ipipou: more than just an unencrypted tunnel

What do we say to the god of IPv6?

Right, and today we will say the same thing to the god of encryption.

This is about an unencrypted IPv4 tunnel, but not a "warm vacuum-tube" one; a modern "LED" one. Raw sockets also make an appearance here, and packets get handled in user space.

There are N tunneling protocols for every taste and colour:

  • the stylish, fashionable, youthful WireGuard
  • the multifunctional Swiss-army knives OpenVPN and SSH
  • the old but not evil GRE
  • the simplest, fastest, completely unencrypted IPIP
  • the actively developed GENEVE
  • and many others.

But I am a programmer, so I will only increase N by a fraction and leave the development of real protocols to the hardcore protocol developers.

In one not-yet-born project I am working on now, I need to reach hosts behind NAT from the outside. Using protocols with grown-up cryptography for this, I could not shake the feeling that it was like shooting sparrows with a cannon. Since the tunnel is used for the most part only to poke holes in the NAT, and the inner traffic is usually encrypted anyway, it all drowns in HTTPS.

While researching the various tunneling protocols, the attention of my inner perfectionist was drawn again and again to IPIP because of its minimal overhead. But it has one and a half significant drawbacks for my tasks:

  • it requires public IPs on both sides,
  • and it has no authentication at all.

So the perfectionist was driven back into the dark corner of the skull, or wherever it is he lives.

Then one day, while reading articles about natively supported tunnels in Linux, I came across FOU (Foo-over-UDP), i.e. anything wrapped in UDP. So far only IPIP and GUE (Generic UDP Encapsulation) are supported.

"Here it is, the silver bullet! Plain IPIP is enough for me," I thought.

In fact the bullet turned out not to be entirely silver. Encapsulation in UDP solves the first problem: you can connect to clients behind NAT from the outside using a previously established connection. But here the half of the next IPIP drawback blossoms in a new light: anyone on the private network can hide behind the client's visible public IP and port (pure IPIP does not have this problem).

The ipipou utility was born to solve this one-and-a-half problem. It uses a home-made way of authenticating the remote host, without disrupting the kernel FOU, which goes on processing packets quickly and efficiently in kernel space.

We don't need your scripts!

Fine: if the client's public port and IP are known (for example, nobody else behind it goes anywhere and the NAT tries to map ports 1-to-1), you can create an IPIP-over-FOU tunnel with the following commands, without any scripts.

on the server:

# Load the FOU kernel module
modprobe fou

# Create an IPIP tunnel encapsulated in FOU.
# The ipip module is loaded automatically.
ip link add name ipipou0 type ipip \
    remote 198.51.100.2 local 203.0.113.1 \
    encap fou encap-sport 10000 encap-dport 20001 \
    mode ipip dev eth0

# Add the port on which FOU will listen for this tunnel
ip fou add port 10000 ipproto 4 local 203.0.113.1 dev eth0

# Assign an IP address to the tunnel
ip address add 172.28.0.0 peer 172.28.0.1 dev ipipou0

# Bring the tunnel up
ip link set ipipou0 up

on the client:

modprobe fou

ip link add name ipipou1 type ipip \
    remote 203.0.113.1 local 192.168.0.2 \
    encap fou encap-sport 10001 encap-dport 10000 encap-csum \
    mode ipip dev eth0

# The local, peer, peer_port and dev options may not be supported by older kernels; they can be omitted.
# peer and peer_port are used to create the connection immediately when the FOU listener is created.
ip fou add port 10001 ipproto 4 local 192.168.0.2 peer 203.0.113.1 peer_port 10000 dev eth0

ip address add 172.28.0.1 peer 172.28.0.0 dev ipipou1

ip link set ipipou1 up

where

  • ipipou* - name of the tunnel's local network interface
  • 203.0.113.1 - the server's public IP
  • 198.51.100.2 - the client's public IP
  • 192.168.0.2 - the client's IP assigned to the eth0 interface
  • 10001 - the client's local port for FOU
  • 20001 - the client's public port for FOU
  • 10000 - the server's public port for FOU
  • encap-csum - option to add a UDP checksum to the encapsulating UDP packets; it can be replaced with noencap-csum, not to mention that integrity is already checked by the outer encapsulation layer (while the packet is inside the tunnel)
  • eth0 - the local interface to which the ipip tunnel will be bound
  • 172.28.0.1 - IP of the client's tunnel interface (private)
  • 172.28.0.0 - IP of the server's tunnel interface (private)

As long as the UDP connection is alive, the tunnel will keep working; once it breaks, it is a matter of luck: if the client's IP:port stay the same, it will live, and if they change, it will break.

The easiest way to undo everything is to unload the kernel modules: modprobe -r fou ipip

Even if authentication is not required, the client's public IP and port are not always known and are often unpredictable or changeable (depending on the NAT type). If you omit encap-dport on the server side, the tunnel will not work: it is not smart enough to take the port of the remote connection. In this case ipipou can help too, or else WireGuard and the like.

How does it work?

The client (usually behind NAT) brings up the tunnel (as in the example above) and sends an authentication packet to the server so that the server sets up the tunnel on its side. Depending on the settings, this can be an empty packet (just so the server sees the connection's public IP:port), or one carrying data by which the server can identify the client. The data can be a simple passphrase in clear text (an analogy with HTTP Basic Auth comes to mind) or specially formatted data signed with a private key (analogous to HTTP Digest Auth, only stronger; see the client_auth function in the code).

On the server (the side with the public IP), when ipipou starts it creates an nfqueue handler and configures netfilter so that the right packets go where they should: connection-initiating packets go into the nfqueue queue, and [almost] all the rest go straight to the FOU listener.

For those not in the know, nfqueue (or NetfilterQueue) is a special thing for amateurs who cannot develop kernel modules: using netfilter (nftables/iptables) it lets you redirect network packets into user space and process them there with primitive improvised means: modify them (optionally) and hand them back to the kernel, or drop them.

Bindings for working with nfqueue exist for some programming languages; there were none for bash (heh, no surprise), so I had to use python: ipipou uses NetfilterQueue.

If performance is not critical, with this thing you can relatively quickly and easily cook up your own packet-handling logic at a fairly low level, for example to create experimental data-transfer protocols, or to troll local and remote services with non-standard behaviour.

Raw sockets go hand in hand with nfqueue. For example, once the tunnel is set up and FOU is listening on the required port, you cannot send a packet from that same port in the usual way (it is busy), but you can take a hand-crafted packet and send it directly onto the network interface with a raw socket, although generating such a packet takes a bit more tinkering. That is how the authentication packets are created in ipipou.

Since ipipou handles only the first packets of a connection (plus those that managed to leak into the queue before the connection was established), performance hardly suffers.

As soon as the ipipou server receives an authenticated packet, the tunnel is created and all subsequent packets of the connection are handled by the kernel, bypassing nfqueue. If the connection breaks, the first packet of the next one is sent to the nfqueue queue; depending on the settings, if it is not an authentication packet but comes from the last remembered client IP and port, it can be either passed or dropped. If an authenticated packet arrives from a new IP and port, the tunnel is reconfigured to use them.
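The server-side verdict described above, modelled as an added example (not ipipou's own code): the real client_auth signs with a private key, whereas this stand-in uses an HMAC over the auth-secret, a JSON body and a nonce set for replay protection, all of which are assumptions made here; the lifetime window mirrors the auth-lifetime setting.

```python
import hashlib
import hmac
import json
import os

# Constructed stand-in for ipipou's auth packet (not the project's own code):
# the real client_auth signs with a private key; here HMAC-SHA256 over the
# auth-secret models the check. The nonce/replay set is an added assumption.
LIFETIME = 3600  # seconds, mirrors auth-lifetime from the server config

def build_auth_packet(secret: bytes, now: int, nonce: bytes = None) -> bytes:
    """Client side: JSON{ts, nonce} followed by a 32-byte MAC over it."""
    nonce = os.urandom(16) if nonce is None else nonce
    body = json.dumps({"ts": now, "nonce": nonce.hex()}).encode()
    return body + hmac.new(secret, body, hashlib.sha256).digest()

class AuthServer:
    """Server-side verdict for each packet that netfilter hands to nfqueue."""

    def __init__(self, secret: bytes, pass_unauth_from_known: bool):
        self.secret = secret
        self.pass_unauth_from_known = pass_unauth_from_known
        self.peer = None          # (ip, port) the tunnel is currently bound to
        self.seen_nonces = set()  # refuse a replayed (or redirected) auth packet

    def _verify(self, payload: bytes, now: int) -> bool:
        body, mac = payload[:-32], payload[-32:]
        expected = hmac.new(self.secret, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, mac):
            return False
        try:
            fields = json.loads(body)
            ts, nonce = int(fields["ts"]), str(fields["nonce"])
        except (ValueError, KeyError, TypeError):
            return False
        if abs(now - ts) > LIFETIME or nonce in self.seen_nonces:
            return False
        self.seen_nonces.add(nonce)
        return True

    def handle_first_packet(self, src: tuple, payload: bytes, now: int) -> str:
        """'TUNNEL': (re)bind the tunnel to src; 'ACCEPT': pass to FOU; 'DROP'."""
        if payload and self._verify(payload, now):
            self.peer = src  # ipipou would reconfigure the ipip/fou link here
            return "TUNNEL"
        if src == self.peer and self.pass_unauth_from_known:
            return "ACCEPT"  # unsigned packet from the last remembered IP:port
        return "DROP"
```

The replay set is what refuses a second copy of an otherwise valid packet; it does not cover the on-path redirection of a fresh one that the MITM caveat below describes.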

Ordinary IPIP-over-FOU has one more problem when working with NAT: it is impossible to create two IPIP tunnels encapsulated in UDP with the same IP, because the FOU and IPIP modules are quite isolated from each other. That is, a pair of clients behind the same public IP cannot connect to the same server this way at the same time. In the future this may be solved at the kernel level, but that is not certain. For now, NAT problems can be solved with NAT: if it happens that a pair of IP addresses is already taken by another tunnel, ipipou will NAT from the public IP to an alternative private IP, and voilà! You can create tunnels until you run out of ports.

Since not all packets in the connection are signed, this simple protection is vulnerable to MITM: if a villain lurking on the path between client and server is able to sniff the traffic and manipulate it, he can redirect the authenticated packets through another address and create a tunnel from an untrusted host.

If anyone has ideas on how to fix this while leaving the bulk of the traffic in the kernel, don't hesitate to speak up.

By the way, encapsulation in UDP has proven itself very well. Compared with encapsulation directly over IP, it is much more stable and often faster despite the extra overhead of the UDP header. This is because most hosts on the internet work well only with the three most popular protocols: TCP, UDP and ICMP. A noticeable share may drop everything else entirely, or process it more slowly, because they are optimized only for those three.

That, for example, is why QUIC, on which HTTP/3 is based, was built on top of UDP rather than on top of IP.

Well, enough words; time to see how it works in the "real world".

Battle

iperf3 is used to emulate the real world. In terms of closeness to reality this is roughly like emulating the real world in Minecraft, but it will do for now.

The contest participants:

  • the reference main channel
  • the hero of this article, ipipou
  • OpenVPN with authentication but no encryption
  • OpenVPN in all-inclusive mode
  • WireGuard without a PresharedKey, with MTU=1440 (since it is IPv4-only)

Technical data for geeks
The metrics are taken with the following commands:

on the client:

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2 -u -b 12M; tail -1 "$CPULOG"
# Where "-b 12M" is the bandwidth of the main channel divided by the number of streams "-P", so as not to spawn extra packets and spoil performance.

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -c SERVER_IP -4 -t 60 -f m -i 10 -B LOCAL_IP -P 2; tail -1 "$CPULOG"

ICMP latency

ping -c 10 SERVER_IP | tail -1

on the server (run simultaneously with the client):

UDP

CPULOG=NAME.udp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

TCP

CPULOG=NAME.tcp.cpu.log; sar 10 6 >"$CPULOG" & iperf3 -s -i 10 -f m -1; tail -1 "$CPULOG"

Tunnel configuration

ipipou
server
/etc/ipipou/server.conf:

server
number 0
fou-dev eth0
fou-local-port 10000
tunl-ip 172.28.0.0
auth-remote-pubkey-b64 eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-secret topsecret
auth-lifetime 3600
reply-on-auth-ok
verb 3

systemctl start ipipou@server

client
/etc/ipipou/client.conf:

client
number 0
fou-local @eth0
fou-remote SERVER_IP:10000
tunl-ip 172.28.0.1
# pubkey of auth-key-b64: eQYNhD/Xwl6Zaq+z3QXDzNI77x8CEKqY1n5kt9bKeEI=
auth-key-b64 RuBZkT23na2Q4QH1xfmZCfRgSgPt5s362UPAFbecTso=
auth-secret topsecret
keepalive 27
verb 3

systemctl start ipipou@client

openvpn (no encryption, with authentication)
server

openvpn --genkey --secret ovpn.key  # Then ovpn.key must be passed to the client
openvpn --dev tun1 --local SERVER_IP --port 2000 --ifconfig 172.16.17.1 172.16.17.2 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

client

openvpn --dev tun1 --local LOCAL_IP --remote SERVER_IP --port 2000 --ifconfig 172.16.17.2 172.16.17.1 --cipher none --auth SHA1 --ncp-disable --secret ovpn.key

openvpn (with encryption, authentication, over UDP, everything as it should be)
Configured using openvpn-manage

wireguard
server
/etc/wireguard/server.conf:

[Interface]
Address=172.31.192.1/18
ListenPort=51820
PrivateKey=aMAG31yjt85zsVC5hn5jMskuFdF8C/LFSRYnhRGSKUQ=
MTU=1440

[Peer]
PublicKey=LyhhEIjVQPVmr/sJNdSRqTjxibsfDZ15sDuhvAQ3hVM=
AllowedIPs=172.31.192.2/32

systemctl start wg-quick@server

client
/etc/wireguard/client.conf:

[Interface]
Address=172.31.192.2/18
PrivateKey=uCluH7q2Hip5lLRSsVHc38nGKUGpZIUwGO/7k+6Ye3I=
MTU=1440

[Peer]
PublicKey=DjJRmGvhl6DWuSf1fldxNRBvqa701c0Sc7OpRr4gPXk=
AllowedIPs=172.31.192.1/32
Endpoint=SERVER_IP:51820

systemctl start wg-quick@client

Results

Raw wet table
The server's CPU load is not very indicative, since many other services run there and sometimes eat resources:

proto bandwidth[Mbps] CPU_idle_client[%] CPU_idle_server[%]
# 20 Mbps channel from a microcomputer (4 cores) to a VPS (1 core) across the Atlantic
# pure
UDP 20.4      99.80 93.34
TCP 19.2      99.67 96.68
ICMP latency min/avg/max/mdev = 198.838/198.997/199.360/0.372 ms
# ipipou
UDP 19.8      98.45 99.47
TCP 18.8      99.56 96.75
ICMP latency min/avg/max/mdev = 199.562/208.919/220.222/7.905 ms
# openvpn0 (auth only, no encryption)
UDP 19.3      99.89 72.90
TCP 16.1      95.95 88.46
ICMP latency min/avg/max/mdev = 191.631/193.538/198.724/2.520 ms
# openvpn (full encryption, auth, etc)
UDP 19.6      99.75 72.35
TCP 17.0      94.47 87.99
ICMP latency min/avg/max/mdev = 202.168/202.377/202.900/0.451 ms
# wireguard
UDP 19.3      91.60 94.78
TCP 17.2      96.76 92.87
ICMP latency min/avg/max/mdev = 217.925/223.601/230.696/3.266 ms

## roughly 1 Gbps channel between VPSes in Europe and the USA (1 core)
# pure
UDP 729      73.40 39.93
TCP 363      96.95 90.40
ICMP latency min/avg/max/mdev = 106.867/106.994/107.126/0.066 ms
# ipipou
UDP 714      63.10 23.53
TCP 431      95.65 64.56
ICMP latency min/avg/max/mdev = 107.444/107.523/107.648/0.058 ms
# openvpn0 (auth only, no encryption)
UDP 193      17.51  1.62
TCP  12      95.45 92.80
ICMP latency min/avg/max/mdev = 107.191/107.334/107.559/0.116 ms
# wireguard
UDP 629      22.26  2.62
TCP 198      77.40 55.98
ICMP latency min/avg/max/mdev = 107.616/107.788/108.038/0.128 ms

Figure: 20 Mbps channel


Figure: channel close to 1 Gbps


In all cases ipipou is quite close in performance to the base channel, which is great!

The unencrypted openvpn tunnel behaved rather strangely in both cases.

If anyone tests it, it would be interesting to hear feedback.

May IPv6 and NetPrickle be with us!

Source: www.habr.com
