ipipou: more than just an unencrypted tunnel

What do we say to the god of IPv6?

That's right, and today we'll say the same thing to the god of encryption.

Here we'll talk about an unencrypted IPv4 tunnel, but not a "warm tube" one, rather a modern "LED" one. Raw sockets also shine here, and packets get handled in user space.

There are N tunneling protocols for every taste and colour:

  • the stylish, fashionable, youthful WireGuard
  • the multifunctional, Swiss-army-knife-like OpenVPN and SSH
  • the old and not-bad GRE
  • the simplest, fastest, completely unencrypted IPIP
  • the actively growing GENEVE
  • and many others.

But I'm a programmer, so I'll only increase N by a little and leave the development of real protocols to the Kommersant developers.

In one not-yet-born project that I'm working on now, I need to reach hosts behind NAT from the outside. Using protocols with grown-up cryptography for this, I couldn't shake the feeling that it was like shooting sparrows with a cannon. Because the tunnel is mostly used just to punch holes in NAT, the inner traffic is usually encrypted anyway, still drowning in HTTPS.

While studying the various tunneling protocols, my inner perfectionist's attention was drawn to IPIP again and again because of its minimal overhead. But it has one and a half significant drawbacks for my tasks:

  • it requires public IPs on both sides,
  • and there's no authentication for you.

So the perfectionist was driven back into the dark corner of the skull, or wherever it is he lives.

Then one day, reading articles about the tunnels natively supported in Linux, I came across FOU (Foo-over-UDP), i.e. anything at all, wrapped in UDP. At the moment only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here's the silver bullet! Simple IPIP is enough for me," I thought.

In fact, the bullet turned out not to be silver at all. Encapsulation in UDP solves the first problem (you can connect to clients behind NAT from the outside through a pre-established connection), but here half of the next IPIP drawback blossoms in a new light: anyone on the private network can hide behind the visible public IP and port of the client (in pure IPIP this problem doesn't exist).

To solve this one-and-a-half problem, the ipipou utility was born. It uses a home-grown mechanism for authenticating the remote host, without interfering with the operation of the kernel's FOU, which processes the packets quickly and efficiently in kernel space.

We don't need your script!

Well, if you know the client's public port and IP (for example, nobody behind it is going anywhere and the NAT tries to map ports 1-to-1), you can create an IPIP-over-FOU tunnel with the following commands, without any scripts at all.

on the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel encapsulated in FOU.
# The ipip module is loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

on the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The local, peer, peer_port and dev options may not be supported by older kernels; they can be omitted.
# peer and peer_port are used to establish the connection as soon as the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* - name of the local tunnel network interface
  • 203.0.113.1 - public IP of the server
  • 198.51.100.2 - public IP of the client
  • 192.168.0.2 - the client's IP assigned to interface eth0
  • 10001 - local client port for FOU
  • 20001 - public client port for FOU
  • 10000 - public server port for FOU
  • encap-csum - option to add a UDP checksum to the encapsulated UDP packets; it can be replaced with noencap-csum, not to mention that integrity is already checked by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 - local interface to which the ipip tunnel will be bound
  • 172.28.0.1 - IP of the client's tunnel interface (private)
  • 172.28.0.0 - IP of the server's tunnel interface (private)
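The two command listings above have to agree with each other in several places (the server's encap-dport is the client's public port, the client's encap-dport is the server's FOU port, the tunnel addresses are swapped between local and peer), and getting one of them wrong produces a tunnel that silently carries nothing. The following added example, which is not part of the article and not ipipou's code, derives both sides from one description so the pairs cannot drift apart; the dataclass and function names are assumptions made for this illustration. It only generates the command lines, it does not run them.

```python
"""Generate matching server-side and client-side `ip` commands for an
IPIP-over-FOU tunnel from a single description of the tunnel.

Added example (not the article's or ipipou's code). The dataclass and the
method names are assumptions for this illustration. Nothing is executed:
the returned lines are for review or for pasting into a root shell.
"""
import ipaddress
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class FouTunnel:
    server_public_ip: str    # public IP of the server (203.0.113.1 in the article)
    server_fou_port: int     # UDP port the server's FOU listener binds (10000)
    server_dev: str          # server interface the tunnel is bound to
    client_public_ip: str    # client's public IP as the server sees it (198.51.100.2)
    client_public_port: int  # client's public UDP port after NAT (20001)
    client_local_ip: str     # client's own address on its interface (192.168.0.2)
    client_local_port: int   # client's local FOU port (10001)
    client_dev: str          # client interface the tunnel is bound to
    server_tunl_ip: str      # private tunnel address of the server (172.28.0.0)
    client_tunl_ip: str      # private tunnel address of the client (172.28.0.1)
    encap_csum: bool = True  # add the UDP checksum on the client side (encap-csum)

    def __post_init__(self) -> None:
        for ip in (self.server_public_ip, self.client_public_ip, self.client_local_ip,
                   self.server_tunl_ip, self.client_tunl_ip):
            ipaddress.IPv4Address(ip)  # raises ValueError on anything that is not IPv4
        for port in (self.server_fou_port, self.client_public_port, self.client_local_port):
            if not 1 <= port <= 65535:
                raise ValueError(f"bad UDP port {port}")
        if self.server_tunl_ip == self.client_tunl_ip:
            raise ValueError("the two tunnel endpoints need distinct private addresses")

    def server_commands(self, ifname: str = "ipipou0") -> List[str]:
        """Commands for the host with the public IP; remote is the client's public IP:port."""
        return [
            "modprobe fou",
            f"ip link add name {ifname} type ipip"
            f" remote {self.client_public_ip} local {self.server_public_ip}"
            f" encap fou encap-sport {self.server_fou_port} encap-dport {self.client_public_port}"
            f" mode ipip dev {self.server_dev}",
            f"ip fou add port {self.server_fou_port} ipproto 4"
            f" local {self.server_public_ip} dev {self.server_dev}",
            f"ip address add {self.server_tunl_ip} peer {self.client_tunl_ip} dev {ifname}",
            f"ip link set {ifname} up",
        ]

    def client_commands(self, ifname: str = "ipipou1") -> List[str]:
        """Commands for the host behind NAT; it binds its local address and sends to the server's FOU port."""
        csum = "encap-csum" if self.encap_csum else "noencap-csum"
        return [
            "modprobe fou",
            f"ip link add name {ifname} type ipip"
            f" remote {self.server_public_ip} local {self.client_local_ip}"
            f" encap fou encap-sport {self.client_local_port} encap-dport {self.server_fou_port} {csum}"
            f" mode ipip dev {self.client_dev}",
            # peer/peer_port make the FOU listener open the UDP "connection" right away (newer kernels)
            f"ip fou add port {self.client_local_port} ipproto 4 local {self.client_local_ip}"
            f" peer {self.server_public_ip} peer_port {self.server_fou_port} dev {self.client_dev}",
            f"ip address add {self.client_tunl_ip} peer {self.server_tunl_ip} dev {ifname}",
            f"ip link set {ifname} up",
        ]


if __name__ == "__main__":
    # Same values as the article's listings.
    t = FouTunnel("203.0.113.1", 10000, "eth0", "198.51.100.2", 20001,
                  "192.168.0.2", 10001, "eth0", "172.28.0.0", "172.28.0.1")
    print("# server\n" + "\n".join(t.server_commands()))
    print("# client\n" + "\n".join(t.client_commands()))
```

Running it with the article's values reproduces the two listings above; swapping a port in the description changes both sides consistently, which is the point of generating them together.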

As long as the UDP connection stays alive, the tunnel will work; if it breaks, it's a matter of luck: if the client's IP:port stays the same, it will survive, if it changes, it will break.

The easiest way to undo everything is to unload the kernel modules: modprobe -r fou ipip

Even when authentication isn't required, the client's public IP and port aren't always known and are often unpredictable or changeable (depending on the NAT type). If you omit encap-dport on the server side, the tunnel won't work; it's not smart enough to pick up the remote connection port on its own. In that case ipipou can help too, or WireGuard and its kind can help you out.

How does it work?

The client (usually behind NAT) opens a tunnel (as in the example above) and sends an authentication packet to the server so that it sets up the tunnel on its side. Depending on the settings, this may be an empty packet (just so the server sees the public IP:port of the connection) or one carrying data by which the server can identify the client. The data can be a simple passphrase in clear text (the analogy with HTTP Basic Auth comes to mind) or specially crafted data signed with a private key (similar to HTTP Digest Auth, only stronger; see the client_auth function in the code).

On the server (the side with the public IP), when ipipou starts it creates an nfqueue queue handler and configures netfilter so that the right packets are sent where they belong: packets that initiate a connection go to the nfqueue queue, and [almost] all the others go straight to the FOU listener.

For those not in the know, nfqueue (or NetfilterQueue) is a special thing for amateurs who don't know how to write kernel modules: through netfilter (nftables/iptables) it lets you redirect network packets into user space and process them there with the primitive means at hand: modify (optionally) and hand back to the kernel, or drop.

Some programming languages have bindings for working with nfqueue; for bash there were none (heh, no surprise), so I had to use python: ipipou uses NetfilterQueue.

If performance isn't critical, with this thing you can quickly and easily whip up your own logic for working with packets at a fairly low level, for example build experimental data-transfer protocols, or troll local and remote services with non-standard behaviour.

Raw sockets work hand in hand with nfqueue: for example, when the tunnel is already created and FOU is listening on the required port, you can't send a packet from that same port the usual way (it's busy), but you can take an arbitrarily crafted packet and send it out through the network interface via a raw socket, although building such a packet takes a bit more tinkering. This is how the authentication packets are created in ipipou.

Since ipipou only handles the first packets of a connection (and those that managed to leak into the queue before the connection was set up), performance almost doesn't suffer.

As soon as the ipipou server receives an authenticated packet, the tunnel is created and all subsequent packets of the connection are processed by the kernel, bypassing nfqueue. If the connection breaks, the first packet of the next one lands in the nfqueue queue; depending on the settings, if it isn't an authenticated packet but comes from the last remembered client IP and port, it can be either passed through or dropped. If an authenticated packet arrives from a new IP and port, the tunnel is reconfigured to use them.

Plain IPIP-over-FOU has another problem when working with NAT: it's impossible to create two IPIP tunnels wrapped in UDP with the same IP, because the FOU and IPIP modules are quite isolated from each other. I.e. two clients behind the same public IP won't be able to connect to the same server simultaneously this way. In the future this may be solved at the kernel level, but that's not certain. Meanwhile, NAT problems can be solved with NAT: if it turns out that the pair of IP addresses is already taken by another tunnel, ipipou will NAT the public IP to an alternative private one, and voila! you can create tunnels until the ports run out.
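The server-side behaviour described in the last few paragraphs (authenticate the first packet, remember the client's IP:port, let the kernel handle the rest, re-point the tunnel when an authenticated packet arrives from a new endpoint, and borrow a spare private address when two clients share one public IP) is easy to get subtly wrong, so here it is as a small state machine. This is an added example, not ipipou's code: the packet format, the class and function names and the policy constants are assumptions made for this illustration, and the authentication is an HMAC over a shared secret (the article's auth-secret option) rather than ipipou's key-pair signature. No sockets or netfilter are involved; the "packets" are in-memory values, and everything after a tunnel exists is assumed to be handled by the kernel.

```python
"""Model of the decisions an ipipou-style server makes about packets that
netfilter hands to user space (the nfqueue path), plus the authentication
packet the client sends first. Added example, not ipipou's code: format,
names and policy constants are assumptions; the MAC uses a shared secret
where ipipou's stronger variant signs with a key pair.
"""
import hashlib
import hmac
import json
import os
import time
from typing import Optional

AUTH_LIFETIME = 3600           # seconds an auth packet stays valid (auth-lifetime in server.conf)
PASS_UNAUTH_FROM_KNOWN = True  # policy for plain packets arriving from the last remembered IP:port


def make_auth_payload(secret: bytes, client_id: str, now: Optional[float] = None) -> bytes:
    """Build an auth packet body: JSON header, a dot, and a hex HMAC-SHA256 tag.
    The timestamp and nonce sit under the MAC so a captured packet expires
    instead of being replayable forever."""
    header = {"id": client_id, "nonce": os.urandom(8).hex(),
              "ts": int(now if now is not None else time.time())}
    body = json.dumps(header, sort_keys=True).encode()
    tag = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    return body + b"." + tag


def verify_auth_payload(secret: bytes, payload: bytes, now: Optional[float] = None,
                        lifetime: int = AUTH_LIFETIME) -> Optional[str]:
    """Return the client id if the tag is valid and the timestamp is fresh, else None."""
    body, sep, tag = payload.rpartition(b".")
    if not sep:
        return None                                  # not in auth-packet shape at all
    expected = hmac.new(secret, body, hashlib.sha256).hexdigest().encode()
    if not hmac.compare_digest(tag, expected):
        return None                                  # forged, corrupted or wrong secret
    try:
        header = json.loads(body)
        ts, client_id = int(header["ts"]), str(header["id"])
    except (ValueError, KeyError, TypeError):
        return None
    now = now if now is not None else time.time()
    if abs(now - ts) > lifetime:
        return None                                  # stale: an old capture being replayed
    return client_id


class TunnelServer:
    """Decides what happens to the packets that reach user space."""

    def __init__(self, secret: bytes, known_clients, alt_private_ips):
        self.secret = secret
        self.known = set(known_clients)
        self.alt_pool = list(alt_private_ips)   # spare private addresses for the NAT workaround
        self.tunnels = {}       # client_id -> {"endpoint": (ip, port), "remote": outer remote ip}
        self.outer_in_use = {}  # outer remote ip -> client_id (one IPIP tunnel per address pair)

    def handle_queued(self, src_ip: str, src_port: int, payload: bytes,
                      now: Optional[float] = None) -> str:
        """One queued packet -> 'accept', 'drop', or 'tunnel:<id>:<remote>' when a
        tunnel was created or re-pointed at a new endpoint."""
        endpoint = (src_ip, src_port)
        client_id = verify_auth_payload(self.secret, payload, now)
        if client_id is None or client_id not in self.known:
            # Not a valid auth packet: only the last remembered endpoint may pass.
            remembered = any(t["endpoint"] == endpoint for t in self.tunnels.values())
            return "accept" if remembered and PASS_UNAUTH_FROM_KNOWN else "drop"
        current = self.tunnels.get(client_id)
        if current is not None and current["endpoint"] == endpoint:
            return "accept"     # an auth packet that leaked into the queue after setup
        return self._configure(client_id, endpoint)

    def _configure(self, client_id: str, endpoint) -> str:
        old = self.tunnels.pop(client_id, None)
        if old is not None:     # release the outer address the previous tunnel used
            del self.outer_in_use[old["remote"]]
            if old["remote"] != old["endpoint"][0]:
                self.alt_pool.append(old["remote"])
        src_ip = endpoint[0]
        if src_ip in self.outer_in_use:
            # Another client behind the same public IP already owns the IPIP tunnel for it,
            # so this client's packets are NATed onto a spare private address instead.
            if not self.alt_pool:
                return "drop"   # out of spare addresses; nothing can be configured
            remote = self.alt_pool.pop(0)
        else:
            remote = src_ip
        self.outer_in_use[remote] = client_id
        self.tunnels[client_id] = {"endpoint": endpoint, "remote": remote}
        return f"tunnel:{client_id}:{remote}"
```

The lifetime check is what makes a captured authentication packet useless after an hour; the endpoint bookkeeping is what lets a client follow a NAT rebinding without the server having to know its port in advance. Note that nothing here binds the authentication to the outer IP:port, which is exactly the on-path weakness the article goes on to describe.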

Because not all packets in the connection are signed, this simple protection is vulnerable to MITM: if a villain lurking on the path between client and server can listen to the traffic and manipulate it, they can redirect the authenticated packets through another address and set up the tunnel from an untrusted host.

If anyone has ideas on how to fix this while keeping the bulk of the traffic inside the kernel, don't hesitate to speak up.

By the way, encapsulation in UDP has proven itself very well. Compared to encapsulation directly over IP, it's far more stable and often faster, despite the extra overhead of the UDP header. This is because most hosts on the Internet work well only with the three best-known protocols: TCP, UDP, ICMP. The hardware part can drop everything else outright, or process it more slowly, because it's optimized only for those three.

For example, this is why QUIC, on which HTTP/3 is based, was built on top of UDP and not on top of IP.

Well, enough words; it's time to see how it works in the "real world".

Battle

iperf3 is used to simulate the real world. In terms of closeness to reality this is roughly the same as simulating the real world in Minecraft, but for now it will do.

Competition participants:

  • the reference main channel
  • the hero of this article, ipipou
  • OpenVPN with authentication but without encryption
  • OpenVPN in all-inclusive mode
  • WireGuard without PresharedKey, with MTU=1440 (since IPv4-only)

Technical data for geeks
Metrics are taken with the following commands:

on the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Where "-b 12M" is the bandwidth of the main channel divided by the number of streams "-P", so as not to spawn extra packets and hurt performance.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

on the server (runs simultaneously with the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Tunnel configuration

ipipou
server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (no encryption, with authentication)
server

openvpn --genkey --secret ovpn.key  # Then ovpn.key must be handed to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as it should be)
Configured using openvpn-manage

wireguard
server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

An ugly raw table
The server CPU load isn't very indicative, because many other services run there and sometimes consume resources:

proto bandwidth[Mbps] CPU_idle_client[%] CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

## ~1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms
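The conclusion drawn from this table is a relative one (how close each tunnel gets to the reference channel), so it helps to compute that ratio rather than eyeball it. The following added example, which is not part of the article, parses the raw table format printed above and reports each tunnel's throughput as a fraction of the "pure" channel per scenario and transport. The parsing rules are assumptions fitted to the table as printed (blank lines separate scenarios, the first comment line of a scenario is its title, later comment lines name the protocol whose measurements follow); the embedded sample is copied from the article's table, with the full-encryption OpenVPN rows left out for brevity.

```python
"""Parse the article's raw benchmark table and express every tunnel's
throughput relative to the reference ("pure") channel of the same scenario.
Added example, not the article's code; the format rules are assumptions
fitted to the table as printed.
"""
from typing import Dict

# Copied from the article's results table (full-encryption OpenVPN rows omitted).
SAMPLE = """\
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87

## ~1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
"""


def parse_results(text: str) -> Dict[str, dict]:
    """{scenario: {proto: {"UDP"/"TCP": (bandwidth, cpu_idle_client, cpu_idle_server), "ICMP": raw line}}}"""
    scenarios: Dict[str, dict] = {}
    title = proto = None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            title = None                     # a blank line closes the current scenario
            continue
        if line.startswith("#"):
            label = line.lstrip("#").strip()
            if title is None:                # first comment of a scenario is its title
                title = label
                scenarios[title] = {}
            else:                            # later comments name the tunnel under test
                proto = label
                scenarios[title][proto] = {}
            continue
        if title is None or proto is None:
            continue                         # e.g. the column header before any scenario
        parts = line.split()
        if parts[0] in ("UDP", "TCP") and len(parts) == 4:
            scenarios[title][proto][parts[0]] = tuple(float(x) for x in parts[1:])
        elif parts[0] == "ICMP":
            scenarios[title][proto]["ICMP"] = line   # different layout; keep the raw string
    return scenarios


def relative_throughput(scenarios: Dict[str, dict], reference: str = "pure") -> Dict[str, dict]:
    """Bandwidth of every tunnel divided by the reference channel's, per scenario and transport."""
    out: Dict[str, dict] = {}
    for title, protos in scenarios.items():
        base = protos[reference]
        out[title] = {}
        for proto, rows in protos.items():
            if proto == reference:
                continue
            out[title][proto] = {t: round(rows[t][0] / base[t][0], 3)
                                 for t in ("UDP", "TCP") if t in rows and t in base}
    return out


if __name__ == "__main__":
    for title, ratios in relative_throughput(parse_results(SAMPLE)).items():
        print(title)
        for proto, r in ratios.items():
            print(f"  {proto:40s} UDP {r['UDP']:.3f}  TCP {r['TCP']:.3f}")
```

On the gigabit scenario the ipipou TCP ratio comes out above 1, i.e. the tunnel measured faster than the bare channel, which says more about the noise of a single iperf3 run across the Atlantic than about the tunnel; that is the kind of thing a ratio makes visible at a glance.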

20 Mbps channel


channel at 1 optimistic Gbps


In all cases ipipou comes quite close in performance to the base channel, which is great!

The unencrypted openvpn tunnel behaved rather strangely in both cases.

If anyone tries it out, it would be interesting to hear the feedback.

May IPv6 and NetPrickle be with you!

Source: www.habr.com
