Two and a half years after the release of the 2.5 branch, OpenVPN 2.6.0 has been released. OpenVPN is a package for building virtual private networks that lets you set up an encrypted connection between two client machines or run a centralized VPN server serving several clients at once. The OpenVPN code is distributed under the GPLv2 license; ready-made binary packages are provided. Main changes:
- Support for an unlimited number of connections.
- The ovpn-dco kernel module is included, which significantly speeds up VPN performance. The speed-up comes from moving all encryption operations, packet processing and control-channel handling to the Linux kernel side, which removes the overhead of context switches, allows optimizations through direct use of internal kernel APIs and avoids the slow copying of data between the kernel and user space (encryption, decryption and routing are performed by the module without handing traffic to a user-space process).
In tests against a configuration based on the TUN interface, using the module on both the client and the server with AES-256-GCM increased throughput eightfold (from 370 Mbit/s to 2950 Mbit/s). With the module on the client side only, throughput tripled for outgoing traffic and was unchanged for incoming traffic. With the module on the server side only, throughput increased fourfold for incoming traffic and by 35% for outgoing.
- TLS mode can now be used with self-signed certificates: with the “--peer-fingerprint” option, the “--ca” and “--capath” parameters can be omitted, so there is no need to run a PKI based on easy-rsa or similar.
- The UDP server now implements cookie-based connection negotiation, in which an HMAC-based cookie is used as the session identifier, allowing the server to verify the connection state.
- Added support for building with the OpenSSL 3.0 library. Added the “--tls-cert-profile insecure” parameter to select the minimum OpenSSL security level.
- Added the new management commands remote-entry-count and remote-entry-get, which count the configured remote (external connection) entries and output their list.
- During key negotiation, the preferred method for deriving key material is now the EKM (Exported Keying Material, RFC 5705) mechanism instead of OpenVPN's own PRF. EKM requires OpenSSL or mbed TLS 2.18+.
- Established compatibility with OpenSSL in FIPS mode, which allows OpenVPN to be used on systems that must meet FIPS 140-2 security requirements.
mbed TLS.
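To illustrate the cookie-based negotiation item above (an HMAC-derived session identifier instead of server-side state), here is an added example that is not OpenVPN's code and does not reproduce its real packet or cookie layout; the peer address string, the 8-byte session-id length, the 60-second cookie lifetime and the key material are all constructed for the example.

```python
import hashlib
import hmac
import os
import struct
import time

# Constructed parameters for this example (not OpenVPN's actual values).
COOKIE_TTL = 60   # seconds during which an issued session id stays valid
SID_LEN = 8       # length of the server session id in bytes


class StatelessHandshake:
    """Server side of an HMAC-cookie handshake.

    The server's session id is an HMAC over (peer address, client session id,
    time slot). Until the client echoes an id that verifies, the server keeps
    no memory for that peer, so a flood of spoofed first packets cannot
    exhaust server state.
    """

    def __init__(self, secret=None, clock=time.time):
        self.secret = secret if secret is not None else os.urandom(32)
        self.clock = clock          # injectable for deterministic testing
        self.sessions = {}          # populated only after a verified reply

    def _sid(self, peer, client_sid, slot):
        msg = peer.encode() + client_sid + struct.pack("!Q", slot)
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:SID_LEN]

    def hard_reset_client(self, peer, client_sid):
        """First packet from a client: answer with a session id, store nothing."""
        slot = int(self.clock()) // COOKIE_TTL
        return self._sid(peer, client_sid, slot)

    def client_reply(self, peer, client_sid, echoed_sid):
        """Second packet: accept only if the echoed id recomputes for the current
        or the previous time slot from this exact peer address."""
        slot = int(self.clock()) // COOKIE_TTL
        for s in (slot, slot - 1):
            if hmac.compare_digest(self._sid(peer, client_sid, s), echoed_sid):
                self.sessions[(peer, client_sid)] = echoed_sid
                return True
        return False
```

A reply from a different source address or with a stale cookie fails verification, so only clients that really received the server's answer at the claimed address consume state.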