I-OpenVPN 2.4.9 inguqu encinci elungisa ezinye iibhugi

Darkcrizt

Imizuzu ye6

Kwiintsuku ezithile ezidlulileyo Inguqulelo entsha ye-OpenVPN 2.4.9 yakhutshwa, ukuba yile inguqulelo yokulungisa Oko kwamiselwa Ukulungisa ukuba semngciphekweni kwe-CVE-2.020-11.810, evumela ukuguqulela iseshoni yabathengi kwidilesi entsha ye-IP, kude kube lelo xesha yayingabhaliswanga.

Ingxaki ingasetyenziselwa ukuphazamisa umxhasi osanda kuqhagamshelwa kwinqanaba apho ukuchongwa koontanga sele kuvelisiwe, kodwa uthethathethwano ngezitshixo zeseshoni alukagqitywa (umthengi unokumisa iiseshoni zabanye abathengi).

Malunga ne-OpenVPN

Kulabo abangaqhelekanga nge-OpenVPN, kuya kufuneka uyazi loo nto Esi sisixhobo simahla esisekwe kwisoftware, I-SSL (iZiseko zoKhuseleko eziKhuselekileyo), iVPN yeNethiwekhi yangasese yangasese

OpenVPN inika inqaku lokudibanisa inqaku kunye nokuqinisekiswa kwemigangatho yabasebenzisi abaxhumeneyo kunye nemikhosi ukude. Olukhetho oluhle kakhulu kubuchwephesha beWi-Fi (IEEE 802.11 iinethiwekhi ngaphandle kwamacingo) kwaye ixhasa ubumbeko olubanzi, kubandakanya ukulinganisa umthwalo.

I-OpenVPN sisixhobo esiphindaphindayo esenza ukuba kube lula ukuqwalaselwa kwee-VPNs xa kuthelekiswa nezindala kwaye kunzima ngakumbi ukuzilungiselela ezinjenge-IPsec nokwenza ukuba zifikeleleke kubantu abangenamava kolu hlobo lwetekhnoloji.

Yintoni entsha kwi-OpenVPN 2.4.9?

Ngaphandle kokulungiswa kwi-bug ekhankanywe ngasentla, le nguqulo intsha nayo isebenzisa utshintsho kwinkqubo yokuqinisekisa iinkonzo zomsebenzisi ezisebenzisanayo (KwiWindows, indawo emiselweyo iqinisekiswa kuqala, emva koko isicelo sithunyelwe kumlawuli wesizinda.)

Xa usebenzisa ukhetho "-ifayile yomsebenzisi-yokupasa", Ukuba kukho igama lomsebenzisi elinye kwifayile lokucela iphasiwedi, ukuyaixesha ujongano luyafuneka ukulawula iziqinisekiso (yeka ukucela igama eligqithisiweyo usebenzisa i-OpenVPN ngokukhawulezisa ikhonsoli).

Kwiqonga leWindows, kuvunyelwe ukusebenzisa imitya yokukhangela ye-unicode kukhetho lwe - –cryptoapicert ".

Ukulungiswa kwakhona komcimbi kukungakwazi ukukhuphela iiCRL ezininzi (Uluhlu lokurhoxiswa kwesatifikethi) lukwifayile enye xa usebenzisa "-crl-Qinisekisa" ukhetho kwiinkqubo ze-OpenSSL.

Kwaye imicimbi yokudityaniswa isonjululwe kwiqonga leFreeBSD kusetyenziswa iflegi ye-enable-async-push.

Iifayile ezizimeleyo ze-OpenSSL ezizimeleyo kunye nezatifikethi eziphelelwe lixesha zigqithiselwa kwivenkile yeziqinisekiso yeWindows.

Uyifaka njani i-OpenVPN?

Kulabo abanomdla wokukwazi ukufaka i-OpenVPN kwinkqubo yabo, bangayenza belandela imiyalelo ukuba sabelana ngezantsi.

Into yokuqala iya kuba ukufaka isixhobo kunye ne-RSA elula Kuba ukukhupha izatifikethi ezithembakeleyo, kufuneka kube kugunyazisiwe iGunya leSatifikethi elilula:

sudo apt update

sudo apt install openvpn easy-rsa

Ngoku Siza kuqwalasela igunya lesatifikethi nge:

make-cadir ~/openvpn-ca

cd ~/openvpn-ca

Y masihlele ezinye zeenguqulelo onceda ukugqiba ukuba uzenze njani izatifikethi:

gedit vars

Jonga icandelo le-rsa elula kwaye uhlele ukuze libonakale ngoluhlobo:

Emva kohlengahlengiso oluthile:

# These are the default values for fields

# which will be placed in the certificate.

# Don't leave any of these fields blank.

export KEY_COUNTRY="US"

export KEY_PROVINCE="CA"

export KEY_CITY="Tustin"

export KEY_ORG="SSD Nodes"

export KEY_EMAIL= class="hljs-string">"joel@example.com"

export KEY_OU="Marketing"

# X509 Subject Field

export KEY_NAME="vpnserver"

Ugcina kwaye uchwetheze kwisiphelo sendlela:

source vars

./build-ca

Isitshixo esitsha seRSA siyakwenziwa kwaye uya kucelwa ukuba uqinisekise ngeenkcukacha ozifakileyo kwifayile. Yenza le nto ngoku lixesha lokwenza izitshixo zikarhulumente / zabucala zabathengi, apho kwi- [server] babeka khona igama abalifunayo.

