Akwai OpenVPN 2.6.0

Bayan shekaru biyu da rabi da buga reshen 2.5, an shirya fitar da shi OpenVPN 2.6.0, fakitin ƙirƙirar hanyoyin sadarwa masu zaman kansu na kama-da-wane wanda ke ba ku damar tsara haɗin da aka ɓoye tsakanin na'urorin abokin ciniki guda biyu ko samar da sabar VPN mai tsakiya don aiki tare da abokan ciniki da yawa. OpenVPN an rarraba su a ƙarƙashin lasisin GPLv2, ana samar da fakitin binary da aka shirya don Debian, Ubuntu, CentOS, RHEL da kuma Windows.

Manyan sabbin abubuwa:

  • Yana ba da goyan baya ga adadin haɗi mara iyaka.
  • An haɗa da tsarin kernel na ovpn-dco, wanda ke ba da damar hanzarta aiki mai mahimmanci. VPNAna samun saurin gudu ta hanyar motsa duk ayyukan ɓoye bayanai, sarrafa fakiti, da kuma sarrafa tashar sadarwa zuwa ɓangaren kernel. Linux, wanda ke kawar da overload da ke da alaƙa da sauya mahallin, yana ba da damar ingantawa ta hanyar shiga kai tsaye ga APIs na ciki na kernel, kuma yana kawar da jinkirin canja wurin bayanai tsakanin kernel da sararin mai amfani (ana yin ɓoye bayanai, ɓoye bayanai, da kuma hanyar sadarwa ta module ba tare da aika zirga-zirga zuwa mai sarrafa sararin mai amfani ba).

    A cikin gwaje-gwajen da aka yi, idan aka kwatanta da daidaitawa dangane da tuntuɓar tuntuɓar, yin amfani da tsarin a kan abokin ciniki da bangarorin uwar garken ta amfani da cipher AES-256-GCM ya ba da damar samun haɓakar ninki 8 a cikin kayan sarrafawa (daga 370). Mbit/s zuwa 2950 Mbit/s). Lokacin amfani da tsarin kawai a gefen abokin ciniki, abin da aka samar ya karu sau uku don zirga-zirgar zirga-zirgar zirga-zirga kuma bai canza don zirga-zirga mai shigowa ba. Lokacin amfani da tsarin kawai a gefen uwar garken, kayan aiki ya ƙaru da sau 4 don zirga-zirgar zirga-zirgar shigowa da kuma 35% don zirga-zirga mai fita.

  • Yana yiwuwa a yi amfani da yanayin TLS tare da takaddun sa hannu (lokacin amfani da zaɓin "-peer-fingerprint", za ku iya barin sigogin "-ca" da "-capath" kuma ku guje wa sabar PKI dangane da Easy-RSA ko irin wannan software).
  • UDP uwar garken tana aiwatar da yanayin shawarwarin haɗin kan kuki, wanda ke amfani da kuki na tushen HMAC azaman mai gano zaman, yana ƙyale sabar ta yi tabbacin rashin jiha.
  • Ƙara tallafi don ginawa tare da ɗakin karatu na OpenSSL 3.0. Ƙara "--tls-cert-profile insecure" zaɓi don zaɓar mafi ƙarancin matakin tsaro na OpenSSL.
  • Ƙara sabon umarni na sarrafawa mai nisa-ƙididdigar shigarwa da nesa-shigarwa-samu don ƙidaya adadin haɗin waje da nuna jerin su.
  • A lokacin aiwatar da yarjejeniyar mahimmanci, hanyar da aka fi so don samun kayan samar da maɓalli yanzu ita ce tsarin EKM (Exported Keying Material, RFC 5705), maimakon takamaiman tsarin. OpenVPN PRF. Amfani da EKM yana buƙatar ɗakin karatu na OpenSSL ko kuma TLS 2.18+.
  • An samar da jituwa tare da OpenSSL a cikin yanayin FIPS, wanda ke ba da damar amfani da OpenVPN akan tsarin da ya cika buƙatun tsaro na FIPS 140-2.
  • mlock yana aiwatar da cak don tabbatar da cewa an tanadi isassun ƙwaƙwalwar ajiya. Lokacin da ƙasa da 100 MB na RAM ke samuwa, ana kiran setrlimit () don ƙara iyaka.
  • An ƙara zaɓin "--peer-fingerprint" don bincika inganci ko ɗaure takaddun shaida ta amfani da hoton yatsa dangane da hash SHA256, ba tare da amfani da tls-tabbatar ba.
  • Ana ba da rubutun tare da zaɓi na tabbatarwa da aka jinkirta, aiwatar da su ta amfani da zaɓin "-auth-user-pass-verify". Taimako don sanar da abokin ciniki game da tabbatarwa mai jiran aiki lokacin amfani da ingantaccen tabbaci an ƙara zuwa rubutun da plugins.
  • An ƙara yanayin daidaitawa (--compat-mode) don ba da damar haɗawa zuwa tsoffin sabar da ke amfani da OpenVPN Sigogi 2.3.x ko tsofaffin.
  • Jerin da aka wuce ta hanyar sigar "--data-ciphers" yana ba da damar prefix ɗin "?" don ƙayyade lambobin sirri na zaɓi waɗanda za a yi amfani da su ne kawai idan an tallafa musu. SSL-ɗakin karatu.
  • Ƙara wani zaɓi "-lokaci-lokaci-lokaci" wanda da shi za ka iya iyakance iyakar lokacin zama.
  • Fayil ɗin daidaitawa yana ba da damar tantance suna da kalmar wucewa ta amfani da alamar .
  • An ba da ikon daidaita MTU na abokin ciniki, dangane da bayanan MTU da uwar garken ke watsawa. Don canza matsakaicin girman MTU, zaɓin “—tun-mtu-max” an ƙara (tsoho shine 1600).
  • Ƙara ma'aunin "--max-packet-size" don ayyana iyakar girman fakitin sarrafawa.
  • An cire tallafi don yanayin ƙaddamarwa OpenVPN Ta hanyar inetd. An cire zaɓin ncp-disable. An cire zaɓin verify-hash da yanayin maɓalli mai tsayayye (yana riƙe TLS kawai). An cire TLS 1.0 da 1.1 (yanzu an saita sigar tls-version-min zuwa 1.2 ta tsohuwa). An cire ginannen lambar da aka gina a ciki (--prng); ya kamata a yi amfani da aiwatar da PRNG daga ɗakunan karatu na mbed TLS ko OpenSSL. An dakatar da tallafi don Tace Fakiti (PF). An kashe matsawa ta tsohuwa (--allow-compression=no).
  • An ƙara CACHA20-POLY1305 zuwa tsoffin sifofi.

source: budenet.ru

Sayi amintaccen masauki don shafuka tare da kariyar DDoS, sabar VPS VDS 🔥 Sayi ingantaccen masaukin yanar gizo tare da kariyar DDoS, sabar VPS VDS | ProHoster