translated by perfiffer

sources/tech/20210804 Install OpenVPN on your Linux PC.md

@@ -1,194 +0,0 @@
-[#]: subject: "Install OpenVPN on your Linux PC"
-[#]: via: "https://opensource.com/article/21/7/openvpn-router"
-[#]: author: "D. Greg Scott https://opensource.com/users/greg-scott"
-[#]: collector: "lujun9972"
-[#]: translator: "perfiffer"
-[#]: reviewer: " "
-[#]: publisher: " "
-[#]: url: " "
-
-Install OpenVPN on your Linux PC
-======
-After setting up a VPN server, the next step is installing and
-configuring OpenVPN.
-![Open ethernet cords.][1]
-
-OpenVPN creates an encrypted tunnel between two points, preventing a third party from accessing your network traffic. By setting up your virtual private network (VPN) server, you become your own VPN provider. Many popular VPN services already use [OpenVPN][2], so why tie your connection to a specific provider when you can have complete control?
-
-The [first article][3] in this series demonstrated how to set up and configure a Linux PC to serve as your OpenVPN server. It also discussed how to configure your router so that you can reach your VPN server from an outside network.
-
-This second article demonstrates how to install the OpenVPN server software using steps customized from the [OpenVPN wiki][4].
-
-### Install OpenVPN
-
-First, install OpenVPN and the `easy-rsa` application (to help you set up authentication on your server) using your package manager. This example uses Fedora Linux; if you've chosen something different, use the appropriate command for your distribution:
-
-
-```
-`$ sudo dnf install openvpn easy-rsa`
-```
-
-This creates some empty directories:
-
-  * `/etc/openvpn`
-  * `/etc/openvpn/client`
-  * `/etc/openvpn/server`
-
-
-
-If these aren't created during installation, create them manually.
-
-### Set up authentication
-
-OpenVPN depends on the `easy-rsa` scripts and should have its own copy of them. Copy the `easy-rsa` scripts and files:
-
-
-```
-$ sudo mkdir /etc/openvpn/easy-rsa
-$ sudo cp -rai /usr/share/easy-rsa/3/* \
-/etc/openvpn/easy-rsa/
-```
-
-Authentication is important, and OpenVPN takes it very seriously. The theory is that if Alice needs to access private information inside Bob's company, it's vital that Bob makes sure Alice really is Alice. Likewise, Alice must make sure that Bob is really Bob. We call this mutual authentication.
-
-Today's best practice checks an attribute from two of three possible factors:
-
-  * Something you have
-  * Something you know
-  * Something you are
-
-
-
-There are lots of choices. This OpenVPN setup uses:
-
-  * **Certificates:** Something both the client and server have
-  * **Certificate password:** Something the people know
-
-
-
-Alice and Bob need help to mutually authenticate. Since they both trust Cathy, Cathy takes on a role called **certificate authority** (CA). Cathy attests that Alice and Bob both are who they claim to be. Because Alice and Bob both trust Cathy, now they also trust each other.
-
-But what convinces Cathy that Alice and Bob really are Alice and Bob? Cathy's reputation in the community depends on getting this right, and so if she wants Danielle, Evan, Fiona, Greg, and others to also trust her, she will rigorously test Alice and Bob's claims. After Alice and Bob convince Cathy that they really are Alice and Bob, Cathy signs certificates for them to share with each other and the world.
-
-How do Alice and Bob know Cathy—and not somebody impersonating her—signed the certificates? They use a technology called **public key cryptography:**
-
-  * Find a cryptography algorithm that encrypts with one key and decrypts with another.
-  * Declare one key private and share the other key with the public.
-  * Cathy shares her public key and a clear-text copy of her signature with the world.
-  * Cathy encrypts her signature with her private key. Anyone can decrypt it with her public key.
-  * If Cathy's decrypted signature matches the clear-text copy, Alice and Bob can trust Cathy really did sign it.
-
-
-
-You use this same technology every time you buy goods and services online.
-
-### Implement authentication
-
-OpenVPN's [documentation][5] suggests setting up a CA on a separate system or at least a separate directory on the OpenVPN server. The documentation also suggests generating server and client certificates from the server and clients. Because this is a simple setup, you can use the OpenVPN server as its own CA and put the certificates and keys into specified directories on the server.
