I-WireGuard iye yafumana ingqalelo eninzi mva nje, enyanisweni yinkwenkwezi entsha phakathi kweeVPN. Kodwa ngaba ulungile njengoko ebonakala? Ndingathanda ukuxoxa ngoqwalaselo kunye nokuphonononga ukuphunyezwa kwe-WireGuard ukucacisa ukuba kutheni kungesosisombululo sokutshintsha i-IPsec okanye i-OpenVPN.
Kweli nqaku, ndingathanda ukuphelisa ezinye iintsomi [ezijikeleze iWireGuard]. Ewe, kuya kuthatha ixesha elide ukufunda, ke ukuba awuzenzelanga ikomityi yeti okanye ikofu, lixesha lokuyenza. Ndingathanda ukubulela kwakhona kuPeter ngokulungisa iingcinga zam eziphazamisayo.
Andizibeki njongo yokujongela phantsi abaphuhlisi beWireGuard, ndijongele phantsi iinzame zabo okanye izimvo zabo. Imveliso yabo iyasebenza, kodwa ngokobuqu ndicinga ukuba ibonakaliswe yahluke ngokupheleleyo kwinto eyiyo ngokwenene - iboniswa njengokutshintshwa kwe-IPsec kunye ne-OpenVPN, eneneni engekhoyo ngoku.
Njengenqaku, ndingathanda ukongeza ukuba uxanduva lokubekwa kwe-WireGuard lulele kumajelo eendaba athetha ngayo, kwaye kungekhona iprojekthi ngokwayo okanye abadali bayo.
Akukhange kubekho iindaba ezimnandi malunga neLinux kernel mva nje. Ke, saxelelwa malunga nokuba semngciphekweni okukhulu kweprosesa, eyathi yabekwa yisoftware, kwaye uLinus Torvalds wathetha ngayo ngobukrwada nangokukruqulayo, ngolwimi olusetyenziswayo lomphuhlisi. Umcwangcisi okanye i-zero-level networking stack nazo azikho izihloko ezicacileyo kwiimagazini ezimenyezelayo. Kwaye nantsi iWireGuard isiza.
Ephepheni, konke kuvakala kukuhle: itekhnoloji entsha enomdla.
Kodwa masiyijonge ngokusondeleyo ngakumbi.
Iphepha elimhlophe le-WireGuard
Eli nqaku lisekelwe kwi ibhalwe nguJason Donenfeld. Apho uchaza ingcamango, injongo kunye nokuphunyezwa kobugcisa be [WireGuard] kwi-Linux kernel.
Isivakalisi sokuqala sifundeka ngolu hlobo:
I-WireGuard […] ijolise ekutshintsheni zombini i-IPsec kwiimeko ezininzi zokusetyenziswa kunye nezinye iindawo ezisetyenziswayo ezithandwayo kunye/okanye izisombululo ezisekelwe kwi-TLS ezifana ne-OpenVPN ngelixa ikhuselekile ngakumbi, isebenza kwaye kulula ukuyisebenzisa [isixhobo].
Ngokuqinisekileyo, inzuzo ephambili yazo zonke itekhnoloji entsha yeyabo ukulula [xa kuthelekiswa nabangaphambili]. Kodwa iVPN kufuneka ibe njalo esebenzayo kwaye ekhuselekileyo.
Ngoko, yintoni elandelayo?
Ukuba uthi oku ayisiyiyo into oyifunayo [ukusuka kwi-VPN], ngoko unokuphelisa ukufunda apha. Nangona kunjalo, ndiya kuqaphela ukuba imisebenzi enjalo imiselwe nayiphi na enye itekhnoloji ye-tunneling.
Eyona nto inomdla kule catshulwa ingentla ilala kumagama athi "kwiimeko ezininzi", leyo, ngokuqinisekileyo, ayizange ihoywe ngumshicileli. Kwaye ke, silapho siphelele khona ngenxa yesiphithiphithi esidalwe koku kungakhathali - kweli nqaku.
Ngaba i-WireGuard iya kuthatha indawo yam [IPsec] ye-VPN yesayithi ukuya kwindawo?
