New WireGuard VPN implementation added to the FreeBSD codebase

The FreeBSD source tree has been updated with a new implementation of the WireGuard VPN, based on kernel module code developed jointly by the core FreeBSD and WireGuard development teams, with contributions from Jason A. Donenfeld, the author of WireGuard, and John H. Baldwin, a well-known GDB and FreeBSD developer who implemented SMP and NUMA support in the FreeBSD kernel in the early 2000s. Now that the driver has been accepted into FreeBSD (sys/dev/wg), its development and maintenance will continue in the FreeBSD repository.

Before the code was accepted, a complete review of the changes was carried out with the support of the FreeBSD Foundation. The review analyzed the driver's interaction with the rest of the kernel subsystems and tested the feasibility of using the cryptographic primitives provided by the kernel.

To make the cryptographic algorithms required by the driver available, the API of the FreeBSD kernel crypto subsystem was extended with a harness that allows algorithms not otherwise supported in FreeBSD to be used through the standard crypto API, backed by the implementations of those algorithms from the libsodium library. Of the algorithms originally built into the driver, only the code for computing Blake2 hashes was kept, because the implementation of this algorithm shipped with FreeBSD is tied to a fixed hash size.

In addition, during the review process the code was optimized to improve the efficiency of load distribution on multi-core CPUs (packet encryption and decryption tasks are now spread evenly across CPU cores). As a result, the packet-processing overhead is close to that of the Linux driver implementation. The code can also use the ossl driver to accelerate encryption operations.

Unlike the previous attempt to integrate WireGuard into FreeBSD, the new implementation uses the standard wg utility rather than a modified version of ifconfig, which makes it easier to unify configuration between Linux and FreeBSD. The wg utility is included in the FreeBSD source code together with the driver, which became possible after the wg code was relicensed (the code is now available under both the MIT and GPL licenses). The previous attempt to include WireGuard in FreeBSD was made in 2020 but ended in scandal: the code that had already been added was removed because of its low quality, careless handling of buffers, use of stubs instead of checks, incomplete implementation of the protocol, and violation of the GPL license.

Recall that the WireGuard VPN is built on modern encryption methods, provides very high performance, is easy to use, is free of unnecessary complexity, and has proven itself in a number of large deployments handling high volumes of traffic. The project has been under development since 2015 and has undergone an audit and formal verification of the cryptographic methods it uses. WireGuard uses the concept of encryption key routing, in which a private key is attached to each network interface and used to bind the public keys of peers.
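The cryptokey routing described above, modelled in Python as an added example (not code from FreeBSD or the WireGuard project): each peer is identified by its public key and owns a set of allowed IP ranges, outbound packets are routed by longest-prefix match on the destination, and inbound packets from a peer are kept only if their inner source address lies inside that peer's ranges. The peer keys and addresses are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Peer:
    public_key: str                   # Curve25519 public key (placeholder string here)
    allowed_ips: list = field(default_factory=list)   # ip_network objects


class CryptokeyRoutingTable:
    """Maps allowed IP ranges to peers, as a WireGuard interface does."""

    def __init__(self):
        self.peers = {}   # public_key -> Peer

    def add_peer(self, public_key, allowed_ips):
        nets = [ipaddress.ip_network(a) for a in allowed_ips]
        # An exact range belongs to one peer; this model rejects a duplicate.
        for other in self.peers.values():
            dup = [n for n in nets if n in other.allowed_ips]
            if dup:
                raise ValueError(f"{dup[0]} already belongs to {other.public_key}")
        self.peers[public_key] = Peer(public_key, nets)

    def route_outbound(self, dst):
        """Pick the peer whose allowed range is the longest prefix match for dst."""
        addr = ipaddress.ip_address(dst)
        best_key, best_len = None, -1
        for peer in self.peers.values():
            for net in peer.allowed_ips:
                if addr in net and net.prefixlen > best_len:
                    best_key, best_len = peer.public_key, net.prefixlen
        return best_key   # None means no peer matches: the packet is dropped

    def accept_inbound(self, sender_key, src):
        """Keep a decrypted packet only if its inner source is in the sender's ranges."""
        peer = self.peers.get(sender_key)
        if peer is None:
            return False
        addr = ipaddress.ip_address(src)
        return any(addr in net for net in peer.allowed_ips)


def build_demo_table():
    """Constructed sample: two single-address peers and one default-route peer."""
    t = CryptokeyRoutingTable()
    t.add_peer("PEER_A_PUBKEY", ["10.0.0.2/32"])
    t.add_peer("PEER_B_PUBKEY", ["10.0.0.3/32", "192.168.10.0/24"])
    t.add_peer("GATEWAY_PUBKEY", ["0.0.0.0/0"])
    return t


if __name__ == "__main__":
    t = build_demo_table()
    print(t.route_outbound("192.168.10.7"))               # PEER_B_PUBKEY
    print(t.accept_inbound("PEER_A_PUBKEY", "10.0.0.3"))  # False: source not in A's range
```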

Public keys are exchanged to establish a connection in a manner similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism of the Noise Protocol Framework is used, comparable to maintaining authorized_keys in SSH. Data is transferred by encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) is supported without dropping the connection, with the client reconfiguring automatically.

Encryption uses the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) algorithm, developed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure analogues of AES-256-CTR and HMAC, whose software implementations achieve constant execution time without relying on special hardware support. To generate a shared secret key, the elliptic curve Diffie-Hellman protocol is used with the Curve25519 implementation, also proposed by Daniel Bernstein. The BLAKE2s algorithm (RFC 7693) is used for hashing.

Source: opennet.ru