OpenVPN 2.6.0 released

Two and a half years after the 2.5 branch was published, OpenVPN 2.6.0 has been released. OpenVPN is a package for building virtual private networks that lets you set up an encrypted link between two client machines or run a centralized VPN server that serves several clients at once. The OpenVPN code is distributed under the GPLv2 license; ready-made binary packages are built for Debian, Ubuntu, CentOS, RHEL and Windows.

Main changes:

  • Support for an unlimited number of connections.
  • The ovpn-dco kernel module is included, which makes it possible to speed up VPN operation considerably. The speed-up comes from moving all encryption, packet processing and channel management into the Linux kernel, which removes the overhead of context switches, allows direct use of internal kernel APIs, and eliminates the slow copying of data between the kernel and user space (encryption, decryption and routing are done by the module without passing traffic to a handler in user space).

    In tests, compared to a configuration based on the tun interface, using the module on both the client and server side with the AES-256-GCM cipher gave an 8-fold increase in throughput (from 370 Mbit/s to 2950 Mbit/s). With the module only on the client side, throughput tripled for outgoing traffic and did not change for incoming traffic. With the module only on the server side, throughput grew 4-fold for incoming traffic and by 35% for outgoing traffic.

  • TLS mode can be used with self-signed certificates: with the "--peer-fingerprint" option the "--ca" and "--capath" parameters can be omitted, so no PKI based on Easy-RSA or similar software is needed.
  • The UDP server uses a cookie-based connection negotiation mode in which an HMAC-based cookie serves as the session identifier, which lets the server perform stateless verification of new connections.
  • Support for building against the OpenSSL 3.0 library has been added. The "--tls-cert-profile insecure" option has been added to select the lowest OpenSSL security level.
  • New management interface commands remote-entry-count and remote-entry-get have been added to count the remote entries and list them.
  • During key negotiation, EKM (Exported Keying Material, RFC 5705) is now the preferred way of deriving key material, replacing the OpenVPN-specific PRF mechanism. EKM requires the OpenSSL library or mbed TLS 2.18+.
  • Compatibility with OpenSSL in FIPS mode is provided, which allows OpenVPN to be used on systems that must meet FIPS 140-2 security requirements.
  • mlock now checks that enough memory can be reserved: if less than 100 MB is available, setrlimit() is called to raise the limit.
  • The "--peer-fingerprint" option has been added to verify or pin a certificate by its SHA256 fingerprint, without using tls-verify.
  • Scripts invoked via the "--auth-user-pass-verify" option can now use deferred authentication. Support for notifying the client about pending authentication while deferred authentication is in progress has been added for scripts and plugins.
  • A compatibility mode (--compat-mode) has been added to allow connecting to old servers running OpenVPN 2.3.x or earlier.
  • In the list passed to the "--data-ciphers" parameter, the "?" prefix is allowed to mark optional ciphers that are used only if the SSL library supports them.
  • The "--session-timeout" option has been added to limit the maximum session duration.
  • The configuration file allows the username and password to be given with an inline tag.
  • The client MTU can be adjusted based on MTU data sent by the server. To change the maximum MTU size, the "--tun-mtu-max" option has been added (default 1600).
  • The "--max-packet-size" parameter has been added to specify the maximum size of control packets.
  • Support for starting OpenVPN via inetd has been removed. The --ncp-disable option has been removed. The hash verification option and static key mode have been deprecated (only TLS remains). TLS 1.0 and 1.1 have been deprecated (the tls-version-min parameter now defaults to 1.2). The built-in random number generator (--prng) has been removed; the PRNG of the mbed TLS or OpenSSL crypto library must be used instead. Support for PF (Packet Filter) has been dropped. Compression is disabled by default (--allow-compression=no).
  • CHACHA20-POLY1305 has been added to the default cipher list.
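The following script is an added example, not code from the OpenVPN project or from the original article. It shows what the self-signed, PKI-less setup described above looks like in practice: each peer gets a self-signed certificate from openssl, the SHA256 fingerprint is extracted in the colon-separated form that peer-fingerprint expects, and the generated client and server profiles pin those fingerprints instead of carrying any ca/capath line. The profiles also use the "?" prefix in data-ciphers to mark an optional cipher. The host name vpn.example.net, the 10.8.0.0/24 tunnel network, port 1194, the 86400-second session-timeout, the "dh none" line and all file names are assumptions chosen for illustration; the script needs the openssl command line tool.

```shell
#!/bin/sh
# Added example (not OpenVPN project code): a CA-less OpenVPN 2.6 setup built
# around the peer-fingerprint option. Host names, addresses, timeouts and file
# names are assumptions for illustration only.
set -eu

# Create a self-signed certificate and key for one peer (RSA-2048, valid 2 years).
# $1 = output directory, $2 = peer name (used as the CN and as the file prefix)
gen_selfsigned() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 730 \
        -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# Print the SHA256 fingerprint of a PEM certificate as colon-separated hex
# (e.g. 0A:1B:...:FF), which is the format peer-fingerprint accepts.
# $1 = certificate file
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# Write a client profile that trusts exactly one server certificate by
# fingerprint. There is deliberately no ca/capath line.
# $1 = output file, $2 = server host, $3 = server fingerprint,
# $4 = client certificate, $5 = client key
write_client_config() {
    cat > "$1" <<EOF
client
dev tun
proto udp
remote $2 1194
tls-version-min 1.2
# The "?" prefix marks AES-128-GCM as optional: used only if the SSL library has it.
data-ciphers AES-256-GCM:CHACHA20-POLY1305:?AES-128-GCM
cert $4
key $5
# Pin the server certificate instead of trusting a CA.
<peer-fingerprint>
$3
</peer-fingerprint>
EOF
}

# Write a server profile that admits only the clients whose certificate
# fingerprints are listed. "dh none" (assumption) relies on ECDHE for key
# exchange so that no DH parameter file is needed.
# $1 = output file, $2 = server certificate, $3 = server key,
# remaining arguments = one client fingerprint each
write_server_config() {
    out=$1; cert=$2; key=$3; shift 3
    {
        printf '%s\n' "server 10.8.0.0 255.255.255.0" "dev tun" "proto udp" "port 1194" \
            "tls-version-min 1.2" \
            "data-ciphers AES-256-GCM:CHACHA20-POLY1305:?AES-128-GCM" \
            "cert $cert" "key $key" "dh none" "session-timeout 86400" \
            "# Accept only clients whose certificate matches one of these fingerprints."
        printf '<peer-fingerprint>\n'
        for fp in "$@"; do printf '%s\n' "$fp"; done
        printf '</peer-fingerprint>\n'
    } > "$out"
}

# Demo: build a server and one client ("alice") with no CA, then print the
# client profile. The working directory is left in place for inspection.
WORK=$(mktemp -d)
gen_selfsigned "$WORK" server
gen_selfsigned "$WORK" alice
SERVER_FP=$(cert_fingerprint "$WORK/server.crt")
ALICE_FP=$(cert_fingerprint "$WORK/alice.crt")
write_server_config "$WORK/server.conf" "$WORK/server.crt" "$WORK/server.key" "$ALICE_FP"
write_client_config "$WORK/alice.ovpn" vpn.example.net "$SERVER_FP" \
    "$WORK/alice.crt" "$WORK/alice.key"
echo "profiles written to $WORK"
cat "$WORK/alice.ovpn"
```

To add a second client, run gen_selfsigned and cert_fingerprint for it and pass the extra fingerprint as a further argument to write_server_config; the client side needs only the server fingerprint, so adding clients never requires touching the client profiles. Because the fingerprint is pinned rather than validated against a CA, rotating a peer's certificate means updating the fingerprint on every peer that trusts it.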

Source: opennet.ru