Hayi. Akukho thuba lokuba abathengisi abakhulu abanjengoCisco, Juniper kunye nabanye baya kuthenga iWireGuard kwiimveliso zabo. “Abatsibi koololiwe abadlulayo” ekuhambeni ngaphandle kokuba kukho imfuneko enkulu yokwenza oko. Kamva, ndiza kudlula ezinye zezizathu zokuba mhlawumbi abayi kuba nako ukufumana iimveliso zabo WireGuard ebhodini nokuba babefuna.
Ngaba i-WireGuard iya kuthatha i-RoadWarrior yam kwi-laptop yam ukuya kwiziko ledatha?
Hayi. Okwangoku, iWireGuard ayinalo inani elikhulu leempawu ezibalulekileyo eziphunyeziweyo ukuze ikwazi ukwenza into enje. Umzekelo, ayinakusebenzisa iidilesi ze-IP eziguqukayo kwicala lomncedisi wetonela, kwaye oku kukodwa kwaphula yonke imeko yokusetyenziswa kwemveliso.
IPFire ihlala isetyenziselwa amakhonkco e-Intanethi angabizi kakhulu, afana ne-DSL okanye uqhagamshelo lwentambo. Oku kunengqiqo kumashishini amancinci okanye aphakathi angadingi fiber ngokukhawuleza. [Inqaku elivela kumguquleli: ungalibali ukuba ngokwemigaqo yonxibelelwano, iRussia kunye namanye amazwe eCIS angaphambili kakhulu kweYurophu kunye ne-United States, kuba saqala ukwakha uthungelwano lwethu kamva kwaye ngokufika kwe-Ethernet kunye ne-fiber optic networks njenge umgangatho, kwaba lula ukuba siphinde siwakhe kwakhona. Kwamazwe afanayo e-EU okanye e-USA, ukufikelela kwe-xDSL Broadband ngesantya se-3-5 Mbps kuseyinto eqhelekileyo, kwaye uxhulumaniso lwefiber optic lubiza imali engafanelekanga ngokwemigangatho yethu. Ke ngoko, umbhali wenqaku uthetha nge-DSL okanye uqhagamshelo lwentambo njengesiqhelo, hayi amaxesha amandulo.] Nangona kunjalo, i-DSL, intambo, i-LTE (kunye nezinye iindlela zokufikelela ngaphandle kwamacingo) zineedilesi ze-IP ezinamandla. Kakade ke, ngamanye amaxesha azitshintshi rhoqo, kodwa ziyatshintsha.
Kukho iprojekthi ebizwa , eyongeza i-daemon yendawo yomsebenzisi ukoyisa le ntsilelo. Ingxaki enkulu ngemeko yomsebenzisi echazwe ngasentla kukwandiswa kwedilesi ye-IPv6 eguqukayo.
Ngokombono womthengisi, konke oku akubonakali kukuhle kakhulu. Enye yeenjongo zoyilo yayikukugcina iprotocol ilula kwaye icocekile.
Ngelishwa, konke oku kuye kwalula kakhulu kwaye kwakudala, ngoko ke kufuneka sisebenzise isoftware eyongezelelweyo ukuze olu yilo lonke lusebenze ngokufanelekileyo.
Ngaba iWireGuard kulula ukuyisebenzisa?
Ayikenzeki. Anditsho ukuba i-WireGuard ayisoze ibe yindlela efanelekileyo yokufumana itonela phakathi kwamanqaku amabini, kodwa okwangoku luguqulelo lwe-alpha lwemveliso ebekufanele ukuba luyiyo.
Kodwa ke yintoni ayenzayo ngokwenene? Ngaba i-IPsec ngenene kunzima ukuyigcina?
Ngokucacileyo akunjalo. Umthengisi we-IPsec uye wacinga ngoku kwaye uthumela imveliso yabo kunye ne-interface, efana ne-IPFire.
Ukuseta itonela ye-VPN ngaphezulu kwe-IPsec, uya kufuna iiseti ezintlanu zedatha oya kuyidinga ukuba ungene kuqwalaselo: idilesi yakho ye-IP yoluntu, idilesi ye-IP yoluntu yeqela elifumanayo, ii-subnets ofuna ukuzenza esidlangalaleni. olu qhagamshelo lweVPN kunye nesitshixo ekwabelwana ngaso kwangaphambili. Ke, i-VPN imiselwe ngaphakathi kwemizuzu kwaye iyahambelana nawuphi na umthengisi.
