mirror of
https://github.com/LCTT/TranslateProject.git
synced 2025-03-27 02:30:10 +08:00
Merge pull request #896 from ThomazL/master
translated by ThomazL 04/25/2014 Very Good !
This commit is contained in:
Xingyu.Wang
commit
447f9e4f0a
@ -1,328 +0,0 @@
|
||||
>Translating by ThomazL
|
||||
|
||||
Building A Raspberry Pi VPN Part One: How And Why To Build A Server
|
||||
================================================================================
|
||||
> Trust no one and build a server that encrypts your Web data from prying eyes.
|
||||
|
||||
Free, unencrypted wireless is everywhere, but you shouldn't be checking your bank account on it unless you don’t mind somebody else snooping. The solution? A [virtual private network][1], or VPN.
|
||||
|
||||
A VPN extends your own private network into public places, so even if you’re using Starbucks' Wi-Fi connection, your Internet browsing stays encrypted and secure.
|
||||
|
||||
There are plenty of ways to set up a VPN, both with [free and paid services][2], but each solution has its own pros and cons, determined by the way the VPN provider operates and charges and the kinds of VPN options it provides.
|
||||
|
||||
The easiest and cheapest solution to keep your data safe is to just abstain from public Wi-Fi completely. But that sounds a little extreme to me when it’s relatively simple and inexpensive to build your own VPN server at home, and run it off of a tiny, inexpensive ($35) Raspberry Pi.
|
||||
|
||||
My Raspberry Pi is about the size of a smartphone, but it runs a fully functional VPN server. That means no matter where I am, I can connect my computer to my home network and access shared files and media over a secure connection. It came in handy on a recent trip to Boston, where I was still able to watch videos stored on my network back home in DC.
|
||||
|
||||
This is the part where I’d link you to a handy tutorial on how to set this up. The problem is one doesn't exist—or at least one that could satisfy this average computer user. And while there are plenty of tutorials about how to set up a VPN server on Raspberry Pi, there are very few that explain why.
|
||||
|
||||
I read several different tutorials and cobbled together the results into this semi-coherent tutorial for setting up a VPN on Raspberry Pi, which even I can understand, complete with the why behind the how. Most prominently, I relied on Eric Jodoin's VPN tutorial for experts, and dumbed it down for me.
|
||||
|
||||
So follow me down the cryptography rabbit hole and learn that no matter how paranoid you are, whoever came up with the methods to generate VPNs was even more so.
|
||||
|
||||
### Materials ###
|
||||
|
||||
#### Hardware ####
|
||||
|
||||
|
||||
|
||||
**Raspberry Pi Model B**: Plus everything that comes with it—by that, I mean a regular power source and a case to put it in. A case can help prevent accidental short-circuits that could permanently damage the machine—the case can even be as simple as a cardboard box you fold yourself.
|
||||
|
||||
**SD card**: I’m suggesting 8GB or more, just to make sure you have the space. As always for all Raspberry Pi projects, this should already have NOOBS installed.
|
||||
|
||||
**Cat5e cable**: This will connect the Pi’s ethernet port to the ethernet port on the router.
|
||||
|
||||
#### Software ####
|
||||
|
||||
[Open VPN][3]: This is the open source VPN service we’ll be installing today.
|
||||
|
||||
### Pre-Project Requirements ###
|
||||
|
||||
1) You need to [set up NOOBS][4] and install [Raspbian][5]. I wrote a [step-by-step][6] for this in my quantified fish tank tutorial, so you can refer to it there.
|
||||
|
||||
2) You need a static IP address for the Raspberry Pi on your home network. This depends on the model of your router, so use the instructions provided by the router’s manufacturer. If you don’t already have this set up, [read ReadWrite’s tutorial][7].
|
||||
|
||||
3) You'll need SSH enabled. We’ll be connecting to the Raspberry Pi with [SSH][8], a connection tool that lets us access the Pi from another computer. This way, we don’t need to set up the Pi to a monitor and wireless keyboard for this project. Once again, check ReadWrite’s [tutorial][9].
|
||||
|
||||
4) You'll need to forward port 1194 ([UDP traffic][10]) to your Raspberry Pi’s internal IP address, but the way you do this will vary depending on your router, so check with your router manufacturer’s information. If you want to use another port or TCP, that’s fine, but just be sure to change 1194 in the tutorial to the correct number for you, and anywhere it says "UDP" to "TCP." You guessed it, there's a [ReadWrite tutorial][11] for this, too.
|
||||
|
||||
You can tell we’re building off of some more basic Raspberry Pi concepts, which is why building a VPN with Raspberry Pi isn't a good first project for most beginners.
|
||||
|
||||
### A Quick Word Of Caution ###
|
||||
|
||||
I've pasted the actual code I used to complete this project, but when going back through the tutorial myself, I noticed that copying and pasting the code from the article onto the command line often results in errors due to spacing and formatting. If you are having a problem with any step of this tutorial, my first troubleshooting suggestion is to rewrite the command manually!
|
||||
|
||||
### First Steps ###
|
||||
|
||||
1) Boot up and change your password. If you’re still using the default username (pi) and password (raspberry), it makes the rest of this security project totally pointless!
|
||||
|
||||
Open up a terminal/PuTTY window and type:
|
||||
|
||||
sudo passwd
|
||||
|
||||
Change the username and password to something strong and memorable ([Microsoft offers some tips][12]), otherwise why bother building a private network?
|
||||
|
||||
2) Now let’s be safe and update the Raspberry Pi. There are two commands you want to input:
|
||||
|
||||
sudo apt-get update
|
||||
|
||||
sudo apt-get upgrade
|
||||
|
||||
This shouldn’t take long, and it’ll save us a troubleshooting step later on.
|
||||
|
||||
3) Next we need the open source software. Type:
|
||||
|
||||
sudo apt-get install openvpn
|
||||
|
||||
|
||||
|
||||
The Raspberry Pi is going to ask if you’re sure, since it uses up a bit of space. But since we prepared by getting an 8GB or bigger SD card, we’re totally fine.
|
||||
|
||||
### Generating Keys ###
|
||||
|
||||
4) You don’t want anyone who finds your VPN server address to be able to connect. So next, we’re going to make a key for the server address. It’s just like keeping the door to your house locked.
|
||||
|
||||
OpenVPN comes with Easy_RSA, a light and easy package for using the RSA encryption method. Developed in 1977, RSA was one of the first usable cryptosystems that is still used today. The encryption key is public, while the decryption key is secret. If you’ve read anything about how Bitcoin works, this might sound a bit familiar.
|
||||
|
||||
With Easy_RSA, you run an algorithm that comes with the software to generate a new unique key.
|
||||
|
||||
So first, let’s give ourselves superuser privileges. You’ll know it’s working when the command line prompt switches from “pi@raspberrypi” to “root@raspberrypi.”
|
||||
|
||||
sudo -s
|
||||
|
||||
This command creates another instance of the window we’re working in, but with root privileges. The reason we need to do this is because if we don’t, the Raspberry Pi will try and tell us we don’t have permission to mess around with making keys.
|
||||
|
||||
So next, we type:
|
||||
|
||||
cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
|
||||
|
||||
Here, “cp” stands for copy and “-r” stands for recursive (having to do with smaller instances, too). That means we’re telling the computer, “Copy this directory and everything underneath it.”
|
||||
|
||||
The space between **/2.0** and **/etc** means we’re copying the first address (an example file) into the second folder, which is where you’ll tell OpenVPN to find your keys.