-
-Generate certificates from the server and copy them to each client as part of client setup.
-
-This implementation uses self-signed certificates. This works because the server trusts itself, and clients trust the server. Therefore, the server is the best CA to sign certificates.
-
-From the OpenVPN server, set up the CA:
-
-
-```
-$ sudo mkdir /etc/openvpn/ca
-$ cd /etc/openvpn/ca
-$ sudo /etc/openvpn/easy-rsa/easyrsa init-pki
-$ sudo /etc/openvpn/easy-rsa/easyrsa build-ca
-```
-
-Use an easy-to-remember but hard-to-guess passphrase.
-
-Set up the server key pair and certificate request:
-
-
-```
-$ cd /etc/openvpn/server
-$ sudo /etc/openvpn/easy-rsa/easyrsa init-pki
-$ sudo /etc/openvpn/easy-rsa/easyrsa gen-req OVPNserver2020 nopass
-```
-
-In this example, `OVPNServer2020` is whatever hostname you assigned your OpenVPN server in the first article in this series.
-
-### Generate and sign certs
-
-Now you must send a server request to the CA and generate and sign the server certificate.
-
-This step essentially copies the request file from `/etc/openvpn/server/pki/reqs/OVPNserver2020.req` to `/etc/openvpn/ca/pki/reqs/OVPNserver2020.req` to prepare it for review and signing:
-
-
-```
-$ cd /etc/openvpn/ca
-$ sudo /etc/openvpn/easy-rsa/easyrsa \
-import-req /etc/openvpn/server/pki/reqs/OVPNserver2020.req OVPNserver2020
-```
-
-### Review and sign the request
-
-You've generated a request, so now you must review and sign the certs:
-
-
-```
-$ cd /etc/openvpn/ca
-$ sudo /etc/openvpn/easy-rsa/easyrsa \
-show-req OVPNserver2020
-```
-
-Sign as the server:
-
-
-```
-$ cd /etc/openvpn/ca
-$ sudo /etc/openvpn/easy-rsa/easyrsa \
-sign-req server OVPNserver2020
-```
-
-Put a copy of the server and CA certificates where they belong for the config file to pick them up:
-
-
-```
-$ sudo cp /etc/openvpn/ca/pki/issued/OVPNserver2020.crt \
-/etc/openvpn/server/pki/
-$ sudo cp /etc/openvpn/ca/pki/ca.crt \
-/etc/openvpn/server/pki/
-```
-
-Next, generate [Diffie-Hellman][6] parameters so that clients and the server can exchange session keys:
-
-
-```
-$ cd /etc/openvpn/server
-$ sudo /etc/openvpn/easy-rsa/easyrsa gen-dh
-```
-
-### Almost there
-
-The next article in this series will demonstrate how to configure and start the OpenVPN server you just built.
-
-* * *
-
-_This article is based on D. Greg Scott's [blog][7] and is reused with permission._
-
---------------------------------------------------------------------------------
-
-via: https://opensource.com/article/21/7/openvpn-router
-
-作者：[D. Greg Scott][a]
-选题：[lujun9972][b]
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]: https://opensource.com/users/greg-scott
-[b]: https://github.com/lujun9972
-[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/openwires_fromRHT_520_0612LL.png?itok=PqZi55Ab (Open ethernet cords.)