Ngelishwa, kukho iinketho ezimbalwa kweli bali. Nabani na okhe wazama ukutsibela kwi-IPsec kumatshini we-OpenBSD uyayazi into endithetha ngayo. Kukho imizekelo embalwa ebuhlungu ngakumbi, kodwa eneneni, zininzi, zininzi iindlela ezilungileyo zokusebenzisa i-IPsec.
Malunga nobunzima beprotocol
Umsebenzisi wokugqibela akanakuxhalaba malunga nobunzima beprotocol.
Ukuba besihlala kwihlabathi apho le nto yayiyinkxalabo yokwenene yomsebenzisi, ngoko besiya kudala silahla i-SIP, i-H.323, i-FTP kunye nezinye iiprotocol ezenziwe ngaphezu kweminyaka elishumi edlulileyo engasebenzi kakuhle ne-NAT.
Kukho izizathu zokuba kutheni i-IPsec intsonkothe ngakumbi kune-WireGuard: yenza izinto ezininzi ngakumbi. Umzekelo, ukuqinisekiswa komsebenzisi usebenzisa igama lokungena / igama lokugqitha okanye iSIM khadi ene-EAP. Inesakhono esandisiweyo sokongeza entsha .
Kwaye iWireGuard ayinayo loo nto.
Kwaye oku kuthetha ukuba i-WireGuard iya kuphuka ngexesha elithile, kuba enye ye-cryptographic primitives iya kuba buthathaka okanye ithotyelwe ngokupheleleyo. Umbhali wamaxwebhu obugcisa uthi:
Kuyafaneleka ukuba uqaphele ukuba i-WireGuard inombono we-cryptographically. Ngabom ayinakuguquguquka kwee-ciphers kunye neeprothokholi. Ukuba imingxunya enzulu ifunyenwe kwi-primitives engaphantsi, zonke iindawo zokuphela ziya kufuneka zihlaziywe. Njengoko unokubona kuluhlu oluqhubekayo lwe-SLL/TLS buthathaka, ukuguquguquka koguqulelo oluntsonkothileyo ngoku kunyuke kakhulu.
Isivakalisi sokugqibela sichaneke ngokupheleleyo.
Ukufikelela kwimvumelwano malunga nokuba yeyiphi i-encryption enokusetyenziswa yenza iiprothokholi ezifana ne-IKE kunye ne-TLS более entsonkothileyo. Intsonkothe kakhulu? Ewe, ubuthathaka buqhelekile kwi-TLS/SSL, kwaye akukho ndlela yimbi kubo.
Ekutyesheleni iingxaki zokwenyani
Khawufane ucinge ukuba uneseva yeVPN enabathengi abalwayo abangama-200 kwindawo ethile kwihlabathi liphela. Lo ngumzekelo omhle wokusetyenziswa osemgangathweni. Ukuba kufuneka utshintshe ufihlo, kufuneka uhambise uhlaziyo kuzo zonke iikopi zeWireGuard kwezi laptops, ii-smartphones, njalo njalo. Ngaxeshanye hambisa. Kuyinto engenakwenzeka ngokoqobo. Abalawuli abazama ukwenza oku kuya kuthatha iinyanga ukuhambisa ulungelelwaniso olufunekayo, kwaye ngokuqinisekileyo kuya kuthatha iminyaka yenkampani ephakathi ukukhupha isiganeko esinjalo.
IPsec kunye ne-OpenVPN zibonelela ngenqaku lothethathethwano lwe-cipher. Ke ngoko, kangangexesha elithile emva kokuba uvula i-encryption entsha, endala nayo iya kusebenza. Oku kuya kuvumela abathengi bangoku ukuba baphucule kwinguqulelo entsha. Emva kokuba uhlaziyo lukhutshiwe, uvele ucime uguqulelo olusesichengeni. Kwaye yiloo nto! Ulungile! umhle! Abathengi abayi kuqaphela.
Le yimeko eqhelekileyo yokuthunyelwa okukhulu, kwaye i-OpenVPN inobunzima boku. Ukuhambelana ngasemva kubalulekile, kwaye nangona usebenzisa i-encryption ebuthathaka, kwabaninzi, oku ayisosizathu sokuvala ishishini. Kuba iya kukhubaza umsebenzi wamakhulu abathengi ngenxa yokungakwazi ukwenza umsebenzi wabo.
