Namhlanje uLinus ufudusele kuye isebe elilandelayo elinonxibelelwano lweVPN . Malunga nesi siganeko kuluhlu lokuposa lweWireGuard.
Ukuqokelelwa kwekhowudi ye-Linux 5.6 kernel entsha kuyaqhubeka ngoku. I-WireGuard sisizukulwana esilandelayo esikhawulezayo se-VPN esebenzisa i-cryptography yanamhlanje. Yayiphuhliswe ekuqaleni njengendlela elula kwaye elula ngakumbi kwiiVPN ezikhoyo. Umbhali yingcali yokhuseleko lolwazi lwaseKhanada uJason A. Donenfeld. Ngo-Agasti ka-2018, i-WireGuard nguLinus Torvalds. Ngeli xesha, umsebenzi waqala ukubandakanya i-VPN kwi-Linux kernel. Inkqubo yathatha ixesha elide.
βNdiyabona ukuba uJason wenze isicelo sokutsala iWireGuard kwi-kernel,β wabhala uLinus nge-2 ka-Agasti ka-2018. Ngaba ndingaphinda ndivakalise uthando lwam ngale VPN kwaye ndinethemba lokudityaniswa kungekudala? Ikhowudi isenokungafezekanga, kodwa ndiyijongile, kwaye xa ndithelekisa nezothuso ze-OpenVPN kunye ne-IPSec, ngumsebenzi wokwenene wobugcisa. "
Ngaphandle kweminqweno kaLinus, ukudibanisa kwathatha unyaka onesiqingatha. Ingxaki ephambili yajika yadityaniswa nokuphunyezwa kobunikazi bemisebenzi ye-cryptographic, eyayisetyenziselwa ukuphucula ukusebenza. Emva kothethathethwano olude ngoSeptemba 2019 kwaba njalo ukuguqulela ama-patches kwimisebenzi ye-Crypto API ekhoyo kwi-kernel, apho abaphuhlisi be-WireGuard banezikhalazo kwintsimi yokusebenza kunye nokhuseleko jikelele. Kodwa bagqiba ekubeni bahlule imisebenzi ye-crypto ye-WireGuard ye-crypto kwindawo eyahlukileyo ye-Zinc API kwaye ekugqibeleni bayifake kwi-kernel. NgoNovemba, abaphuhlisi be-kernel bagcina isithembiso sabo kwaye dlulisela inxalenye yekhowudi ukusuka kwiZinc ukuya kwi-kernel engundoqo. Ngokomzekelo, kwi-Crypto API ukuphunyezwa ngokukhawuleza kwe-ChaCha20 kunye ne-Poly1305 algorithms elungiselelwe kwi-WireGuard.
Ekugqibeleni, nge-9 kaDisemba 2019, uDavid S. Miller, ojongene nenkqubo yothungelwano ye-Linux kernel, kwi-net-elandelayo isebe ngokuphunyezwa kojongano lweVPN kwiprojekthi yeWireGuard.
Kwaye namhlanje, nge-29 kaJanuwari 2020, utshintsho luye ku-Linus ukuze lufakwe kwi-kernel.
Ibango lezibonelelo zeWireGuard ngaphezulu kwezinye izisombululo zeVPN:
- Kulula ukuyisebenzisa.
- Isebenzisa i-cryptography yanamhlanje: Isakhelo seprothokholi yengxolo, iCurve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, njl.
- I-Compact, ikhowudi efundekayo, kulula ukuyiphanda ngobuthathaka.
- Ukwenza okuphezulu.
- Icace kwaye ichanekile .
Yonke ingqiqo yeWireGuard ithatha ngaphantsi kwe4000 yemigca yekhowudi, ngelixa i-OpenVPN kunye ne-IPSec zifuna amakhulu amawaka emigca.
βI-WireGuard isebenzisa ingqikelelo yonxibelelwano lwesitshixo soguqulelo oluntsonkothileyo, olubandakanya ukuncamathisela isitshixo sabucala kujongano lwenethiwekhi nganye kunye nokusebenzisa izitshixo zoluntu ukuyibophelela. Izitshixo zikawonke-wonke ziyatshintshwa ukuseka umdibaniso ngendlela efanayo kwi-SSH. Ukuthethathethana nezitshixo kunye nokudibanisa ngaphandle kokusebenzisa i-daemon eyahlukileyo kwindawo yomsebenzisi, indlela yeNoise_IK esuka iyafana nokugcina authorized_keys kwi-SSH. Ukuhanjiswa kwedatha kuqhutyelwa nge-encapsulation kwiipakethi ze-UDP. Ixhasa ukutshintsha idilesi ye-IP yomncedisi weVPN (ukuzulazula) ngaphandle kokuqhawula uxhulumaniso ngohlengahlengiso oluzenzekelayo lomxhasi, - Opennet.
