
[速搜 Q&A] What is OpenVPN?

Q&A · admin · 1 year ago (2020-09-08) · 235 views · 0 comments


OpenVPN is a software package for creating encrypted virtual private network tunnels. The VPNs it creates can authenticate peers with public keys, digital certificates, or usernames and passwords. It makes heavy use of the SSL/TLS functions of the OpenSSL cryptographic library.

OpenVPN is a software package for creating encrypted virtual private network tunnels, originally written by James Yonan. A VPN built with OpenVPN can authenticate peers using public keys, digital certificates, or a username/password combination. It makes heavy use of the SSL/TLS functions of the OpenSSL cryptographic library.

OpenVPN currently runs on Solaris, Linux, OpenBSD, FreeBSD, NetBSD, Mac OS X and Microsoft Windows, as well as Android and iOS, and includes many security features. It is not compatible with IPsec.

How it works

At the technical core of OpenVPN is the virtual network card; second to it is the SSL protocol implementation.

The virtual network card in OpenVPN

A virtual network card is a driver implemented with low-level network programming techniques. Installing it adds a non-physical network interface (TAP or TUN) to the host, which can be configured like any other interface. A service program can open the virtual interface from user space: if an application (such as a web browser) sends data to the virtual interface, the service program can read that data, and if the service program writes suitably formed data to the virtual interface, the application receives it. Virtual network cards are implemented on many operating systems, which is an important reason OpenVPN works across platforms.

In OpenVPN, when a user accesses a remote virtual address (an address from the range assigned to the virtual interface, as opposed to a real address), the operating system's routing delivers the IP packet (TUN mode) or Ethernet frame (TAP mode) to the virtual interface. The service program receives the data, processes it, and sends it out over the public network through a socket. That completes one direction of the transfer, and the reverse works the same way: when the remote service program receives data from the public network through its socket and processes it, it writes the result back to its own virtual interface, and the application there receives it.
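As an added example (not code from the original page or from the OpenVPN project), the following shows what the service program described above sees when it opens a Linux TUN or TAP device from user space: in TUN mode it reads bare IP packets, in TAP mode it reads Ethernet frames whose 14-byte header must be stripped before the destination address can be examined. The device-opening helper uses the standard Linux TUNSETIFF ioctl and needs CAP_NET_ADMIN; the sample packets are constructed inline so the parsing part runs anywhere.

```python
import struct
from typing import Optional, Tuple

# Linux TUN/TAP ioctl constants from <linux/if_tun.h>; used only by open_tuntap().
TUNSETIFF = 0x400454CA
IFF_TUN = 0x0001    # layer-3 device: the program reads/writes raw IP packets
IFF_TAP = 0x0002    # layer-2 device: the program reads/writes Ethernet frames
IFF_NO_PI = 0x1000  # omit the 4-byte packet-information prefix on each read/write

def open_tuntap(name: str, tap: bool = False) -> int:
    """Open a TUN or TAP device from user space (Linux; needs CAP_NET_ADMIN).
    os.read() on the fd yields what applications send to the virtual NIC;
    os.write() injects data the applications will receive."""
    import fcntl, os
    fd = os.open("/dev/net/tun", os.O_RDWR)
    flags = (IFF_TAP if tap else IFF_TUN) | IFF_NO_PI
    fcntl.ioctl(fd, TUNSETIFF, struct.pack("16sH", name.encode(), flags))
    return fd

def destination(buf: bytes, tap: bool) -> Optional[Tuple[str, str]]:
    """Classify one unit read from the device: ('ipv4', dst IP) for a packet the
    tunnel service would forward, ('ether', dst MAC) for non-IP layer-2 traffic
    that only TAP mode carries (e.g. ARP), or None if the data is malformed.
    TUN mode delivers the IP packet itself; TAP mode prefixes a 14-byte Ethernet
    header (dst MAC, src MAC, EtherType) that must be stripped before parsing IP."""
    if tap:
        if len(buf) < 14:
            return None
        dst_mac, _src_mac, ethertype = struct.unpack("!6s6sH", buf[:14])
        if ethertype != 0x0800:
            return ("ether", dst_mac.hex(":"))
        buf = buf[14:]
    if len(buf) < 20 or buf[0] >> 4 != 4:   # IPv4 only; version nibble must be 4
        return None
    return ("ipv4", ".".join(str(b) for b in buf[16:20]))

def ipv4_packet(src: str, dst: str, payload: bytes = b"") -> bytes:
    """Constructed sample: minimal IPv4 header (proto UDP, checksum left 0) + payload."""
    ip = lambda s: bytes(int(o) for o in s.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                      ip(src), ip(dst))
    return hdr + payload

def ethernet_frame(dst_mac: bytes, src_mac: bytes, ethertype: int, payload: bytes) -> bytes:
    """Constructed sample: the same packet as a TAP device would deliver it."""
    return struct.pack("!6s6sH", dst_mac, src_mac, ethertype) + payload
```

Reading the same IPv4 packet through both modes shows why a TUN tunnel cannot carry ARP or other non-IP frames while a TAP tunnel can.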

Encryption

OpenVPN uses the OpenSSL library to encrypt both data and control traffic, which means it can use any algorithm OpenSSL supports. It offers HMAC to strengthen the security of the connection, and OpenSSL's hardware acceleration can improve its performance. Versions after 2.3.0 introduced PolarSSL.

Authentication

OpenVPN offers several authentication methods to confirm the identity of both ends of a connection, including:

  • Pre-shared keys
  • Digital certificates
  • Username/password combinations

Pre-shared keys are the simplest method, but they can only be used to create point-to-point VPNs. PKI-based third-party certificates provide the most complete functionality, but require maintaining an additional PKI certificate system. OpenVPN 2.0 introduced username/password authentication, which lets the client certificate be omitted, although a server certificate is still required for encryption.

Features and ports

All OpenVPN communication runs over a single IP port; UDP is the default and recommended transport, and TCP is also supported. The official port assigned to OpenVPN by IANA (Internet Assigned Numbers Authority) is 1194. Since OpenVPN 2.0, a single process can manage several concurrent tunnels. Because OpenVPN uses the common transport protocols (TCP and UDP), it is an ideal alternative to protocols such as IPsec, particularly where an ISP (Internet service provider) filters specific VPN protocols.

OpenVPN connections can pass through most proxy servers and work well behind NAT.

The server can "push" network configuration to clients, including IP addresses and routing settings.

OpenVPN provides two kinds of virtual network interface through the generic TUN/TAP driver: a layer-3 IP tunnel, or a virtual layer-2 Ethernet that can carry any kind of layer-2 Ethernet traffic.

Transmitted data can be compressed with the LZO algorithm.

Security

OpenVPN has many security features built in: it runs in user space, with no changes to the kernel or network stack; after initialisation it runs chrooted and drops root privileges; and it uses mlockall to keep sensitive data from being swapped to disk.

OpenVPN supports hardware cryptographic tokens, such as smart cards, through PKCS#11.

Restrictions in mainland China

The Great Firewall interferes with the connection at the point where the OpenVPN server returns its certificate to complete the handshake and establish an encrypted connection: in TCP mode the handshake is terminated by a connection reset, while in UDP mode the packets carrying the server's authentication certificate are deliberately dropped, so OpenVPN cannot establish an encrypted connection and the connection fails. Connections within mainland China are not subject to this restriction.

Improving obfuscation

Stunnel: forwarding OpenVPN traffic through Stunnel removes OpenVPN's protocol signature, providing both protection and traffic disguise (Stunnel is usually placed on port 443 so that it looks like a web site).

KCPtun: using KCPtun to carry OpenVPN traffic as UDP can also remove OpenVPN's protocol signature.

SSH: an SSH tunnel can be used to forward OpenVPN traffic, but SSH exposes its own protocol signature, so this method has fallen out of use.
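As an added example (not code from the original page or from the OpenVPN project), this is the kind of "protocol signature" the sections above refer to, seen from a network monitor's side: OpenVPN's control-channel header is sent in clear, so an unwrapped handshake on either transport can be recognised from its first bytes, which is exactly what a TLS wrapper such as Stunnel hides. The layout follows OpenVPN's wire format for a session without tls-auth/tls-crypt (opcode and key id in the first byte, 8-byte session id, ack count, packet id, and a 2-byte length prefix in TCP mode); the classification thresholds and the sample packet are constructed here.

```python
import struct
from typing import Optional

# Opcode in the top 5 bits of the first byte, key id in the low 3 bits (OpenVPN ssl.h).
OPCODES = {
    1: "P_CONTROL_HARD_RESET_CLIENT_V1", 2: "P_CONTROL_HARD_RESET_SERVER_V1",
    3: "P_CONTROL_SOFT_RESET_V1", 4: "P_CONTROL_V1", 5: "P_ACK_V1", 6: "P_DATA_V1",
    7: "P_CONTROL_HARD_RESET_CLIENT_V2", 8: "P_CONTROL_HARD_RESET_SERVER_V2",
    9: "P_DATA_V2", 10: "P_CONTROL_HARD_RESET_CLIENT_V3",
}
HARD_RESET = {1, 2, 7, 8, 10}   # opcodes that open a new session

def classify(payload: bytes, proto: str) -> Optional[str]:
    """Return the opcode name if `payload` is plausibly the first packet of an OpenVPN
    handshake over `proto` ('udp' or 'tcp'), otherwise None.
    Layout without tls-auth/tls-crypt: [TCP only: 2-byte length] opcode<<3|key_id,
    8-byte local session id, 1-byte ack count, [8-byte remote session id if acks],
    4-byte packet id, then the TLS record bytes."""
    if proto == "tcp":
        # TCP mode frames each packet with its exact length; UDP has no prefix.
        if len(payload) < 2 or struct.unpack("!H", payload[:2])[0] != len(payload) - 2:
            return None
        payload = payload[2:]
    if len(payload) < 14:
        return None
    opcode, key_id = payload[0] >> 3, payload[0] & 0x07
    if opcode not in HARD_RESET or key_id != 0:   # a new session starts with key id 0
        return None
    ack_count = payload[9]
    if ack_count > 8:                               # reliability layer acks at most 8 ids
        return None
    if len(payload) < 10 + ack_count * 4 + (8 if ack_count else 0) + 4:
        return None
    return OPCODES[opcode]

def hard_reset_client_v2(session_id: bytes, proto: str = "udp") -> bytes:
    """Constructed sample of the client's first packet (no tls-auth): opcode 7,
    key id 0, the given 8-byte session id, no acks, packet id 0."""
    body = bytes([7 << 3 | 0]) + session_id + b"\x00" + struct.pack("!I", 0)
    return struct.pack("!H", len(body)) + body if proto == "tcp" else body
```

Once the same packet is wrapped inside a TLS record by Stunnel, the monitor only sees a TLS handshake on port 443 and this check no longer matches.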

