The WireGuard VPN has been accepted into the net-next branch and is scheduled for inclusion in the Linux 5.6 kernel.

David Miller (David S. Miller), who is responsible for the networking subsystem of the Linux kernel, has accepted into the net-next branch the patches implementing the VPN interface from the WireGuard project. Early next year, the changes accumulated in the net-next branch will form the basis of the Linux kernel 5.6 release.

Attempts to push the WireGuard code into the mainline kernel had been made over the past few years, but they remained unsuccessful because the code was tied to its own implementations of the cryptographic primitives, which were used to improve performance. Initially, these primitives were proposed for the kernel as an additional low-level API called Zinc, which could eventually have replaced the standard Crypto API.

Following discussions at the Kernel Recipes conference, the WireGuard developers decided in September on a compromise: to switch their patches to the Crypto API already present in the kernel, even though the WireGuard developers have complaints about its performance and general security. It was decided to continue developing the Zinc API, but as a separate project.

In November, the kernel developers met the compromise halfway and agreed to move part of the Zinc code into the mainline kernel. Essentially, some Zinc components will be delivered in the kernel, not as a separate API but as part of the Crypto API subsystem. For example, the Crypto API already includes the fast implementations of the ChaCha20 and Poly1305 algorithms prepared for WireGuard.

In connection with the upcoming delivery of WireGuard in the mainline kernel, the project founder announced a reorganization of the repository. To simplify development, the monolithic "WireGuard.git" repository, which was designed to be self-contained, will be replaced by three separate repositories better suited to organizing work on the code in the mainline kernel:

  • wireguard-linux.git - a full kernel tree with the changes from the WireGuard project; patches from it will be reviewed for inclusion in the kernel and regularly forwarded to the net/net-next branches.
  • wireguard-tools.git - a repository for the utilities and scripts that run in user space, such as wg and wg-quick. The repository can be used to build distribution packages.
  • wireguard-linux-compat.git - a repository with a variant of the module delivered separately from the kernel and including the compat.h layer to ensure compatibility with older kernels. The main development will take place in the wireguard-linux.git repository, but as long as there is an opportunity and a need among users, the separate variant of the patches will also be kept in working form.

Recall that the WireGuard VPN is built on modern encryption methods, delivers very high performance, is easy to use, is free of complications and has proven itself in a number of large deployments handling large volumes of traffic. The project has been developed since 2015 and has undergone an audit and formal verification of the encryption methods it uses. WireGuard support is already integrated into NetworkManager and systemd, and kernel patches are included in the base distributions Debian Unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph and ALT.

WireGuard uses the concept of encryption key routing: a private key is attached to each network interface and is used to bind the public keys of peers. Public keys are exchanged to establish a connection in a manner similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, which is similar to maintaining authorized_keys in SSH. Data is transmitted by encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) is supported without breaking the connection, with the client being reconfigured automatically.
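The key routing concept above decides, for every packet, which peer's key is used and whether a decrypted packet may be trusted at all. The following toy model is an added example, not WireGuard's own code: peers are identified by a public key and carry a list of AllowedIPs; outbound packets pick the peer by longest-prefix match on the destination, and inbound packets are dropped unless their inner source address lies inside the AllowedIPs of the peer whose key decrypted them. The peer keys and addresses are constructed placeholders.

```python
"""Toy model of WireGuard-style cryptokey routing (added example, not WireGuard code)."""
import ipaddress
from typing import Dict, List, Optional

# Constructed sample peer table; the keys are placeholders, not real WireGuard keys.
PEERS: Dict[str, List[str]] = {
    "PEER_A_PUBKEY_PLACEHOLDER": ["10.0.0.2/32", "192.168.10.0/24"],
    "PEER_B_PUBKEY_PLACEHOLDER": ["10.0.0.3/32", "0.0.0.0/0"],  # B is the default route
}


class CryptokeyRouter:
    def __init__(self, peers: Dict[str, List[str]]) -> None:
        # Flatten the table into (network, pubkey) pairs for lookup.
        self.routes = [
            (ipaddress.ip_network(cidr), pubkey)
            for pubkey, cidrs in peers.items()
            for cidr in cidrs
        ]

    def select_peer(self, dst: str) -> Optional[str]:
        """Outbound: the destination address selects the peer (and thus the key)
        by longest-prefix match over all AllowedIPs. None means: no peer, drop."""
        addr = ipaddress.ip_address(dst)
        best = None
        for net, pubkey in self.routes:
            # `addr in net` is False when the IP versions differ, so no exception here.
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, pubkey)
        return best[1] if best else None

    def accept_inbound(self, pubkey: str, src: str) -> bool:
        """Inbound: a packet authenticated under `pubkey` is accepted only if its
        inner source address falls inside that peer's AllowedIPs. This is what
        prevents one peer from injecting traffic claiming another peer's address."""
        addr = ipaddress.ip_address(src)
        return any(addr in net for net, pk in self.routes if pk == pubkey)


if __name__ == "__main__":
    router = CryptokeyRouter(PEERS)
    print("192.168.10.7 ->", router.select_peer("192.168.10.7"))      # PEER_A (/24 beats /0)
    print("8.8.8.8 ->", router.select_peer("8.8.8.8"))                # PEER_B (default route)
    print("A spoofing B:", router.accept_inbound("PEER_A_PUBKEY_PLACEHOLDER", "10.0.0.3"))  # False
```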

For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) algorithm are used, designed by Daniel Bernstein (Daniel J. Bernstein), Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure analogues of AES-256-CTR and HMAC, whose software implementation achieves a fixed execution time without relying on special hardware support. To generate the shared secret key, the elliptic curve Diffie-Hellman protocol is used in the Curve25519 implementation, also proposed by Daniel Bernstein. The algorithm used for hashing is BLAKE2s (RFC7693).

WireGuard performance tests showed 3.9 times higher throughput and 3.8 times higher responsiveness compared with OpenVPN (256-bit AES with HMAC-SHA2-256). Compared with IPsec (256-bit ChaCha20 + Poly1305 and AES-256-GCM-128), WireGuard shows a small performance improvement (13-18%) and lower latency (21-23%). The tests were run using the fast implementations of the encryption algorithms developed by the project; moving to the kernel's standard Crypto API may lead to worse performance.


Source: opennet.ru