Iqela le-WireGuard lenze iprotocol yabo yalula, kodwa ingasetyenziswa ngokupheleleyo kubantu abangenalo ulawulo oluthe gqolo kubo bobabini abalingane kwitonela labo. Kumava am, le yeyona meko ixhaphakileyo.
Ukukrola!
Kodwa yintoni le encryption entsha enomdla esetyenziswa nguWireGuard?
I-WireGuard isebenzisa i-Curve25519 ngokutshintshiselana okubalulekileyo, i-ChaCha20 yokubethela kunye ne-Poly1305 yokuqinisekisa idatha. Ikwasebenza kunye ne-SipHash kwizitshixo ze-hash kunye ne-BLAKE2 ye-hashing.
I-ChaCha20-Poly1305 isemgangathweni ye-IPsec kunye ne-OpenVPN (ngaphezu kwe-TLS).
Kucacile ukuba uphuhliso lukaDaniel Bernstein lusetyenziswa rhoqo. U-BLAKE2 ungumlandeli we-BLAKE, i-SHA-3 yokugqibela engazange iphumelele ngenxa yokufana kwayo ne-SHA-2. Ukuba i-SHA-2 yayiza kwaphulwa, bekukho ithuba elihle lokuba u-BLAKE naye angathotyelwa.
IPsec kunye ne-OpenVPN ayifuni iSipHash ngenxa yoyilo lwazo. Ke ekuphela kwento engasetyenziswayo ngoku kunye nabo yi-BLAKE2, kwaye oko kuphela de ibekwe emgangathweni. Oku akusiyo i-drawback enkulu, kuba ii-VPNs zisebenzisa i-HMAC ukudala ingqibelelo, ethathwa njengesisombululo esinamandla kunye ne-MD5.
Ngoko ke ndafikelela kwisigqibo sokuba phantse isethi efanayo yezixhobo ze-cryptographic zisetyenziswa kuzo zonke ii-VPN. Ke ngoko, i-WireGuard ayikhuselekanga ngakumbi okanye ingaphantsi kunayo nayiphi na enye imveliso yangoku xa kufihlwa kufihlo okanye ukuthembeka kwedatha edlulisiweyo.
Kodwa nangona oku akuyona into ebaluleke kakhulu, ekufanelekile ukuthobela ingqalelo kumaxwebhu asemthethweni eprojekthi. Emva kwakho konke, into ephambili kukukhawuleza.
Ngaba iWireGuard ikhawuleza kunezinye izisombululo zeVPN?
Ngamafutshane: hayi, hayi ngokukhawuleza.
I-ChaCha20 yi-cipher yomlambo ekulula ukuyisebenzisa kwisofthiwe. Ifihla into enye ngexesha. Vimba iiprothokholi ezinjenge-AES encrypt ibhloko ye-128 bits ngexesha. I-transistors eninzi iyafuneka ukuphumeza inkxaso ye-hardware, ngoko ke iiprosesa ezinkulu ziza ne-AES-NI, isandiso seseti yomyalelo esenza eminye yemisebenzi yenkqubo yofihlo ukuyikhawulezisa.
Bekulindeleke ukuba i-AES-NI ingaze ingene kwii-smartphones [kodwa yenzekile - malunga. ngokwe.]. Kule nto, i-ChaCha20 yaphuhliswa njengendlela ekhaphukhaphu, eyonga ibhetri. Ke ngoko, inokuza njengeendaba kuwe yokuba yonke i-smartphone onokuthi uyithenge namhlanje inohlobo oluthile lokukhawuleziswa kwe-AES kwaye ibaleka ngokukhawuleza kunye nokusetyenziswa kwamandla aphantsi ngolu guqulelo oluntsonkothileyo kuneChaCha20.
Ngokucacileyo, malunga nayo yonke iprosesa yedesktop/server ethengwe kule minyaka imbalwa idlulileyo ine-AES-NI.
Ke ngoko, ndilindele ukuba i-AES igqwese i-ChaCha20 kuyo yonke imeko. Amaxwebhu asemthethweni e-WireGuard akhankanya ukuba nge-AVX512, i-ChaCha20-Poly1305 iya kudlula i-AES-NI, kodwa olu lwandiso lweseti yomyalelo luya kufumaneka kuphela kwii-CPU ezinkulu, ezingayi kunceda kwakhona nge-hardware encinci nangaphezulu, eya kuhlala ikhawuleza nge-AES. -N.I.
