WireGuard will "come" to the Linux kernel - why?

At the end of July, the developers of the WireGuard VPN tunnel proposed a patch set that would make their VPN tunneling software part of the Linux kernel. However, the exact date for carrying out this "idea" remains unknown. Below the cut we talk about this tool in more detail.

/ Photo: Tambako The Jaguar, CC

Briefly about the project

WireGuard is a next-generation VPN tunnel created by Jason A. Donenfeld, CEO of Edge Security. The project was developed as a simpler and faster alternative to OpenVPN and IPsec. The first version of the product contained only 4 thousand lines of code. For comparison, OpenVPN has about 120 thousand lines, and IPsec has 420 thousand.

According to the developers, WireGuard is easy to configure, and the security of the protocol is achieved through proven cryptographic algorithms. When switching networks (Wi-Fi, LTE or Ethernet), you have to reconnect to the VPN server every time. WireGuard servers do not drop the connection, even if the user has received a new IP address.

Although WireGuard was designed for the Linux kernel, the developers have also taken care of a portable version of the tool for Android devices. The application is not yet fully developed, but you can try it now. To do that, you need to become one of the testers.

Overall, WireGuard is quite popular and has already been implemented by many VPN providers, such as Mullvad and AzireVPN. A large number of setup guides for this solution have been published online. For example, there are guides written by users, and there are guides prepared by the project's authors.

Technical details

The official documentation (p. 18) notes that WireGuard's throughput is four times that of OpenVPN: 1011 Mbit/s versus 258 Mbit/s, respectively. WireGuard is also ahead of the standard Linux IPsec solution, which reaches 881 Mbit/s. It also surpasses it in ease of setup.

After the keys have been exchanged (a VPN connection is initiated much like SSH) and the connection is established, WireGuard handles all other tasks by itself: there is no need to worry about roaming, state management, and so on. Additional effort is required if you want to use encryption.

/ Photo: Anders Hojbjerg, CC

To install it, you will need a distribution with a Linux kernel older than 4.1. It can be found in the repositories of the major Linux distributions.

$ sudo add-apt-repository ppa:hda-me/wireguard
$ sudo apt update
$ sudo apt install wireguard-dkms wireguard-tools

As the editors of xakep.ru note, building it yourself from source is also easy. It is enough to bring up the interface and generate the public and private keys:

$ sudo ip link add dev wg0 type wireguard
$ wg genkey | tee privatekey | wg pubkey > publickey

WireGuard does not use the interface to the CryptoAPI crypto provider. Instead, it uses the ChaCha20 stream cipher, the Poly1305 message authentication code, and its own cryptographic hash functions.

The secret key is generated using the Diffie-Hellman protocol based on the elliptic curve Curve25519. For hashing, the BLAKE2 and SipHash hash functions are used. Thanks to the TAI64N timestamp format, the protocol discards packets with a smaller timestamp value, thereby preventing DoS and replay attacks.
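The timestamp check described above, sketched as an added example (not code from the original article or from the WireGuard project): handshake timestamps are encoded as 12-byte TAI64N values, and the responder rejects any handshake whose timestamp is not newer than the last one it accepted from that peer. The `ReplayGuard` class, the fixed 10-second TAI offset and the sample peer keys are assumptions made for illustration.

```python
import struct

TAI64_BASE = 1 << 62   # TAI64 second labels for modern dates start at 2^62
TAI_OFFSET = 10        # assumption: fixed TAI-UTC offset; only ordering matters here


def tai64n(unix_seconds: int, nanoseconds: int) -> bytes:
    """Encode a time as TAI64N: 8-byte big-endian seconds label + 4-byte nanoseconds."""
    if not 0 <= nanoseconds < 1_000_000_000:
        raise ValueError("nanoseconds out of range")
    return struct.pack(">QI", TAI64_BASE + TAI_OFFSET + unix_seconds, nanoseconds)


class ReplayGuard:
    """Hypothetical responder-side state: newest accepted timestamp per peer key."""

    def __init__(self):
        self._latest = {}  # peer public key -> last accepted TAI64N bytes

    def accept(self, peer_public_key: bytes, timestamp: bytes) -> bool:
        if len(timestamp) != 12:
            return False                   # malformed timestamp field
        last = self._latest.get(peer_public_key)
        # Both fields are big-endian, so comparing the raw bytes
        # is the same as comparing the times they encode.
        if last is not None and timestamp <= last:
            return False                   # replayed or stale handshake
        self._latest[peer_public_key] = timestamp
        return True


def demo():
    guard = ReplayGuard()
    peer_a, peer_b = b"A" * 32, b"B" * 32  # constructed stand-ins for public keys
    t1 = tai64n(1_532_000_000, 500)        # constructed sample times
    t2 = tai64n(1_532_000_000, 501)        # one nanosecond later
    return [
        guard.accept(peer_a, t1),  # first handshake from peer A
        guard.accept(peer_a, t1),  # the same packet replayed
        guard.accept(peer_a, t2),  # a genuinely newer handshake
        guard.accept(peer_a, t1),  # an old capture replayed later
        guard.accept(peer_b, t1),  # state is tracked per peer
    ]


if __name__ == "__main__":
    print(demo())
```

Because the stored value only ever moves forward, a captured handshake cannot be replayed to force the responder to redo the expensive key agreement for that peer.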

In this case, WireGuard uses the ioctl function to control I/O (previously Netlink was used), which makes the code cleaner and simpler. You can verify this by looking at the configuration code.

Developer plans

For now, WireGuard is an out-of-tree kernel module. But the project's author, Jason Donenfeld, says the time has come for a full implementation in the Linux kernel, because it is simpler and more reliable than other solutions. Jason is supported in this even by Linus Torvalds himself, who called the WireGuard code a "work of art."

But no one is talking about exact dates for introducing WireGuard into the kernel. It will hardly happen with the August release of Linux kernel 4.18. However, it is possible that this will happen in the very near future: in version 4.19 or 5.0.

When WireGuard is added to the kernel, the developers want to finish the application for Android devices and start writing an application for iOS. There are also plans to complete the implementations in Go and Rust and to port them to macOS, Windows and BSD. It is also planned to implement WireGuard for more "exotic systems": DPDK, FPGA, and many other interesting things. All of them are listed in the project authors' to-do list.


Source: www.habr.com