Eyoguqulelo oluntsonkothileyo stream cipher kunye ne-algorithm yoqinisekiso lomyalezo (MAC) , iyilwe nguDaniel Bernstein (), uTanja Lange kunye noPeter Schwabe. I-ChaCha20 kunye ne-Poly1305 zibekwe njengee-analogues ezikhawulezayo nezikhuselekileyo ze-AES-256-CTR kunye ne-HMAC, ukuphunyezwa kwesoftware evumela ukufezekisa ixesha elimiselweyo ngaphandle kokusetyenziswa kwenkxaso ekhethekileyo ye-hardware. Ukuvelisa iqhosha eliyimfihlo ekwabelwana ngalo, i-elliptic curve Diffie-Hellman protocol isetyenziswa ekuphunyezweni , ikwacetywe nguDaniel Bernstein. I-algorithm esetyenziselwa i-hashing yi Β».
Iziphumo kwiwebhusayithi esemthethweni:
Ububanzi (megabit/s)
I-ping (ms)
Ubume bovavanyo:
- I-Intel Core i7-3820QM kunye ne-Intel Core i7-5200U
- Gigabit amakhadi Intel 82579LM kunye Intel I218LM
- Linux 4.6.1
- Uqwalaselo lwe-WireGuard: 256-bit ChaCha20 kunye nePoly1305 ye-MAC
- Uqwalaselo lokuqala lwe-IPsec: 256-bit ChaCha20 kunye nePoly1305 ye-MAC
- Uqwalaselo lwesibini lwe-IPsec: AES-256-GCM-128 (kunye ne-AES-NI)
- Uqwalaselo lwe-OpenVPN: I-AES 256-bit elingana ne-cipher suite ene-HMAC-SHA2-256, imowudi ye-UDP
- Ukusebenza kulinganiswe kusetyenziswa
iperf3, ibonisa umphumo ophakathi kwimizuzu engama-30.
Kwithiyori, xa sele idityanisiwe kwisitaki sothungelwano, iWireGuard kufuneka isebenze ngokukhawuleza. Kodwa ngokwenene oku akuyi kuba njalo ngenxa yenguqu kwi-Crypto API cryptographic imisebenzi eyakhelwe kwi-kernel. Mhlawumbi ayizizo zonke ezisele zilungiselelwe ukuya kwinqanaba lokusebenza kwe-WireGuard yomthonyama.
Ngokombono wam, iWireGuard ifanelekile kumsebenzisi. Zonke izigqibo ezisezantsi zenziwa kwinkcazo, ngoko ke inkqubo yokulungiselela isiseko seVPN esiqhelekileyo sithatha imizuzu embalwa kuphela. Kuphantse ukuba akunakwenzeka ukuphazamisa ulungelelwaniso - kuHabrΓ© ngo-2018. β Inkqubo yokufakela kwiwebhusayithi esemthethweni, ndingathanda ukuqaphela ngokwahlukileyo okubalaseleyo . Oku kulula ukusetyenziswa kunye nokudibanisa kwesiseko sekhowudi kwaphunyezwa ngokuphelisa ukuhanjiswa kwezitshixo. Akukho sistim yesatifikethi esintsonkothileyo kunye nayo yonke le nto yoyikeka yenkampani; izitshixo ezimfutshane zofihlo zisasazwe kakhulu njengezitshixo ze-SSH. "
Iprojekthi ye-WireGuard iye yaphuhliswa ukususela ngo-2015, ihlolwe kwaye . Inkxaso ye-WireGuard idibaniswe kwi-NetworkManager kunye ne-systemd, kwaye i-kernel patches ifakwe kwisiseko sokusabalalisa i-Debian Unstable, i-Mageia, i-Alpine, i-Arch, i-Gentoo, i-OpenWrt, i-NixOS, i-Subgraph kunye ne-ALT.
umthombo: www.habr.com