Openvpn
OpenVPN - did the cipher really change?
I'm running openvpn on a router (openwrt) and I'm trying to maximise throughput. I tried lowering the number of bits used for the certificates, but that doesn't seem to affect the speed. I guess a shorter certificate just means a shorter login time (which doesn't matter since the router is always on). I've tried changing and tweaking the conf and the ciphers, but the speed stays the same.
Here is my server.conf
port 443
proto udp
dev tun
ca /etc/openvpn/keys/ca.crt
cert /etc/openvpn/keys/se01.crt
key /etc/openvpn/keys/se01.key
dh /etc/openvpn/keys/dh2048.pem
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway def1 bypass-dhcp"
push "dhcp-option DNS 208.67.222.222"
push "dhcp-option DNS 208.67.220.220"
;duplicate-cn
keepalive 10 120
tls-auth /etc/openvpn/keys/ta.key 0
cipher AES-256-CBC
;cipher AES-128-CBC
;cipher none
;max-clients 100
user openvpn
group nogroup
persist-key
persist-tun
status openvpn-status.log
log /dev/null
log-append /dev/null
verb 3
;mute 20
explicit-exit-notify 1
Here is the client
key-direction 1
client
dev tun
proto udp
remote 5.150.254.167 443
resolv-retry infinite
nobind
verb 3
auth-nocache
persist-key
persist-tun
remote-cert-tls server
;user nobody
;group nogroup
cipher AES-256-CBC
;cipher AES-128-CBC
;cipher none
-----HERE BEGINS MY CERTS ETC-----
When I try disabling encryption I get this output. I'm not sure how to read it, but it looks to me as if "cipher AES-256-GCM" is being used. Is that right, and how do I change it so that "cipher AES-256-GCM" is not pushed?
Tue Feb 6 08:53:16 2018 OpenVPN 2.4.4 mips-openwrt-linux-gnu [SSL (OpenSSL)] [LZO] [LZ4] [EPOLL] [MH/PKTINFO] [AEAD]
Tue Feb 6 08:53:16 2018 library versions: OpenSSL 1.0.2n 7 Dec 2017, LZO 2.10
Tue Feb 6 08:53:17 2018 ******* WARNING *******: '--cipher none' was specified. This means NO encryption will be performed and tunnelled data WILL be transmitted in clear text over the network! PLEASE DO RECONSIDER THIS SETTING!
Tue Feb 6 08:53:17 2018 Outgoing Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 6 08:53:17 2018 Incoming Control Channel Authentication: Using 160 bit message hash 'SHA1' for HMAC authentication
Tue Feb 6 08:53:17 2018 TCP/UDP: Preserving recently used remote address: [AF_INET]5.150.254.167:443
Tue Feb 6 08:53:17 2018 Socket Buffers: R=[163840->163840] S=[163840->163840]
Tue Feb 6 08:53:17 2018 UDP link local: (not bound)
Tue Feb 6 08:53:17 2018 UDP link remote: [AF_INET]5.150.254.167:443
Tue Feb 6 08:53:17 2018 TLS: Initial packet from [AF_INET]5.150.254.167:443, sid=7e98aa7d eaee25ee
Tue Feb 6 08:53:17 2018 VERIFY OK: depth=1, C=DE, ST=DE, L=Berlin, O=Data Privcy, CN=Data Privcy CA, name=Data Privcy, emailAddress=opsec@dataprivcy.com
Tue Feb 6 08:53:17 2018 VERIFY KU OK
Tue Feb 6 08:53:17 2018 Validating certificate extended key usage
Tue Feb 6 08:53:17 2018 ++ Certificate has EKU (str) TLS Web Server Authentication, expects TLS Web Server Authentication
Tue Feb 6 08:53:17 2018 VERIFY EKU OK
Tue Feb 6 08:53:17 2018 VERIFY OK: depth=0, C=DE, ST=DE, L=Berlin, O=Data Privcy, CN=Data Privcy CA, name=Data Privcy, emailAddress=opsec@dataprivcy.com
Tue Feb 6 08:53:17 2018 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Tue Feb 6 08:53:17 2018 [Data Privcy CA] Peer Connection Initiated with [AF_INET]5.150.254.167:443
Tue Feb 6 08:53:18 2018 SENT CONTROL [Data Privcy CA]: 'PUSH_REQUEST' (status=1)
Tue Feb 6 08:53:18 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,dhcp-option DNS 208.67.222.222,dhcp-option DNS 208.67.220.220,route 10.8.0.1,topology net30,ping 10,ping-restart 120,ifconfig 10.8.0.14 10.8.0.13,peer-id 0,cipher AES-256-GCM'
Tue Feb 6 08:53:18 2018 OPTIONS IMPORT: timers and/or timeouts modified
Tue Feb 6 08:53:18 2018 OPTIONS IMPORT: --ifconfig/up options modified
Tue Feb 6 08:53:18 2018 OPTIONS IMPORT: route options modified
Tue Feb 6 08:53:18 2018 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
Tue Feb 6 08:53:18 2018 OPTIONS IMPORT: peer-id set
Tue Feb 6 08:53:18 2018 OPTIONS IMPORT: adjusting link_mtu to 1624
Tue Feb 6 08:53:18 2018 OPTIONS IMPORT: data channel crypto options modified
Tue Feb 6 08:53:18 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue Feb 6 08:53:18 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb 6 08:53:18 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue Feb 6 08:53:18 2018 TUN/TAP device tun0 opened
Tue Feb 6 08:53:18 2018 TUN/TAP TX queue length set to 100
Tue Feb 6 08:53:18 2018 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Tue Feb 6 08:53:18 2018 /sbin/ifconfig tun0 10.8.0.14 pointopoint 10.8.0.13 mtu 1500
Tue Feb 6 08:53:18 2018 /sbin/route add -net 5.150.254.167 netmask 255.255.255.255 gw 192.168.2.1
Tue Feb 6 08:53:18 2018 /sbin/route add -net 0.0.0.0 netmask 128.0.0.0 gw 10.8.0.13
Tue Feb 6 08:53:18 2018 /sbin/route add -net 128.0.0.0 netmask 128.0.0.0 gw 10.8.0.13
Tue Feb 6 08:53:18 2018 /sbin/route add -net 10.8.0.1 netmask 255.255.255.255 gw 10.8.0.13
Tue Feb 6 08:53:18 2018 Initialization Sequence Completed
^CTue Feb 6 08:54:27 2018 event_wait : Interrupted system call (code=4)
Tue Feb 6 08:54:27 2018 /sbin/route del -net 10.8.0.1 netmask 255.255.255.255
Tue Feb 6 08:54:27 2018 /sbin/route del -net 5.150.254.167 netmask 255.255.255.255
Tue Feb 6 08:54:27 2018 /sbin/route del -net 0.0.0.0 netmask 128.0.0.0
Tue Feb 6 08:54:27 2018 /sbin/route del -net 128.0.0.0 netmask 128.0.0.0
Tue Feb 6 08:54:27 2018 Closing TUN/TAP interface
Tue Feb 6 08:54:27 2018 /sbin/ifconfig tun0 0.0.0.0
Tue Feb 6 08:54:27 2018 SIGINT[hard,] received, process exiting
Apart from getting a router with a better CPU, what else can be done to optimise throughput?
This is "Negotiable Crypto Parameters" (NCP) at work: the 'cipher' option is overridden by the (default) 'ncp-ciphers' list. This is new since OpenVPN 2.4. See also the man page:
--cipher alg Encrypt data channel packets with cipher algorithm alg. The default is BF-CBC, an abbreviation for Blowfish in Cipher Block Chaining mode. When cipher negotiation (NCP) is allowed, OpenVPN 2.4 and newer on both client and server side will automatically upgrade to AES-256-GCM. See --ncp-ciphers and --ncp-disable for more details on NCP.
and
--ncp-ciphers cipher_list Restrict the allowed ciphers to be negotiated to the ciphers in cipher_list. cipher_list is a colon-separated list of ciphers, and defaults to "AES-256-GCM:AES-128-GCM". For servers, the first cipher from cipher_list will be pushed to clients that support cipher negotiation.
So if you want, for example, AES-128-GCM (which may be slightly faster than AES-256-GCM), add
ncp-ciphers "AES-128-GCM"
to your server configuration. For speed optimisation, though, you will probably gain more from tuning the network options. See for example https://community.openvpn.net/openvpn/wiki/Gigabit_Networks_Linux.
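The answer's point is that what ends up on the data channel is decided by the server's ncp-ciphers list, not by the 'cipher' line on either side, which is why the client's 'cipher none' was silently replaced by AES-256-GCM. The script below is an added example, not code from the original post or from the OpenVPN project. It applies the man-page rules quoted above to a server.conf to predict the cipher an NCP-capable client will receive (first entry of ncp-ciphers, defaulting to AES-256-GCM:AES-128-GCM; the plain 'cipher' value, defaulting to BF-CBC, only when ncp-disable is set), then reads the "Data Channel: using negotiated cipher" line from a client log and reports a mismatch. The config files and the log excerpt it writes to a temporary directory are constructed for the example; the prediction assumes the client advertises NCP and accepts the pushed cipher.

```shell
#!/bin/sh
# Added example (not from the original post or from OpenVPN itself).
# Predict the data-channel cipher an OpenVPN 2.4 server will push, and
# confirm it against what a client log says was actually negotiated.

# Effective data-channel cipher for a client that supports NCP:
#   - with ncp-disable: the plain "cipher" value (BF-CBC if unset)
#   - otherwise: the first entry of ncp-ciphers (default AES-256-GCM:AES-128-GCM)
# Lines starting with ';' or '#' are comments and are ignored.
effective_cipher() {
    if grep -Eq '^[[:space:]]*ncp-disable' "$1"; then
        c=$(sed -n 's/^[[:space:]]*cipher[[:space:]]\{1,\}\([^[:space:]]*\).*/\1/p' "$1" | head -n 1)
        echo "${c:-BF-CBC}"
        return 0
    fi
    list=$(sed -n 's/^[[:space:]]*ncp-ciphers[[:space:]]\{1,\}"\{0,1\}\([^"[:space:]]*\).*/\1/p' "$1" | head -n 1)
    list="${list:-AES-256-GCM:AES-128-GCM}"
    echo "${list%%:*}"
}

# Cipher the client really initialised, taken from its log line
# "Data Channel: using negotiated cipher 'X'" (empty if no such line).
negotiated_cipher() {
    sed -n "s/.*Data Channel: using negotiated cipher '\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# Compare prediction and log; non-zero exit makes this usable as a post-deploy check.
verify_log() {
    want=$(effective_cipher "$1")
    got=$(negotiated_cipher "$2")
    if [ "$want" = "$got" ]; then
        echo "OK: data channel uses $got"
        return 0
    fi
    echo "MISMATCH: server.conf implies $want, client log shows ${got:-no negotiated cipher}" >&2
    return 1
}

# Constructed sample inputs (trimmed versions of the configs and log in the question).
SAMPLES=$(mktemp -d)
trap 'rm -rf "$SAMPLES"' EXIT

cat > "$SAMPLES/server-default.conf" <<'EOF'
# as posted: 'cipher' set, no ncp-ciphers, so NCP pushes the default AES-256-GCM
port 443
proto udp
cipher AES-256-CBC
;cipher none
EOF

cat > "$SAMPLES/server-128.conf" <<'EOF'
# the answer's suggestion: first ncp-ciphers entry wins
cipher AES-256-CBC
ncp-ciphers "AES-128-GCM"
EOF

cat > "$SAMPLES/server-ncpoff.conf" <<'EOF'
# negotiation switched off: the plain 'cipher' line applies again
cipher AES-128-CBC
ncp-disable
EOF

cat > "$SAMPLES/client.log" <<'EOF'
Tue Feb 6 08:53:18 2018 PUSH: Received control message: 'PUSH_REPLY,redirect-gateway def1 bypass-dhcp,peer-id 0,cipher AES-256-GCM'
Tue Feb 6 08:53:18 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
EOF

# With the posted server.conf the log matches the prediction: AES-256-GCM.
verify_log "$SAMPLES/server-default.conf" "$SAMPLES/client.log"
```

Run it with `sh` on the router or on any box with the client log; to check a real deployment, point `verify_log` at the live server.conf and a client log captured at `verb 3` or higher. Note that `cipher none` on the client changes nothing as long as the server still pushes a cipher, which is exactly what the posted log shows.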