ipipou: more than just an unencrypted tunnel

What shall we say to the god of IPv6?

Right, and today we'll say the same thing to the god of encryption.

Here we'll talk about an unencrypted IPv4 tunnel, but not the "warm valve" kind, rather the modern "LED" kind. Raw sockets blink here too, and there's work with packets in user space.

There are N tunneling protocols of every taste and colour:

  • the stylish, fashionable, youthful WireGuard
  • the multifunctional, Swiss-army-knife-like OpenVPN and SSH
  • the old and not-evil GRE
  • the simplest and fastest, completely unencrypted IPIP
  • the actively developing GENEVE
  • many others.

But I'm a programmer, so I'll increase N by only a fraction and leave the development of real protocols to the real developers.

In one project that hasn't been born yet, what I need right now is to reach hosts behind NAT from the outside. Using protocols with grown-up cryptography for this, I couldn't shake the feeling that it was like shooting sparrows with a cannon: the tunnel is used mostly just to punch holes in the NAT, and the internal traffic is usually encrypted anyway, since it all drowns in HTTPS regardless.

While studying the various tunneling protocols, the attention of my inner perfectionist was drawn to IPIP again and again because of its minimal overhead. But for my tasks it has one and a half significant drawbacks:

  • it requires public IPs on both sides,
  • and it has no authentication at all.

So the perfectionist was driven back into the dark corner of the skull, or wherever it is he lives.

And one day, while reading articles on tunnels natively supported by Linux, I came across FOU (Foo-over-UDP), that is, whatever-you-like wrapped in UDP. For now only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here's the silver bullet! Plain IPIP is enough for me," I thought.

In reality the bullet turned out to be not entirely silver. Encapsulation in UDP solves the first problem: you can connect to clients behind NAT from the outside over a previously established connection. But here half of the second IPIP drawback shows up in a new light: anyone on the private network can hide behind the visible public IP and port of the client (in pure IPIP this problem doesn't exist).

To solve this one-and-a-half problem, the ipipou utility was born. It implements a home-made mechanism for authenticating the remote host without disrupting the kernel FOU, which then processes the packets quickly and efficiently in kernel space.

We don't need your script!

OK, if you know the client's public port and IP (for example, nobody else behind it goes anywhere and the NAT tries to map ports 1-to-1), you can create an IPIP-over-FOU tunnel with the following commands, without any scripts at all.

on the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel with FOU encapsulation.
# The ipip module will be loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

on the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The options local, peer, peer_port and dev may not be supported by old kernels; they can be omitted.
# peer and peer_port are used to establish the connection as soon as the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* - name of the local tunnel network interface
  • 203.0.113.1 - public IP of the server
  • 198.51.100.2 - public IP of the client
  • 192.168.0.2 - IP of the client assigned to the eth0 interface
  • 10001 - local FOU port of the client
  • 20001 - public FOU port of the client
  • 10000 - public FOU port of the server
  • encap-csum - option to add a UDP checksum to the encapsulating UDP packets; it can be replaced with noencap-csum, not least because integrity is already checked by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 - local interface to which the ipip tunnel will be bound
  • 172.28.0.1 - IP of the client's tunnel interface (private)
  • 172.28.0.0 - IP of the server's tunnel interface (private)

As long as the UDP connection is alive, the tunnel will work, but if it breaks, it's a matter of luck: if the client's IP:port stays the same, it will live; if it changes, it will break.

The easiest way to undo everything is to unload the kernel modules: modprobe -r fou ipip

Even if authentication isn't required, the client's public IP and port aren't always known and are often unpredictable or variable (depending on the NAT type). If you omit encap-dport on the server side, the tunnel won't work; it isn't smart enough to take the port from the remote end of the connection. In this case ipipou can help, or WireGuard and the like.

How does it work?

The client (usually behind NAT) brings up the tunnel (as in the example above) and sends an authentication packet to the server so that it configures the tunnel on its side. Depending on the settings, this can be an empty packet (just so the server sees the public IP:port of the connection) or one carrying data by which the server can identify the client. The data can be a simple plaintext password (the analogy with HTTP Basic Auth comes to mind) or specially constructed data signed with a private key (like HTTP Digest Auth, only stronger; see the client_auth function in the code).

On the server (the side with the public IP), when ipipou starts it creates an nfqueue queue handler and configures netfilter so that the necessary packets go where they should: packets that initiate a connection go to the nfqueue queue, and [almost] all the others go straight to the FOU listener.

For those who don't know, nfqueue (or NetfilterQueue) is a special thing for amateurs who can't write kernel modules: using netfilter (nftables/iptables), it lets you redirect network packets to user space and process them there with primitive means, i.e. modify them (optionally) and hand them back to the kernel, or drop them.

Some programming languages have bindings for working with nfqueue; for bash there were none (heh, unsurprisingly), so I had to use python: ipipou uses NetfilterQueue.

If performance isn't critical, with this thing you can quickly and easily cook up your own logic for handling packets at a fairly low level, for example to build experimental data transfer protocols or to troll local and remote services with non-standard behaviour.

Raw sockets go hand in hand with nfqueue. For example, once the tunnel is configured and FOU is listening on the required port, you can't send a packet from that same port the usual way (it's busy), but you can take an arbitrarily crafted packet and send it directly to the network interface through a raw socket, although building such a packet takes a bit more fiddling. That's how the authentication packets are made in ipipou.

Since ipipou only processes the first packets of a connection (well, and those that manage to leak into the queue before the connection is established), performance hardly suffers.

As soon as the ipipou server receives an authenticated packet, the tunnel is created and all subsequent packets of the connection are handled by the kernel, bypassing nfqueue. If the connection fails, the next first packet will again be sent to the nfqueue queue; depending on the settings, if it isn't an authentication packet but comes from the last remembered client IP and port, it can be passed through or dropped. If an authenticated packet arrives from a new IP and port, the tunnel is reconfigured to use them.
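The server-side decision flow just described, as an added example in Python (not ipipou's own code; its real wire format is not reproduced here): a shared-secret HMAC over a timestamped payload stands in for the signed authentication data, the auth-lifetime value from the sample config bounds how old an authentication packet may be, and the handler records the observed public IP:port so that an authenticated packet from a new address reconfigures the tunnel. The names build_auth, verify_auth and TunnelState are assumptions.

```python
import hmac
import hashlib
import os
import struct
import time

# Hypothetical model of the ipipou server's handling of packets that reach the
# nfqueue handler. Added example: ipipou's real wire format is not reproduced.
LIFETIME = 3600          # auth-lifetime from the sample server.conf
SECRET = b"topsecret"    # auth-secret from the sample configs
MAC_LEN = 32             # HMAC-SHA256 tag length

def build_auth(secret, number, now=None):
    """Client side: payload = tunnel number, timestamp, random nonce, MAC."""
    now = int(time.time()) if now is None else now
    body = struct.pack("!HQ", number, now) + os.urandom(8)
    return body + hmac.new(secret, body, hashlib.sha256).digest()

def verify_auth(secret, payload, now=None, lifetime=LIFETIME):
    """Server side: tunnel number if the MAC is valid and the timestamp fresh, else None."""
    if len(payload) != 2 + 8 + 8 + MAC_LEN:
        return None
    body, mac = payload[:-MAC_LEN], payload[-MAC_LEN:]
    if not hmac.compare_digest(mac, hmac.new(secret, body, hashlib.sha256).digest()):
        return None
    number, ts = struct.unpack("!HQ", body[:10])
    now = int(time.time()) if now is None else now
    return number if abs(now - ts) <= lifetime else None

class TunnelState:
    """Remembers the last public IP:port of each tunnel's peer, as the server does."""
    def __init__(self, pass_known=True):
        self.peers = {}               # tunnel number -> (ip, port)
        self.pass_known = pass_known  # pass or drop unauthenticated packets from a known peer

    def handle(self, src, payload, now=None):
        """Verdict for one queued packet: configure / reconfigure / accept / drop."""
        number = verify_auth(SECRET, payload, now)
        if number is not None:
            old = self.peers.get(number)
            self.peers[number] = src      # (re)point the tunnel at the observed IP:port
            if old is None:
                return "configure"
            return "reconfigure" if old != src else "accept"
        if self.pass_known and src in self.peers.values():
            return "accept"               # unauthenticated, but from the remembered IP:port
        return "drop"
```

Emitting such a payload from the port FOU already occupies would still need the raw socket the post mentions; that part is not modelled.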

Ordinary IPIP-over-FOU has one more problem when working with NAT: you can't create two IPIP tunnels encapsulated in UDP with the same IP, because the FOU and IPIP modules are quite isolated from each other. That is, a pair of clients behind the same public IP can't connect to the same server simultaneously this way. In the future this may perhaps be solved at the kernel level, but that isn't certain. For now, NAT problems can be solved with NAT: if it turns out that a pair of IP addresses is already occupied by another tunnel, ipipou will NAT from the public to a private IP, and voila! you can create tunnels until you run out of ports.

Since not all packets of the connection are signed, this simple protection is vulnerable to MITM: if a villain sitting on the path between client and server can sniff the traffic and manipulate it, they can redirect the authenticated packets through another address and build a tunnel from an untrusted host.

If anyone has ideas on how to fix this while keeping the bulk of the traffic in the kernel, feel free to speak up.

By the way, encapsulation in UDP has proved itself very well. Compared with encapsulation directly over IP, it's much more stable and often faster despite the extra overhead of the UDP header. This is because most hosts on the Internet work well only with the three most popular protocols: TCP, UDP, ICMP. A noticeable share may drop everything else entirely, or handle it more slowly, because they're optimised for these three only.

For example, that's why QUIC, on which HTTP/3 is based, was built on top of UDP and not on top of IP.

Well, enough words, time to see how it works "in the real world".

The battle

iperf3 is used to emulate the real world. In terms of closeness to reality, this is roughly like emulating the real world in Minecraft, but it'll do for now.

Contestants:

  • the reference main channel
  • the hero of this article, ipipou
  • OpenVPN with authentication but no encryption
  • OpenVPN in all-inclusive mode
  • WireGuard without PresharedKey, with MTU=1440 (since it's IPv4-only)

Technical data for geeks
Metrics were collected with the following commands:

on the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Where "-b 12M" is the bandwidth of the main channel divided by the number of streams "-P", so as not to generate excess packets and hurt performance.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

on the server (run simultaneously with the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Tunnel configuration

ipipou
server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (no encryption, with authentication)
server

openvpn --genkey --secret ovpn.key  # Then ovpn.key must be passed to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as expected)
Configured using openvpn-manage

wireguard
server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

Unsightly raw table
Server CPU load isn't very indicative, because many other services run there and sometimes eat resources:

proto bandwidth[Mbps] CPU_idle_client[%] CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

## ~1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms

20 Mbps channel (figure)

Channel with a promising 1 Gbps (figure)

In all cases ipipou is quite close to the performance of the base channel, excellent!

The unencrypted openvpn tunnel behaved rather strangely in both cases.

If anyone tests it, it would be interesting to hear feedback.

May IPv6 and NetPrickle be with us!

source: www.habr.com
