OpenVPN 2.6.0 is available

Two and a half years after the 2.5 branch was published, the release of OpenVPN 2.6.0 has been prepared. OpenVPN is a package for building virtual private networks that lets you set up an encrypted connection between two client machines or run a central VPN server serving many clients at once. The OpenVPN code is distributed under the GPLv2 license; ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.

Main changes:

  • Support for an unlimited number of connections.
  • The ovpn-dco kernel module is included, which can speed up VPN operation considerably. The speed-up comes from moving all encryption, packet processing and channel handling to the Linux kernel side: this removes the overhead of context switches, improves performance through direct access to internal kernel APIs, and eliminates the slow copying of data between the kernel and user space (encryption, decryption and forwarding are done by the module without passing traffic to the user-space handler).

    In tests, compared with a conventional tun-based configuration, using the module on both the client and the server side with the AES-256-GCM cipher gave an 8-fold increase in throughput (from 370 Mbit/s to 2950 Mbit/s). With the module only on the client side, throughput tripled for outgoing traffic and was unchanged for incoming traffic. With the module only on the server side, throughput increased 4-fold for incoming traffic and by 35% for outgoing traffic.

  • TLS mode can now be used with self-signed certificates: with the "--peer-fingerprint" option you can omit the "--ca" and "--capath" parameters and do without a PKI based on Easy-RSA or similar software.
  • The UDP server implements a cookie-based connection negotiation mode that uses an HMAC-based cookie as the session identifier, allowing the server to perform the check statelessly.
  • Added support for building against the OpenSSL 3.0 library. Added the "--tls-cert-profile insecure" option to select the lowest OpenSSL security level.
  • Added the new management commands remote-entry-count and remote-entry-get, which count the number of remote connections and display their list.
  • During key negotiation, the EKM mechanism (Exported Keying Material, RFC 5705) is now the preferred way to derive key material, instead of OpenVPN's own PRF scheme. EKM requires the OpenSSL library or mbed TLS 2.18+.
  • Compatibility with OpenSSL in FIPS mode is provided, allowing OpenVPN to be used on systems that must meet FIPS 140-2 requirements.
  • mlock now checks that enough memory has been reserved. When less than 100 MB of RAM is available, setrlimit() is called to raise the limit.
  • Added the "--peer-fingerprint" option to verify or pin certificates using a SHA256-based fingerprint, without resorting to tls-verify.
  • Scripts with deferred authentication, set up via the "--auth-user-pass-verify" option, are supported. Scripts and plugins can now notify the client that authentication is pending when deferred authentication is used.
  • Added a compatibility mode (--compat-mode) to allow connections to old servers running OpenVPN 2.3.x or earlier versions.
  • In the list passed via "--data-ciphers", the "?" prefix is now allowed to mark optional ciphers, which are used only if the SSL library supports them.
  • Added the "--session-timeout" option, which limits the maximum duration of a session.
  • The configuration file allows the username and password to be specified inline using a tag block.
  • The client MTU can be adjusted based on MTU information sent by the server. To change the maximum MTU size, the "--tun-mtu-max" option has been added (default 1600).
  • Added the "--max-packet-size" parameter to define the maximum size of control packets.
  • Removed support for starting OpenVPN via inetd. Removed the ncp-disable option. The verify-hash option and static-key mode are deprecated (only TLS remains). TLS 1.0 and 1.1 are deprecated (tls-version-min is set to 1.2 by default). The built-in random number generator (--prng) has been removed; the PRNG implementation of the mbed TLS or OpenSSL library should be used instead. PF (Packet Filter) support has been dropped. Compression is disabled by default (--allow-compression=no).
  • CHACHA20-POLY1305 has been added to the default ciphers.
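To make the "?" prefix in "--data-ciphers" concrete, here is an added example (not OpenVPN's own code) that models how the list is resolved against the ciphers a TLS library build happens to support, and how the server then picks the cipher shared with a client. The supported-cipher set is constructed for the demo; the resolver's failure behaviour for an unsupported non-optional cipher mirrors OpenVPN refusing to start on a bad list.

```python
# Ciphers the TLS library build is assumed to offer (constructed for this demo).
LIB_SUPPORTED = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"}


def resolve_data_ciphers(spec: str, supported=LIB_SUPPORTED) -> list[str]:
    """Expand a --data-ciphers value into the ciphers that will actually be offered.

    Entries are colon-separated, in preference order. A leading '?' marks a
    cipher optional: if the SSL library lacks it, it is silently dropped.
    An unsupported cipher *without* the prefix is a configuration error.
    """
    offered: list[str] = []
    for token in spec.split(":"):
        token = token.strip()
        if not token:
            continue
        optional = token.startswith("?")
        name = (token[1:] if optional else token).upper()
        if name in supported:
            if name not in offered:      # keep first occurrence, preserve order
                offered.append(name)
        elif not optional:
            raise ValueError(f"Unsupported cipher in --data-ciphers: {name}")
    return offered


def negotiate(server_ciphers: list[str], client_ciphers: list[str]):
    """Server-side choice: the first entry of the server's list the client also offers."""
    client_set = set(client_ciphers)
    for cipher in server_ciphers:
        if cipher in client_set:
            return cipher
    return None  # no common data cipher; the connection would be rejected


if __name__ == "__main__":
    server = resolve_data_ciphers("AES-256-GCM:AES-128-GCM:?CHACHA20-POLY1305")
    # A client built against a library without ChaCha20: the optional entry vanishes.
    old_client = resolve_data_ciphers(
        "?CHACHA20-POLY1305:AES-128-GCM", supported={"AES-128-GCM", "AES-256-CBC"}
    )
    print("server offers :", server)
    print("client offers :", old_client)
    print("negotiated    :", negotiate(server, old_client))
```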

source: budenet.ru