The time has come when a VPN is no longer an exotic tool for bearded system administrators. Users have different tasks, but the fact is that everyone needs a VPN.
The problem with current VPN solutions is that they are hard to configure correctly, expensive to maintain, and full of legacy code of dubious quality.
A few years ago, Canadian information security specialist Jason A. Donenfeld decided that enough was enough and set to work.
The claimed advantages of WireGuard over other VPN solutions:
- Easy to use.
- Uses modern cryptography: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, etc.
- Compact, readable code that is easy to audit for vulnerabilities.
- High performance.
- A clear and precise specification.
Has the silver bullet been found? Is it time to bury OpenVPN and IPSec? I decided to look into this, and at the same time did so.
How it works
The operating principle can be described as follows:
- A WireGuard interface is created, and a private key and an IP address are assigned to it. The settings of the other peers are loaded: their public keys, IP addresses, etc.
- All IP packets arriving at the WireGuard interface are encapsulated in UDP and securely delivered to the other peers.
- Clients specify the server's public IP address in their settings. The server discovers the clients' external addresses automatically when correctly authenticated data is received from them.
- The server can change its public IP address without interrupting operation. At the same time, it sends a notification to the connected clients, and they update their configuration on the fly.
- The routing concept used is Cryptokey Routing. WireGuard accepts and sends packets based on the peer's public key. When the server decrypts a correctly authenticated packet, its src field is checked. If it matches the allowed-ips configuration of the authenticated peer, the packet is accepted by the WireGuard interface. When an outgoing packet is sent, the corresponding procedure takes place: the packet's dst field is taken and, based on it, the matching peer is selected; the packet is signed with its key, encrypted with the peer's key and sent to the remote endpoint.
All of WireGuard's core logic takes fewer than 4 thousand lines of code, while OpenVPN and IPSec run to hundreds of thousands of lines. To support modern cryptographic algorithms, it is proposed to include a new cryptographic API in the Linux kernel.
Performance
The greatest performance gain (compared to OpenVPN and IPSec) will be seen on Linux systems, since WireGuard is implemented there as a kernel module. macOS, Android, iOS, FreeBSD and OpenBSD are also supported, but on those platforms WireGuard runs in user space, with all the performance consequences that follow. Windows support is expected to be added in the near future.
Benchmark results with
My user experience
I'm not a VPN expert. I once set up OpenVPN by hand and it was very tedious, and I never tried IPSec. There are too many decisions to make, and it is very easy to shoot yourself in the foot. So I have always used ready-made scripts to configure the server.
WireGuard, in my opinion, is ideal for the average user. All the low-level decisions are made in the specification, so setting up a typical VPN infrastructure takes only a few minutes. It is almost impossible to get the configuration wrong.
Installation process
The encryption keys are generated by the wg utility:
SERVER_PRIVKEY=$( wg genkey )
SERVER_PUBKEY=$( echo $SERVER_PRIVKEY | wg pubkey )
CLIENT_PRIVKEY=$( wg genkey )
CLIENT_PUBKEY=$( echo $CLIENT_PRIVKEY | wg pubkey )
Next, create the server configuration /etc/wireguard/wg0.conf with the following content:
[Interface]
Address = 10.9.0.1/24
ListenPort = 51820          # the UDP port the client's Endpoint points at
PrivateKey = $SERVER_PRIVKEY    # paste the value of $SERVER_PRIVKEY here

[Peer]
PublicKey = $CLIENT_PUBKEY      # paste the value of $CLIENT_PUBKEY here
AllowedIPs = 10.9.0.2/32
and bring up the tunnel with the wg-quick script:
sudo wg-quick up /etc/wireguard/wg0.conf
On systems with systemd you can use sudo systemctl start wg-quick@wg0 instead.
On the client machine, create the configuration /etc/wireguard/wg0.conf:
[Interface]
PrivateKey = $CLIENT_PRIVKEY
Address = 10.9.0.2/24
[Peer]
PublicKey = $SERVER_PUBKEY
AllowedIPs = 0.0.0.0/0
Endpoint = 1.2.3.4:51820 # server's external IP
PersistentKeepalive = 25
And bring up the tunnel in the same way:
sudo wg-quick up /etc/wireguard/wg0.conf
All that remains is to configure NAT on the server so that clients can reach the Internet, and you're done!
This ease of use and compactness of the code base were achieved by dropping key distribution as a core feature. There is no complicated certificate system and all that horror; the short encryption keys are distributed much like SSH keys. But this creates a problem: WireGuard will not be so easy to roll out in some existing networks.
Among the disadvantages, it is worth noting that WireGuard will not work through an HTTP proxy, since UDP is the only available transport. The question arises: will it be possible to obfuscate the protocol? Of course, this is not a VPN's direct job, but OpenVPN, for example, has ways of disguising itself as HTTPS, which helps residents of totalitarian countries use the Internet fully.
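To show what the AllowedIPs lines in the two configs above actually do, here is a small Python model of the Cryptokey Routing rules described in the "How it works" section (an added example, not WireGuard's own code). The peer keys are constructed placeholder strings, and the two tables mirror the server and client wg0.conf files just created; the model also handles overlapping prefixes, which the article's configs do not exercise.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed placeholder keys; real keys are the base64 strings
# produced by `wg genkey` / `wg pubkey`.
SERVER_PUBKEY = "SERVER_PUBKEY_PLACEHOLDER"
CLIENT_PUBKEY = "CLIENT_PUBKEY_PLACEHOLDER"


class CryptokeyRouter:
    """Cryptokey Routing table of one WireGuard interface. AllowedIPs is a
    single table used twice: as an ACL on the inner src of decrypted
    packets and as a routing table on the dst of outgoing packets.
    Peers are known only by their public key."""

    def __init__(self) -> None:
        self.table = []  # list of (ip_network, peer_pubkey)

    def add_peer(self, pubkey: str, allowed_ips: List[str]) -> None:
        for cidr in allowed_ips:
            net = ipaddress.ip_network(cidr, strict=False)
            # A prefix may belong to only one peer; re-adding it moves it.
            self.table = [(n, k) for n, k in self.table if n != net]
            self.table.append((net, pubkey))

    def lookup(self, ip: str) -> Optional[str]:
        """Longest-prefix match, like an ordinary routing table."""
        addr = ipaddress.ip_address(ip)
        hits = [(n, k) for n, k in self.table if addr in n]
        if not hits:
            return None
        return max(hits, key=lambda nk: nk[0].prefixlen)[1]

    def accept_inbound(self, authenticated_peer: str, inner_src: str) -> bool:
        """Run after decryption and authentication: the inner src must map
        back to the peer that sent it, so an authenticated peer cannot
        inject packets claiming an address it was not assigned."""
        return self.lookup(inner_src) == authenticated_peer

    def route_outbound(self, inner_dst: str) -> Optional[str]:
        """Peer whose session will encrypt the packet, or None when no
        peer claims the address (the packet is then dropped)."""
        return self.lookup(inner_dst)


def build_from_article_configs() -> Tuple[CryptokeyRouter, CryptokeyRouter]:
    """The server and client wg0.conf files above as routing tables."""
    server = CryptokeyRouter()
    server.add_peer(CLIENT_PUBKEY, ["10.9.0.2/32"])   # server [Peer]
    client = CryptokeyRouter()
    client.add_peer(SERVER_PUBKEY, ["0.0.0.0/0"])     # client [Peer]
    return server, client
```

The asymmetry is the point: the client routes all traffic to the server, while the server only ever accepts 10.9.0.2 from that client and has no tunnel route to the Internet itself, which is why NAT on the server is still needed.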
Conclusions
To sum up, this is a very interesting and promising project, and you can already use it on personal servers. What do you gain? High performance on Linux systems, easy setup and maintenance, and a compact, readable code base. However, it is too early to rush to move complex infrastructure onto WireGuard; it is worth waiting for its inclusion in the Linux kernel.
To save my time (and yours), I developed
source: www.habr.com