Andiqinisekanga ukuba oku bekunokubonwa kwangaphambili ngexesha lophuhliso lwe-WireGuard, kodwa namhlanje into yokuba ibethelelwe kwi-encryption yodwa sele iyimqobo enokuthi ingachaphazeli ukusebenza kwayo kakuhle.
IPsec ikuvumela ukuba ukhethe ngokukhululekileyo ukuba yeyiphi i-encryption ilungele imeko yakho. Kwaye ke, oku kuyimfuneko ukuba, umzekelo, ufuna ukudlulisela i-10 okanye ngaphezulu kweegigabytes zedatha ngokusebenzisa uxhumano lwe-VPN.
Imiba yokudibanisa kwiLinux
Nangona i-WireGuard ikhethe iprotocol yangoku yokufihla, oku sele kubangela iingxaki ezininzi. Kwaye ke, endaweni yokusebenzisa oko kuxhaswe yi-kernel ngaphandle kwebhokisi, ukudityaniswa kwe-WireGuard kulibaziseke iminyaka ngenxa yokunqongophala kwezi primitives kwiLinux.
Andiqinisekanga ngokupheleleyo ukuba yintoni imeko kwezinye iinkqubo zokusebenza, kodwa mhlawumbi ayahlukanga kakhulu kuneLinux.
Ikhangeleka njani inyaniso?
Ngelishwa, ngalo lonke ixesha umxhasi endicela ukuba ndimisele uqhagamshelo lwe-VPN kubo, ndibalekela kumbandela abasebenzisa iziqinisekiso eziphelelwe lixesha kunye ne-encryption. I-3DES ngokubambisana ne-MD5 iseyinto eqhelekileyo, njenge-AES-256 kunye ne-SHA1. Kwaye nangona le yokugqibela ingcono kancinci, ayisiyiyo into ekufuneka isetyenziswe ngo-2020.
Utshintshiselwano olungundoqo rhoqo I-RSA iyasetyenziswa - isixhobo esicothayo kodwa esikhuselekileyo.
Abathengi bam banxulunyaniswa nabasemagunyeni kunye neminye imibutho namaziko karhulumente, kunye namaqumrhu amakhulu amagama abo aziwa kwihlabathi liphela. Bonke basebenzisa ifom yesicelo eyadalwa kumashumi eminyaka eyadlulayo, kwaye ukukwazi ukusebenzisa i-SHA-512 akuzange kongezwe. Andikwazi ukuthetha ukuba ngandlela-thile ichaphazela ngokucacileyo inkqubela yezobuchwepheshe, kodwa ngokucacileyo iyanciphisa inkqubo yenkampani.
Kubuhlungu kum ukubona oku, kuba i-IPsec ixhase i-elliptic curves offhand ukususela ngonyaka ka-2005. I-Curve25519 nayo intsha kwaye iyafumaneka ukuze isetyenziswe. Kukho ezinye iindlela ze-AES ezifana neCamellia kunye ne-ChaCha20, kodwa ngokucacileyo ayizizo zonke ezixhaswa ngabathengisi abakhulu abanjengoCisco nabanye.
Kwaye abantu bayayisebenzisa. Zininzi iikiti zeCisco, zininzi iikiti ezenzelwe ukusebenza neCisco. Ziinkokheli zemarike kweli candelo kwaye azinamdla kakhulu kulo naluphi na uhlobo lwezinto ezintsha.
Ewe, imeko [kwicandelo leshishini] imbi, kodwa asizukubona naluphi na utshintsho ngenxa yeWireGuard. Abathengisi mhlawumbi abanakuze babone nayiphi na imiba yokusebenza kunye nesixhobo kunye ne-encryption abasele beyisebenzisa, abayi kubona naziphi na iingxaki nge-IKEv2, kwaye ke abakhangeli ezinye iindlela.
Ngokubanzi, ngaba ukhe wacinga ngokushiya uCisco?
Iimpawu zokuthelekisa
Kwaye ngoku masiqhubele phambili kwibenchmarks ukusuka kuxwebhu lweWireGuard. Nangona eli [amaxwebhu] ingelonqaku lenzululwazi, bendisalindele ukuba abaphuhlisi bathathe indlela yenzululwazi, okanye basebenzise indlela yenzululwazi njengesalathiso. Naziphi na iimpawu zokulinganisa azinamsebenzi ukuba azikwazi ukuphinda zenziwe kwakhona, kwaye azinamsebenzi ngakumbi xa zifunyenwe kwibhubhoratri.
