Ipezeka OpenVPN 2.6.0

Patatha zaka ziwiri ndi theka kuchokera pamene nthambi ya 2.5 inatulutsidwa, kutulutsidwa kwa bukuli kwakonzeka. OpenVPN 2.6.0, phukusi lopangira ma netiweki achinsinsi, zomwe zimakulolani kukonza kulumikizana kobisika pakati pa makina awiri a kasitomala kapena kupereka seva ya VPN yolumikizidwa pakati kuti makasitomala angapo agwire ntchito nthawi imodzi. OpenVPN Pogawidwa pansi pa layisensi ya GPLv2, ma phukusi a binary okonzedwa kale amapangidwa kuti Debian, Ubuntu, CentOS, RHEL ndi Windows.

Zatsopano zazikulu:

  • Amapereka chithandizo kwa chiwerengero chopanda malire cha maulumikizidwe.
  • Gawo la kernel la ovpn-dco likuphatikizidwa, zomwe zimathandiza kuti magwiridwe antchito aziyenda bwino kwambiri. VPNKufulumizitsa kumachitika posuntha ntchito zonse zobisa, kukonza mapaketi, ndi kasamalidwe ka njira zolumikizirana kumbali ya kernel. Linux, yomwe imachotsa overhead yokhudzana ndi kusintha kwa context, imalola kukonza bwino mwa kulowa mwachindunji ma API amkati a kernel, ndikuchotsa kusamutsa deta pang'onopang'ono pakati pa kernel ndi malo ogwiritsira ntchito (kubisa, kuchotsa ma crypt, ndi routing kumachitika ndi module popanda kutumiza magalimoto kwa wogwiritsa ntchito-malo ogwiritsira ntchito).

    M'mayesero omwe adachitika, poyerekeza ndi kasinthidwe kotengera mawonekedwe a tun, kugwiritsa ntchito gawoli pa kasitomala ndi mbali za seva pogwiritsa ntchito cipher AES-256-GCM kunapangitsa kuti zitheke kuchulukitsa ka 8 (kuchokera ku 370). Mbit/s mpaka 2950 Mbit/s). Mukamagwiritsa ntchito gawoli pambali ya kasitomala, kutulutsa kumachulukira katatu pamagalimoto otuluka ndipo sikunasinthe pamagalimoto obwera. Mukamagwiritsa ntchito gawoli pambali ya seva, kutulutsa kumachulukira nthawi 4 pamagalimoto obwera ndi 35% pamagalimoto otuluka.

  • Ndikotheka kugwiritsa ntchito mawonekedwe a TLS okhala ndi ziphaso zodzilembera nokha (pogwiritsa ntchito njira ya "-peer-fingerprint", mutha kusiya magawo a "-ca" ndi "-capath" ndikupewa kuyendetsa seva ya PKI kutengera Easy-RSA kapena mapulogalamu ofanana).
  • Seva ya UDP imagwiritsa ntchito njira yolankhulirana yochokera ku Cookie, yomwe imagwiritsa ntchito Cookie yochokera ku HMAC ngati chizindikiritso cha gawolo, zomwe zimalola seva kutsimikizira kopanda malire.
  • Zowonjezera zothandizira kumanga ndi laibulale ya OpenSSL 3.0. Onjezani "--tls-cert-profile insecure" njira kuti musankhe mulingo wocheperako wachitetezo wa OpenSSL.
  • Onjezani malamulo atsopano olamulira akutali-kulowa-kuwerengera ndi kulowera-kutali-pezani kuti muwerenge kuchuluka kwa maulumikizidwe akunja ndikuwonetsa mndandanda wawo.
  • Pa nthawi ya mgwirizano wa makiyi, njira yabwino kwambiri yopezera zinthu zopangira makiyi tsopano ndi njira ya EKM (Exported Keying Material, RFC 5705), m'malo mwa njira yeniyeniyo. OpenVPN PRF. Kugwiritsa ntchito EKM kumafuna laibulale ya OpenSSL kapena mbed TLS 2.18+.
  • Kugwirizana ndi OpenSSL mu FIPS mode, komwe kumalola kugwiritsa ntchito OpenVPN pa makina omwe amakwaniritsa zofunikira za chitetezo cha FIPS 140-2.
  • mlock amagwiritsa cheke kuti atsimikizire kuti kukumbukira kokwanira kwasungidwa. Pamene zosakwana 100 MB ya RAM ikupezeka, setrlimit() imatchedwa kuwonjezera malire.
  • Onjezani njira ya "-peer-fingerprint" kuti muwone ngati satifiketi ikugwira ntchito kapena imangika pogwiritsa ntchito chala chotengera SHA256 hash, osagwiritsa ntchito tls-verify.
  • Ma script amaperekedwa ndi mwayi wotsimikizika wochedwetsedwa, wokhazikitsidwa pogwiritsa ntchito njira ya "-auth-user-pass-verify". Thandizo lodziwitsa kasitomala za kudikirira kutsimikizika mukamagwiritsa ntchito kutsimikizika kosiyidwa kwawonjezedwa ku zolemba ndi mapulagini.
  • Yawonjezera mawonekedwe ogwirizana (--compat-mode) kuti alole kulumikizana ndi ma seva akale omwe amagwiritsa ntchito OpenVPN Mabaibulo a 2.3.x kapena akale.
  • Mndandanda womwe wadutsa kudzera mu gawo la "--data-ciphers" umalola kuti "?" atchule ma ciphers omwe angasankhidwe omwe angagwiritsidwe ntchito pokhapokha ngati athandizidwa. SSL-laibulale.
  • Njira yowonjezera "-session-timeout" yomwe mungathe kuchepetsa nthawi yochuluka ya gawo.
  • Fayilo yosinthira imalola kufotokoza dzina ndi mawu achinsinsi pogwiritsa ntchito tag .
  • Kuthekera kosintha mwachangu MTU ya kasitomala kumaperekedwa, kutengera data ya MTU yofalitsidwa ndi seva. Kuti musinthe kukula kwakukulu kwa MTU, kusankha "-tun-mtu-max" yawonjezedwa (zosakhazikika ndi 1600).
  • Wowonjezera "--max-packet-size" parameter kuti afotokoze kukula kwakukulu kwa mapaketi owongolera.
  • Chithandizo chochotsedwa cha njira yoyambira OpenVPN kudzera mu inetd. Njira ya ncp-disable yachotsedwa. Njira ya verify-hash ndi static key mode zachotsedwa (kusunga TLS yokha). TLS 1.0 ndi 1.1 zachotsedwa (parameter ya tls-version-min tsopano yayikidwa ku 1.2 mwachisawawa). Jenereta ya pseudo-random number yomangidwa mkati (--prng) yachotsedwa; kukhazikitsa kwa PRNG kuchokera ku malaibulale a mbed TLS kapena OpenSSL crypto kuyenera kugwiritsidwa ntchito. Chithandizo cha Packet Filtering (PF) chayimitsidwa. Kukanikiza kwayimitsidwa mwachisawawa (--allow-compression=no).
  • Onjezani CHACHA20-POLY1305 pamndandanda wosasinthika wa cipher.

Source: opennet.ru

Gulani kuchititsa kodalirika kwamasamba okhala ndi chitetezo cha DDoS, ma seva a VPS VDS Gulani malo odalirika osungira mawebusayiti okhala ndi chitetezo cha DDoS, ma seva a VPS VDS | ProHoster