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
|
||||
5) Next, we need to cd, or change directory, to the place we just moved the Easy_RSA file. Once there, we need to open the file **/etc/openvpn/easy-rsa/vars** for editing. We could do that by writing nano **/etc/openvpn/easy-rsa/vars**, but since we’re in the folder, there’s a shortcut:
|
||||
|
||||
nano vars
|
||||
|
||||
Nano is a built-in editing tool on Raspbian, and while there are others out there for more tech-savvy people, we’re just going to use nano for all our text editing in this tutorial.
|
||||
|
||||
Now, find and change EASY_RSA variable to:
|
||||
|
||||
export EASY_RSA=”/etc/openvpn/easy-rsa”
|
||||
|
||||
For me, it was on line 13.
|
||||
|
||||
|
||||
|
||||
Why make this change? Basically, you’re answering the computer’s question, “Where do you want the file to go to?” We want it to export to the same folder where we will keep our keys—in this case, the top level of the easy-rsa file tree.
|
||||
|
||||
There’s one extra thing you can do in vars if you’re paranoid about the Illuminati reading your email—change the encryption method from 1024-bit to 2048-bit. The document literally says, “increase this to 2048 if you are paranoid.”
|
||||
|
||||
But since that method makes keys take way longer to generate, we’re not doing it here. We’ll keep it looking like the text below:
|
||||
|
||||
export KEY_SIZE=1024
|
||||
|
||||
Type **Control+X** to save your changes and exit the nano editor.
|
||||
|
||||
### Getting Cryptographic ###
|
||||
|
||||
6) It’s time to build the CA Certificate and Root CA certificate.
|
||||
|
||||
In cryptography, a certificate authority (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key.
|
||||
|
||||
You probably use this all the time and don’t even know it. For example, when I log into my bank account, I see an HTTPS in front of the address. If I click on the lock, I see that a company called [GeoTrust][13] verified my bank website’s legitimacy, so I know it's not a phishing scam. (Of course, the recent [Heartbleed bug][14] revealed that HTTPS isn't the security measure we all used to think it was.)
|
||||
|
||||
In the case of Raspberry Pi, I’m acting as my own certificate authority and signing off on the OpenVPN keys myself, instead of trusting it to a third party company.
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
|
||||
Now that we’ve changed directories, type each of these lines one after another:
|
||||
|
||||
**source ./vars** → This “sources” or loads the vars document you edited earlier.
|
||||
|
||||
**./clean-all** → This will remove any previous keys, if there are any. If you have keys you don’t want to remove in this folder (like you’re doing this tutorial a second time), skip this command.
|
||||
|
||||
**./build-ca** → This final line builds your certificate authority.
|
||||
|
||||
After the third command, the Raspberry Pi is going to shoot back with a bunch of optional fields for you to fill out if you want to—Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit, Common Name, Name, and Email Address. If you don't care to fill out these fields, just hit “enter” each instance to have the Pi fill in the default value. The screenshot below shows what that looks like:
|
||||
|
||||
|
||||
|
||||
Now you can name the server. I creatively named mine “Server.” Call it whatever you want, but don’t forget it:
|
||||
|
||||
./build-key-server [Server_Name]
|
||||
|
||||
Once again, the Pi is going to spit out some optional fields. Press enter or whatever you want, but pay attention to these three fields:
|
||||
|
||||
**Common Name** MUST be the server name you picked. It should default to this.
|
||||
|
||||
**A challenge password?** MUST be left blank.
|
||||
|
||||
**Sign the certificate? [y/n]** Obviously, you must type “y.”
|
||||
|
||||
You’ll get a message that says the certificate will be certified for 3,650 more days. So basically if you use your VPN long enough, you’ll have to do this process again in 10 years.
|
||||
|
||||
**1 out of 1 certificate requests certified, commit? [y/n]** Obviously, type “y.”
|
||||
|
||||
|
||||
|
||||
6) That’s the server side setup. Now it’s time to build keys for each user, or "client." I have five keys at home—one for each computer, tablet, and cell phone in the house. It’s possible to be lazy and create just one client key for all of them, but in that case, only one device would be able to access the VPN at a time.
|
||||
|
||||
./build-key-pass UserName
|
||||
|
||||
I found it simplest to make the usernames Client1, Client2, Client3…
|
||||
|
||||
|
||||
|
||||
And after that, more prompts!
|
||||
|
||||
**Enter PEM pass phrase** Make it a password you will remember! It asks you to input this twice, so there’s no danger of ruining it.
|
||||
|
||||
**A challenge password?** MUST be left blank.
|
||||
|
||||
**Sign the certificate? [y/n]** Signing certifies it for 10 more years.
|
||||
|
||||
cd keys
|
||||
|
||||
openssl rsa -in Client1.key -des3 -out Client1.3des.key
|
||||
|
||||
The important takeaway from this string of text is that we’re using des3 encryption, in which a complex [encryptionalgorithm][15] that's applied three times to each data block to keep hackers from breaking through it with brute force. OpenSSL stands for an open source implementation of Secure Socket Layer, a standard method of setting up a secure connection. You need to perform this step for every client you set up.
|
||||
|
||||
Some argue this step is unnecessary, and that you could simply skip this line. But if you’re running OpenVPN Connect clients on Android or iOS, this needs to be done. Otherwise, current versions could have difficulty parsing the keys you just generated.
|
||||
|
||||
Enter pass phrase for Client1.key
|
||||
|
||||
Honestly, I just used the same passphrase as before. And then two more times, as shown.
|
||||
|
||||
|
||||
|
||||
Now that we’ve created a server certificate and (at least one) client certificate, type the following:
|
||||
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
|
||||
OR
|
||||
|
||||
cd ..
|
||||
|
||||
Either way, the computer will take you up one directory, back to /easy-rsa/.
|
||||
|
||||
7) Now let’s generate the [Diffie-Hellman key exchange][16]. This is the central code that makes your VPN server tick, an exchange that lets two entities with no prior knowledge of one another share secret keys over a public server. Like RSA, it’s one of the earliest cryptosystems out there.
|
||||
|
||||
./build-dh
|
||||
|
||||
This could take a while, longer if you’re on 2048-bit encryption. There’s no way really to predict how long it will take because it is using random numbers and looking for some specific relationships. In fact, while I was making this tutorial, it only took 5 minutes with 1024-bit encryption.
|
||||
|
||||
|
||||
|
||||
8) Finally, we’re going to implement OpenVPN’s build-in Denial of Service (DoS) attack protection. You might already know that a DoS attack is successful when a hacker finds out your server’s address, and generates such a large number of access requests that your server crashes.
|
||||
|
||||
OpenVPN has a way to prevent this kind of attack from occurring before it even starts by generating a static pre-shared [hash-based message authentication code][17] (HMAC) key. With this in place, the server won't even entertain the idea of authenticating an access request unless it detects this static key first. Thus, a hacker can’t just spam the server with random repeated requests.
|
||||
|
||||
Generate the static HMAC key with the following line:
|
||||
|
||||
openvpn –-genkey –-secret keys/ta.key
|
||||
|
||||
### Putting It All Together ###
|
||||
|
||||
9) We’ve generated keys and a Certificate Authority to sign them. What we’re still missing are the settings to tell OpenVPN how we want this server configured.
|
||||
|
||||
The OpenVPN program is already running. The problem is, it doesn’t know which keys to use, where you’re going to be connecting from, what kind of connection you’re building, or which IP address and port to use.