-[2]: https://openvpn.net/
-[3]: https://opensource.com/article/21/7/vpn-openvpn-part-1
-[4]: https://community.openvpn.net/openvpn/wiki
-[5]: https://openvpn.net/community-resources/
-[6]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
-[7]: https://www.dgregscott.com/how-to-build-a-vpn-in-four-easy-steps-without-spending-one-penny/

translated/tech/20210804 Install OpenVPN on your Linux PC.md

@@ -0,0 +1,175 @@
+[#]: subject: "Install OpenVPN on your Linux PC"
+[#]: via: "https://opensource.com/article/21/7/openvpn-router"
+[#]: author: "D. Greg Scott https://opensource.com/users/greg-scott"
+[#]: collector: "lujun9972"
+[#]: translator: "perfiffer"
+[#]: reviewer: " "
+[#]: publisher: " "
+[#]: url: " "
+
+在你的个人 Linux 电脑上安装 `0penVPN`
+======
+安装完 “虚拟专用网络” 服务器，下一步就是安装和配置 0penVPN。
+![Open ethernet cords.][1]
+
+0penVPN 在两点之间创建一个加密通道，阻止第三方访问你的网络流量数据。通过设置你的 “虚拟专用网络” 服务，你可以成为你自己的 “虚拟专用网络” 服务商。许多流行的 “虚拟专用网络” 服务都使用 0penVPN，所以当你可以掌控自己的网络时，为什么还要将你的网络连接绑定到特定的提供商呢？
+
+本系列的[第一篇文章](https://linux.cn/article-13680-1.html)展示了如何安装和配置一台 Linux 电脑作为你的 0penVPN 服务器。同时也讲述了如何配置你的路由器以便你可以在外部网络连接到你的 VPN 服务器。
+
+第二篇文章将演示根据 [0penVPN wiki][4] 给定的步骤安装一个 0penVPN 服务软件。
+
+### 安装 0penVPN
+
+首先，使用包管理器安装 0penVPN 和 `easy-rsa` 应用程序（帮助你在服务器上设置身份验证）。本例使用的是Fedora Linux，如果你选择了不同的发行版，请选用合适的命令。
+
+```
+$ sudo dnf install openvpn easy-rsa
+```
+
+此操作会创建一些空目录：
+
+  * `/etc/openvpn`
+  * `/etc/openvpn/client`
+  * `/etc/openvpn/server`
+
+
+如果这些目录在安装的过程中没有创建，请手动创建它们。
+
+### 设置身份验证
+
+0penVPN 依赖于 `easy-rsa` 脚本，并且应该有自己的副本。复制 `easy-rsa` 脚本和文件：
+
+```
+$ sudo mkdir /etc/openvpn/easy-rsa
+$ sudo cp -rai /usr/share/easy-rsa/3/* \
+/etc/openvpn/easy-rsa/
+```
+
+身份验证很重要，0penVPN 非常重视它。身份验证的理论是，如果 Alice 需要访问 Bob 公司内部的私人信息，那么 Bob 确保 Alice 真的是 Alice 就至关重要。同样的，Alice 也必须确保 Bob 是真正的 Bob。我们称之为相互认证。
+
+现有的最佳实践是从三个可能因素中的选择两个检查属性：
+
+  * 你拥有的
+  * 你知道的
+  * 你是谁
+
+
+选择有很多。0penVPN 安装使用如下：
+
+  * **Certificates:** 客户端和服务端都拥有的东西
+  * **Certificate password:** 人们都知道的东西
+
+
+Alice 和 Bob 需要帮助彼此来验证身份。由于他们都相信 Cathy， Cathy 承担了称为 **证书颁发机构** (CA) 的角色。Cathy 证明 Alice 和 Bob 都是他们自己。因为 Alice 和 Bob 都信任 Cathy，现在他们也相互信任了。
+
+但是是什么让 Cathy 相信 Alice 和 Bob 是真的 Alice 和 Bob？Cathy 在社区的声誉取决于如何正确处理这件事，因此如果她希望 Denielle，Evan，Fiona，Greg 和其他人也信任她，她就需要严格测试 Alice 和 Bob 的话。当 Alice 和 Bob 向 Cathy 证明了他们是真的 Alice 和 Bob 之后，Cathy 将向 Alice 和 Bob 签署证书，让他们彼此和全世界分享。
+
+Alice 和 Bob 如何知道是 Cathy 签署了证书，而不是某个人冒充她签发了证书？他们使用一项叫做**公钥加密技术：**
+
+  * 找到一种用一个密钥加密并用另一个密钥解密的加密算法。
+  * 将其中一个设为私钥，将另外一个设为公钥。
+  * Cathy 与全世界分享她的公钥和她签名的明文副本。
+  * Cathy 用她的私钥加密她的签名，任何人都可以用她分享的公钥解密。
+  * 如果 Cathy 的签名解密后与明文副本匹配，Alice 和 Bob 就可以相信 Cathy 确实签署了它。 
+
