ipipou: more than just an unencrypted tunnel

What do we say to the god of IPv6?

That's right, and today we will say the same thing to the god of encryption.

This is about an unencrypted IPv4 tunnel, but not a "warm tube" one: a modern "LED" one. Raw sockets also flicker past here, and packets get handled in user space.

There are N tunneling protocols for every taste and colour:

  • the stylish, fashionable, youthful WireGuard
  • the multifunctional, Swiss-army-knife-like OpenVPN and SSH
  • the old and not evil GRE
  • the simplest, fastest, completely unencrypted IPIP
  • the actively developing GENEVE
  • and many others.

But I am a programmer, so I will increase N only by a fraction, and leave the development of real protocols to the hardcore protocol developers.

In one not-yet-born project I am working on now, I need to reach hosts behind NAT from the outside. Using protocols with grown-up cryptography for this, I could not shake the feeling that it was like shooting sparrows with a cannon. Since the tunnel is mostly used just to punch holes in NAT, the inner traffic is usually encrypted anyway, and in any case it all drowns in HTTPS.

While studying the various tunneling protocols, the perfectionist in me was drawn to IPIP again and again because of its minimal overhead. But for my tasks it has one and a half significant drawbacks:

  • it requires public IPs on both sides,
  • and it has no authentication.

So the perfectionist was driven back into the dark corner of the skull, or wherever it is that he sits.

And then one day, while reading articles about the tunnels natively supported by Linux, I came across FOU (Foo-over-UDP), i.e. anything at all, wrapped in UDP. So far only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here it is, the silver bullet! Plain IPIP will be enough for me," I thought.

In fact the bullet turned out not to be entirely silver. Encapsulation in UDP solves the first problem: you can connect to clients behind NAT from the outside over an already-established connection. But here half of the next IPIP drawback shows up in a new light: anyone on a private network can hide behind the visible public IP and port of the client (plain IPIP does not have this problem).

To solve this one-and-a-half problem, the ipipou utility was born. It implements a home-made mechanism for authenticating the remote host, without interfering with the kernel's FOU, which goes on processing the packets quickly and efficiently in kernel space.

We don't need your script!

Well, if you know the client's public IP and port (for example, nobody behind it goes anywhere, and the NAT tries to map ports 1-to-1), you can set up an IPIP-over-FOU tunnel with the following commands, without any scripts.

On the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel encapsulated in FOU.
# The ipip module is loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

On the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The local, peer, peer_port and dev options may not be supported by older kernels; they can be omitted.
# peer and peer_port are used to establish the connection right when the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* - name of the local tunnel network interface
  • 203.0.113.1 - public IP of the server
  • 198.51.100.2 - public IP of the client
  • 192.168.0.2 - IP of the client assigned to its eth0 interface
  • 10001 - local FOU port of the client
  • 20001 - public FOU port of the client
  • 10000 - public FOU port of the server
  • encap-csum - option to add a UDP checksum to the encapsulating UDP packets; it can be replaced with noencap-csum, since even without it integrity is already checked by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 - local interface to which the ipip tunnel will be bound
  • 172.28.0.1 - IP of the client's tunnel interface (private)
  • 172.28.0.0 - IP of the server's tunnel interface (private)

As long as the UDP connection is alive, the tunnel will keep working, but if it breaks you will need luck: if the client's IP:port stays the same, it will live; if they change, it will break.

The easiest way to roll everything back is to unload the kernel modules: modprobe -r fou ipip

Even if authentication is not needed, the client's public IP and port are not always known, and are often unpredictable or variable (it depends on the NAT type). If you leave out encap-dport on the server side, the tunnel will not work; it is not smart enough to pick up the port of the remote connection. In this case ipipou can help too, or WireGuard and others like it.
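The "where" list above is really a set of relations between the two ends (the client's encap-dport must equal the server's listening port, the server's encap-dport must equal the client's port as the NAT presents it, the tunnel addresses must mirror each other). The following is an added example, not code from the article or from ipipou: it cross-checks a server/client pair for those relations and renders the `ip` commands for each end. The End class and the check_pair()/render() names are my own; it only builds strings, so it runs without root.

```python
# Added example (not from the article or the ipipou project): cross-check the
# parameters of a server/client IPIP-over-FOU pair and render the `ip` commands
# for each end. The End dataclass, check_pair() and render() are my own names.
from dataclasses import dataclass


@dataclass(frozen=True)
class End:
    name: str           # local tunnel interface, e.g. ipipou0
    dev: str            # underlay interface the tunnel is bound to
    local: str          # address on dev (public on the server, private behind NAT)
    remote: str         # the peer's public address as seen from this end
    sport: int          # FOU UDP source port; also the port `ip fou` listens on
    dport: int          # the peer's FOU port as seen from this end
    tunl_ip: str        # address assigned to the tunnel interface
    peer_tunl_ip: str   # the peer's tunnel address
    csum: bool = False  # emit encap-csum (UDP checksum on the outer packet)


def check_pair(server: End, client: End, client_public: tuple) -> list:
    """Return every inconsistency found; an empty list means the two ends line up.

    client_public is the client's (IP, port) as the server sees it after NAT. It
    cannot be derived from the client's own config, which is exactly why the
    server's encap-dport goes stale when the NAT mapping changes."""
    pub_ip, pub_port = client_public
    errs = []
    if client.remote != server.local:
        errs.append(f"client remote {client.remote} != server local {server.local}")
    if server.remote != pub_ip:
        errs.append(f"server remote {server.remote} != client public IP {pub_ip}")
    if client.dport != server.sport:
        errs.append(f"client encap-dport {client.dport} != server encap-sport {server.sport}")
    if server.dport != pub_port:
        errs.append(f"server encap-dport {server.dport} != client public port {pub_port}")
    if (server.tunl_ip, server.peer_tunl_ip) != (client.peer_tunl_ip, client.tunl_ip):
        errs.append("tunnel addresses are not mirrored between the ends")
    if server.tunl_ip == client.tunl_ip:
        errs.append("both ends use the same tunnel address")
    return errs


def render(end: End) -> list:
    """Render the commands for one end, in the order the article runs them."""
    csum = " encap-csum" if end.csum else ""
    return [
        "modprobe fou",
        f"ip link add name {end.name} type ipip remote {end.remote} local {end.local} "
        f"encap fou encap-sport {end.sport} encap-dport {end.dport}{csum} mode ipip dev {end.dev}",
        f"ip fou add port {end.sport} ipproto 4 local {end.local} dev {end.dev}",
        f"ip address add {end.tunl_ip} peer {end.peer_tunl_ip} dev {end.name}",
        f"ip link set {end.name} up",
    ]


# The article's pair: server 203.0.113.1, client 192.168.0.2 behind a NAT that
# presents it to the server as 198.51.100.2:20001.
SERVER = End("ipipou0", "eth0", "203.0.113.1", "198.51.100.2", 10000, 20001,
             "172.28.0.0", "172.28.0.1")
CLIENT = End("ipipou1", "eth0", "192.168.0.2", "203.0.113.1", 10001, 10000,
             "172.28.0.1", "172.28.0.0", csum=True)
CLIENT_PUBLIC = ("198.51.100.2", 20001)

if __name__ == "__main__":
    problems = check_pair(SERVER, CLIENT, CLIENT_PUBLIC)
    if problems:
        raise SystemExit("\n".join(problems))
    print("# server")
    print("\n".join(render(SERVER)))
    print("# client")
    print("\n".join(render(CLIENT)))
```

Feed it a different client_public port and the only complaint is the server's encap-dport, which is the failure mode the paragraph above describes: the rest of the configuration is still consistent, yet the tunnel is dead until that one value is updated.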

How does it work?

The client (usually behind NAT) opens a tunnel (as in the example above) and sends an authentication packet to the server so that it configures the tunnel on its side. Depending on the settings this can be an empty packet (just so the server sees the public IP:port of the connection), or data by which the server can identify the client. The data can be a simple plaintext passphrase (think HTTP Basic Auth) or specially crafted data signed with a private key (similar to HTTP Digest Auth, only stronger; see the client_auth function in the code).

On the server side (the side with the public IP), when ipipou starts it creates an nfqueue queue and configures netfilter so that the necessary packets go where they should: packets that initiate a connection go to the nfqueue queue, and [almost] everything else goes straight to the FOU listener.

For those not in the know, nfqueue (or NetfilterQueue) is a special thing for amateurs who don't know how to develop kernel modules: through netfilter (nftables / iptables) it lets you redirect network packets to user space and process them there with primitive, improvised means: modify them (optionally) and return them to the kernel, or drop them.

Some programming languages have bindings for working with nfqueue; bash had none (heh, no surprise), so I had to use Python: ipipou uses NetfilterQueue.

If performance is not critical, with this thing you can quickly and easily cook up your own logic for handling packets at a fairly low level, e.g. build experimental data-transfer protocols, or troll local and remote services with non-standard behaviour.

Raw sockets go hand in hand with nfqueue: for example, when the tunnel is already configured and FOU is listening on the desired port, you cannot send a packet from that same port in the usual way (it is busy), but you can take a hand-crafted packet and send it directly to the network interface through a raw socket, although generating such a packet takes a bit more tinkering. This is how the authentication packets are created in ipipou.

Since ipipou only processes the first packets of a connection (and those that managed to leak into the queue before it was established), performance hardly suffers.

As soon as the ipipou server receives an authenticated packet, a tunnel is created, and all subsequent packets of the connection are processed by the kernel, bypassing nfqueue. If the connection breaks, the first packet of the next one goes to the nfqueue queue again; depending on the settings, if it is not a packet with authentication but comes from the last remembered client IP and port, it can be either passed through or dropped. If an authenticated packet arrives from a new IP and port, the tunnel is reconfigured to use them.
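Putting the two passages together (the authentication packet the client sends, and the verdict the server gives the first packet of each connection), here is an added example that is not ipipou's code: a simulation of the server-side decision. The wire format (MAGIC, timestamp, nonce, tunnel IP, MAC), the ServerState fields and all function names are my own. HMAC-SHA256 over the shared auth-secret stands in for the private-key signature the article's client_auth uses, and the lifetime window plays the role of the auth-lifetime setting in server.conf. It rejects stale and replayed credentials, passes unauthenticated packets only from the last remembered peer (and only if so configured), and keeps an audit trail of every tunnel create/reconfigure and every drop.

```python
# Added example, not ipipou's code: simulate the decision an ipipou-style server
# takes on the first packet of a connection. Wire format and names are my own;
# HMAC-SHA256 over the shared secret stands in for the article's private-key
# signature (client_auth), and `lifetime` mirrors the auth-lifetime setting.
import hashlib
import hmac
import socket
import struct
from dataclasses import dataclass, field
from enum import Enum

MAGIC = b"IPOU"          # constructed marker so garbage is rejected cheaply
MAC_LEN = 32             # SHA-256 digest
PAYLOAD_LEN = len(MAGIC) + 8 + 16 + 4 + MAC_LEN   # 64 bytes


class Verdict(Enum):
    ACCEPT = "accept"    # hand the packet on to the kernel FOU listener
    DROP = "drop"


def build_auth_payload(secret: bytes, tunl_ip: str, now: int, nonce: bytes) -> bytes:
    """Client side: MAGIC | timestamp | 16-byte nonce | tunnel IP | HMAC."""
    assert len(nonce) == 16
    body = MAGIC + struct.pack("!Q", now) + nonce + socket.inet_aton(tunl_ip)
    return body + hmac.new(secret, body, hashlib.sha256).digest()


def verify_auth_payload(secret: bytes, payload: bytes, now: int,
                        lifetime: int, seen_nonces: set):
    """Return the client's tunnel IP if the payload is fresh and genuine, else None."""
    if len(payload) != PAYLOAD_LEN or payload[:4] != MAGIC:
        return None
    body, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
    expected = hmac.new(secret, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, mac):      # constant-time compare
        return None
    (ts,) = struct.unpack("!Q", body[4:12])
    nonce = body[12:28]
    if abs(now - ts) > lifetime or nonce in seen_nonces:   # stale or replayed
        return None
    seen_nonces.add(nonce)
    return socket.inet_ntoa(body[28:32])


@dataclass
class ServerState:
    secret: bytes
    lifetime: int = 3600                       # seconds, like auth-lifetime
    pass_unauth_from_known_peer: bool = True   # the "pass or drop" setting
    peer: tuple = None                         # (public IP, port) of the live tunnel
    seen_nonces: set = field(default_factory=set)
    events: list = field(default_factory=list) # audit trail: (action, ip, port, tunl_ip)


def handle_first_packet(state: ServerState, src_ip: str, src_port: int,
                        payload: bytes, now: int) -> Verdict:
    """What the nfqueue handler decides for a packet that reached user space."""
    tunl_ip = verify_auth_payload(state.secret, payload, now,
                                  state.lifetime, state.seen_nonces)
    if tunl_ip is not None:
        if state.peer != (src_ip, src_port):
            action = "create" if state.peer is None else "reconfigure"
            state.peer = (src_ip, src_port)
            state.events.append((action, src_ip, src_port, tunl_ip))
        return Verdict.ACCEPT
    # Not authenticated: only the last remembered peer may pass, and only if configured.
    if state.peer == (src_ip, src_port) and state.pass_unauth_from_known_peer:
        return Verdict.ACCEPT
    state.events.append(("drop", src_ip, src_port, None))
    return Verdict.DROP


if __name__ == "__main__":
    # Constructed walk-through with the article's addresses and auth-secret.
    st = ServerState(secret=b"topsecret")
    now = 1_700_000_000
    p = build_auth_payload(b"topsecret", "172.28.0.1", now, b"\x01" * 16)
    print(handle_first_packet(st, "198.51.100.2", 20001, p, now))   # ACCEPT, tunnel created
    print(handle_first_packet(st, "203.0.113.9", 4444, p, now))     # DROP, replayed nonce
    print(st.events)
```

The replay check is the part worth noticing: the article's scheme only signs the first packet, so a captured authentication packet replayed from elsewhere would be the obvious abuse, and the nonce set plus the lifetime window are what make that fail. The events list is the detection hook; a production handler would log every "reconfigure" (a peer moving to a new IP:port) and every "drop".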

Plain IPIP-over-FOU has one more problem when working with NAT: it is impossible to create two UDP-encapsulated IPIP tunnels with the same IP, because the FOU and IPIP modules are quite isolated from each other. I.e. two clients behind the same public IP cannot connect to the same server simultaneously this way. In the future this may be solved at the kernel level, but that is not certain. Meanwhile, NAT problems can be solved with NAT: if it turns out that a pair of IP addresses is already taken by another tunnel, ipipou will NAT the public address to another private IP, and voila! you can create tunnels until the ports run out.

Because not all packets in the connection are signed, this simple protection is vulnerable to MITM: if there is a villain lurking on the path between client and server who can listen to the traffic and manipulate it, he can redirect the authenticated packets through another address and create a tunnel from an untrusted host.

If anyone has ideas on how to fix this while leaving the bulk of the traffic in the kernel, don't hesitate to speak up.

By the way, UDP encapsulation has proven itself very well. Compared with encapsulation directly over IP it is much more stable and often faster, despite the extra overhead of the UDP header. This is because most hosts on the Internet work well only with the three most popular protocols: TCP, UDP, ICMP. The hardware part may drop everything else entirely, or process it more slowly, because it is optimised only for these three.

For example, this is why QUIC, on which HTTP/3 is based, was created on top of UDP and not on top of IP.

Well, enough words; it's time to see how it works in the "real world".

Battle

iperf3 was used to emulate the real world. In terms of closeness to reality this is about like emulating the real world in Minecraft, but for now it will do.

Competition participants:

  • the reference main channel
  • the hero of this article, ipipou
  • OpenVPN with authentication but without encryption
  • OpenVPN in all-inclusive mode
  • WireGuard without PresharedKey, with MTU=1440 (since it is IPv4-only)

Technical details for geeks
Measurements are taken with the following commands:

On the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Here "-b 12M" is the bandwidth of the main channel divided by the number of streams "-P", so as not to spawn extra packets and spoil the result.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

On the server (simultaneously with the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Tunnel setup

ipipou
server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (no encryption, with authentication)
server

openvpn --genkey --secret ovpn.key  # Then ovpn.key has to be handed over to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as expected)
Configured with openvpn-manage

wireguard
server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

Raw ugly table
Server CPU load is not indicative, because there are many other services running there which sometimes eat resources:

proto bandwidth[Mbps] CPU_idle_client[%] CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

# ~1 Gbps channel between VPS in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms
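The raw table gives absolute numbers; what a reader usually wants is each tunnel's throughput as a fraction of the bare channel and the latency it adds. The following is an added example, not code from the article: it parses the table text above (copied here with the channel headers dropped) and computes those relative figures. parse_results() and overhead() are my own names.

```python
# Added example (not from the article): parse the raw results table and express
# each tunnel's throughput as a fraction of the bare ("pure") channel, plus the
# extra average ICMP latency it introduces. The two tables are the article's own
# numbers; parse_results() and overhead() are my own.

RESULTS_20M = """\
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms
"""

RESULTS_1G = """\
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms
"""


def parse_results(text: str) -> dict:
    """Map scenario name -> {udp, tcp, idle_client_*, idle_server_*, avg_latency}."""
    rows, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            # "# openvpn0 (auth only, no encryption)" -> "openvpn0"
            current = line.lstrip("#").strip().split(" (")[0]
            rows[current] = {}
        elif line.startswith(("UDP", "TCP")):
            proto, bw, idle_c, idle_s = line.split()
            p = proto.lower()
            rows[current][p] = float(bw)
            rows[current][f"idle_client_{p}"] = float(idle_c)
            rows[current][f"idle_server_{p}"] = float(idle_s)
        elif line.startswith("ICMP"):
            stats = line.split("=")[1].split()[0].split("/")   # min/avg/max/mdev
            rows[current]["avg_latency"] = float(stats[1])
    return rows


def overhead(rows: dict, baseline: str = "pure") -> dict:
    """Throughput ratio and added latency of every scenario relative to the baseline."""
    base = rows[baseline]
    out = {}
    for name, r in rows.items():
        if name == baseline:
            continue
        out[name] = {
            "udp_ratio": r["udp"] / base["udp"],
            "tcp_ratio": r["tcp"] / base["tcp"],
            "extra_latency_ms": r["avg_latency"] - base["avg_latency"],
        }
    return out


if __name__ == "__main__":
    for label, text in (("20 Mbps", RESULTS_20M), ("~1 Gbps", RESULTS_1G)):
        print(label)
        for name, o in overhead(parse_results(text)).items():
            print(f"  {name:9s} UDP {o['udp_ratio']:.1%}  TCP {o['tcp_ratio']:.1%}"
                  f"  +{o['extra_latency_ms']:.2f} ms")
```

On the article's numbers ipipou keeps about 97-98% of the bare channel's UDP throughput on both links, while the unencrypted OpenVPN run on the 1 Gbps link drops to roughly a quarter of it, which is the oddity the author remarks on below.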

[Graphs: 20 Mbps channel]

[Graphs: ~1 Gbps channel]

In all cases ipipou is quite close to the performance of the base channel, which is great!

The unencrypted OpenVPN tunnel behaved rather strangely in both cases.

If anyone is going to test it, it would be interesting to hear feedback.

May IPv6 and NetPrickle be with us!

Source: www.habr.com
