WireGuard VPN included in Linux kernel 5.6

Today Linus pulled into his tree the net-next branch containing the WireGuard VPN interfaces. The event was announced on the WireGuard mailing list.


Code is currently being collected for the new Linux 5.6 kernel. WireGuard is a fast, next-generation VPN that uses modern cryptography. It was originally developed as a simpler and more convenient alternative to existing VPNs. Its author is the Canadian information security specialist Jason A. Donenfeld. In August 2018, WireGuard received praise from Linus Torvalds. Around that time, work began on including the VPN in the Linux kernel. The process took a while.

"I see that Jason made the pull request to have WireGuard included in the kernel," Linus wrote on August 2, 2018. "Can I once again state my love for this VPN and hope it gets merged soon? The code may not be perfect, but I have looked at it, and compared to the horrors of OpenVPN and IPSec, it is a real work of art."

Despite Linus's wishes, the merge dragged on for a year and a half. The main problem turned out to be WireGuard's reliance on its own implementations of cryptographic functions, which were used to improve performance. After lengthy negotiations, a compromise was reached in September 2019: the patches would be ported to the Crypto API functions already available in the kernel, about which the WireGuard developers have complaints regarding performance and general security. They nevertheless decided to split the native WireGuard crypto functions into a separate low-level Zinc API and eventually port them to the kernel. In November, the kernel developers kept their promise and agreed to move part of the code from Zinc into the main kernel. For example, the Crypto API now includes the fast implementations of the ChaCha20 and Poly1305 algorithms prepared for WireGuard.

Finally, on December 9, 2019, David S. Miller, who is responsible for the networking subsystem of the Linux kernel, accepted into the net-next branch the patches implementing the VPN interface from the WireGuard project.

And today, January 29, 2020, the changes went to Linus for inclusion in the kernel.


The claimed advantages of WireGuard over other VPN solutions:

  • Easy to use.
  • Uses modern cryptography: the Noise protocol framework, Curve25519, ChaCha20, Poly1305, BLAKE2, SipHash24, HKDF, etc.
  • Compact, readable code that is easier to audit for vulnerabilities.
  • High performance.
  • A clear and detailed specification.

All of WireGuard's core logic fits in fewer than 4000 lines of code, whereas OpenVPN and IPSec require hundreds of thousands of lines.

"WireGuard uses the concept of cryptokey routing, which involves attaching a private key to each network interface and using public keys to bind to it. Public keys are exchanged to establish a connection in a manner similar to SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK mechanism from the Noise Protocol Framework is used, similar to maintaining authorized_keys in SSH. Data is transmitted by encapsulation in UDP packets. It supports changing the IP address of the VPN server (roaming) without dropping the connection, with automatic reconfiguration of the client," writes Opennet.

"For encryption, the ChaCha20 stream cipher and the Poly1305 message authentication algorithm (MAC) are used, developed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and safer analogues of AES-256-CTR and HMAC, whose software implementation makes it possible to achieve a fixed execution time without special hardware support. To generate the shared secret key, the elliptic curve Diffie-Hellman protocol is used in the Curve25519 implementation, also proposed by Daniel Bernstein. The algorithm used for hashing is BLAKE2s (RFC7693)."
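The cryptokey routing idea quoted above can be modelled as a table that maps address ranges to peer public keys. This is an added example, not code from the article or from the WireGuard project; it assumes WireGuard's per-peer AllowedIPs model, and the class name, peer keys and addresses are hypothetical placeholders.

```python
import ipaddress


class CryptokeyRouter:
    """Toy model of a cryptokey routing table: allowed networks -> peer public key."""

    def __init__(self):
        self._routes = []  # list of (network, peer_public_key)

    def add_peer(self, public_key, allowed_ips):
        for cidr in allowed_ips:
            self._routes.append((ipaddress.ip_network(cidr), public_key))

    def _lookup(self, address):
        """Longest-prefix match of an address against every peer's allowed networks."""
        ip = ipaddress.ip_address(address)
        matches = [(net, key) for net, key in self._routes
                   if net.version == ip.version and ip in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def peer_for_outgoing(self, dst_ip):
        """Outbound: the destination IP selects the peer whose key encrypts the packet."""
        return self._lookup(dst_ip)

    def accept_incoming(self, sender_public_key, inner_src_ip):
        """Inbound: once a packet has authenticated under sender_public_key, its inner
        source IP must route back to that same peer; otherwise it is dropped."""
        return self._lookup(inner_src_ip) == sender_public_key


# Constructed sample peers; the keys are placeholders, not real Curve25519 keys.
PEER_A = "PEER_A_PUBLIC_KEY_PLACEHOLDER"
PEER_B = "PEER_B_PUBLIC_KEY_PLACEHOLDER"


def build_sample_router():
    router = CryptokeyRouter()
    router.add_peer(PEER_A, ["10.0.0.2/32", "192.168.10.0/24"])
    router.add_peer(PEER_B, ["10.0.0.3/32", "0.0.0.0/0"])
    return router


if __name__ == "__main__":
    r = build_sample_router()
    print(r.peer_for_outgoing("192.168.10.7"))     # most specific route wins
    print(r.peer_for_outgoing("8.8.8.8"))          # falls through to the default route
    print(r.accept_incoming(PEER_A, "10.0.0.3"))   # peer A claiming peer B's address
```

The inbound check is the security-relevant half: a peer that holds a valid key still cannot source traffic from an address range bound to another peer's key.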

Performance test results from the official website:

[Figure: Bandwidth (megabit/s)]

[Figure: Ping (ms)]

Test configuration:

  • Intel Core i7-3820QM and Intel Core i7-5200U
  • Intel 82579LM and Intel I218LM gigabit cards
  • Linux 4.6.1
  • WireGuard configuration: 256-bit ChaCha20 with Poly1305 for MAC
  • First IPsec configuration: 256-bit ChaCha20 with Poly1305 for MAC
  • Second IPsec configuration: AES-256-GCM-128 (with AES-NI)
  • OpenVPN configuration: an equivalent cipher suite of 256-bit AES with HMAC-SHA2-256, UDP mode
  • Performance was measured using iperf3; the result shown is the average over 30 minutes.

In theory, once integrated into the network stack, WireGuard should run even faster. In practice, this will not necessarily be so, because of the switch to the Crypto API cryptographic functions built into the kernel. Perhaps not all of them have yet been optimized to the performance level of native WireGuard.

"In my view, WireGuard is generally ideal for the user. All low-level decisions are made in the specification, so setting up a typical VPN infrastructure takes only a few minutes. It is almost impossible to mess up the configuration," was written on Habr in 2018. "The installation process is described in detail on the official website; I would like to separately note the excellent OpenWRT support. This ease of use and compactness of the code base were achieved by eliminating key distribution. There is no complex certificate system and all that corporate horror; short encryption keys are distributed like SSH keys."

The WireGuard project has been in development since 2015 and has undergone an audit and formal verification. WireGuard support is integrated into NetworkManager and systemd, and the kernel patches are included in the base distributions of Debian Unstable, Mageia, Alpine, Arch, Gentoo, OpenWrt, NixOS, Subgraph and ALT.

Source: www.habr.com