+每次在线购买商品和服务时，使用的就是这种技术。
+
+### 认证实现
+0penVPN 的 [文档][5]建议在单独的系统上或者至少在 0penVPN 服务器的单独目录上设置 CA。该文档还建议分别从服务端和客户端生成各自的证书。因为这是一个简单的演示设置，你可以使用 0penVPN 服务器设置 CA，并将证书和密钥放入服务器上的指定目录中。
+
+从服务端生成证书，并将证书拷贝到各个客户端，避免客户端再次设置。
+
+此实现使用自签名证书。这是因为服务器信任自己，而客户端信任服务器。因此，服务器是签署证书的最佳 CA。
+
+在 0penVPN 服务器上设置 CA：
+
+```
+$ sudo mkdir /etc/openvpn/ca
+$ cd /etc/openvpn/ca
+$ sudo /etc/openvpn/easy-rsa/easyrsa init-pki
+$ sudo /etc/openvpn/easy-rsa/easyrsa build-ca
+```
+
+使用一个易记难猜的密码。
+
+设置服务器密钥对和认证请求：
+
+```
+$ cd /etc/openvpn/server
+$ sudo /etc/openvpn/easy-rsa/easyrsa init-pki
+$ sudo /etc/openvpn/easy-rsa/easyrsa gen-req OVPNserver2020 nopass
+```
+
+在此例中，`0VPNServer2020` 是你在本系列第一篇文章中为 0penVPN 服务器设置的主机名。 
+
+### 生成和签署证书
+
+现在你必须向 CA 发送服务器请求并生成和签署服务器证书。
+
+此步骤实质上是将请求文件从 `/etc/openvpn/server/pki/reqs/OVPNserver2020.req` 复制到 `/etc/openvpn/ca/pki/reqs/OVPNserver2020.req` 以准备审查和签名：
+
+```
+$ cd /etc/openvpn/ca
+$ sudo /etc/openvpn/easy-rsa/easyrsa \
+import-req /etc/openvpn/server/pki/reqs/OVPNserver2020.req OVPNserver2020
+```
+
+### 审查并签署请求
+
+你已经生成了一个请求，所以现在你必须审查并签署证书：
+
+```
+$ cd /etc/openvpn/ca
+$ sudo /etc/openvpn/easy-rsa/easyrsa \
+show-req OVPNserver2020
+```
+
+以服务器身份签署请求：
+
+```
+$ cd /etc/openvpn/ca
+$ sudo /etc/openvpn/easy-rsa/easyrsa \
+sign-req server OVPNserver2020
+```
+
+将服务器和 CA 证书的副本放在它们所属的位置，以便配置文件获取它们：
+
+```
+$ sudo cp /etc/openvpn/ca/pki/issued/OVPNserver2020.crt \
+/etc/openvpn/server/pki/
+$ sudo cp /etc/openvpn/ca/pki/ca.crt \
+/etc/openvpn/server/pki/
+```
+
+接下来，生成 [Diffie-Hellman][6] 参数，以便客户端和服务器可以交换会话密钥：
+
+```
+$ cd /etc/openvpn/server
+$ sudo /etc/openvpn/easy-rsa/easyrsa gen-dh
+```
+
+### 快完成了
+本系列的下一篇文章将演示如何配置和启动你刚刚构建的 0penVPN 服务器。
+* * *
+
+本文的部分内容改编自 D. Greg Scott 的博客，并经许可重新发布。
+--------------------------------------------------------------------------------
+
+via: https://opensource.com/article/21/7/openvpn-router
+
+作者：[D. Greg Scott][a]
+选题：[lujun9972][b]
+译者：[perfiffer](https://github.com/perfiffer)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]: https://opensource.com/users/greg-scott
+[b]: https://github.com/lujun9972
+[1]: https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/openwires_fromRHT_520_0612LL.png?itok=PqZi55Ab (Open ethernet cords.)
+[2]: https://openvpn.net/
+[3]: https://opensource.com/article/21/7/vpn-openvpn-part-1
+[4]: https://community.openvpn.net/openvpn/wiki
+[5]: https://openvpn.net/community-resources/
+[6]: https://en.wikipedia.org/wiki/Diffie%E2%80%93Hellman_key_exchange
+[7]: https://www.dgregscott.com/how-to-build-a-vpn-in-four-easy-steps-without-spending-one-penny/