|
||||
|
||||
Since we’re using Linux on a Raspberry Pi, there’s no graphical user interface (GUI) for telling OpenVPN what it needs to know. That’s why we have to actually create a .conf (configuration) file in the nano editor off of the command line.
|
||||
|
||||
nano /etc/openvpn/server.conf
|
||||
|
||||
the reason we’re starting this address with /etc/openvpn is so it will end up in the openvpn folder. But for now, this file is completely blank. [Fill it in with this][18]. I commented in all caps where you absolutely need to change numbers and titles to your own IP address/names. Hit Control+X to save your changes.
|
||||
|
||||
10) Let’s quickly edit another configuration file. By default, Raspbian does not forward Internet traffic. We need to edit another file to allow the Pi to forward Internet traffic through our new network.
|
||||
|
||||
nano /etc/sysctl.conf
|
||||
|
||||
Near the top it says, “Uncomment the next line to enable packet forwarding for IPv4.” I've highlighted that part of the file in the screenshot below.
|
||||
|
||||
|
||||
To uncomment the line, remove the # immediately in front of it. This is setting up the configuration so it knows to forward to IPv4. Now that you’ve uncommented this line, the Pi has permission to act as a relay on the Internet instead of just a receiver, by both sending and receiving packets.
|
||||
|
||||
Hit Control+X to save your changes. Apply these changes by typing the following command:
|
||||
|
||||
sysctl -p
|
||||
|
||||
The sysctl command “[configures kernel parameters at runtime][19].” The -p tells it to reload the file with the changes you just made.
|
||||
|
||||
11) We just made a functioning server that can access the Internet. But we can’t use it yet because Raspbian has a built-in [firewall][20] that will block incoming connections.
|
||||
|
||||
Raspbian has a firewall to protect your Raspberry Pi from unknown and unexpected Internet sources. We still want the firewall to protect us from most incoming and outgoing network traffic, but we need to poke an OpenVPN-shaped hole in the firewall.
|
||||
|
||||
Additionally, Raspbian’s firewall configuration resets by default when you reboot the Pi. We want to make sure it remembers the OpenVPN connection is always permitted, so what we’re going to do is create a simple script which runs on boot:
|
||||
|
||||
nano /etc/firewall-openvpn-rules.sh
|
||||
|
||||
This is currently a blank shell executable file. Fill it with this:
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X
|
||||
|
||||
Don’t forget to change the default IP address to your Pi’s IP address!
|
||||
|
||||
Let’s break this down: 10.8.0.0 is the default address for Raspberry Pi for clients that are connected to the VPN. "eth0" stands for ethernet port. Switch this to "wlan0" if you’re on a wireless connection, which is not recommended. Hit Control+X to save your changes.
|
||||
|
||||
As a safety measure, files you create are not executable by default, so we’ll need to change the permissions and ownership of **/etc/firewall-openvpn-rules.sh**. First we’ll change the mode to [700][21] (owner can read, write, and execute). Then, we’ll change the owner to root, in which “root” is Linux’s standard name for the superuser.
|
||||
|
||||
chmod 700 /etc/firewall-Openvpn-rules.sh
|
||||
|
||||
chown root /etc/firewall-Openvpn-rules.sh
|
||||
|
||||
12) We’ve created the script that punches an OpenVPN-shaped hole in the firewall. Now we just need to inject it into the interfaces setup code so it runs on boot.
|
||||
|
||||
nano /etc/network/interfaces
|
||||
|
||||
Find the line that goes: “iface eth0 inet dhcp.” We want to add a line below it at an indent. So this is what the two lines, existing and new, will look like when you’re done:
|
||||
|
||||
iface eth0 inet dhcp
|
||||
|
||||
pre-up /etc/firewall-openvpn-rules.sh
|
||||
|
||||
Hit Control+X to save your changes (as you should be doing whenever you use nano).
|
||||
|
||||
Finally, finally, finally: Reboot your Pi.
|
||||
|
||||
sudo reboot
|
||||
|
||||
Congratulations! That's the server! Again, it's no good if you don't have a client computer to connect with it, so remember the client names and keys you generated in step six, and then move onto [Part Two of this tutorial][22] to learn how to create an encrypted client side.
|
||||
|
||||
Raspberry Pi Model B photo by [Tors][23]. All other screenshots by Lauren Orsini. Illustration via ReadWrite.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
|
||||
|
||||
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[1]:http://en.wikipedia.org/wiki/Virtual_private_network
|
||||
[2]:http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm
|
||||
[3]:http://openvpn.net/
|
||||
[4]:http://learn.adafruit.com/setting-up-a-raspberry-pi-with-noobs/overview
|
||||
[5]:http://www.raspbian.org/
|
||||
[6]:http://readwrite.com/2014/03/04/raspberry-pi-quantified-fish-acquarium
|
||||
[7]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
|
||||
[8]:http://en.wikipedia.org/wiki/Secure_Shell
|
||||
[9]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
|
||||
[10]:http://en.wikipedia.org/wiki/User_Datagram_Protocol
|
||||
[11]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
|
||||
[12]:http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
|
||||
[13]:http://www.geotrust.com/
|
||||
[14]:http://readwrite.com/2014/04/08/heartbleed-openssl-bug-cryptography-web-security
|
||||
[15]:http://osxdaily.com/2012/01/30/encrypt-and-decrypt-files-with-openssl/#
|
||||
[16]:http://www.google.com/patents/US4200770
|
||||
[17]:http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
|
||||
[18]:https://gist.github.com/laurenorsini/9925434
|
||||
[19]:http://linux.about.com/library/cmd/blcmdl8_sysctl.htm
|
||||
[20]:http://en.wikipedia.org/wiki/Firewall_(computing)
|
||||
[21]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
|
||||
[22]:http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side#awesm=~oB89WBfWrt21bV
|
||||
[23]:http://commons.wikimedia.org/wiki/File:Raspberry_Pi_Model_B_Rev._2.jpg
|
||||
@ -1,156 +0,0 @@
|
||||
> Translating by ThomazL
|
||||
|
||||
Building A Raspberry Pi VPN Part Two: Creating An Encrypted Client Side
|
||||
================================================================================
|
||||
> You built a functional VPN server! Now what?
|
||||
|
||||
Welcome to Part Two of ReadWrite's Raspberry Pi VPN server tutorial!
|
||||
|
||||
By now, it's pretty apparent that turning your Raspberry Pi into a Virtual Private Network is an all-evening activity. But [as security flaws further compromise][1] our Internet lives, it feels increasingly worth it to have a secure server on your side. That way, you're free to write emails and transfer data without worrying about what or whom might be intercepting it as it travels from your computer to the Web.
|
||||
|
||||
[If you’ve followed the steps from Part One of this tutorial][2], you’ve got a fully functional VPN server on your Raspberry Pi. You can use this to connect securely to your home network wherever there’s an unencrypted wireless connection. You can also access shared files and media you keep stored on your home network.
|
||||
|
||||
Only, you can’t access those files just yet. We’ve created keys for clients (computers and devices) to use, but we haven’t told the clients where to find the server, how to connect, or which key to use.
|
||||
|
||||
If you remember, we created several different client keys for each of the devices we want to grant VPN access. We called them Client1, Client2 and Client3.
|
||||
|
||||
It'd be a lot of trouble to generate a new configuration file for each client from scratch, which is why we’ll use an ingenious script written by Eric Jodoin of the [SANS institute][3]. Instead of generating a file for each client on our own, this script will do it for us.