Kulwakhiwo lweLinux lweWireGuard, ithatha ithuba lokusebenzisa i-GSO-Isegmentation ye-Generic Segmentation. Ndiyabulela kuye, umxhasi wenza ipakethi enkulu yeekhilobhayithi ezingama-64 kwaye uyibhale ngekhowudi / uyikhuphe ngexesha elinye. Ngaloo ndlela, iindleko zokubiza kunye nokuphumeza imisebenzi ye-cryptographic iyancitshiswa. Ukuba ufuna ukwandisa uqhagamshelo lwakho lweVPN, lo ngumbono olungileyo.
Kodwa, njengesiqhelo, inyaniso ayikho lula. Ukuthumela ipakethe enkulu kangako kwiadaptha yenethiwekhi kufuna ukuba isikwe kwiipakethi ezininzi ezincinci. Ubungakanani obuqhelekileyo bokuthumela yi-1500 bytes. Oko kukuthi, i-giant yethu ye-64 kilobytes iya kwahlulwa kwiipakethi ze-45 (i-1240 bytes yolwazi kunye ne-20 bytes ye-header ye-IP). Emva koko, ixesha elithile, baya kuthintela ngokupheleleyo umsebenzi we-adapter yenethiwekhi, kuba kufuneka bathunyelwe kunye kwaye kanye. Ngenxa yoko, oku kuya kukhokelela ekutsibeni okuphambili, kwaye iipakethi ezifana neVoIP, umzekelo, ziya kufolwa.
Ngaloo ndlela, i-throughput ephezulu eyenziwa yi-WireGuard ngesibindi amabango aphunyezwa kwiindleko zokunciphisa uthungelwano lwezinye izicelo. Kwaye iqela le-WireGuard sele likhona esi sisigqibo sam.
Kodwa masiqhubele phambili.
Ngokweebhentshi kumaxwebhu obugcisa, uxhulumaniso lubonisa i-throughput ye-1011 Mbps.
Iyachukumisa.
Oku kuchukumisa ngokukhethekileyo ngenxa yokuba eyona ngcingane iphezulu yethiyori yoqhagamshelo lwe-Gigabit Ethernet eyodwa yi-966 Mbps kunye nobukhulu bepakethi ye-1500 bytes thabatha i-20 bytes kwi-header ye-IP, i-8 bytes ye-header ye-UDP kunye ne-16 bytes kwi-header iWireGuard ngokwayo . Kukho enye enye i-header ye-IP kwipakethi efihliweyo kunye nenye enye kwi-TCP ye-20 bytes. Ngoko le bandwidth yongezelelweyo ivela phi?
Ngezakhelo ezinkulu kunye neenzuzo ze-GSO esithethe ngazo apha ngasentla, ubuninzi bethiyori kubungakanani besakhelo se-9000 bytes buya kuba yi-1014 Mbps. Ngokuqhelekileyo loo mveliso ayifumaneki ngokwenene, kuba inxulunyaniswa nobunzima obukhulu. Ke, ndinokucinga kuphela ukuba uvavanyo lwenziwa kusetyenziswa iifreyimu ezityebileyo ezingaphezulu kweekhilobhayithi ezingama-64 ezinobuninzi bethiyori ye-1023 Mbps, exhaswa kuphela ziiadaptha zenethiwekhi ezithile. Kodwa oku akusebenzi ngokupheleleyo kwiimeko zokwenyani, okanye kunokusetyenziswa kuphela phakathi kwezikhululo ezibini eziqhagamshelwe ngokuthe ngqo, ngokukodwa ngaphakathi kwebhentshi yovavanyo.
Kodwa ekubeni i-tunnel ye-VPN ithunyelwa phakathi kweenginginya ezimbini zisebenzisa uqhagamshelo lwe-Intanethi olungaxhasi iifreyimu ze-jumbo konke konke, isiphumo esiphunyeziweyo kwibhentshi asinakuthathwa njengebhentshi. Oku kuyimpumelelo yelabhoratri engekho ngqiqweni engenakwenzeka kwaye engasebenziyo kwiimeko zokwenyani zokulwa.
