe a WireGuard amapangidwa ndipo kiyi yachinsinsi ndi IP adilesi amapatsidwa. Zokonda za anzawo zakwezedwa: makiyi awo apagulu, ma adilesi a IP, ndi zina.
- Mapaketi onse a IP omwe akufika pa mawonekedwe a WireGuard aphatikizidwa mu UDP ndi anzawo.
- Makasitomala amatchula adilesi ya IP yapagulu ya seva pazokonda. Seva imazindikira maadiresi akunja a makasitomala pamene deta yotsimikizika yolondola ilandilidwa kuchokera kwa iwo.
- Seva imatha kusintha adilesi yapagulu ya IP popanda kusokoneza ntchito yake. Panthawi imodzimodziyo, idzatumiza chenjezo kwa makasitomala olumikizidwa ndipo adzasintha masinthidwe awo pa ntchentche.
- Lingaliro la mayendedwe amagwiritsidwa ntchito . WireGuard amavomereza ndikutumiza mapaketi kutengera makiyi agulu a anzawo. Seva ikachotsa paketi yotsimikizika yotsimikizika, gawo lake la src limawunikidwa. Ngati ikufanana ndi kasinthidwe
allowed-ipsanzawo otsimikizika, paketiyo imalandiridwa ndi mawonekedwe a WireGuard. Mukatumiza paketi yotuluka, njira yofananira imachitika: gawo la dst la paketi limatengedwa ndipo, kutengerapo, mnzake wofananira amasankhidwa, paketiyo imasainidwa ndi kiyi yake, yosungidwa ndi kiyi ya anzawo ndikutumizidwa kumapeto kwakutali. .
Malingaliro onse a WireGuard amatenga mizere yochepera 4, pomwe OpenVPN ndi IPSec ali ndi mizere mazana masauzande. Kuti muthandizire ma algorithms amakono a cryptographic, akulinganizidwa kuti aphatikizepo API yatsopano ya cryptographic mu Linux kernel . Panopa pali zokambirana zomwe zikuchitika ngati ili ndi lingaliro labwino.
Kukonzekera
Ubwino waukulu wakuchita (poyerekeza ndi OpenVPN ndi IPSec) udzawoneka pamakina a Linux, popeza WireGuard imakhazikitsidwa ngati gawo la kernel pamenepo. Kuphatikiza apo, macOS, Android, iOS, FreeBSD ndi OpenBSD amathandizidwa, koma mwa iwo WireGuard imayenda mumalo ogwiritsira ntchito ndi zotsatira zake zonse. Thandizo la Windows likuyembekezeka kuwonjezeredwa posachedwa.
Zotsatira za benchmark ndi :
Chidziwitso changa chogwiritsa ntchito
Sindine katswiri wa VPN. Nthawi ina ndinakhazikitsa OpenVPN pamanja ndipo zinali zotopetsa, ndipo sindinayese ngakhale IPSec. Pali zosankha zambiri zoti mupange, ndizosavuta kudziwombera nokha pamapazi. Chifukwa chake, nthawi zonse ndimagwiritsa ntchito zolemba zokonzeka kukonza seva.
Chifukwa chake, WireGuard, m'malingaliro mwanga, nthawi zambiri ndi yabwino kwa wogwiritsa ntchito. Zosankha zonse zotsika zimapangidwa motsatira ndondomeko, kotero ndondomeko yokonzekera zomangamanga za VPN zimatenga mphindi zochepa chabe. Ndi pafupifupi zosatheka kunyenga mu kasinthidwe.
Ndondomeko ya kuyika pa tsamba lovomerezeka, ndikufuna padera kuzindikira zabwino kwambiri .
Makiyi a encryption amapangidwa ndi ntchito wg:
SERVER_PRIVKEY=$( wg genkey )
SERVER_PUBKEY=$( echo $SERVER_PRIVKEY | wg pubkey )
CLIENT_PRIVKEY=$( wg genkey )
CLIENT_PUBKEY=$( echo $CLIENT_PRIVKEY | wg pubkey )Kenako, muyenera kupanga seva config /etc/wireguard/wg0.conf ndi izi:
[Interface]
Address = 10.9.0.1/24
PrivateKey = $SERVER_PRIVKEY
[Peer]
PublicKey = $CLIENT_PUBKEY
AllowedIPs = 10.9.0.2/32ndi kwezani ngalandeyo ndi script wg-quick:
sudo wg-quick up /etc/wireguard/wg0.confPa machitidwe okhala ndi systemd mutha kugwiritsa ntchito izi m'malo mwake sudo systemctl start [email protected].
Pa makina a kasitomala, pangani config /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = 10.9.0.2/24
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:51820 # ΠΠ½Π΅ΡΠ½ΠΈΠΉ IP ΡΠ΅ΡΠ²Π΅ΡΠ°
PersistentKeepalive = 25 Ndipo kwezani tunnel mwanjira yomweyo:
sudo wg-quick up /etc/wireguard/wg0.confZomwe zatsala ndikukonza NAT pa seva kuti makasitomala athe kupeza intaneti, ndipo mwamaliza!
Kusavuta kugwiritsa ntchito komanso kuphatikizika kwa ma code code kunapezedwa pochotsa ntchito yofunika yogawa. Palibe makina a satifiketi ovuta komanso zoopsa zonse zamakampani; makiyi amfupi achinsinsi amagawidwa ngati makiyi a SSH. Koma izi zimabweretsa vuto: WireGuard sikhala yosavuta kukhazikitsa pamanetiweki omwe alipo.
Zina mwazoyipa, ndizoyenera kudziwa kuti WireGuard sigwira ntchito kudzera pa HTTP proxy, popeza ndi protocol ya UDP yokha yomwe imapezeka ngati mayendedwe. Funso likubuka: kodi zingatheke kusokoneza protocol? Inde, iyi si ntchito yeniyeni ya VPN, koma kwa OpenVPN, mwachitsanzo, pali njira zodzibisa ngati HTTPS, zomwe zimathandiza anthu okhala m'mayiko opondereza kugwiritsa ntchito intaneti mokwanira.
anapezazo
Mwachidule, iyi ndi pulojekiti yosangalatsa komanso yodalirika, mutha kugwiritsa ntchito kale pama seva anu. Phindu lake ndi chiyani? Kuchita bwino pamakina a Linux, kumasuka kokhazikitsa ndi kuthandizira, ma code ophatikizika komanso owerengeka. Komabe, kwatsala pang'ono kuthamangira kusamutsa zida zovuta ku WireGuard; ndikofunikira kuyembekezera kuphatikizidwa mu kernel ya Linux.
Kuti ndipulumutse nthawi yanga (ndi yanu), ndidapanga . Ndi chithandizo chake, mutha kukhazikitsa VPN yanu nokha ndi anzanu osamvetsetsa chilichonse.
Source: www.habr.com