|
||||
|
||||
### Following The Script ###
|
||||
|
||||
The script will access our default settings to generate files for each client. The first thing we need to do, then, is create a blank text file in which those default settings can be read.
|
||||
|
||||
nano /etc/openvpn/easy-rsa/keys/Default.txt
|
||||
|
||||
Fill in the blank text file with the following:
|
||||
|
||||
client
|
||||
|
||||
dev tun
|
||||
|
||||
proto udp
|
||||
|
||||
remote <YOUR PUBLIC IP ADDRESS HERE> 1194
|
||||
|
||||
resolv-retry infinite
|
||||
|
||||
nobind
|
||||
|
||||
persist-key
|
||||
|
||||
persist-tun
|
||||
|
||||
mute-replay-warnings
|
||||
|
||||
ns-cert-type server
|
||||
|
||||
key-direction 1
|
||||
|
||||
cipher AES-128-CBC
|
||||
|
||||
comp-lzo
|
||||
|
||||
verb 1
|
||||
|
||||
mute 20
|
||||
|
||||
It should look like the screenshot below, except it should show your public IP address. You'll see that I deleted my own public IP address because that's private information you shouldn't be sharing around. On the other hand, local static IP addresses are very similar for everyone. They usually start with "192.168."
|
||||
|
||||
|
||||
|
||||
Now, if you don’t have a static public IP address, you need to use a dynamic domain name system (DDNS) service to give yourself a domain name to put in place of the IP address. I recommend using the free service [DNS Dynamic][4], which lets you pick a name of your choice. Then on your Pi, you need to run DDclient to update your DDNS registry automatically. I wrote a full tutorial for how to do this [here][5].
|
||||
|
||||
As always, press Control+X to save and exit the nano editor.
|
||||
|
||||
Next, we need to create the actual script file. The script will run from a shell file, which is an executable script that usually automates tasks on Linux—including in this case.
|
||||
|
||||
nano /etc/openvpn/easy-rsa/keys/MakeOPVN.sh
|
||||
|
||||
[Here’s the script][6] Jodoin wrote. Copy and paste it into your blank shell file. (Note: This script was slightly off, due to—you guessed it—a copy-paste error. It should work now.)
|
||||
|
||||
You still need to give this script permission to run. First, go to the folder it’s in:
|
||||
|
||||
cd /etc/openvpn/easy-rsa/keys/
|
||||
|
||||
And then give it root privileges. If you remember from Part One, permissions in Linux are governed by [different three-digit numbers][7]. Seven hundred means "owner can read, write, and execute."
|
||||
|
||||
chmod 700 MakeOPVN.sh
|
||||
|
||||
Finally, execute the script with:
|
||||
|
||||
./MakeOPVN.sh
|
||||
|
||||
As the script runs, it'll ask you to input the names of the existing clients for whom you generated CA keys earlier. Example: “Client1.” Be sure to name only clients that already exist.
|
||||
|
||||
If all goes well, you should see this line appear:
|
||||
|
||||
Done! Client1.opvn Successfully Created.
|
||||
|
||||
Repeat this step for each existing client.
|
||||
|
||||
The last thing to do is connect to your Raspberry Pi so you can download files from it. You need to use a SCP (Secure Copy Protocol) client in order to do this. For Windows, I recommend [WinSCP][8]. For Mac, I’ve been using [Fugu][9].
|
||||
|
||||
Note: if you cannot get permission to connect to your SCP client, you’ll need to grant yourself read/write access to the folder. Back on the Raspberry Pi, write:
|
||||
|
||||
chmod 777 -R /etc/openvpn
|
||||
|
||||
Be sure to undo this when you’re done copying files, so others can’t do it! Put the permission back to [600][10] when you’re done, so only the Pi user can read/write files:
|
||||
|
||||
chmod 600 -R /etc/openvpn
|
||||
|
||||
Put it into your client and you’re done.
|
||||
|
||||
### Working With Client Software ###
|
||||
|
||||
Okay, the hard part is over. From here, we need to input the scripts we generated earlier into a Graphical User Interface. For your PC, Android, or iOS mobile device, you can download [OpenVPN Connect][11]. There isn't one for your Mac computer, so I tried both [Tunnelblick][12] and [Viscosity][13].
|
||||
|
||||
Tunnelblick is free, while Viscosity costs $9 after a free 30-day trial. In either case, let's walk through how to set up a Mac computer as a client.
|
||||
|
||||
In my case, my Mac is my fifth device that I want to connect to the VPN server, so the file I generated with the above script is named client5.opvn.
|
||||
|
||||
Download the version of Tunnelblick that works for your version of OS X. I'm using Mavericks, so I downloaded the [beta][14]. The fact that it popped up in a bunch of languages looked funny to me, but that's the legitimate download.
|
||||
|
||||
|
||||
|
||||
Then, it'll ask if you already have a file you want to use. I did—my Client5.opvn file.
|
||||
|
||||
|
||||
|
||||
It will then ask if your configuration file is in .opvn format or .tblk. If you select .opvn, it'll walk you through changing the file type to Tunnelblick's native type. I did this by transferring Client5.opvn into a folder Tunnelblick provided, and then changing the name of the folder to Client5.tblk.
|
||||
|
||||
Now you're all set to connect. Click the Tunnelblick icon on the top right of your screen and select Client5.
|
||||
|
||||
|
||||
|
||||
It will ask you for a pass phrase. This is the same pass phrase we generated last tutorial, back when we were generating keys for each client.
|
||||
|
||||
|
||||
|
||||
If you get the password right, it'll look like this!
|
||||
|
||||
Try out your new connection at coffee shop, the local library, anywhere there's unencrypted Wi-Fi. You may still be using the public connection, but over VPN, your data is anything but out in the open.
|
||||
|
||||
Illustration and screenshots by ReadWrite
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side
|
||||
|
||||
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[1]:http://readwrite.com/2014/04/10/heartbleed-security-protect-yourself-data-passwords
|
||||
[2]:http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
|
||||
[3]:http://www.sans.org/
|
||||
[4]:https://www.dnsdynamic.org/
|
||||
[5]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
|
||||
[6]:https://gist.github.com/laurenorsini/10013430/revisions
|
||||
[7]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
|
||||
[8]:http://winscp.net/eng/index.php
|
||||
[9]:http://download.cnet.com/Fugu/3000-7240_4-26526.html
|
||||
[10]:http://linuxcommand.org/lts0070.php
|
||||
[11]:http://openvpn.net/
|
||||
[12]:https://code.google.com/p/tunnelblick/
|
||||
[13]:https://www.sparklabs.com/viscosity/
|
||||
[14]:https://code.google.com/p/tunnelblick/wiki/DownloadsEntry#Tunnelblick_Beta_Release
|
||||
@ -0,0 +1,324 @@
|
||||
在树莓派上建立VPN~第一部分~:如何以及为何建立一个服务器
|
||||
================================================================================
|
||||
> 不要相信任何人,自己建立为Web数据加密的服务器从而躲过他人的窥视
|
||||
|
||||
虽然免费,未加密的无线AP遍地都是,但是你不应该连接这些AP来登陆你的网银账户,除非你对他人的窥视毫不在意.那么对此的解决方案是什么呢?一个[虚拟专用网][1],也就是VPN(virtual private network).
|
||||
|
||||
一个VPN可以使你的私用网络拓展至公共场所,因此即使你连接着星巴克的 Wi-Fi,你对网络浏览仍然保持着安全的加密.
