OpenVPN 2.5.0 has been released and comes with many changes

After almost four years since the publication of the 2.4 branch and the various minor versions that were released from it (bug fixes and some additional features), the release of OpenVPN 2.5.0 has been prepared.

This new version comes with many important changes; among the most interesting we find are those related to cryptography, as well as the move towards IPv6 and the adoption of new protocols.

About OpenVPN

For those unfamiliar with OpenVPN, you should know that this tool is a free connectivity tool based on SSL (Secure Sockets Layer), a VPN (Virtual Private Network).

OpenVPN offers point-to-point connectivity with hierarchical validation of connected users and remote hosts. It is a very good option for Wi-Fi technologies (IEEE 802.11 wireless networks) and supports a broad range of configurations, including load balancing.

OpenVPN is a multiplatform tool that has simplified the setup of VPNs compared to older and much harder-to-configure alternatives such as IPsec, making the technology more accessible to people without experience in this area.

Main new features of OpenVPN 2.5.0

Among the most important changes, we find that this new version, OpenVPN 2.5.0, supports data channel encryption using the ChaCha20 stream cipher and the Poly1305 message authentication code (MAC) algorithm, which are positioned as faster and more secure counterparts to AES-256-CTR and HMAC; their software implementation achieves constant execution times without requiring special hardware support.

Added the ability to give each client a unique tls-crypt key, allowing large organizations and VPN providers to use the same TLS stack protection and DoS mitigation techniques that were previously available only to small setups using tls-auth or tls-crypt.

Another important change is the improved method for negotiating the cipher used to protect the data channel. ncp-ciphers has been renamed to data-ciphers to avoid confusion with the tls-cipher option and to emphasize that data-ciphers selects the cipher configuration for the data channel (the old name is kept for compatibility).

Clients now send the list of all the data ciphers they support to the server using the IV_CIPHERS variable, allowing the server to choose the first cipher that is compatible with both sides.

Support for the BF-CBC cipher has been removed from the default settings. OpenVPN 2.5 now supports only AES-256-GCM and AES-128-GCM by default. This behavior can be changed using the data-ciphers option. When upgrading to the new version of OpenVPN, a BF-CBC "cipher" setting in old configuration files is converted so that BF-CBC is added to the data cipher suite and the data cipher fallback mode is enabled.
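The negotiation and the upgrade rule described in the last three paragraphs, modelled as an added example (this is not OpenVPN project code; the option names data-ciphers, ncp-ciphers, data-ciphers-fallback, cipher and IV_CIPHERS are OpenVPN's, the selection logic is a simplified reconstruction of the documented behaviour):

```python
# Added example: models OpenVPN 2.5 data-channel cipher negotiation and the
# legacy-config migration rule. Simplified; not the project's own implementation.

DEFAULT_DATA_CIPHERS = ["AES-256-GCM", "AES-128-GCM"]   # 2.5 defaults per the release notes
WEAK_DATA_CIPHERS = {"BF-CBC"}                            # 64-bit block cipher, removed from defaults


def migrate_legacy_config(lines):
    """Apply the 2.5 upgrade rule to a 2.4-style config given as option lines.

    A `cipher X` that is not already in data-ciphers is appended to the data-ciphers
    list and becomes data-ciphers-fallback, so clients that do not send IV_CIPHERS
    can still connect. Returns (data_ciphers, fallback, warnings).
    """
    options = {}
    for raw in lines:
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if line:
            key, _, value = line.partition(" ")
            options[key] = value.strip()
    # ncp-ciphers is the deprecated spelling of data-ciphers and is still accepted
    configured = options.get("data-ciphers") or options.get("ncp-ciphers")
    data_ciphers = configured.split(":") if configured else list(DEFAULT_DATA_CIPHERS)
    fallback = options.get("data-ciphers-fallback")
    legacy = options.get("cipher")
    if legacy and legacy not in data_ciphers:
        data_ciphers.append(legacy)
        fallback = fallback or legacy
    warnings = [f"weak data cipher enabled for compatibility: {c}"
                for c in data_ciphers if c in WEAK_DATA_CIPHERS]
    return data_ciphers, fallback, warnings


def negotiate_data_cipher(server_ciphers, fallback, client_iv_ciphers):
    """Server side of the negotiation.

    Walk the server's data-ciphers in order and return the first one the client
    also advertised in IV_CIPHERS (a colon-separated string). A client that sent
    no IV_CIPHERS at all (pre-2.5) only ever gets the fallback cipher, which may
    be None; a client whose list shares nothing with the server's gets None.
    """
    if client_iv_ciphers is None:
        return fallback
    offered = set(client_iv_ciphers.split(":"))
    for cipher in server_ciphers:
        if cipher in offered:
            return cipher
    return None
```

Running `migrate_legacy_config` over an old config with `cipher BF-CBC` shows why the upgrade keeps such a server reachable by legacy clients while the warning list flags the cipher that should be removed once those clients are gone.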

Added support for asynchronous (deferred) authentication in the auth-pam plugin. Similarly, the "--client-connect" option and the client-connect plugin API gained the ability to defer returning the configuration file.

On Linux, support for network integration with Virtual Routing and Forwarding (VRF) has been added. The "--bind-dev" option is provided to place the outer socket into a VRF.

Support for configuring IP addresses and routes through the Netlink interface provided by the Linux kernel. Netlink is used when OpenVPN is built without the "--enable-iproute2" option, and it allows running OpenVPN without the additional privileges required to run the "ip" utility.

The protocol gained the ability to use two-factor authentication or additional web-based authentication (SAML) without interrupting the session after the initial authentication (after the first authentication, the session remains in an 'unauthenticated' state and waits for the completion of the second authentication stage).

Among other notable changes:

  • It is now possible to work only with IPv6 addresses inside the VPN tunnel (previously this was not possible without also specifying IPv4 addresses).
  • Ability to set the data cipher and data cipher settings for clients from the client-connect script.
  • Ability to specify the MTU size of the tun/tap interface on Windows.
  • Support for selecting an OpenSSL engine for private key access (e.g. a TPM).
  • The "--auth-gen-token" option now supports the generation of HMAC-based tokens.
  • Ability to use /31 netmasks in IPv4 settings (OpenVPN no longer tries to set a broadcast address).
  • Added the "--block-ipv6" option to block all IPv6 packets.
  • The "--ifconfig-ipv6" and "--ifconfig-ipv6-push" options allow you to specify a hostname instead of an IP address (the address is resolved via DNS).
  • TLS 1.3 support. TLS 1.3 requires at least OpenSSL 1.1.1. The "--tls-ciphersuites" and "--tls-groups" options have been added to configure TLS parameters.