Nokuba ndihleli kwiziko ledatha, andikwazanga ukuhambisa izakhelo ezinkulu kune-9000 bytes.
Umgaqo wokusetyenziswa kubomi bokwenyani uphulwa ngokupheleleyo kwaye, njengoko ndicinga, umbhali we "umlinganiselo" owenziweyo wazigxeka ngenxa yezizathu ezicacileyo.
Intlantsi yokugqibela yethemba
Iwebhusayithi yeWireGuard ithetha kakhulu malunga nezikhongozeli kwaye kuyacaca ukuba yenzelwe ntoni.
I-VPN elula nekhawulezayo engadingi kuqwalaselo kwaye inokubekwa kwaye iqwalaselwe ngezixhobo ezinkulu zokucula njengeAmazon efini layo. Ngokukodwa, iAmazon isebenzisa izinto zehardware zamva nje endizikhankanye ngaphambili, njenge-AVX512. Oku kwenzelwa ukukhawulezisa umsebenzi kwaye ungabotshelelwa kwi-x86 okanye nayiphi na enye i-architecture.
Baphucula i-throughput kunye neepakethi ezinkulu kune-9000 bytes - ezi ziya kuba zizakhelo ezinkulu ezifihliweyo zemigqomo yokunxibelelana enye kwenye, okanye kwimisebenzi yogcino, ukwenza izifinyezo okanye ukuthumela ezi zikhongozeli zinye. Nokuba iidilesi ze-IP eziguquguqukayo aziyi kuchaphazela ukusebenza kwe-WireGuard nangayiphi na indlela kwimeko yemeko endiyichazileyo.
Idlalwe kakuhle. Ukuphunyezwa okuqaqambileyo kunye nocekeceke kakhulu, phantse ireferensi yereferensi.
Kodwa ayingeni kwihlabathi elingaphandle kweziko ledatha olilawulayo ngokupheleleyo. Ukuba uthatha umngcipheko kwaye uqale ukusebenzisa i-WireGuard, kuya kufuneka wenze ukulungelelaniswa rhoqo kuyilo kunye nokuphunyezwa kweprotocol yokufihla.
isiphelo
Kulula kum ukuba ndigqibe kwelokuba iWireGuard ayikalungi.
Yakhulelwa njengesisombululo esilula kunye nesikhawulezayo kwiingxaki ezininzi ezinezisombululo ezikhoyo. Ngelishwa, ngenxa yezi zisombululo, wancama izinto ezininzi eziya kufaneleka kubasebenzisi abaninzi. Kungenxa yoko le nto ingenako ukuthatha indawo ye-IPsec okanye i-OpenVPN.
Ukuze i-WireGuard ikwazi ukukhuphisana, kufuneka yongeze ubuncinane idilesi ye-IP kunye nomgaqo kunye noqwalaselo lwe-DNS. Ngokucacileyo, le yeyona nto yenzelwe amajelo afihliweyo.
Ukhuseleko yinto yam ephambili, kwaye ngoku andinasizathu sokukholelwa ukuba i-IKE okanye i-TLS ngandlela-thile ithotyelwe okanye yaphukile. I-encryption yanamhlanje ixhaswa kuzo zombini, kwaye zibonakaliswe ngamashumi eminyaka yokusebenza. Kungenxa yokuba into entsha ayithethi ukuba ingcono.
Ukusebenzisana kubaluleke kakhulu xa unxibelelana namaqela esithathu anezikhululo zawo ungazilawuliyo. IPsec ngumgangatho we-de facto kwaye ixhaswa phantse yonke indawo. Kwaye uyasebenza. Kwaye nokuba ijongeka njani, ithiyori, iWireGuard kwixesha elizayo isenokungahambelani neenguqulelo zayo ezahlukeneyo.
Naluphi na ukhuseleko lwe-cryptographic lwaphulwa ngokukhawuleza okanye kamva kwaye, ngokufanelekileyo, kufuneka lutshintshwe okanye luhlaziywe.
Ukukhanyela zonke ezi nyaniso kunye nokufuna ngobumfama ukusebenzisa i-WireGuard ukuqhagamshela i-iPhone yakho kwindawo yokusebenzela yasekhaya yiklasi yenkosi yokufaka intloko yakho esantini.
umthombo: www.habr.com