|
||||
|
||||
有很多方法来建立VPN,包括[免费以及付费的服务][2],但是每个解决方案都有其的优点以及缺点,取决于VPN服务商运作的方式和服务商提供的VPN选项.
|
||||
|
||||
最简单以及最方便的保证数据安全的方法就是完全抛弃公共Wi-Fi.但是这个解决方案对于我来说有点极端了,一部分原因是在家里建立一个VPN服务器相对容易以及划算,你只需要一个便宜(35刀)小型的树莓派.
|
||||
|
||||
我的树莓派与智能手机差不多大小,并且它拥有一个VPN服务器所有应有的功能.这意味着不管我在哪里,我可以通过安全的网络连接在家里的电脑和家里的内网来访问分享的文件以及媒体.这个服务器在我最近去波士顿的旅途中使生活变得十分美好,在旅途中我仍然可以观看储存在家里台式机上的视频.
|
||||
|
||||
在这部分文章中,说实话我喜欢直接带给你们一个设置树莓派VPN的教程.问题是这个优秀教程并不存在,至少目前没有一个适合大部分电脑用户的优秀教程.虽然有无数关于如何搭建树莓派VPN的教程,极少教程会解释这么做的目的.
|
||||
|
||||
我阅读了不少教程,并把好的部分整合入了这半篇教程中,来教授读者如何搭建树莓派VPN服务器.这个教程甚至连我都能理解,在如何搭建之后完成了为何搭建部分.最重要的是,我相信Eric Jodoin的VPN教程更适合那些专家,但它使我的大脑直接宕机了...
|
||||
|
||||
那么跟随我钻进加密法的兔子洞并且开始学习吧,无论你有多么多疑,提出了创造VPNs的那个人更正是如此.
|
||||
|
||||
### 材料 ###
|
||||
|
||||
#### 硬件 ####
|
||||
|
||||
|
||||
|
||||
**Raspberry Pi Model B**:以及使其工作所需要的所有硬件-一个常规电源供电器和一个放置的小盒子.小盒子可以避免意外的可以造成树莓派硬件损坏的短路-这个盒子甚至可以是一个自己折叠的纸板箱.
|
||||
|
||||
**SD card**:我建议8GB及以上的容量,只是来保证你有必要的储存空间.像所有树莓派项目一样,SD卡上应该要预装上NOOBS.
|
||||
|
||||
**CAT-5线**:这根线将连接树莓派的以太网接口至你的路由器的以太网接口.
|
||||
|
||||
#### 软件 ####
|
||||
|
||||
[Open VPN][3]:这是一个开源VPN服务,我们今天就要安装它.
|
||||
|
||||
### 开始项目之前的准备 ###
|
||||
|
||||
1) 你需要[准备好NOOBS][4]并且安装完[Raspbian][5].我在"鱼缸量化"项目中对此做过一个[一步步][6]的教程.因此你也可以在那里查看.
|
||||
|
||||
2) 你需要为树莓派设置一个在你家内网中的静态IP地址.这一步骤取决于你路由器的型号,因此你可能需要阅读你的路由器的说明书来完成这一步.如果你还没有完成这一步,你可以参照ReadWrite的[教程][7].
|
||||
|
||||
3) 你需要启用SSH.我们需要通过[SSH][8]与树莓派进行连接,一个使我们能够从另一台电脑连接树莓派的工具.通过这个方法,我们在这个项目中不需要再为树莓派单独设置一个显示屏以及无线键盘.再提一下,看看ReadWrite的[教程][9].
|
||||
|
||||
4) 你需要将1194端口映射至树莓派的内网IP地址[UDP traffic][10],完成这一步的方法也决定于你路由器的型号,所以阅读路由器说明书吧.如果你想用另一个端口,没问题,只要将此教程中提及"TCP","UDP"的1194端口改为你需要的端口就行了.想必你也猜到了,ReadWrite为此也写了一篇[教程][11].
|
||||
|
||||
你可以从上文看出,我们现在在建立一些树莓派的基础概念,这也是为什么在树莓派上搭建VPN对初学者来说不是一个适合的原因之一.
|
||||
|
||||
### 简单的一些警告 ###
|
||||
|
||||
我曾经喜欢直接拷贝网上教程中的代码,但是当我自己测试这篇教程时,我发现直接的复制粘贴代码会导致一些错误,原因是复制粘贴中出现的空行以及格式变化.如果你发现在此篇教程在实际操作时出现了一些问题,我的建议是先手动输入代码试试!
|
||||
|
||||
### First Steps ###
|
||||
|
||||
1) 启动并修改树莓派的密码.如果你还在使用树莓派的默认用户名(pi)和密码(respberry),那么接下来的安全教程就完全没有什么意义了.
|
||||
|
||||
打开一个terminal/PuTTY 窗口输入:
|
||||
|
||||
sudo passwd
|
||||
|
||||
将用户名以及密码修改地既好记并难猜([微软对此有一些建议][12]),不然的话为什么要自找麻烦搭建一个私人网络呢?
|
||||
|
||||
2) 为了树莓派的安全来进行软件包的升级.为此有两条命令:
|
||||
|
||||
sudo apt-get update
|
||||
|
||||
sudo apt-get upgrade
|
||||
|
||||
这应该不会花太多时间,而且为我们排除了之后可能会产生的问题.
|
||||
|
||||
3) 接下来我们需要这个开源软件(OpenVPN).输入:
|
||||
|
||||
sudo apt-get install openvpn
|
||||
|
||||
|
||||
|
||||
树莓派会寻求你的安装许可,因为这用掉一点点储存空间.但是由于我们已经准备了一张8GB及以上的SD卡,我们对此完全没问题.
|
||||
|
||||
### 生成密钥 ###
|
||||
|
||||
4) 你当然不想让任何发现你的VPN的人就可以连接,因此我们会为这个安全的地址准备一个来验证身份的密钥.这就像为你的家门准备一把锁一样.
|
||||
|
||||
OpenVPN自带了Easy_RSA,一个轻量并容易的使用RSA加密方法的包.发明于1977年,RSA是第一个沿用至今可用的加密系统.加密的密钥是公开的,解密的密钥是保密的.如果你听说过比特币的工作原理,这些对你来说应该十分熟悉.
|
||||
|
||||
通过使用Easy_RSA,你可以使用软件带有的算法来生成一个独一无二的密钥.
|
||||
|
||||
首先获得树莓派的系统权限,就是将命令提示符中的"pi@raspberrypi"转换成"root@raspberrypi".
|
||||
|
||||
sudo -s
|
||||
|
||||
这句命令在现有的终端中再次创建了一个拥有root权限的终端实例.我们需要获得root权限的原因是,如果我们没有root权限,树莓派将不会允许我们创建密钥.
|
||||
|
||||
接下来,输入:
|
||||
|
||||
cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
|
||||
|
||||
在这句命令中,"cp"代表"复制","r"代表递归.这说明我们让电脑执行:复制这个目录以及此目录下的所有文件结构及文件.
|
||||
|
||||
在**/2.0**和**/etc**中间的空格表示我们将第一个目录地址的文件(一个实例文件)拷贝至第二个目录地址,就是你让OpenVPN寻找密钥的地址.
