OpenVPN 2.6.0 released

Two and a half years after the 2.5 branch was formed, the release of OpenVPN 2.6.0 has been prepared. OpenVPN is a package for building virtual private networks that lets you set up an encrypted connection between two client machines or run a centralized VPN server that serves several clients at once. The OpenVPN code is distributed under the GPLv2 license; ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.

Main changes:

  • Support for an unlimited number of connections.
  • The ovpn-dco kernel module is included, which speeds up VPN operation. The speedup comes from moving all encryption, packet processing and communication-channel management into the Linux kernel, which removes the overhead of context switches, allows the data path to be optimized by calling kernel APIs directly, and eliminates the slow copying of data between the kernel and user space (encryption, decryption and routing are done by the module without handing traffic to the user-space process).

    In the tests that were carried out, compared to a configuration based on a tun interface, using the module on both the client and server sides with the AES-256-GCM cipher increased throughput 8-fold (from 370 Mbit/s to 2950 Mbit/s). With the module only on the client side, throughput tripled for outgoing traffic and was unchanged for incoming traffic. With the module only on the server side, throughput increased 4-fold for incoming traffic and by 35% for outgoing traffic.

  • TLS mode can now be used with self-signed certificates (with the "--peer-fingerprint" option you can omit the "--ca" and "--capath" parameters and avoid running a PKI based on Easy-RSA or similar tools).
  • The UDP server uses a cookie-based handshake in which an HMAC-derived cookie serves as the session identifier, letting the server verify the handshake without keeping state for it.
  • Added support for building against the OpenSSL 3.0 library. Added the "--tls-cert-profile insecure" option to select the lowest OpenSSL security level.
  • Added the new management commands remote-entry-count and remote-entry-get to count the remote entries and list them.
  • During key negotiation, EKM (Exported Keying Material, RFC 5705) is now the preferred method of deriving key material, replacing the OpenVPN-specific PRF. Using EKM requires the OpenSSL library or mbed TLS 2.18+.
  • Compatibility with OpenSSL running in FIPS mode is provided, which allows OpenVPN to be used on systems that must meet the FIPS 140-2 security requirements.
  • mlock now checks that enough memory has been locked. When less than 100 MB of RAM is available, setrlimit() is called to raise the limit.
  • Added the "--peer-fingerprint" option to check whether a certificate is valid, or pinned, by its SHA256-based fingerprint, without using tls-verify.
  • Scripts can now perform deferred authentication, implemented via the "--auth-user-pass-verify" option. Support for notifying the client that authentication is pending when deferred authentication is used has been added for scripts and plugins.
  • Added a compatibility mode (--compat-mode) that allows connecting to old servers running OpenVPN 2.3.x or earlier.
  • In the list passed via the "--data-ciphers" option, the "?" prefix is allowed; it marks optional ciphers that are used only if the SSL library supports them.
  • Added the "--session-timeout" option, which limits the maximum duration of a session.
  • The configuration file can now carry the username and password in an inline tag block.
  • The client MTU can now be adjusted dynamically based on the MTU data announced by the server. To change the maximum MTU size, the "--tun-mtu-max" option was added (default 1600).
  • Added the "--max-packet-size" parameter to set the maximum size of control packets.
  • Support for starting OpenVPN via inetd has been removed. The ncp-disable option has been removed. The verify-hash option and static-key mode have been deprecated (only TLS mode is retained). The TLS 1.0 and 1.1 protocols are no longer supported (the tls-version-min parameter now defaults to 1.2). The built-in pseudo-random number generator (--prng) has been removed; the PRNG of the mbed TLS or OpenSSL crypto library must be used instead. PF (Packet Filtering) support has been removed. Compression is disabled by default (--allow-compression=no).
  • Added CHACHA20-POLY1305 to the default cipher list.
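The HMAC cookie handshake mentioned above, as an added, simplified Python model (not OpenVPN's own packet layout, key derivation or code; SECRET, SLOT_SECONDS and the cookie length are assumptions). It shows why the server needs no per-client state before the handshake completes and why a first packet with a forged source address cannot get past the check:

```python
import hashlib
import hmac
import os
import time

# Constructed, simplified model of an HMAC-based handshake cookie (an added
# illustration of the idea described above, not OpenVPN's own packet layout,
# key derivation or code). SECRET and SLOT_SECONDS are assumptions.
SECRET = os.urandom(32)      # server-only secret, never sent on the wire
SLOT_SECONDS = 60            # cookies are accepted for the current and previous slot


def _slot(now):
    return int(now) // SLOT_SECONDS


def make_cookie(client_addr, client_sid, secret=SECRET, now=None):
    """Server side: derive the session id from the client's address, the
    client's session id and a time slot. Nothing is stored, so an initial
    packet that is never followed up costs one HMAC, not a state entry."""
    now = time.time() if now is None else now
    host, port = client_addr
    msg = f"{host}:{port}:".encode() + client_sid + _slot(now).to_bytes(8, "big")
    return hmac.new(secret, msg, hashlib.sha256).digest()[:8]


def verify_cookie(client_addr, client_sid, cookie, secret=SECRET, now=None):
    """Server side: recompute the cookie for the current and previous slot and
    compare in constant time. The cookie only round-trips if the sender really
    receives packets at client_addr, so a forged source address cannot pass."""
    now = time.time() if now is None else now
    for t in (now, now - SLOT_SECONDS):
        expected = make_cookie(client_addr, client_sid, secret, t)
        if hmac.compare_digest(expected, cookie):
            return True
    return False


def run_handshake(client_addr, client_sid, reply_delivered=True, now=None):
    """Both sides of the exchange. The server answers the client's first packet
    with the cookie and forgets it; the client must echo it in its next packet.
    reply_delivered=False models a first packet whose source address was not
    the sender's own, so the reply (and the cookie) went somewhere else."""
    cookie = make_cookie(client_addr, client_sid, now=now)       # server -> client
    echoed = cookie if reply_delivered else bytes(len(cookie))   # client -> server
    return verify_cookie(client_addr, client_sid, echoed, now=now)
```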

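The "?" prefix for "--data-ciphers" described above, and the effect of the default list now containing CHACHA20-POLY1305 on a build whose library lacks that cipher, as an added Python model (an illustration of the documented behaviour, not OpenVPN's own code; the cipher inventories OPENSSL_DEFAULT and OPENSSL_FIPS are constructed assumptions):

```python
# Constructed model of resolving a "--data-ciphers" list that contains optional
# ("?"-prefixed) entries against the ciphers a crypto library provides. Added
# illustration of the behaviour described above, not OpenVPN's own code; the
# two library inventories below are assumptions.
OPENSSL_DEFAULT = {"AES-256-GCM", "AES-128-GCM", "CHACHA20-POLY1305", "AES-256-CBC"}
OPENSSL_FIPS = {"AES-256-GCM", "AES-128-GCM", "AES-256-CBC"}   # no ChaCha20 in FIPS mode


class UnsupportedCipherError(ValueError):
    """A non-optional cipher is missing from the library: a configuration error."""


def resolve_data_ciphers(option_value, library_ciphers):
    """Return the effective, ordered list of data ciphers.

    Entries prefixed with '?' are optional: they are kept only when the
    library supports them and dropped silently otherwise. A bare entry that
    the library lacks is an error rather than a silent downgrade, so a typo
    or an unexpected build cannot leave a weaker list than the admin intended.
    """
    supported = {c.upper() for c in library_ciphers}
    effective = []
    for raw in option_value.split(":"):
        raw = raw.strip()
        if not raw:
            continue
        optional = raw.startswith("?")
        name = raw[1:].upper() if optional else raw.upper()
        if name in supported:
            if name not in effective:          # keep order, drop duplicates
                effective.append(name)
        elif not optional:
            raise UnsupportedCipherError(f"{name} is not supported by the SSL library")
    if not effective:
        raise UnsupportedCipherError("no usable cipher in " + repr(option_value))
    return effective
```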
Source: opennet.ru
