OpenVPN 2.6.0 yamasulidwa kale ndipo ikubwera ndi zosintha zambiri

Mdima wamdima | | mapulogalamu

Palibe ndemanga

OpenVPN

OpenVPN ndi chida cholumikizira chotengera pulogalamu yaulere: SSL, VPN Virtual Private Network.

Patatha zaka ziwiri ndi theka kuchokera pamene nthambi ya 2.5 inatulutsidwa, kukhazikitsidwa kudalengezedwandi mtundu watsopano wa TsegulaniVPN 2.6.0, phukusi lopangira maukonde achinsinsi omwe amalola kukonza kulumikizana kwachinsinsi pakati pa makina awiri a kasitomala kapena kupereka seva yapakati ya VPN kuti makasitomala angapo azigwira ntchito nthawi imodzi.

Kwa iwo omwe sakudziwa OpenVPN, muyenera kudziwa izi iyi ndi pulogalamu yaulere yolumikizira, SSL (Malo Okhazikika Otetezedwa), VPN Virtual Private Network.

OpenVPN imapereka kulumikizana kwa point-to-point ndi kutsimikizika kwachikhalidwe kwa ogwiritsa ntchito olumikizidwa ndi omwe amakhala nawo kutali. Ndi njira yabwino kwambiri pamatekinoloje a Wi-Fi (IEEE 802.11 opanda zingwe ma netiweki) ndipo imathandizira kukonza kwakukulu, kuphatikiza kulowetsa katundu.

Zinthu zatsopano za OpenVPN 2.6.0

M'masinthidwe atsopanowa awonetsedwa kuti ovpn-dco kernel module ikuphatikizidwa mu phukusi, zomwe zimatha kufulumizitsa kwambiri ntchito ya VPN.

Kuthamangitsa kumatheka posuntha ntchito zonse za encryption, kukonza mapaketi ndi kasamalidwe ka njira yolumikizirana pafupi ndi linux kernel, zomwe zimalola kuchotsa mutu wokhudzana ndi kusintha kwa nkhani, kumapangitsa kuti ntchitoyo ikwaniritsidwe mwakulowa mwachindunji mkati mwa kernel, kuwonjezera pa API ndikuchotsa kusuntha kwapang'onopang'ono pakati pa kernel ndi malo ogwiritsira ntchito (moduleyo imapanga encryption). , decryption, and routing popanda kutumiza traffic kwa controller mu malo ogwiritsa).

M'mayesero omwe anachitika, poyerekeza ndi kasinthidwe kotengera mawonekedwe a tun, kugwiritsa ntchito gawoli pa kasitomala ndi mbali ya seva pogwiritsa ntchito kubisa kwa AES-256-GCM komwe kumaloledwa kukwaniritsa kuwonjezeka kwa nthawi 8 (kuchokera ku 370 Mbit / mpaka 2950 Mbit / s). Pogwiritsa ntchito gawoli pambali ya kasitomala, magwiridwe antchito adakwera katatu pamagalimoto otuluka ndipo sanasinthe pamayendedwe omwe akubwera. Pogwiritsa ntchito gawoli pambali ya seva, magwiridwe antchito adakula nthawi 4 pamagalimoto obwera ndi 35% pakutuluka.

Kusintha kwina komwe kumasiyana ndi mtundu watsopanowu ndikuti kuthekera kogwiritsa ntchito TLS mode kumaperekedwa ndi ziphaso zodzilembera nokha (pogwiritsa ntchito njira ya "-peer-fingerprint", mutha kusiya magawo a "-ca" ndi "-capath" ndikupewa kuyambitsa seva ya PKI potengera Easy-RSA kapena mapulogalamu ofanana).

Kuphatikiza pa izi, zimadziwikanso kuti seva ya UDP imagwiritsa ntchito njira yolankhulirana yochokera ku cookie yomwe imagwiritsa ntchito cookie yochokera ku HMAC ngati chizindikiritso cha gawo, zomwe zimalola seva kuchita zotsimikizira zopanda malire.

Kumbali inayi, idawonjezera thandizo pakuphatikiza ndi laibulale ya OpenSSL 3.0, komanso kuwonjezera njira "-tls-cert-profile insecure" kuti musankhe mulingo wocheperako wachitetezo cha OpenSSL.

Titha kupezanso kuti malamulo atsopano olamulira akutali-kulowa-kuwerengera ndi kutali-kulowa-kulowa awonjezedwa kuti awerenge chiwerengero cha maulumikizidwe akunja ndikuzilemba.

Pakukambilana kofunikira, makina a EKM (Exported Keying Material, RFC 5705) tsopano ndi njira yofunika kwambiri yopezera zinthu zofunika kwambiri, m'malo mwa njira yeniyeni ya OpenVPN PRF. EKM imafuna laibulale ya OpenSSL kapena mbed TLS 2.18+.

Thandizo la OpenSSL limaperekedwa mumayendedwe a FIPS, kulola OpenVPN kugwiritsidwa ntchito pamakina omwe amakwaniritsa zofunikira zachitetezo cha FIPS 140-2.

Pazosintha zina zomwe zimachokera ku mtundu watsopano:

  • mlock zida zowunika kugawika kwa kukumbukira kokwanira. Ngati zosakwana 100 MB za RAM zilipo, setrlimit() imatchedwa kuti muwonjezere malire.
  • Njira yowonjezerera "-peer-fingerprint" kuti mutsimikizire kapena kumanga satifiketi ndi thumbprint kutengera SHA256 hashi, osagwiritsa ntchito tls-verify.
  • Pazolemba, kutsimikizika kwaulesi kumaperekedwa, kumayendetsedwa ndi "-auth-user-pass-verify". Thandizo lowonjezera pakudziwitsa kasitomala za kudikirira kutsimikizika mukamagwiritsa ntchito kutsimikizika kochedwa m'malemba ndi mapulagini.
  • Mawonekedwe ofananira (-compat-mode) kuti alole kulumikizana ndi ma seva akale omwe akuyendetsa OpenVPN 2.3.x kapena kale.

Pomaliza, ngati mukufuna kudziwa zambiri za izi, mutha kudziwa zambiri Mu ulalo wotsatira.


Zomwe zili m'nkhaniyi zikutsatira mfundo zathu za malamulo okonzekera. Kuti mufotokoze cholakwika dinani Apa.

Khalani oyamba kuyankha

Siyani ndemanga yanu

Anu email sati lofalitsidwa. Amafuna minda amalembedwa ndi *

*

*

  1. Wotsogolera pazosankhazi: Miguel Ángel Gatón
  2. Cholinga cha deta: Control SPAM, kasamalidwe ka ndemanga.
  3. Kukhazikitsa: Kuvomereza kwanu
  4. Kulumikizana kwa zomwe zafotokozedwazo: Zomwezo siziziwululidwa kwa anthu ena kupatula pakukakamizidwa mwalamulo.
  5. Zosunga: Zosungidwa ndi Occentus Networks (EU)
  6. Ufulu: Nthawi iliyonse mutha kuchepetsa, kuchira ndikuchotsa zidziwitso zanu.