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
|
||||
5) 接下来,我们需要"cd",改变所在目录(change directory),来放置我们生成的Easy_RSA文件.一旦完成这步,我们需要打开文件**/etc/openvpn/easy-rsa/vars**来编辑.我们可以使用nano: **nano /etc/openvpn/easy-rsa/vars**,由于我们以及在此目录下了,我们可以使用简写:
|
||||
|
||||
nano vars
|
||||
|
||||
Nano在Raspbian中内建的文件编辑工具,当然也有其他工具提供给"科技通"们,不过我们将在此教程中只使用nano.
|
||||
|
||||
现在,将你的 EASY_RSA 变量改为:
|
||||
|
||||
export EASY_RSA="/etc/openvpn/easy-rsa"
|
||||
|
||||
对我来说,这是在第13行.
|
||||
|
||||
|
||||
|
||||
为什么要修改这个变量呢?其实这是你在回答计算机的问题"你想让文件生成在哪里?".在这个情况下,我们想要将其生成在我们保存的同一个目录,easy-rsa文件树的顶层.
|
||||
|
||||
在vars文件中我们还可以做一件事,如果你对Innuminati阅读你的邮箱这件事十分偏执的话,你可以将加密方法从1024-bit改至2048-bit.在vars文件中,它明显的指出,"偏执狂请将此改为2048"("increase this to 2048 if you are paranoid").
|
||||
|
||||
但是因为这个方法大大增长了生成密钥的时间,我们不会在这个教程中使用它.保持下面这个样子:
|
||||
|
||||
export KEY_SIZE=1024
|
||||
|
||||
按下**Control+X**来保存修改并推出nano.
|
||||
|
||||
### 获取加密手段 ###
|
||||
|
||||
6) 现在该搭建CA证书和Root CA证书了.
|
||||
|
||||
在加密学中,一个授权机构(certificate authority (CA))是一个颁布电子证书的存在.电子证书证明公钥的所有者.
|
||||
|
||||
你可能一直在使用它只是你自己不知道而已.举个例子,当我登陆我的网银账户时,我可以在网页地址前看到HTTPS字符.当我点击HTTPS前的锁时,我会看到一个叫做[GeoTrust][13]的公司验证了我网银页面的合法性,因此我知道这不是一个钓鱼欺诈网站.(当然最近的[Heartbleed漏洞][14]指出HTTPS并不是我们想得那么安全).
|
||||
|
||||
在树莓派这个例子中,我作为我自己的授权机构,自己为OpenVPN签字,而不是通过一个第三方公司.
|
||||
|
||||
cd /etc/openvon/easy-rsa
|
||||
|
||||
现在我们又改变了所在目录,将下面命令一行接一行输入终端:
|
||||
|
||||
**source ./vars** → 这个"source"加载你之前修改的文件(vars).
|
||||
|
||||
**./clean-all** → 这会删除之前所有的密钥文件,如果有的话.如果在这个文件目录下有你不想删除的密钥文件(比如这是你第二次尝试这篇教程),跳过这条命令.
|
||||
|
||||
**./build-ca** → 最后一条来生成你的授权机构.
|
||||
|
||||
再输入第三条命令之后,树莓派会弹出一堆选项,你可以填写这些选项如果你愿意的话--国家名字,州名或省名,位置名,机构名,机构单位和电子邮件地址.如果你不想填写,只要在每个选项出现时按"enter"就行了,树莓派会使用默认值.下面的截屏展现了这些选项的长相:
|
||||
|
||||
|
||||
|
||||
现在你可以为你的服务器命名了.我很创新地将其命名为"Server"...你可以取任意的名字,不过别忘记输入:
|
||||
|
||||
./build-key-server [Server_Name]
|
||||
|
||||
再次,树莓派会给出一系列的选项,请随便输入,但注意以下几个选项:
|
||||
|
||||
**Commom Name ** 必须是你为服务器取得名字.
|
||||
|
||||
**A challenge password?** 必须留空.
|
||||
|
||||
**Sign the certificate? [y/n]** 废话,你必须输入"y".
|
||||
|
||||
你接下来会获得说明你的证书会在接下来的3650天中有效的信息.因此,如果你打算长期使用这个VPN的话,你必须在十年后重新走这个流程.
|
||||
|
||||
**1 out of 1 certificate requests certified, commit? [y/n]** 明显,输入"y".
|
||||
|
||||
|
||||
|
||||
6) 服务器端就这么设置好了.现在该为各位用户生成密钥了,或者说"客户".我为家里的计算机,平板,手机各生成了一个密钥,总共有5个.不要以为在所有客户端使用同样的密钥就可以节省时间,这样的话,一次只能有一个设备能访问VPN.
|
||||
|
||||
./build-key-pass UserName
|
||||
|
||||
我发现采用用户名 Client1, Client2, Client3...十分方便
|
||||
|
||||
|
||||
|
||||
在这之后,更多信息会弹出!
|
||||
|
||||
**Enter PEM pass phrase** 设置其为你记得住的密码!他会让你输入两次,不会有几率输入错误.
|
||||
|
||||
**A challenge password?** 必须留空!
|
||||
|
||||
**Sign the certificate? [y/n]** 同样签十年.
|
||||
|
||||
cd keys
|
||||
|
||||
openssl rsa -in Client1.key -des3 -out Client1.3des.key
|
||||
|
||||
留意我们使用des3加密生成的字符串文件,des3是一个复杂[加密算法][15]会在每一个数据块上运行3次,来防止骇客的暴力破解.OpenSSL 代表开源的加密套接字实现,是一个建立安全连接的标准方法.你需要为你生成的每一个客户端运行这一步.
|
||||
|
||||
有人会说这一步完全没有必要,你可以跳过这一步.但是如果你通过Android或者iOS设备连接OpenVPN,那么你必须要做这一步,不然的话目前版本在解析你的密钥时会有一些困难产生.
|
||||
|
||||
Enter pass phrase for Client1.key
|
||||
|
||||
说实话,我用了和以前一样的密码.再输入一遍,就想说的那样.
|
||||
|
||||
|
||||
|
||||
现在我们已经创建了服务器证书以及至少一个客户端证书,输入以下命令:
|
||||
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
|
||||
或者
|
||||
|
||||
cd ..
|
||||
|
||||
两种方法都会将你的所在目录带会/easy-rsa/.
|
||||
|
||||
7) 现在该生成[Diffie-Hellman key exange][16]了.这是使你的VPN工作的关键代码,一个使两个没有准备的实例通过服务器交换密钥的协议.像RSA一样,这是现有的最早发明的加密系统.
|
||||
|
||||
./build-dh
|
||||
|
||||
这一步会花一些时间,甚至比2048-bit加密还要慢.而且没有任何方法可以预测它运行的时间,因为这个算法使用的是随机数并寻找一些特定的关系.事实上,在我写这篇教程时,1024-bit加密只花了我5分钟.
|
||||
|
||||
|
||||
|
||||
8) 最后,我们要实现OpenVPN内建的服务阻断攻击(Denial of Service -- DoS)防护.你可能已经知道服务阻断攻击是骇客找到你的服务器地址后很有效的攻击手段,这种攻击通过生成大量的访问请求来使你的服务器崩溃.
|
||||
|
||||
输入以下代码来生成静态的HMAC([hash-based message authentication code][17])密钥:
|
||||
|
||||
openvpn --genkey --secret keys/ta.key
|
||||
|
||||
## 最后收尾 ##
|
||||
|
||||
9) 我们已经生成了密钥以及来签名的授权机构.剩下的只是如何告诉OpenVPN如何配置这个服务器了.
