VPN WireGuard 1.0.0 available

The landmark release of VPN WireGuard 1.0.0 has been presented, marking the delivery of the WireGuard components in the main Linux 5.6 kernel and the stabilization of development. The code included in the Linux kernel has passed an additional security audit performed by an independent firm that specializes in such audits. The audit did not reveal any problems.

Since WireGuard is now developed in the main Linux kernel, a repository, wireguard-linux-compat.git, has been prepared for distributions and for users who continue to use older kernel versions. The repository includes the backported WireGuard code and a compat.h layer that ensures compatibility with older kernels. It is noted that as long as the developers have the opportunity and users need it, a separate version of the patches will be kept in working form. In its current form, the standalone version of WireGuard can be used with the kernels from Ubuntu 20.04 and Debian 10 "Buster", and it is also available as patches for the Linux 5.4 and 5.5 kernels. Distributions that use the latest kernels, such as Arch, Gentoo and Fedora 32, will be able to use WireGuard with the 5.6 kernel update.

The main development is now carried out in the wireguard-linux.git repository, which includes the complete Linux kernel tree with the changes from the WireGuard project. Patches from this repository will be reviewed for inclusion in the main kernel and pushed regularly to the net/net-next branches. Development of the utilities and scripts that run in user space, such as wg and wg-quick, is carried out in the wireguard-tools.git repository, which can be used to build packages in distributions.

As a reminder, VPN WireGuard is implemented on the basis of modern encryption methods, provides very high performance, is easy to use, is free of complications, and has proven itself in a number of large deployments that handle large volumes of traffic. The project has been in development since 2015 and has undergone an audit and formal verification of the encryption methods it uses. WireGuard support is already integrated into NetworkManager and systemd, and the kernel patches are included in the base distributions Debian unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph and ALT.

WireGuard uses the concept of cryptokey routing, which involves attaching a private key to each network interface and using it to bind public keys. Public keys are exchanged to establish a connection in a way similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, similar to maintaining authorized_keys in SSH. Data is transmitted by encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) without breaking the connection is supported, with automatic reconfiguration of the client.
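The cryptokey routing and roaming behaviour described above can be modelled in a few lines. This is an added example, not code from the article or from the WireGuard project: it is a simplified model with no real cryptography, it assumes WireGuard's per-peer allowed-IP list (a concept the article does not name), and the keys and addresses are constructed placeholders.

```python
import ipaddress


class CryptokeyRouter:
    """Toy model of one interface's peer table; no real cryptography."""

    def __init__(self):
        self.routes = []     # (allowed network, peer public key)
        self.endpoints = {}  # peer public key -> last authenticated (ip, port)

    def add_peer(self, pubkey, allowed_ips, endpoint=None):
        for cidr in allowed_ips:
            self.routes.append((ipaddress.ip_network(cidr), pubkey))
        self.endpoints[pubkey] = endpoint

    def _lookup(self, addr):
        # Longest-prefix match of an inner IP address to the owning peer key.
        ip = ipaddress.ip_address(addr)
        hits = [(net.prefixlen, key) for net, key in self.routes
                if net.version == ip.version and ip in net]
        return max(hits)[1] if hits else None

    def route_outbound(self, dst_ip):
        """Key to encrypt to for dst_ip; None means drop, never send in clear."""
        return self._lookup(dst_ip)

    def accept_inbound(self, authenticated_key, inner_src_ip, outer_endpoint):
        """Call only after the packet authenticated under authenticated_key."""
        if authenticated_key not in self.endpoints:
            return False
        # Roaming: an authenticated packet teaches us the peer's new address.
        self.endpoints[authenticated_key] = outer_endpoint
        # Anti-spoofing: the inner source must belong to that same peer.
        return self._lookup(inner_src_ip) == authenticated_key


def build_demo_router():
    # Constructed placeholder keys and documentation-range addresses.
    router = CryptokeyRouter()
    router.add_peer("PEER_A_PUBKEY", ["10.0.0.2/32"], ("192.0.2.10", 51820))
    router.add_peer("PEER_B_PUBKEY", ["10.0.0.0/24", "fd00::/64"])
    return router


if __name__ == "__main__":
    r = build_demo_router()
    print(r.route_outbound("10.0.0.2"), r.route_outbound("172.16.0.1"))
    print(r.accept_inbound("PEER_B_PUBKEY", "10.0.0.2", ("198.51.100.5", 4000)))
```

The second call shows why the binding matters for defence: a packet that authenticates under peer B's key but carries peer A's inner address is rejected, so a valid peer cannot impersonate another peer's tunnel address.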

For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication (MAC) algorithm are used, designed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure analogues of AES-256-CTR and HMAC, whose software implementation makes it possible to achieve a fixed execution time without special hardware support. To generate the shared secret key, the elliptic-curve Diffie-Hellman protocol is used in the Curve25519 implementation, also proposed by Daniel Bernstein. The algorithm used for hashing is BLAKE2s (RFC7693).

In older performance testing, WireGuard showed 3.9 times higher performance and 3.8 times higher responsiveness compared with OpenVPN (256-bit AES with HMAC-SHA2-256). Compared with IPsec (256-bit ChaCha20 + Poly1305 and AES-256-GCM-128), WireGuard shows a slight performance improvement (13-18%) and lower latency (21-23%). The test results published on the project website cover the old standalone implementation of WireGuard and are marked as being of insufficiently high quality. Since that testing, the WireGuard and IPsec code has been optimized further and is now faster. More complete testing that covers the implementation integrated into the kernel has not yet been carried out. Nevertheless, it is noted that WireGuard still outperforms IPsec in some situations because of multithreading, while OpenVPN remains very slow.

Source: opennet.ru