kille72, is it possible to add an option so that when LTE is set as failover, i.e. Load Balance Weight = 0, the MultiWAN Routing rules still work? Currently, even though the rule is activated, the rules don't work until I set the load balance weight to at least 1, but then the wan2 port is used by all computers. The point is that I don't want wan2 to be used in general, but I do want a given computer to be able to use it according to the rule I created and activated, even though wan2 is set as failover.
I'll generate the keys and certificates once more and it will be fine
PS
Quote
# openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN. Each cipher shown below may be use as a
parameter to the --cipher option. The default key size is
shown as well as whether or not it can be changed with the
--keysize directive. Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.
AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC (192 bit key, 128 bit block)
AES-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC (256 bit key, 128 bit block)
AES-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)
The following ciphers have a block size of less than 128 bits,
and are therefore deprecated. Do not use unless you have to.
BF-CBC (128 bit key by default, 64 bit block)
BF-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC (128 bit key by default, 64 bit block)
CAST5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC (64 bit key, 64 bit block)
DES-CFB (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1 (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8 (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC (128 bit key, 64 bit block)
DES-EDE-CFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC (192 bit key, 64 bit block)
DES-EDE3-CFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC (192 bit key, 64 bit block)
IDEA-CBC (128 bit key, 64 bit block)
IDEA-CFB (128 bit key, 64 bit block, TLS client/server mode only)
IDEA-OFB (128 bit key, 64 bit block, TLS client/server mode only)
RC2-40-CBC (40 bit key by default, 64 bit block)
RC2-64-CBC (64 bit key by default, 64 bit block)
RC2-CBC (128 bit key by default, 64 bit block)
RC2-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC5-CBC (128 bit key by default, 64 bit block)
RC5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
In my build I changed 2 default settings in OpenVPN http://pastebin.com/U4nXGi1Z:
- OpenVPN: default port for server 2 changed to 1195, so both servers on default settings can be started at the same time
- OpenVPN: Change the "default" server Encryption cipher from BF-CBC to more secure AES-128-CBC
Feb 12 19:55:14 R7000 openvpn: 37.47.x.24 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 12 19:55:14 R7000 openvpn: 37.47.x.24 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Merged with post from 13 February 2017 08:00:20:
OK
how do I force key generation to be based on AES-256-GCM with SHA256 when creating the keys?
the OpenVPN 2.4.0 package (https://swupdate.openvpn.org/communit...-2.4.0.zip) doesn't contain EasyRSA - I have some older version, EasyRSA 3.0.1, and that one is probably not the latest, so I have to force AES-256-GCM in it - unless I just can't locate a newer package. Edited by qrs on 13-02-2017 08:00
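The two warnings quoted in the post above (`'auth' is used inconsistently` and `'link-mtu' is used inconsistently`), together with the SWEET32, key-permission and "No server certificate verification" warnings that appear in the later log excerpts in this thread, are the lines a practitioner should be grepping for. The script below is an added example, not code from the page's author, from Tomato or from OpenVPN: it triages such syslog lines, ranks them, and for the `reneg-bytes` fallback estimates the birthday-bound collision probability that makes a 64-bit block cipher a problem. The sample log is constructed to mirror the page's excerpts (peer addresses changed); the regexes are written against OpenVPN 2.4's warning wording.

```python
"""Triage OpenVPN syslog lines for the warnings seen in this thread.

Added example, not part of the Tomato or OpenVPN projects. SAMPLE_LOG is a
constructed sample modelled on the page's R7000 and Tunnelblick excerpts
(peer addresses changed); the regexes target OpenVPN 2.4's warning wording."""
from __future__ import annotations
import re

SAMPLE_LOG = """\
Feb 12 19:55:14 R7000 openvpn: 37.47.x.24 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 12 19:55:14 R7000 openvpn: 37.47.x.24 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Feb 15 21:10:57 R7000 openvpn: WARNING: file '/opt/OpenVPN/server1.key' is group or others accessible
Feb 15 21:25:15 R7000 openvpn: 37.47.x.51 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 15 21:25:15 R7000 openvpn: 37.47.x.51 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2017-02-16 19:51:25 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2017-02-16 19:51:27 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
"""

INCONSISTENT = re.compile(
    r"WARNING: '(?P<opt>[\w-]+)' is used inconsistently, "
    r"local='[\w-]+ (?P<local>[^']+)', remote='[\w-]+ (?P<remote>[^']+)'")
KEYPERM = re.compile(r"WARNING: file '(?P<path>[^']+)' is group or others accessible")
SWEET32 = re.compile(r"INSECURE cipher with block size less than 128 bit \((?P<bits>\d+) bit\)")
RENEG = re.compile(r"reducing reneg-bytes to (?P<mb>\d+)MB")
NOVERIFY = re.compile(r"No server certificate verification method has been enabled")
DATACIPHER = re.compile(r"Data Channel Encrypt: Cipher '(?P<cipher>[\w-]+)'")


def birthday_collision_probability(bytes_sent: int, block_bits: int) -> float:
    """Approximate chance that two ciphertext blocks repeat under one key after
    bytes_sent bytes in a block mode such as CBC: p ~ n^2 / 2^(b+1) for n blocks
    of b bits. A repeated block leaks the XOR of two plaintext blocks (SWEET32)."""
    n = bytes_sent // (block_bits // 8)
    return min(1.0, n * n / 2 ** (block_bits + 1))


def triage(log_text: str) -> list[dict]:
    """Return one finding per security-relevant line, highest severity first."""
    findings = []
    for line in log_text.splitlines():
        if m := INCONSISTENT.search(line):
            # Peers disagreeing on 'auth' means they disagree on the HMAC;
            # a link-mtu mismatch is a tuning issue, not a security one.
            findings.append({
                "severity": "high" if m["opt"] == "auth" else "low",
                "issue": f"{m['opt']} mismatch",
                "detail": f"local={m['local']} remote={m['remote']}"})
        elif m := KEYPERM.search(line):
            findings.append({"severity": "high", "issue": "key file readable by others",
                             "detail": f"chmod 600 {m['path']}"})
        elif m := SWEET32.search(line):
            findings.append({"severity": "high", "issue": "small-block cipher (SWEET32)",
                             "detail": f"{m['bits']}-bit block; switch to AES-GCM"})
        elif m := RENEG.search(line):
            mb = int(m["mb"])
            p = birthday_collision_probability(mb * 2 ** 20, 64)
            findings.append({"severity": "medium", "issue": "reneg-bytes auto-reduced",
                             "detail": f"P(block collision) per {mb}MB key lifetime ~ {p:.1e}"})
        elif NOVERIFY.search(line):
            findings.append({"severity": "high", "issue": "no server certificate verification",
                             "detail": "add 'remote-cert-tls server' to the client config"})
        elif m := DATACIPHER.search(line):
            if not m["cipher"].endswith("-GCM"):
                findings.append({"severity": "medium", "issue": "non-AEAD data cipher",
                                 "detail": f"{m['cipher']} relies on the --auth HMAC"})
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f["severity"]])


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f['severity']:<6}] {f['issue']}: {f['detail']}")
```

With the 64 MB renegotiation limit OpenVPN falls back to, the estimate comes out at roughly 2^-19 per key lifetime for a 64-bit block, which is why the fallback is a mitigation rather than a fix; the real answer is a 128-bit block (AES) and, on 2.4, an AEAD mode so the separate `auth` HMAC no longer matters for the data channel.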
Feb 13 17:47:29 Asus daemon.notice openvpn[27835]: 83.185.x.227 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
Feb 13 17:47:30 Asus daemon.notice openvpn[27835]: lg/83.185.x.227 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
Feb 13 17:47:30 Asus daemon.notice openvpn[27835]: lg/83.185.x.227 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
And what conclusions from this? While looking for the causes of the weak wifi on the r6400 I came across info that Linksys, following Asus's example, now lock their firmware; I even posted info about it here twice: Linksys ARM units have the CFE split in half, and if third-party firmware exceeds 32kb of nvram there is a fallback to Linksys's stock software, which is why people's Linksys ARM units go haywire on alternative firmware. Xvortex figured the problem out by replacing the CFE, in a similar way, as I saw, to how Staszek here tweaked his Asus.
I prepared myself, but let's take it step by step:
- for keys generated on Windows I get errors - I'm giving up on that
- keys generated on macOS work correctly - I'm stuck with macOS :)
I generated a set of keys and certificates using EasyRSA 3.0.1 in the following way:
Everything works and looks more or less OK, but conclusions at the end.
logs on the R7000:
Quote
Feb 15 21:10:57 R7000 kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 15 21:10:57 R7000 kernel: tun: (C) 1999-2004 Max Krasnyansky
Feb 15 21:10:57 R7000 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Feb 15 21:10:57 R7000 kernel: device tun21 entered promiscuous mode
Feb 15 21:10:57 R7000 openvpn: WARNING: file '/opt/OpenVPN/server1.key' is group or others accessible
Feb 15 21:10:57 R7000 openvpn: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 15 21:10:57 R7000 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Feb 15 21:10:57 R7000 openvpn: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Feb 15 21:18:50 R7000 openvpn: 37.47.36.51 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 15 21:18:50 R7000 openvpn: 37.47.36.51 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Feb 15 21:19:00 R7000 openvpn: 37.47.36.51 WARNING: 'link-mtu' is used inconsistently, local='link-mtu 1554', remote='link-mtu 1542'
Feb 15 21:19:00 R7000 openvpn: 37.47.36.51 WARNING: 'auth' is used inconsistently, local='auth SHA256', remote='auth SHA1'
Feb 15 21:19:25 R7000 kernel: tun: Universal TUN/TAP device driver, 1.6
Feb 15 21:19:25 R7000 kernel: tun: (C) 1999-2004 Max Krasnyansky
Feb 15 21:19:25 R7000 kernel: ADDRCONF(NETDEV_UP): tun21: link is not ready
Feb 15 21:19:25 R7000 kernel: device tun21 entered promiscuous mode
Feb 15 21:19:25 R7000 openvpn: WARNING: file '/opt/OpenVPN/server1.key' is group or others accessible
Feb 15 21:19:25 R7000 openvpn: do_ifconfig, tt->did_ifconfig_ipv6_setup=0
Feb 15 21:19:25 R7000 kernel: ADDRCONF(NETDEV_CHANGE): tun21: link becomes ready
Feb 15 21:19:25 R7000 openvpn: Could not determine IPv4/IPv6 protocol. Using AF_INET6
Feb 15 21:25:15 R7000 openvpn: 37.47.36.51 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 15 21:25:15 R7000 openvpn: 37.47.36.51 WARNING: INSECURE cipher with block size less than 128 bit (64 bit). This allows attacks like SWEET32. Mitigate by using a --cipher with a larger block size (e.g. AES-256-CBC).
Feb 15 21:25:15 R7000 openvpn: 37.47.36.51 WARNING: cipher with small block size in use, reducing reneg-bytes to 64MB to mitigate SWEET32 attacks.
2017-02-16 19:51:25 OpenVPN 2.4.0 x86_64-apple-darwin [SSL (OpenSSL)] [LZO] [LZ4] [PKCS11] [MH/RECVDA] [AEAD] built on Jan 28 2017
2017-02-16 19:51:25 library versions: LibreSSL 2.5.0, LZO 2.09
2017-02-16 19:51:25 MANAGEMENT: TCP Socket listening on [AF_INET]127.0.0.1:1337
2017-02-16 19:51:25 Need hold release from management interface, waiting...
2017-02-16 19:51:25 MANAGEMENT: Client connected from [AF_INET]127.0.0.1:1337
2017-02-16 19:51:25 *Tunnelblick: openvpnstart starting OpenVPN
2017-02-16 19:51:25 *Tunnelblick: Established communication with OpenVPN
2017-02-16 19:51:25 MANAGEMENT: CMD 'pid'
2017-02-16 19:51:25 MANAGEMENT: CMD 'state on'
2017-02-16 19:51:25 MANAGEMENT: CMD 'state'
2017-02-16 19:51:25 MANAGEMENT: CMD 'bytecount 1'
2017-02-16 19:51:25 MANAGEMENT: CMD 'hold release'
2017-02-16 19:51:25 WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info.
2017-02-16 19:51:25 NOTE: the current --script-security setting may allow this configuration to call user-defined scripts
2017-02-16 19:51:25 TCP/UDP: Preserving recently used remote address: [AF_INET]192.168.0.10:1194
2017-02-16 19:51:25 Socket Buffers: R=[196724->196724] S=[9216->9216]
2017-02-16 19:51:25 UDP link local: (not bound)
2017-02-16 19:51:25 UDP link remote: [AF_INET]192.168.0.10:1194
2017-02-16 19:51:25 MANAGEMENT: >STATE:1487271085,WAIT,,,,,,
2017-02-16 19:51:26 MANAGEMENT: >STATE:1487271086,AUTH,,,,,,
2017-02-16 19:51:26 TLS: Initial packet from [AF_INET]192.168.0.10:1194, sid=e6506887 b1b75842
2017-02-16 19:51:26 VERIFY OK: depth=1, CN=localhost
2017-02-16 19:51:26 VERIFY OK: depth=0, CN=server1
2017-02-16 19:51:26 Control Channel: TLSv1.2, cipher TLSv1/SSLv3 ECDHE-RSA-AES256-GCM-SHA384, 2048 bit RSA
2017-02-16 19:51:26 [server1] Peer Connection Initiated with [AF_INET]192.168.0.10:1194
2017-02-16 19:51:27 MANAGEMENT: >STATE:1487271087,GET_CONFIG,,,,,,
2017-02-16 19:51:27 SENT CONTROL [server1]: 'PUSH_REQUEST' (status=1)
2017-02-16 19:51:27 PUSH: Received control message: 'PUSH_REPLY,route 192.168.0.0 255.255.255.0,dhcp-option DNS 192.168.0.10,redirect-gateway def1,route 10.8.0.1,topology net30,ping 15,ping-restart 60,ifconfig 10.8.0.6 10.8.0.5,peer-id 0,cipher AES-256-GCM'
2017-02-16 19:51:27 OPTIONS IMPORT: timers and/or timeouts modified
2017-02-16 19:51:27 OPTIONS IMPORT: --ifconfig/up options modified
2017-02-16 19:51:27 OPTIONS IMPORT: route options modified
2017-02-16 19:51:27 OPTIONS IMPORT: --ip-win32 and/or --dhcp-option options modified
2017-02-16 19:51:27 OPTIONS IMPORT: peer-id set
2017-02-16 19:51:27 OPTIONS IMPORT: adjusting link_mtu to 1625
2017-02-16 19:51:27 OPTIONS IMPORT: data channel crypto options modified
2017-02-16 19:51:27 Data Channel Encrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-02-16 19:51:27 Data Channel Decrypt: Cipher 'AES-256-GCM' initialized with 256 bit key
2017-02-16 19:51:27 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-02-16 19:51:27 Opening utun (connect(AF_SYS_CONTROL)): Resource busy
2017-02-16 19:51:27 Opened utun device utun2
2017-02-16 19:51:27 do_ifconfig, tt->did_ifconfig_ipv6_setup=0
2017-02-16 19:51:27 MANAGEMENT: >STATE:1487271087,ASSIGN_IP,,10.8.0.6,,,,
2017-02-16 19:51:27 /sbin/ifconfig utun2 delete
ifconfig: ioctl (SIOCDIFADDR): Can't assign requested address
2017-02-16 19:51:27 NOTE: Tried to delete pre-existing tun/tap instance -- No Problem if failure
2017-02-16 19:51:27 /sbin/ifconfig utun2 10.8.0.6 10.8.0.5 mtu 1500 netmask 255.255.255.255 up
2017-02-16 19:51:27 /Applications/Tunnelblick.app/Contents/Resources/client.up.tunnelblick.sh -9 -d -f -m -w -ptADGNWradsgnw utun2 1500 1553 10.8.0.6 10.8.0.5 init
**********************************************
Start of output from client.up.tunnelblick.sh
Disabled IPv6 for 'Wi-Fi'
Retrieved from OpenVPN: name server(s) [ 192.168.0.10 ], search domain(s) [ ] and SMB server(s) [ ] and using default domain name [ openvpn ]
Not aggregating ServerAddresses because running on OS X 10.6 or higher
Setting search domains to 'openvpn' because running under OS X 10.6 or higher and the search domains were not set manually and 'Prepend domain name to search domains' was not selected
Saved the DNS and SMB configurations so they can be restored
Changed DNS ServerAddresses setting from '172.20.10.1' to '192.168.0.10'
Changed DNS SearchDomains setting from '' to 'openvpn'
Changed DNS DomainName setting from '' to 'openvpn'
Did not change SMB NetBIOSName setting of ''
Did not change SMB Workgroup setting of ''
Did not change SMB WINSAddresses setting of ''
DNS servers '192.168.0.10' will be used for DNS queries when the VPN is active
NOTE: The DNS servers do not include any free public DNS servers known to Tunnelblick. This may cause DNS queries to fail or be intercepted or falsified even if they are directed through the VPN. Specify only known public DNS servers or DNS servers located on the VPN network to avoid such problems.
Flushed the DNS cache via dscacheutil
/usr/sbin/discoveryutil not present. Not flushing the DNS cache via discoveryutil
Notified mDNSResponder that the DNS cache was flushed
Setting up to monitor system configuration with process-network-changes
End of output from client.up.tunnelblick.sh
**********************************************
2017-02-16 19:51:31 *Tunnelblick: No 'connected.sh' script to execute
2017-02-16 19:51:31 /sbin/route add -net 192.168.0.10 172.20.10.1 255.255.255.255
add net 192.168.0.10: gateway 172.20.10.1
2017-02-16 19:51:31 /sbin/route add -net 0.0.0.0 10.8.0.5 128.0.0.0
add net 0.0.0.0: gateway 10.8.0.5
2017-02-16 19:51:31 /sbin/route add -net 128.0.0.0 10.8.0.5 128.0.0.0
add net 128.0.0.0: gateway 10.8.0.5
2017-02-16 19:51:31 MANAGEMENT: >STATE:1487271091,ADD_ROUTES,,,,,,
2017-02-16 19:51:31 /sbin/route add -net 192.168.0.0 10.8.0.5 255.255.255.0
add net 192.168.0.0: gateway 10.8.0.5
2017-02-16 19:51:31 /sbin/route add -net 10.8.0.1 10.8.0.5 255.255.255.255
add net 10.8.0.1: gateway 10.8.0.5
2017-02-16 19:51:31 Initialization Sequence Completed
2017-02-16 19:51:31 MANAGEMENT: >STATE:1487271091,CONNECTED,SUCCESS,10.8.0.6,192.168.0.10,1194,,
2017-02-16 11:42:24 NET Internet:ReachableViaWiFi/-R t------
2017-02-16 11:42:24 VERIFY OK: depth=1
cert. version : 3
serial number : DC:A2:A5:B5:0F:1A:AB:34
issuer name : CN=localhost
subject name : CN=localhost
issued on : 2017-02-15 20:03:28
expires on : 2027-02-13 20:03:28
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2017-02-16 11:42:24 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : CN=localhost
subject name : CN=server1
issued on : 2017-02-15 20:03:47
expires on : 2027-02-13 20:03:47
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
conclusions:
- I generated AES-256-GCM, but Tomato doesn't support AES-256-GCM, as shown by the absence of this type in the list
- on macOS it's apparently not possible for now to generate anything stronger than SHA1 - I'll give the source when I find it, but I remember reading about it
- we have to wait for further updates
- or I don't know what I'm doing and it could have been done better
I generate keys on Windows and they work.
Generally you use "cmd.exe". Change directory to "...\OpenVPN\easy-rsa".
And there you have files such as
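The Tunnelblick log in the post above prints the verified chain in mbedTLS's text format (`signed using : RSA with SHA-256`, `basic constraints : CA=true`, `ext key usage : TLS Web Server Authentication`), and the same client run earlier logged `No server certificate verification method has been enabled`. The checker below is an added example, not code from the page's author, Tunnelblick or OpenVPN: it parses such a dump and applies the checks that `remote-cert-tls server` enforces on the leaf (serverAuth EKU plus a digitalSignature/keyEncipherment key usage) together with basic hygiene (signature hash, RSA size, validity window). The sample dump is the chain from the post, reproduced as constructed input; the "now" timestamp is passed in as a string so the check is reproducible.

```python
"""Check an mbedTLS/Tunnelblick 'VERIFY OK' certificate dump against the policy
'remote-cert-tls server' would enforce, plus hash, key size and validity checks.

Added example, not code from the page's author or from Tunnelblick/OpenVPN.
SAMPLE_DUMP reproduces the chain dump in the post above as constructed input."""
from __future__ import annotations
import re
from datetime import datetime

SAMPLE_DUMP = """\
2017-02-16 11:42:24 VERIFY OK: depth=1
cert. version : 3
serial number : DC:A2:A5:B5:0F:1A:AB:34
issuer name : CN=localhost
subject name : CN=localhost
issued on : 2017-02-15 20:03:28
expires on : 2027-02-13 20:03:28
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign
2017-02-16 11:42:24 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : CN=localhost
subject name : CN=server1
issued on : 2017-02-15 20:03:47
expires on : 2027-02-13 20:03:47
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication
"""

DEPTH = re.compile(r"VERIFY OK: depth=(?P<depth>\d+)\s*$")
WEAK_HASHES = ("MD5", "SHA-1", "SHA1")
TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_verify_dump(text: str) -> dict[int, dict[str, str]]:
    """Map chain depth -> {field: value} for every 'VERIFY OK: depth=N' block."""
    certs: dict[int, dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        if m := DEPTH.search(line):
            current = certs.setdefault(int(m["depth"]), {})
        elif current is not None and " : " in line:
            key, value = line.split(" : ", 1)   # values may themselves contain ':'
            current[key.strip()] = value.strip()
    return certs


def check_chain(certs: dict[int, dict[str, str]], now_iso: str,
                min_rsa_bits: int = 2048) -> list[str]:
    """Return policy violations; an empty list means the chain passes."""
    now = datetime.strptime(now_iso, TIME_FMT)
    problems = []
    for depth, c in sorted(certs.items()):
        tag = f"depth={depth} ({c.get('subject name', '?')})"
        algo = c.get("signed using", "")
        if any(h in algo for h in WEAK_HASHES):
            problems.append(f"{tag}: weak signature hash: {algo}")
        if m := re.match(r"(\d+) bits", c.get("RSA key size", "")):
            if int(m[1]) < min_rsa_bits:
                problems.append(f"{tag}: RSA key {m[1]} < {min_rsa_bits} bits")
        if "issued on" in c and datetime.strptime(c["issued on"], TIME_FMT) > now:
            problems.append(f"{tag}: not yet valid at {now_iso}")
        if "expires on" in c and datetime.strptime(c["expires on"], TIME_FMT) < now:
            problems.append(f"{tag}: expired at {now_iso}")
        is_ca = c.get("basic constraints", "") == "CA=true"
        if depth > 0 and (not is_ca or "Key Cert Sign" not in c.get("key usage", "")):
            problems.append(f"{tag}: issuer is not a CA with keyCertSign")
        if depth == 0:
            # What --remote-cert-tls server checks on the leaf: serverAuth EKU and a
            # signing/encipherment key usage, so a client cert cannot pose as the server.
            if is_ca:
                problems.append(f"{tag}: leaf certificate has CA=true")
            if "TLS Web Server Authentication" not in c.get("ext key usage", ""):
                problems.append(f"{tag}: missing serverAuth EKU (remote-cert-tls server would reject)")
            ku = c.get("key usage", "")
            if "Digital Signature" not in ku and "Key Encipherment" not in ku:
                problems.append(f"{tag}: key usage lacks digitalSignature/keyEncipherment")
    return problems


def check_dump(text: str, now_iso: str) -> list[str]:
    """Convenience wrapper: parse and check in one call."""
    return check_chain(parse_verify_dump(text), now_iso)


if __name__ == "__main__":
    for p in check_dump(SAMPLE_DUMP, "2017-02-16 11:42:24"):
        print("FAIL:", p)
```

Note that this parser reads the chain as the client reported it; it is a check on what was negotiated, not a substitute for putting `remote-cert-tls server` in the client config, which is what makes OpenVPN itself reject a leaf without the serverAuth EKU.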
I see that setting up a VPN isn't that simple, which is a pity, because I'd set up a little server at home myself and connect through it. qrs, once you get through setting up the VPN on the new Tomato, write a tutorial on what you did when you have time; it will be useful to me and probably to others
I'll check the AES-256-GCM cipher tonight because it may be the missing piece of the puzzle
Overall everything runs stably and without errors - OpenVPN on Tomato is implemented correctly by kille72
Merged with post from 17 February 2017 07:57:06:
here's an idea: maybe Tomato should support only secure ciphers and drop the ones on the list considered broken? Would that reduce the size of the source significantly?
qrs wrote:
here's an idea: maybe Tomato should support only secure ciphers and drop the ones on the list considered broken? Would that reduce the size of the source significantly?
That's the plan, to remove the less secure ones from the GUI, and that's why in my build I changed the default Encryption cipher from BF-CBC (Blowfish) to AES-128-CBC, which is far more secure.
It won't reduce the size, because they'll only be removed from the GUI; OpenVPN will still support all of the ones below. I don't know whether they can somehow be blocked before compilation in some config file.
# openvpn --show-ciphers
The following ciphers and cipher modes are available for use
with OpenVPN. Each cipher shown below may be use as a
parameter to the --cipher option. The default key size is
shown as well as whether or not it can be changed with the
--keysize directive. Using a CBC or GCM mode is recommended.
In static key mode only CBC mode is allowed.
AES-128-CBC (128 bit key, 128 bit block)
AES-128-CFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB1 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-CFB8 (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-GCM (128 bit key, 128 bit block, TLS client/server mode only)
AES-128-OFB (128 bit key, 128 bit block, TLS client/server mode only)
AES-192-CBC (192 bit key, 128 bit block)
AES-192-CFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB1 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-CFB8 (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-GCM (192 bit key, 128 bit block, TLS client/server mode only)
AES-192-OFB (192 bit key, 128 bit block, TLS client/server mode only)
AES-256-CBC (256 bit key, 128 bit block)
AES-256-CFB (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB1 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-CFB8 (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-GCM (256 bit key, 128 bit block, TLS client/server mode only)
AES-256-OFB (256 bit key, 128 bit block, TLS client/server mode only)
The following ciphers have a block size of less than 128 bits,
and are therefore deprecated. Do not use unless you have to.
BF-CBC (128 bit key by default, 64 bit block)
BF-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
BF-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-CBC (128 bit key by default, 64 bit block)
CAST5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
CAST5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
DES-CBC (64 bit key, 64 bit block)
DES-CFB (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB1 (64 bit key, 64 bit block, TLS client/server mode only)
DES-CFB8 (64 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-CBC (128 bit key, 64 bit block)
DES-EDE-CFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE-OFB (128 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CBC (192 bit key, 64 bit block)
DES-EDE3-CFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB1 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-CFB8 (192 bit key, 64 bit block, TLS client/server mode only)
DES-EDE3-OFB (192 bit key, 64 bit block, TLS client/server mode only)
DES-OFB (64 bit key, 64 bit block, TLS client/server mode only)
DESX-CBC (192 bit key, 64 bit block)
IDEA-CBC (128 bit key, 64 bit block)
IDEA-CFB (128 bit key, 64 bit block, TLS client/server mode only)
IDEA-OFB (128 bit key, 64 bit block, TLS client/server mode only)
RC2-40-CBC (40 bit key by default, 64 bit block)
RC2-64-CBC (64 bit key by default, 64 bit block)
RC2-CBC (128 bit key by default, 64 bit block)
RC2-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC2-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC5-CBC (128 bit key by default, 64 bit block)
RC5-CFB (128 bit key by default, 64 bit block, TLS client/server mode only)
RC5-OFB (128 bit key by default, 64 bit block, TLS client/server mode only)
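Removing the 64-bit-block ciphers from the GUI, as the post above plans, still leaves the generated config as the thing that decides what OpenVPN 2.4 actually uses: with no `cipher` line it falls back to BF-CBC and with no `auth` line to SHA1, and a client without `remote-cert-tls server` accepts any certificate the CA signed. The linter below is an added example, not code from Tomato or OpenVPN; it parses OpenVPN's `directive args` config format (comments, inline `<ca>` blocks) and reports those weak defaults, with a constructed weak server config beside hardened server and client configs. The weak config models the pre-change defaults described in the thread, not the exact file Tomato writes, and the inline certificate is a placeholder.

```python
"""Lint an OpenVPN 2.4 server or client config for the weak defaults discussed in
this thread (BF-CBC data cipher, SHA1 HMAC, no tls-auth, no peer-certificate role
check, old TLS).

Added example, not code from Tomato or OpenVPN. The three configs are constructed:
WEAK_SERVER models the pre-change defaults the thread describes, not the exact
file Tomato generates; the inline <ca> block is a placeholder, not a certificate."""
from __future__ import annotations

WEAK_SERVER = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
# cipher BF-CBC and auth SHA1 are what OpenVPN 2.4 uses when left unset
"""

HARDENED_SERVER = """\
port 1194
proto udp
dev tun
ca ca.crt
cert server1.crt
key server1.key
dh dh2048.pem
server 10.8.0.0 255.255.255.0
cipher AES-256-GCM
ncp-ciphers AES-256-GCM:AES-128-GCM
auth SHA256
tls-auth ta.key 0
tls-version-min 1.2
remote-cert-tls client
"""

HARDENED_CLIENT = """\
client
dev tun
proto udp
remote 192.168.0.10 1194
cipher AES-256-GCM
auth SHA256
tls-auth ta.key 1
tls-version-min 1.2
remote-cert-tls server
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder, not a real certificate...
-----END CERTIFICATE-----
</ca>
"""

# Families with a 64-bit block from `openvpn --show-ciphers` (DES also covers DES-EDE*/DESX).
SMALL_BLOCK_PREFIXES = ("BF-", "CAST5-", "DES", "IDEA-", "RC2-", "RC5-")


def parse_config(text: str) -> dict[str, list[list[str]]]:
    """Directive -> list of argument lists. Inline <tag>...</tag> bodies are skipped
    but the tag is recorded so 'ca' etc. still count as present."""
    directives: dict[str, list[list[str]]] = {}
    inline = None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:
            if line == f"</{inline}>":
                inline = None
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("<") and line.endswith(">"):
            inline = line[1:-1]
            directives.setdefault(inline, [])
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives


def lint(text: str, role: str) -> list[str]:
    """Return finding codes for a 'server' or 'client' config; empty means clean."""
    d = parse_config(text)

    def first(name: str) -> list[str]:
        return d.get(name, [[]])[0]

    findings = []
    cipher = first("cipher")[0].upper() if first("cipher") else "BF-CBC"   # 2.4 default
    if cipher.startswith(SMALL_BLOCK_PREFIXES):
        findings.append(f"cipher-small-block:{cipher}")
    elif not cipher.endswith("-GCM"):
        findings.append(f"cipher-not-aead:{cipher}")
    auth = first("auth")[0].upper() if first("auth") else "SHA1"            # 2.4 default
    if auth in ("MD5", "SHA1", "NONE"):
        findings.append(f"auth-weak:{auth}")
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no-tls-auth-or-tls-crypt")
    if not first("tls-version-min") or float(first("tls-version-min")[0]) < 1.2:
        findings.append("tls-version-min-below-1.2")
    expected_peer = "client" if role == "server" else "server"
    if "remote-cert-tls" not in d:
        findings.append("no-remote-cert-tls")
    elif first("remote-cert-tls")[0] != expected_peer:
        findings.append("remote-cert-tls-wrong-role")
    return findings


if __name__ == "__main__":
    for label, cfg, role in (("weak server", WEAK_SERVER, "server"),
                             ("hardened server", HARDENED_SERVER, "server"),
                             ("hardened client", HARDENED_CLIENT, "client")):
        print(f"{label}: {lint(cfg, role) or 'clean'}")
```

`cipher-not-aead` is a hint rather than a verdict on 2.4: with `ncp-ciphers` on the server and an NCP-capable client, a `cipher AES-256-CBC` line is overridden by the negotiated GCM cipher, which is exactly what the `PUSH_REPLY ... cipher AES-256-GCM` line earlier in this thread shows, so confirm the `Data Channel Encrypt: Cipher` log line rather than trusting the config alone.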
Supposedly AES-256-GCM is more secure than AES-256-CBC, but AES-256-CBC is more popular? Does anyone know about this?