|
||||
|
||||
因为我们在树莓派上使用在没有图形用户界面的Linux操作系统,我们需要生成一个.conf (configuration) 文件来告诉OpenVPN如何配置服务器,而不是通过图形界面的选择.用nano打开.conf文件:
|
||||
|
||||
nano /etc/openvpn/server.conf
|
||||
|
||||
我们在这个目录下打开.conf文件的理由是,编辑完此文件会直接生成在/etc/openvpn的目录中.但是你刚刚打开的这个文件是空的.[将此地址中的配置复制入编辑器][18].在配置中我用大写字符注释了你必须要更改的地方,具体可以看注释.按下 Control+X 来保存文件.
|
||||
|
||||
10) 让我们快速地编辑一下另一个配置文件.在默认配置下树莓派并不会映射网络流量,我们需要另一个配置文件来使树莓派启用对我们新建网络中的网络流量的映射.
|
||||
|
||||
nano /etc/sysctl.conf
|
||||
|
||||
在文档开头处有注释:"反注释下一行来启用IPv4中的数据包映射."("Uncomment the next line to enable packet forwarding for IPv4.").我在下面的截图中高亮了这部分.
|
||||
|
||||
|
||||
|
||||
删除那一行前面的 # 来反注释这一行.这告诉树莓派要对IPv4的数据包进行映射.当你反注释了这一行,树莓派就拥有了作为互联网的中介而不是单单的接受者的权限,可以既接受并传输数据包.
|
||||
|
||||
按下 Control+X 来保存修改.通过以下命令启用此配置:
|
||||
|
||||
sysctl -p
|
||||
|
||||
sysctl命令表示"[在运行中改变内核配置参数][19]".-p 告诉计算机重新加载你刚刚修改的配置文件.
|
||||
|
||||
11) 到这一步我们以及配置完了一个拥有互联网访问权限的工作中的服务器.但是我们还不能用它,用为树莓派有内置的[防火墙][20]来限制传输入的网络连接.
|
||||
|
||||
Raspbian的防火墙会在来路不明的互联网源头中保护你的树莓派.我们仍然需要防火墙来保护我们,但是我们要在防火墙中挖一个OpenVPN样子的洞,使OpenVPN的连接可以顺利通过.
|
||||
|
||||
此外,Raspbian的防火墙会在重启后默认进行重置.我们需要创建一个简单的脚本使树莓派记住每次重启时对OpenVPN的连接进行允许.
|
||||
|
||||
nano /etc/firewall-openvpn-rules.sh
|
||||
|
||||
这是一个空文件,输入以下内容:
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X
|
||||
|
||||
不要忘记将默认IP地址改为你树莓派的IP地址!
|
||||
|
||||
分解下这条命令: 10.8.0.0 是客户端连接树莓派VPN后树莓派的默认地址. "eth0"代表以太网接口. 将其改为"wlan0"如果你使树莓派用无线连接互联网, 当然我不建议你这么做. 按下 Control+X 保存编辑.
|
||||
|
||||
为了安全考虑, 我们要改变**/etc/firewall-openvpn-rules.sh**的所有者,使此文件默认不可被运行. 首先将权限设定为[700][21] (所有者可以读,写,执行). 然后,我们会将此脚本的所有者改为root, 在Linux标准系统中, root代表系统管理员.
|
||||
|
||||
chmod 700 /etc/firewall-OpenVPN-rules.sh
|
||||
|
||||
chown root /etc/firewall-OpenVPN-ruels.sh
|
||||
|
||||
12) 我们已经创建了一个在防火墙中开出OpenVPN形状的洞, 我们现在只需要将这个脚本注射入网络interface初始化的代码中, 然后它就会在每次开机时运行了.
|
||||
|
||||
nano /etc/network/interfaces
|
||||
|
||||
找到带有"iface eth0 inet dchp"的那一行. 我们需要在这行之后的缩进中加上一行. 下面是这两行, 一行新加入, 一行原来就存在, 在完成之后它应该差不多像这样:
|
||||
|
||||
iface eth0 inet dhcp
|
||||
|
||||
pre-up /etc/firewall-openvpn-rules.sh
|
||||
|
||||
按下 Control+X 保存更改 (当你在使用nano的时候都应该这么做).
|
||||
|
||||
最后, 在最后, 在最最后: 重启树莓派.
|
||||
|
||||
sudo reboot
|
||||
|
||||
恭喜你!! vpn服务器就这么搭建完成了, 当然如果没有客户端连接服务器的话, 服务器也没什么用, 因此你应该牢记你在第6步创建, 生成的用户名及密钥. 接下来你可以继续阅读这篇教程的[第二部分][22]来学习如何创建加密的客户端.
|
||||
|
||||
树莓派的照片来自 [Tors][23]. 其他所有的截屏来自Lauren Ordini. 教程展示于ReadWrite.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
|
||||
|
||||
译者:[ThomazL](https://github.com/ThomazL) 校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[1]:http://en.wikipedia.org/wiki/Virtual_private_network
|
||||
[2]:http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm
|
||||
[3]:http://openvpn.net/
|
||||
[4]:http://learn.adafruit.com/setting-up-a-raspberry-pi-with-noobs/overview
|
||||
[5]:http://www.raspbian.org/
|
||||
[6]:http://readwrite.com/2014/03/04/raspberry-pi-quantified-fish-acquarium
|
||||
[7]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
|
||||
[8]:http://en.wikipedia.org/wiki/Secure_Shell
|
||||
[9]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
|
||||
[10]:http://en.wikipedia.org/wiki/User_Datagram_Protocol
|
||||
[11]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
|
||||
[12]:http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
|
||||
[13]:http://www.geotrust.com/
|
||||
[14]:http://readwrite.com/2014/04/08/heartbleed-openssl-bug-cryptography-web-security
|
||||
[15]:http://osxdaily.com/2012/01/30/encrypt-and-decrypt-files-with-openssl/#
|
||||
[16]:http://www.google.com/patents/US4200770
|
||||
[17]:http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
|
||||
[18]:https://gist.github.com/laurenorsini/9925434
|
||||
[19]:http://linux.about.com/library/cmd/blcmdl8_sysctl.htm
|
||||
[20]:http://en.wikipedia.org/wiki/Firewall_(computing)
|
||||
[21]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
|
||||
[22]:http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side#awesm=~oB89WBfWrt21bV
|
||||
[23]:http://commons.wikimedia.org/wiki/File:Raspberry_Pi_Model_B_Rev._2.jpg
|
||||
|
||||
@ -0,0 +1,150 @@
|
||||
在树莓派上建立VPN~第二部分~:建立加密客户端
|
||||
================================================================================
|
||||
> 你已经成功搭建了一个工作中的VPN服务器! 现在该干什么了?
|
||||
|
||||
欢迎来到ReadWrite的树莓派VPN搭建教程的第二部分!
|
||||
|
||||
到现在为止, 我们已经很清楚地摆平了将你的树莓派变成了一个虚拟私人网络这个工作. 但是随着[未来安全漏洞对互联网生活的妥协][1], 让我们感觉拥有一个安全的服务器在你的身边越来越重要了. 通过这样, 你就可以不用担心有人在信息传输于你的电脑和互联网时拦截信息, 自由地写邮件以及传输数据了.
|
||||
|
||||
[如果你看了此教程的第一部分][2], 你应该在你的树莓派上已经配置完一个拥有完全功能的VPN服务器了. 你可以在有免费WiFi时用这个服务器来传输加密信息了. 你也可以访问保存于你家里网络中已分享的文件以及媒体.
|
||||
|
||||
只是, 你现在还无法访问. 我们现在已经为客户端(计算机和移动设备)创建了访问的密钥, 但是我们还没有告诉客户端服务器的访问地址, 如何连接, 以及用什么密钥访问.
