Today Linus pulled into his tree the next branch with VPN connections
Code for the new Linux 5.6 kernel is currently being collected. WireGuard is a fast next-generation VPN that uses modern cryptography. It was originally developed as a simpler and more convenient alternative to existing VPNs. The author is the Canadian information security specialist Jason A. Donenfeld. In August 2018, WireGuard
"I see that Jason has made a pull request to get WireGuard into the kernel," Linus wrote on 2 August 2018. "Can I once again express my love for this VPN and hope that it gets merged soon? The code may not be perfect, but I have looked at it, and compared with the horrors of OpenVPN and IPSec, it is a real work of art."
Despite Linus's wishes, the merge took a year and a half. The main problem turned out to be tied to the project's own implementations of cryptographic functions, which were used to improve performance. After lengthy negotiations, in September 2019 it was
Finally, on 9 December 2019, David S. Miller, who is responsible for the networking subsystem of the Linux kernel,
And today, 29 January 2020, the changes went to Linus for inclusion in the kernel.
The claimed advantages of WireGuard over other VPN solutions:
- Easy to use.
- Uses modern cryptography: Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, etc.
- Compact, readable code that is easier to audit for vulnerabilities.
- High performance.
- A clear and precise specification.
All of WireGuard's logic takes fewer than 4000 lines of code, while OpenVPN and IPSec require hundreds of thousands of lines.
"WireGuard uses the concept of cryptokey routing, which involves attaching a private key to each network interface and using public keys to bind it. Public keys are exchanged to establish a connection in a way similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, similar to maintaining authorized_keys in SSH. Data is transmitted by encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) is supported without dropping the connection, with automatic reconfiguration of the client," writes Opennet. "For encryption, the stream cipher ChaCha20 and the message authentication algorithm (MAC) Poly1305 are used, designed by Daniel Bernstein (Daniel J. Bernstein), Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure analogues of AES-256-CTR and HMAC, whose software implementation makes it possible to achieve a fixed execution time without using special hardware support. To generate the shared secret key, the elliptic curve Diffie-Hellman protocol is used in the Curve25519 implementation, also proposed by Daniel Bernstein. The algorithm used for hashing is BLAKE2s (RFC7693)."
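The cryptokey routing idea from the quote above can be shown as a small routing table keyed by peer public key. This is an added example, not code from WireGuard or from the original article; the public keys are placeholders, the addresses are constructed, and the per-peer ranges stand for WireGuard's `AllowedIPs` setting.

```python
import ipaddress

# Constructed sample peers: placeholder public keys mapped to the inner
# address ranges (WireGuard's AllowedIPs) that each peer may use.
PEERS = {
    "PEER_A_PUBLIC_KEY_PLACEHOLDER": ["10.0.0.2/32", "192.168.10.0/24"],
    "PEER_B_PUBLIC_KEY_PLACEHOLDER": ["10.0.0.3/32", "192.168.0.0/16"],
}

def build_table(peers):
    """Flatten peers into (network, public_key) rows, most specific first."""
    rows = [(ipaddress.ip_network(cidr), key)
            for key, cidrs in peers.items() for cidr in cidrs]
    return sorted(rows, key=lambda row: row[0].prefixlen, reverse=True)

def peer_for_address(table, address):
    """Longest-prefix match: which peer's key owns this inner address?"""
    addr = ipaddress.ip_address(address)
    for network, key in table:
        if addr.version == network.version and addr in network:
            return key
    return None  # no peer owns it, so an outbound packet has nowhere to go

def accept_inbound(table, sender_key, inner_source):
    """After a packet authenticates under sender_key, accept it only if its
    inner source address is routed to that same key."""
    owner = peer_for_address(table, inner_source)
    return owner is not None and owner == sender_key

TABLE = build_table(PEERS)

if __name__ == "__main__":
    for dst in ("192.168.10.7", "192.168.20.7", "8.8.8.8"):
        print("outbound", dst, "->", peer_for_address(TABLE, dst))
    # Peer B authenticates correctly but claims an address owned by peer A.
    print("B sending as 192.168.10.7 accepted:",
          accept_inbound(TABLE, "PEER_B_PUBLIC_KEY_PLACEHOLDER", "192.168.10.7"))
```

The same table serves both directions: it selects the encryption key for outbound packets and acts as a source-address filter for inbound ones, so an authenticated peer cannot send traffic from an address assigned to another peer.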
Results
Throughput (megabit/s)
Ping (ms)
Test configuration:
- Intel Core i7-3820QM and Intel Core i7-5200U
- Gigabit cards Intel 82579LM and Intel I218LM
- Linux 4.6.1
- WireGuard configuration: 256-bit ChaCha20 with Poly1305 for MAC
- First IPsec configuration: 256-bit ChaCha20 with Poly1305 for MAC
- Second IPsec configuration: AES-256-GCM-128 (with AES-NI)
- OpenVPN configuration: equivalent 256-bit AES cipher suite with HMAC-SHA2-256, UDP mode
- Performance was measured using iperf3, showing the average result over 30 minutes.
In theory, once integrated into the network stack, WireGuard should run even faster. But in practice this will not be the case, because of the switch to the Crypto API cryptographic functions built into the kernel. Perhaps not all of them are yet optimized to the performance level of native WireGuard.
"In my opinion, WireGuard is ideal for the user. All low-level decisions are made in the specification, so the process of setting up a typical VPN infrastructure takes only a few minutes. It is nearly impossible to get the configuration wrong," as was written on Habré in 2018. "The installation process is described in detail on the official website; I would like to separately note the excellent OpenWRT support. This ease of use and compactness of the code base were achieved by eliminating key distribution. There is no complex certificate system and all that corporate horror; short encryption keys are distributed much like SSH keys."
The WireGuard project has been in development since 2015, has been audited and
Source: www.habr.com