A few days ago a new version, OpenVPN 2.4.9, was released. It is a maintenance release whose purpose is to fix the vulnerability CVE-2020-11810, which allows a client's session to be redirected to a new IP address that had not been registered up to that point.
The problem can be exploited to disrupt a newly connected client at the stage where the peer identifier has already been issued but the session key negotiation has not yet completed (one client can terminate the sessions of other clients).
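As an added example that is not part of the original article: a small POSIX shell check that parses the first line of `openvpn --version` and reports whether the installed release is 2.4.9 or later, the version the article names as carrying this fix. The banner is a constructed sample and the function names are my own; on a real host, feed it `openvpn --version | head -n 1`.

```shell
#!/bin/sh
# Added example, not from the original article: decide from the first line of
# `openvpn --version` whether the installed release is at least 2.4.9, the
# version the article names as carrying the CVE-2020-11810 fix.

# Constructed sample banner standing in for `openvpn --version | head -n 1`.
SAMPLE_BANNER='OpenVPN 2.4.8 x86_64-pc-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [PKCS11] [MH/PKTINFO] [AEAD] built on Oct 30 2019'
FIXED_VERSION=2.4.9

# Print the MAJOR.MINOR.PATCH triple from a banner line, or nothing if the
# line does not look like an OpenVPN version banner.
openvpn_version_from_banner() {
    printf '%s\n' "$1" | sed -n 's/^OpenVPN \([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Numeric field-by-field comparison of two MAJOR.MINOR.PATCH strings.
# Prints -1, 0 or 1 for "$1 < $2", "$1 == $2" and "$1 > $2" respectively
# (a plain string comparison would rank 2.4.10 below 2.4.9).
version_cmp() {
    a_major=${1%%.*}; a_rest=${1#*.}; a_minor=${a_rest%%.*}; a_patch=${a_rest#*.}
    b_major=${2%%.*}; b_rest=${2#*.}; b_minor=${b_rest%%.*}; b_patch=${b_rest#*.}
    for pair in "$a_major $b_major" "$a_minor $b_minor" "$a_patch $b_patch"; do
        set -- $pair
        if [ "$1" -lt "$2" ]; then printf '%s\n' -1; return 0; fi
        if [ "$1" -gt "$2" ]; then printf '%s\n' 1; return 0; fi
    done
    printf '%s\n' 0
}

# Exit 0 when the banner reports FIXED_VERSION or newer, 1 when it is older,
# and 2 when no version could be parsed from the banner at all.
openvpn_is_fixed() {
    v=$(openvpn_version_from_banner "$1")
    [ -n "$v" ] || return 2
    [ "$(version_cmp "$v" "$FIXED_VERSION")" -ge 0 ]
}

# Demonstration on the constructed banner.
version=$(openvpn_version_from_banner "$SAMPLE_BANNER")
if [ -z "$version" ]; then
    echo "could not parse an OpenVPN version from the banner"
elif openvpn_is_fixed "$SAMPLE_BANNER"; then
    echo "OpenVPN $version includes the $FIXED_VERSION fix"
else
    echo "OpenVPN $version is older than $FIXED_VERSION: upgrade"
fi
```

The comparison is done field by field as integers rather than as a string so that a later patch release such as 2.4.10 is correctly ranked above 2.4.9; a banner the parser does not recognise is reported separately instead of being treated as vulnerable or as fixed.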
About OpenVPN
For those unfamiliar with OpenVPN, you should know that it is a free, software-based SSL (Secure Sockets Layer) VPN (virtual private network) tool.
OpenVPN offers point-to-point connectivity with hierarchical validation of remotely connected users and hosts. It is a very good option for Wi-Fi technologies (IEEE 802.11 wireless networks) and supports a wide range of configurations, including load balancing.
OpenVPN is a versatile tool that makes configuring VPNs simple compared with older and harder-to-configure alternatives such as IPsec, making them accessible to people with no experience in this type of technology.
What's new in OpenVPN 2.4.9?
Besides the bug fix mentioned above, this new version also changes the authentication process of the interactive user service (on Windows, the configured domain is checked first, and only then is the request sent to the domain controller).
When the --auth-user-pass option is used with a file that contains only a username, the management interface is used to request the credentials (instead of prompting for the password on the OpenVPN console).
On the Windows platform, Unicode search strings are now allowed in the --cryptoapicert option.
Also fixed is an issue where multiple CRLs (certificate revocation lists) could not be loaded from a single file when using the --crl-verify option in OpenSSL-based builds.
Build problems on the FreeBSD platform when using the --enable-async-push flag were also resolved.
Self-signed OpenSSL certificates and expired certificates are passed through to the Windows certificate store.
How do you install OpenVPN?
Those interested in installing OpenVPN on their system can do so by following the instructions we share below.
The first step is to install the tool together with easy-rsa, since issuing trusted certificates requires setting up a simple Certificate Authority:
sudo apt update
sudo apt install openvpn easy-rsa
Now we will configure the certificate authority with:
make-cadir ~/openvpn-ca
cd ~/openvpn-ca
And let's edit some of the variables that determine how the certificates are generated:
gedit vars
Look at the easy-rsa section and edit it so that it looks like this:
After some editing:
# These are the default values for fields
# which will be placed in the certificate.
# Don't leave any of these fields blank.
export KEY_COUNTRY="US"
export KEY_PROVINCE="CA"
export KEY_CITY="Tustin"
export KEY_ORG="SSD Nodes"
export KEY_EMAIL="joel@example.com"
export KEY_OU="Marketing"
# X509 Subject Field
export KEY_NAME="vpnserver"
Save and type in the terminal:
source vars
./build-ca
A new RSA key will be generated and you will be asked to confirm the details you entered in the file. Once that is done, it is time to generate the server's public/private key pair, where [server] stands for the name you want to give it:
./build-key-server [server]
Next, the Diffie-Hellman keys must be built.
./build-dh
Finally, an HMAC signature must be generated to strengthen the certificates.
openvpn --genkey --secret keys/ta.key
source vars
./build-key client1
And if you want to create password-protected certificates:
source vars
./build-key-pass client1
Now we will configure the OpenVPN server
cd ~/openvpn-ca/keys
sudo cp ca.crt ca.key vpnserver.crt vpnserver.key ta.key dh2048.pem /etc/openvpn
gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf
Now we need to make some edits to the configuration file.
sudo nano /etc/openvpn/server.conf
First, let's make sure OpenVPN points at the right .crt and .key files.
Before:
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
After:
ca ca.crt
cert vpnserver.crt
key vpnserver.key  # This file should be kept secret
We use the same HMAC key between the clients and the server.
Before:
;tls-auth ta.key 0 # This file is secret
After:
tls-auth ta.key 0 # This file is secret
key-direction 0
If you prefer to use DNS servers other than OpenDNS, you will need to change the two lines that begin with push "dhcp-option".
Before:
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
;push "redirect-gateway def1 bypass-dhcp"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
After:
# If enabled, this directive will configure
# all clients to redirect their default
# network gateway through the VPN, causing
# all IP traffic such as web browsing and
# and DNS lookups to go through the VPN
# (The OpenVPN server machine may need to NAT
# or bridge the TUN/TAP interface to the internet
# in order for this to work properly).
push "redirect-gateway def1"
# Certain Windows-specific network settings
# can be pushed to clients, such as DNS
# or WINS server addresses. CAVEAT:
# http://openvpn.net/faq.html#dhcpcaveats
# The addresses below refer to the public
# DNS servers provided by opendns.com.
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
Next, we must choose the ciphers to use:
Before:
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
After:
# Select a cryptographic cipher.
# This config item must be copied to
# the client config file as well.
;cipher BF-CBC        # Blowfish (default)
cipher AES-256-CBC    # AES
;cipher DES-EDE3-CBC  # Triple-DES
auth SHA512
Finally, let's make OpenVPN run under an unprivileged user account instead of root, which would be particularly insecure.
user openvpn
group nogroup
Now we can save and close the file and create that user:
sudo adduser --system --shell /usr/sbin/nologin --no-create-home openvpn
And we enable and start the service with:
sudo systemctl enable openvpn@server
sudo systemctl start openvpn@server
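The server.conf edits above, as an added example that is neither the article's own script nor an OpenVPN project tool: one POSIX shell function applies the before/after changes with sed to a scratch copy of a constructed excerpt of the stock sample server.conf, and a second function checks that every hardened directive is active and the weak ciphers stay commented out. It assumes the stock file carries `;user nobody` and a `;group` line to uncomment, and that the certificate name is vpnserver, as in the vars file above; the function names are mine.

```shell
#!/bin/sh
# Added example, not the article's own script: apply the server.conf
# before/after edits shown above with sed on a scratch copy, then verify the
# result. The sample below is a constructed excerpt of the stock sample
# server.conf; "vpnserver" is the KEY_NAME chosen in the vars file.

# Write the constructed "before" excerpt to the path given as $1.
write_sample_conf() {
    cat > "$1" <<'EOF'
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh2048.pem
;tls-auth ta.key 0 # This file is secret
;push "redirect-gateway def1 bypass-dhcp"
;push "dhcp-option DNS 208.67.222.222"
;push "dhcp-option DNS 208.67.220.220"
;cipher BF-CBC        # Blowfish (default)
;cipher AES-128-CBC   # AES
;cipher DES-EDE3-CBC  # Triple-DES
;user nobody
;group nogroup
EOF
}

# Rewrite the file at $1 following the article's edits: point at the
# vpnserver certificate and key, enable tls-auth with key-direction 0,
# push the gateway and DNS options, select AES-256-CBC with SHA512 HMAC,
# and drop privileges to the openvpn user. key-direction and auth have no
# stock line to uncomment, so they are appended at the end.
harden_server_conf() {
    conf=$1
    sed \
        -e 's|^cert server\.crt|cert vpnserver.crt|' \
        -e 's|^key server\.key|key vpnserver.key|' \
        -e 's|^;tls-auth ta\.key 0|tls-auth ta.key 0|' \
        -e 's|^;push "redirect-gateway def1 bypass-dhcp"|push "redirect-gateway def1"|' \
        -e 's|^;push "dhcp-option DNS|push "dhcp-option DNS|' \
        -e 's|^;cipher AES-128-CBC.*|cipher AES-256-CBC   # AES|' \
        -e 's|^;user nobody|user openvpn|' \
        -e 's|^;group .*|group nogroup|' \
        "$conf" > "$conf.tmp" &&
    printf 'key-direction 0\nauth SHA512\n' >> "$conf.tmp" &&
    mv "$conf.tmp" "$conf"
}

# Succeed only when every hardened directive is active (uncommented) and the
# weak ciphers remain commented out; a sanity check to rerun after any edit.
check_server_conf() {
    conf=$1
    grep -q '^cert vpnserver\.crt' "$conf" &&
    grep -q '^key vpnserver\.key' "$conf" &&
    grep -q '^tls-auth ta\.key 0' "$conf" &&
    grep -q '^key-direction 0' "$conf" &&
    grep -q '^push "redirect-gateway def1"' "$conf" &&
    grep -q '^cipher AES-256-CBC' "$conf" &&
    grep -q '^auth SHA512' "$conf" &&
    grep -q '^user openvpn' "$conf" &&
    grep -q '^group nogroup' "$conf" &&
    ! grep -q '^cipher BF-CBC' "$conf" &&
    ! grep -q '^cipher DES-EDE3-CBC' "$conf"
}

# Demonstration on a scratch copy; nothing under /etc/openvpn is touched.
demo_dir=$(mktemp -d)
write_sample_conf "$demo_dir/server.conf"
harden_server_conf "$demo_dir/server.conf"
if check_server_conf "$demo_dir/server.conf"; then
    echo "server.conf hardened as described; active directives:"
    grep -v '^;' "$demo_dir/server.conf"
fi
rm -rf "$demo_dir"
```

Run the two functions against a backup copy of the real /etc/openvpn/server.conf rather than the live file, and keep check_server_conf around: it is a cheap way to confirm that a later hand edit has not re-enabled a weak cipher or dropped the privilege-separation lines.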