|
||||
|
||||
你应该记得, 我们已经为需要连接VPN的不同客户端创建了不同的密钥. 我们将客户端命名为 Client1, Client2 和 Client3.
|
||||
|
||||
但是为每个客户端从零单独生成一个配置文件会造成很多不必要的麻烦, 这就是为什么我们需要使用[SANS institute][3]的Eric Jodoin写的巧妙的脚本. 这个脚本会帮助我们生成配置文件.
|
||||
|
||||
### 跟随脚本 ###
|
||||
|
||||
这个脚本会访问我们的默认设置, 从而为每一个客户端生成各自的配置文件. 我们需要做的第一件事是, 创建一个空的刻度文本文档并写入我们的默认配置.
|
||||
|
||||
nano /etc/openvpn/easy-rsa/keys/Default.txt
|
||||
|
||||
写入下面的文本:
|
||||
|
||||
client
|
||||
|
||||
dev tun
|
||||
|
||||
proto udp
|
||||
|
||||
remote <你的公网ip地址> 1194
|
||||
|
||||
resolv-retry infinite
|
||||
|
||||
nobind
|
||||
|
||||
persist-key
|
||||
|
||||
persist-tun
|
||||
|
||||
mute-replay-warnings
|
||||
|
||||
ns-cert-type server
|
||||
|
||||
key-direction 1
|
||||
|
||||
cipher AES-128-CBC
|
||||
|
||||
comp-lzo
|
||||
|
||||
verb 1
|
||||
|
||||
mute 20
|
||||
|
||||
这个文档应该长的和下面的截屏差不多, 除了你应该填入你自己的公网ip地址之外. 你注意到了我已经把我的公网ip删除了, 当然这是为了保护我的隐私. 换句话说, 每个人的本地静态ip都差不多. 他们都以 "192.268." 起头.
|
||||
|
||||
|
||||
|
||||
如果你没有一个公网ip的话, 你需要使用动态DNS服务来给你自己一个域名来代替公网ip. 我建议你使用免费服务[DNS Dynamic][4], 它允许你取自己选择的名字. 然后在你的树莓派上, 你需要运行DDclient来自动更新你的DDNS登记. 我在[这里][5]写过一篇完整的教程.
|
||||
|
||||
同样, 按 Control+X 来保存文件并推出nano.
|
||||
|
||||
接下来, 我们需要创建一个实际的脚本. 一个可执行脚本通常从shell启动, 可以自动化一些我们需要做的工作.
|
||||
|
||||
nano /etc/openvpn/easy-rsa/keys/MakeOPVN.sh
|
||||
|
||||
[这里][6]是脚本文件, 由Jodoin编写. 将内容复制粘贴至编辑器(注意一下复制粘贴中产生的问题).
|
||||
|
||||
你需要将执行权限赋予给这个脚本. 首先改变所在目录:
|
||||
|
||||
cd /etc/openvpn/easy-rsa/keys/
|
||||
|
||||
然后给予其root权限. 如果你还记得第一部分教程的内容的话, Linux中的权限管理由[不同的3位数字][7]实现. 700表示"所有者可以读,写,执行".
|
||||
|
||||
chmod 700 MakeOPVN.sh
|
||||
|
||||
最后, 执行文件:
|
||||
|
||||
./MakeOPVN.sh
|
||||
|
||||
在脚本运行途中, 他会要求你输入现有的客户端名称. 实例: "Client1". 注意只输入已经存在的客户端名称.
|
||||
|
||||
如果一切运行良好的话, 你应该会看到下面这行字弹出:
|
||||
|
||||
Done! Client1.opvn Successfully Created.
|
||||
|
||||
为剩下的客户端都执行这一步.
|
||||
|
||||
最后要做的事是将客户端连上树莓派, 然后你就可以从客户端下载文件了. 你需要使用一个SCP (Secure Copy Protocol)客户端来实现它. 在Windows中, 我推荐[WinSCP][8]. 我一直在mac中使用[Fugu][9].
|
||||
|
||||
注意: 如果你没有连接SCP客户端的权限, 你需要为自己授权在此文件夹的读/写权限. 回到树莓派中输入:
|
||||
|
||||
chmod 777 -R /etc/openvpn
|
||||
|
||||
注意在你复制完文件后取消这一步, 从而其他人不能从这里下载文件! 完成之后将权限改为[600][10], 使树莓派的用户能读/写文件:
|
||||
|
||||
chmod 600 -R /etc/openvpn
|
||||
|
||||
完成后回到客户端.
|
||||
|
||||
### 使用客户端软件 ###
|
||||
|
||||
好了,困难的部分都结束了. 从这里开始我们需要将之前生成的脚本输入图形用户界面. 对PC, Android或者iOS手机来说, 你可以下载[OpenVPN Connect][11]. 但是这个软件没有mac版, 所以我尝试了[Tunnelblick][12]和[Viscosity][13].
|
||||
|
||||
Tunnelblick 是免费的, 但是Viscosity在免费30天尝试之后需要9美刀来购买. 不管怎么样, 我们来尝试下将mac连入我们的服务器吧.
|
||||
|
||||
在我的情况下, mac是我第5个连接VPN的客户端, 所以我生成的文件名叫做client5.opvn.
|
||||
|
||||
下载可以在你的OS X版本下运行的Tunnelblick. 我在使用Mavericks, 所以我下载了[beta][14]版. 虽然这个软件有很多我看起来很好笑的语言弹出, 但这真的是一个合法的下载.
|
||||
|
||||
|
||||
|
||||
然后它会问你, 你的配置文件是.opvn或.tblk. 如果你选择了.opvn它会带你将文件格式转换成Tunnelblick本地格式. 我把Client.opvn传送至Tunnelblick提供的文件夹, 然后把文件夹的名字改为了Client5.tblk.
|
||||
|
||||
好啦, 你已经可以连接了. 点击屏幕右上方Tunnelblick的标志然后选择Client5.
|
||||
|
||||
|
||||
|
||||
它会问你是否传输密码文本, 这个密码和上篇中我们生成各个客户端时使用的密码是同样的.
|
||||
|
||||
|
||||
|
||||
如果你密码输入正确, 你会获得像上面这样的情况.
|
||||
|
||||
尝试在咖啡厅, 图书馆或任何有免费WiFi的地方连接VPN. 通过使用VPN, 即使你连接的是公共网络, 你的数据仍然是安全的.
|
||||
|
||||
教程展示于ReadWrite.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side
|
||||
|
||||
译者:[ThomazL](https://github.com/ThomazL) 校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[1]:http://readwrite.com/2014/04/10/heartbleed-security-protect-yourself-data-passwords
|
||||
[2]:http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
|
||||
[3]:http://www.sans.org/
|
||||
[4]:https://www.dnsdynamic.org/
|
||||
[5]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
|
||||
[6]:https://gist.github.com/laurenorsini/10013430/revisions
|
||||
[7]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
|
||||
[8]:http://winscp.net/eng/index.php
|
||||
[9]:http://download.cnet.com/Fugu/3000-7240_4-26526.html
|
||||
[10]:http://linuxcommand.org/lts0070.php
|
||||
[11]:http://openvpn.net/
|
||||
[12]:https://code.google.com/p/tunnelblick/
|
||||
[13]:https://www.sparklabs.com/viscosity/
|
||||
[14]:https://code.google.com/p/tunnelblick/wiki/DownloadsEntry#Tunnelblick_Beta_Release
|
||||
Loading…
Reference in New Issue
Block a user