New WireGuard VPN implementation added to the FreeBSD codebase

The FreeBSD source tree has been updated with a new implementation of the WireGuard VPN, based on kernel module code produced jointly by the FreeBSD core team and the WireGuard team, with contributions from Jason A. Donenfeld, the author of WireGuard, and John H. Baldwin, a well-known GDB and FreeBSD engineer who implemented SMP and NUMA support in the FreeBSD kernel in the early 2000s. Now that the driver has been accepted into FreeBSD (sys/dev/wg), its development and maintenance will be carried out in the FreeBSD repository.

Before the code was accepted, a full review of the changes was carried out with the support of the FreeBSD Foundation. The review also analyzed the driver's interaction with other kernel subsystems and evaluated the possibility of using the cryptographic primitives provided by the kernel.

To make the cryptographic algorithms required by the driver available, the API of the FreeBSD kernel crypto subsystem was extended: a harness was added that allows algorithms not natively supported in FreeBSD to be used through the standard crypto API, backed by implementations of the required algorithms taken from the libsodium library. Of the algorithms originally bundled with the driver, only the code for computing Blake2 hashes remains, because the implementation of this algorithm shipped in FreeBSD is tied to a fixed hash size.

In addition, code optimizations were made during the review process that improved the efficiency of load distribution on multi-core CPUs (an even distribution of packet encryption and decryption work across CPU cores was ensured). As a result, the per-packet processing overhead came close to that of the Linux driver implementation. The code also makes it possible to use the ossl driver to accelerate encryption operations.

Unlike the previous attempt to integrate WireGuard into FreeBSD, the new implementation uses the standard wg utility instead of a modified version of ifconfig, which makes it possible to unify configuration across Linux and FreeBSD. The wg utility, together with the driver, is included in the FreeBSD source code; this was made possible by a change to the license of the wg code (the code is now available under both the MIT and GPL licenses). The last attempt to include WireGuard in FreeBSD was made in 2020, but ended in scandal: the code that had already been added was removed because of its low quality, careless handling of buffers, the use of stubs instead of checks, an incomplete implementation of the protocol, and a violation of the GPL license.

Recall that the WireGuard VPN is built on modern cryptographic methods, provides very high performance, is easy to use, is free of unnecessary complexity, and has proven itself in a number of large deployments that handle large volumes of traffic. The project has been under development since 2015, and the cryptographic methods it uses have been audited and formally verified. WireGuard uses the concept of cryptokey routing: a private key is attached to each network interface and used to bind the public keys of peers to the IP ranges they are allowed to use.
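The cryptokey routing concept described above, modelled as an added example (not code from FreeBSD or the WireGuard project): peer public keys are placeholder strings and the AllowedIPs table is constructed for illustration. It shows the longest-prefix lookup on send and the check on receive that an authenticated peer's inner source address must map back to that same peer, which is what stops one peer from spoofing another's addresses.

```python
"""Toy model of WireGuard cryptokey routing (added example, placeholder keys)."""
import ipaddress

# Constructed sample peer table. Keys are placeholder strings standing in for
# 32-byte Curve25519 public keys; AllowedIPs are the prefixes each peer may use.
PEERS = {
    "PEER_A_PUBKEY": ["10.0.0.2/32", "192.168.10.0/24"],
    "PEER_B_PUBKEY": ["10.0.0.3/32", "0.0.0.0/0"],   # peer B is the default route
}


def build_table(peers):
    """Flatten the peer map into (network, pubkey) entries, longest prefix first."""
    table = []
    for pubkey, prefixes in peers.items():
        for prefix in prefixes:
            table.append((ipaddress.ip_network(prefix), pubkey))
    # Sorting by prefix length (descending) makes the first hit the most specific.
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


def route_outbound(table, dst_ip):
    """Sending side: choose the peer whose AllowedIPs contain the destination.

    Returns the peer's public key to encrypt to, or None when no peer matches
    (the packet is dropped rather than sent in the clear)."""
    addr = ipaddress.ip_address(dst_ip)
    for net, pubkey in table:
        if addr.version == net.version and addr in net:
            return pubkey
    return None


def accept_inbound(table, sender_pubkey, inner_src_ip):
    """Receiving side: decryption already authenticated the sender's key, so the
    inner packet's source address must route back to that same peer. Anything
    else is a spoofed source and is dropped."""
    return route_outbound(table, inner_src_ip) == sender_pubkey


if __name__ == "__main__":
    table = build_table(PEERS)
    print(route_outbound(table, "192.168.10.77"))          # PEER_A_PUBKEY
    print(accept_inbound(table, "PEER_A_PUBKEY", "10.0.0.3"))  # False: A spoofing B
```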

Public keys are exchanged to establish a connection in much the same way as with SSH. To negotiate keys and connect without running a separate daemon in user space, the Noise_IK handshake from the Noise Protocol Framework is used, which resembles maintaining authorized_keys in SSH. Data is transferred by encapsulation in UDP packets. Changing the IP address of the VPN server (roaming) is supported without breaking the connection, with the client reconfiguring automatically.

Encryption uses the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) algorithm, developed by Daniel J. Bernstein, Tanja Lange and Peter Schwabe. ChaCha20 and Poly1305 are positioned as faster and more secure alternatives to AES-256-CTR and HMAC, whose software implementation can achieve constant execution time without relying on special hardware support. To generate a shared secret key, the elliptic curve Diffie-Hellman protocol is used with Curve25519, also proposed by Daniel Bernstein. The BLAKE2s algorithm (RFC7693) is used for hashing.

Source: opennet.ru
