Despite the obvious security problems, I want to set up a completely unencrypted connection between my personal OpenVPN 2.4 server (on CentOS 7.4) and my Windows OpenVPN 2.4 client. I have searched everywhere for an answer and tried many settings, but they either cause the server to fail to start or cause the client to not connect at all. I found some information about adding ncp-disable to the server config, commenting out various tls lines in the server config file, and so on. I also read some information about alg=none, but I don't know how to add it to the file.
Here is my client ovpn:
client
proto udp
remote MYSERVER.COM 1194
dev tun
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
verify-x509-name server_s5sK0KI7nHgwhrN name
auth SHA1
# auth SHA256
# auth none
auth-nocache
# cipher AES-128-CBC
cipher none
tls-client
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
setenv opt block-outside-dns
verb 3
<ca>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</ca>
<cert>
REMOVED
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</cert>
<key>
-----BEGIN PRIVATE KEY-----
REMOVED
-----END PRIVATE KEY-----
</key>
key-direction 1
<tls-auth>
#
# 2048 bit OpenVPN static key
#
-----BEGIN OpenVPN Static key V1-----
REMOVED
-----END OpenVPN Static key V1-----
</tls-auth>
Here is the server config:
port 1194
proto udp
dev tun
# auth none
# cipher none
# ncp-disable
user nobody
group nobody
persist-key
persist-tun
keepalive 10 120
topology subnet
server 10.8.0.0 255.255.255.0
ifconfig-pool-persist ipp.txt
push "dhcp-option DNS 8.8.8.8"
push "dhcp-option DNS 8.8.4.4"
push "redirect-gateway def1 bypass-dhcp"
crl-verify crl.pem
ca ca.crt
cert server_s5sK0KI7nHgwhrN.crt
key server_s5sK0KI7nHgwhrN.key
tls-auth tls-auth.key 0
dh dh.pem
# auth SHA256
auth SHA1
# cipher AES-128-CBC
cipher none
tls-server
tls-version-min 1.2
tls-cipher TLS-DHE-RSA-WITH-AES-128-GCM-SHA256
# tls-cipher none
status openvpn.log
log-append openvpn.log
verb 3
Although both files declare cipher none, it still connects using the AES-256-GCM cipher:
Tue May 08 23:31:44 2018 Data Channel: using negotiated cipher 'AES-256-GCM'
Tue May 08 23:31:44 2018 Outgoing Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
Tue May 08 23:31:44 2018 Incoming Data Channel: Cipher 'AES-256-GCM' initialized with 256 bit key
How do I configure them to achieve a completely unencrypted connection?
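Added example, not part of the original post: a small Python audit that parses the two configs quoted above and explains the log line. In OpenVPN 2.4, both peers support NCP (negotiable crypto parameters) by default, so the server picks a data-channel cipher from its ncp-ciphers list (default AES-256-GCM:AES-128-GCM) and that choice overrides `cipher` on both sides unless one side sets ncp-disable; that is why the log shows AES-256-GCM despite `cipher none`. The configs and log line below are constructed, trimmed copies of the ones in the question; the NCP model is a simplification (first server entry that the client also lists), and the defaults are assumptions taken from the 2.4 manual.

```python
"""Audit OpenVPN 2.4 client/server configs for a plaintext or weak data channel."""
import re

# OpenVPN 2.4 defaults assumed when the directive is absent (assumption, see lead-in).
DEFAULT_NCP_CIPHERS = "AES-256-GCM:AES-128-GCM"
DEFAULT_CIPHER = "BF-CBC"

# Constructed input: trimmed copies of the configs from the question.
CLIENT_CONF = """\
client
proto udp
remote MYSERVER.COM 1194
dev tun
remote-cert-tls server
auth SHA1
cipher none
tls-client
tls-version-min 1.2
<ca>
-----BEGIN CERTIFICATE-----
REMOVED
-----END CERTIFICATE-----
</ca>
key-direction 1
"""

SERVER_CONF = """\
port 1194
proto udp
dev tun
# ncp-disable
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 8.8.8.8"
tls-auth tls-auth.key 0
auth SHA1
cipher none
tls-server
tls-version-min 1.2
"""

LOG_LINE = "Tue May 08 23:31:44 2018 Data Channel: using negotiated cipher 'AES-256-GCM'"


def parse_config(text):
    """Map each active directive to a list of its argument lists.

    Comment lines and inline <ca>/<cert>/<key>/<tls-auth> blocks are skipped.
    """
    cfg = {}
    in_block = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if re.fullmatch(r"<[a-z-]+>", line):
            in_block = True
            continue
        if re.fullmatch(r"</[a-z-]+>", line):
            in_block = False
            continue
        if in_block:
            continue
        name, *args = line.split()
        cfg.setdefault(name, []).append(args)
    return cfg


def first_arg(cfg, name, default=None):
    """First argument of the first occurrence of a directive, or the default."""
    occurrences = cfg.get(name)
    if not occurrences or not occurrences[0]:
        return default
    return occurrences[0][0]


def effective_data_cipher(server_cfg, client_cfg):
    """Cipher the data channel actually uses between two 2.4 peers (simplified NCP).

    Negotiation is on unless either side sets ncp-disable. When on, the server
    takes the first entry of its ncp-ciphers list that the client also lists and
    that overrides `cipher`. When off, the server's `cipher` applies directly.
    """
    if "ncp-disable" in server_cfg or "ncp-disable" in client_cfg:
        return first_arg(server_cfg, "cipher", DEFAULT_CIPHER)
    server_list = first_arg(server_cfg, "ncp-ciphers", DEFAULT_NCP_CIPHERS).split(":")
    client_list = first_arg(client_cfg, "ncp-ciphers", DEFAULT_NCP_CIPHERS).split(":")
    for candidate in server_list:
        if candidate in client_list:
            return candidate
    return first_arg(server_cfg, "cipher", DEFAULT_CIPHER)


def negotiated_cipher_from_log(line):
    """Extract the cipher name from a 'using negotiated cipher' log line."""
    match = re.search(r"using negotiated cipher '([^']+)'", line)
    return match.group(1) if match else None


def audit(server_cfg, client_cfg):
    """Return human-readable findings about how well the data channel is protected."""
    findings = []
    effective = effective_data_cipher(server_cfg, client_cfg)
    configured = first_arg(server_cfg, "cipher", DEFAULT_CIPHER)
    if effective != configured:
        findings.append(f"NCP overrides 'cipher {configured}': data channel uses {effective}")
    if effective.lower() == "none":
        findings.append("CRITICAL: data channel is plaintext (cipher none with NCP disabled)")
    # AEAD (GCM) ciphers authenticate on their own; otherwise `auth none` means unauthenticated packets.
    if not effective.upper().endswith("-GCM"):
        for side, cfg in (("server", server_cfg), ("client", client_cfg)):
            if first_arg(cfg, "auth", "SHA1").lower() == "none":
                findings.append(f"CRITICAL: {side} sets 'auth none', data packets are unauthenticated")
    if "tls-auth" not in server_cfg and "tls-crypt" not in server_cfg:
        findings.append("control channel has no tls-auth/tls-crypt HMAC wrapper")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_config(SERVER_CONF), parse_config(CLIENT_CONF)):
        print(finding)
```

Run as written, the audit reports that NCP overrides `cipher none` and that the channel uses AES-256-GCM, matching the log line; uncommenting ncp-disable on the server makes the audit report a plaintext data channel instead, which is exactly the condition a defender reviewing these files would want flagged.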