./build-key-server [server]

Emva koko, kufuneka bakhe izitshixo zeDiffie-Hellman.

./build-dh

Okokugqibela, kufuneka bavelise utyikityo lwe-HMAC ukomeleza isatifikethi.

openvpn --genkey --secret keys/ta.key

source vars

./build-key client1

Y ukuba ufuna ukwenza iziqinisekiso ezikhuselweyo zephasiwedi:

vars zomthombo

./build-key-pass client1

Ngoku siza kuqwalasela iseva ye-OpenVPN

cd ~/openvpn-ca/keys

sudo cp ca.crt ca.key vpnserver.crt vpnserver.key ta.key dh2048.pem /etc/openvpn

gunzip -c /usr/share/doc/openvpn/examples/sample-config-files/server.conf.gz | sudo tee /etc/openvpn/server.conf

Ngoku kufuneka senze ukuhlela kwifayile yoqwalaselo.

sudo nano /etc/openvpn/server.conf

Kuqala, masiqinisekise ukuba i-OpenVPN ijonge iifayile ezilungileyo ze-.crt kunye.

Ngenxa ye:

ca ca.crt

cert server.crt

key server.key  # This file should be kept secret

Emva:

ca ca.crt

cert vpnserver.crt

key vpnserver.key  # This file should be kept secret

Sisebenzisa i-HMAC efanayo phakathi kwabaxhasi kunye neseva.

Ngenxa ye:

;tls-auth ta.key 0 # This file is secret

Emva:

tls-auth ta.key 0 # This file is secret

key-direction 0

Ukuba ukhetha ukusebenzisa i-DNS ngaphandle kwe-opendns, kuya kufuneka utshintshe le migca mibini eqala ngokutyhala «dhcp-ukhetho.

Ngenxa ye:

# If enabled, this directive will configure

# all clients to redirect their default

# network gateway through the VPN, causing

# all IP traffic such as web browsing and

# and DNS lookups to go through the VPN

# (The OpenVPN server machine may need to NAT

# or bridge the TUN/TAP interface to the internet

# in order for this to work properly).

;push "redirect-gateway def1 bypass-dhcp"

# Certain Windows-specific network settings

# can be pushed to clients, such as DNS

# or WINS server addresses.  CAVEAT:

# http://openvpn.net/faq.html#dhcpcaveats

# The addresses below refer to the public

# DNS servers provided by opendns.com.

;push "dhcp-option DNS 208.67.222.222"

;push "dhcp-option DNS 208.67.220.220"

Emva:

# If enabled, this directive will configure

# all clients to redirect their default

# network gateway through the VPN, causing

# all IP traffic such as web browsing and

# and DNS lookups to go through the VPN

# (The OpenVPN server machine may need to NAT

# or bridge the TUN/TAP interface to the internet

# in order for this to work properly).

push "redirect-gateway def1"

# Certain Windows-specific network settings

# can be pushed to clients, such as DNS

# or WINS server addresses.  CAVEAT:

# http://openvpn.net/faq.html#dhcpcaveats

# The addresses below refer to the public

# DNS servers provided by opendns.com.

push "dhcp-option DNS 208.67.222.222"

push "dhcp-option DNS 208.67.220.220"

Emva koko Kuya kufuneka sikhethe ii-cipher zokuzisebenzisa:

Ngenxa ye:

# Select a cryptographic cipher.

# This config item must be copied to

# the client config file as well.

;cipher BF-CBC        # Blowfish (default)

;cipher AES-128-CBC   # AES

;cipher DES-EDE3-CBC  # Triple-DES

Emva:

# Select a cryptographic cipher.

# This config item must be copied to

# the client config file as well.

;cipher BF-CBC        # Blowfish (default)

cipher AES-256-CBC   # AES

;cipher DES-EDE3-CBC  # Triple-DES

auth SHA512

Okokugqibela, masenze ukuba i-OpenVPN isebenzise iakhawunti yomsebenzisi engenalo ilungelo endaweni yengcambu, engakhuselekanga ngokukodwa.

user openvpn

group nogroup

Ngoku sinokugcina kwaye sivale le fayile ukwenza loo msebenzisi:

sudo adduser --system --shell /usr/sbin/nologin --no-create-home openvpn

Kwaye siyenza isebenze inkonzo nge:

sudo systemctl enable openvpn@server

sudo systemctl start openvpn@server

Shiya uluvo lwakho

Idilesi yakho ye email aziyi kupapashwa. ezidingekayo ziphawulwe *

*

*

  1. Uxanduva lwedatha: UMiguel Ángel Gatón
  2. Injongo yedatha: Ulawulo lwe-SPAM, ulawulo lwezimvo.
  3. Umthetho: Imvume yakho
  4. Unxibelelwano lwedatha: Idatha ayizukuhanjiswa kubantu besithathu ngaphandle koxanduva lomthetho.
  5. Ukugcinwa kweenkcukacha
  6. Amalungelo: Ngalo naliphi na ixesha unganciphisa, uphinde uphinde ucime ulwazi lwakho.