OpenVPN 2.6.0 has already been released and comes with many changes

OpenVPN

OpenVPN is a connectivity tool based on free software: SSL, VPN (Virtual Private Network).

Two and a half years after the release of the 2.5 branch, the release of the new version OpenVPN 2.6.0 was announced. It is a package for building virtual private networks that lets you set up an encrypted connection between two client machines or provide a centralized VPN server so that many clients can work at the same time.

For those unfamiliar with OpenVPN, you should know that it is a free-software connectivity tool based on SSL (Secure Sockets Layer), a Virtual Private Network (VPN).

OpenVPN offers point-to-point connectivity with hierarchical validation of the connected users and remote hosts. It is a very good option for Wi-Fi technologies (IEEE 802.11 wireless networks) and supports a wide range of configurations, including load balancing.

Main new features of OpenVPN 2.6.0

The new version highlights that the ovpn-dco kernel module is now included in the package, which can significantly speed up VPN performance.

The speed-up is achieved by moving all encryption operations, packet processing and communication-channel management to the Linux kernel side. This removes the overhead associated with context switches, lets the code work by accessing the internal kernel API directly, and eliminates the slow data transfers between the kernel and user space (the module performs encryption, decryption and routing without sending traffic to a controller in user space).

In the tests performed, compared with a configuration based on the tun interface, using the module on both the client and the server side with AES-256-GCM encryption allowed an 8-fold increase in throughput (from 370 Mbit/s to 2950 Mbit/s). Using the module only on the client side, throughput tripled for outgoing traffic and did not change for incoming traffic. Using the module only on the server side, throughput increased 4 times for incoming traffic and 35% for outgoing traffic.

Another change in the new version is that TLS mode can now be used with self-signed certificates (using the --peer-fingerprint option, you can omit the --ca and --capath parameters and avoid setting up a PKI server based on Easy-RSA or similar software).

In addition, it is noted that the UDP server uses a cookie-based connection negotiation mode, with an HMAC-based cookie serving as the session identifier, which lets the server perform stateless authentication.

On the other hand, support for building against the OpenSSL 3.0 library has been added, as well as the --tls-cert-profile insecure option to select the lowest OpenSSL security level.

We can also find that the new management commands remote-entry-count and remote-entry-get have been added to count the number of remote entries and retrieve them.

In the main negotiation procedure, the EKM method (Exported Keying Material, RFC 5705) is now the preferred method for deriving key material, instead of the OpenVPN-specific PRF method. EKM requires the OpenSSL library or mbed TLS 2.18+.

OpenSSL support is provided in FIPS mode, which allows OpenVPN to be used on systems that must meet the FIPS 140-2 security requirements.
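The HMAC-cookie idea described above can be shown with a small model. The following is an added example written for this article, not OpenVPN's own code or wire format: a server that answers the first packet with a cookie derived from a server-only secret, allocates no state, and only creates a session when the client echoes a valid, unexpired cookie from the same address. The peer address, session id, secret and 60-second lifetime are all constructed values chosen for the illustration.

```python
import hashlib
import hmac
import os
import struct
import time
from typing import Optional

# Constructed illustration of stateless, HMAC-cookie based negotiation.
# It is a simplified model, not OpenVPN's actual packet format.
COOKIE_TTL = 60          # seconds a cookie stays valid (assumed value)
COOKIE_LEN = 8 + 16      # 8-byte timestamp + 16-byte truncated HMAC-SHA256


class StatelessServer:
    def __init__(self, secret: Optional[bytes] = None):
        # The secret never leaves the server; rotating it invalidates
        # every outstanding cookie without any per-client bookkeeping.
        self._secret = secret if secret is not None else os.urandom(32)

    def _mac(self, peer: str, session_id: bytes, ts: int) -> bytes:
        # Bind the cookie to the claimed source address, the client's
        # session id and the issue time, so it cannot be replayed elsewhere.
        msg = peer.encode() + b"|" + session_id + b"|" + struct.pack("!Q", ts)
        return hmac.new(self._secret, msg, hashlib.sha256).digest()[:16]

    def handle_hard_reset(self, peer: str, session_id: bytes,
                          now: Optional[float] = None) -> bytes:
        """First client packet: reply with a cookie and keep NO state."""
        ts = int(now if now is not None else time.time())
        return struct.pack("!Q", ts) + self._mac(peer, session_id, ts)

    def handle_cookie_reply(self, peer: str, session_id: bytes, cookie: bytes,
                            now: Optional[float] = None) -> bool:
        """Second client packet echoes the cookie; only a valid one earns
        the allocation of real session state (returns True)."""
        if len(cookie) != COOKIE_LEN:
            return False
        ts = struct.unpack("!Q", cookie[:8])[0]
        current = int(now if now is not None else time.time())
        if not 0 <= current - ts <= COOKIE_TTL:
            return False           # expired or from the future
        expected = self._mac(peer, session_id, ts)
        # Constant-time comparison so timing does not leak the MAC.
        return hmac.compare_digest(cookie[8:], expected)


if __name__ == "__main__":
    srv = StatelessServer()
    peer, sid = "198.51.100.7:40000", os.urandom(8)   # constructed client
    cookie = srv.handle_hard_reset(peer, sid)
    print("valid echo:", srv.handle_cookie_reply(peer, sid, cookie))
    print("spoofed address:", srv.handle_cookie_reply("203.0.113.9:1", sid, cookie))
```

The point for a defender is the cost asymmetry: a flood of initial packets from forged source addresses costs the server one HMAC each and no memory, because state is only created after the client proves it can receive at the address it claims.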

Other notable changes in the new version:

  • mlock now checks that enough memory can be locked. If less than 100 MB of RAM is found, setrlimit() is called to raise the limit.
  • The --peer-fingerprint option has been added to verify or pin a certificate by its SHA256-based fingerprint, without using tls-verify.
  • Deferred authentication is available for scripts, used with the --auth-user-pass-verify option. Support has also been added for notifying the client about pending authentication when deferred authentication is used in scripts and plugins.
  • A compatibility mode (--compat-mode) has been added to allow connections to older servers running OpenVPN 2.3.x or earlier.

Finally, if you are interested in learning more about it, you can consult the details at the following link.
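The --peer-fingerprint workflow mentioned above, both for the self-signed TLS mode and in the list of changes, comes down to computing the SHA-256 fingerprint of the peer's certificate and pinning it in the configuration. The following is an added example for this article, not OpenVPN's own code: it computes the fingerprint in the colon-separated uppercase form that `openssl x509 -fingerprint -sha256` prints, emits a client configuration fragment carrying a `<peer-fingerprint>` block instead of `ca`/`capath`, and shows the check a verifier performs against the pinned list. The PEM blob is a constructed placeholder (arbitrary bytes, not a real X.509 certificate); the procedure is identical for a real certificate, since only the DER bytes between the PEM markers are hashed.

```python
import base64
import hashlib
import hmac
import re

# Constructed sample standing in for a self-signed server certificate.
# NOT a real certificate: arbitrary bytes wrapped in PEM markers so that
# the fingerprint pipeline can be exercised offline.
SAMPLE_DER = b"constructed-sample-certificate-bytes-for-openvpn-demo"
SAMPLE_SERVER_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n"
)

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_der(pem: str) -> bytes:
    """Extract and base64-decode the first CERTIFICATE block of a PEM string."""
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def sha256_fingerprint(pem: str) -> str:
    """Colon-separated uppercase SHA-256 fingerprint of the DER certificate,
    the format --peer-fingerprint expects (e.g. 'AB:CD:...')."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def client_config(remote_host: str, fingerprints: list) -> str:
    """Client config fragment pinning the server by fingerprint; no ca/capath.
    Several fingerprints may be listed, e.g. to rotate the server certificate."""
    lines = [
        "client",
        "dev tun",
        f"remote {remote_host} 1194 udp",
        "<peer-fingerprint>",
        *fingerprints,
        "</peer-fingerprint>",
    ]
    return "\n".join(lines) + "\n"


def fingerprint_matches(presented_pem: str, pinned: list) -> bool:
    """The check a verifier performs: the presented certificate is accepted
    only if its fingerprint equals one of the pinned values. Comparison is
    case-insensitive and constant-time."""
    fp = sha256_fingerprint(presented_pem)
    return any(hmac.compare_digest(fp, p.strip().upper()) for p in pinned)


if __name__ == "__main__":
    fp = sha256_fingerprint(SAMPLE_SERVER_PEM)
    print(client_config("vpn.example.test", [fp]))   # hostname is assumed
    print("accepted:", fingerprint_matches(SAMPLE_SERVER_PEM, [fp]))
```

Operationally, the fingerprint must be obtained out of band (from the server operator, not from the connection being verified); a client that reads the fingerprint off the first connection has pinned whatever was in the path at that moment.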
