mirror of
https://github.com/LCTT/TranslateProject.git
synced 2024-12-26 21:30:55 +08:00
20140417-2 topic selection
parent
01e98672f7
commit
965e0952d5
@ -0,0 +1,189 @@
|
||||
Raspberry Pi's Eben Upton: How We're Turning Everyone Into DIY Hackers
|
||||
================================================================================
|
||||
> Inside the mind that prototyped a $35 computer for tinkerers.
|
||||
|
||||
I’ll never forget my first time seeing a Raspberry Pi. The tiny, credit-card sized computer is powerful enough to operate as a home PC, a media center, a gaming console, or anything you can dream up. At only $35, it’s a bargain for tinkerers of all ages who want to try out hardware and software experiments without worrying about bricking their pricier family computers.
|
||||
|
||||
[Eben Upton][1], cofounder of the Raspberry Pi Foundation, is generally credited as the magician behind this incredible machine. While working on his doctorate in philosophy at the University of Cambridge's computer laboratory, Upton painstakingly put together Raspberry Pi prototypes by hand.
|
||||
|
||||
Today, Upton is CEO of the Raspberry Pi Foundation’s trading company, where he oversees production and sales of the Raspberry Pi. The foundation has now sold more than 2.5 million units.
|
||||
|
||||
### Pi In The Sky ###
|
||||
|
||||
ReadWrite: What got you really interested in technology in the first place? How did that lead you eventually to the Raspberry Pi project?
|
||||
|
||||
**Eben Upton**: So I actually got started when I was a kid. I have a father who has a certain amount of interest in engineering. He’s not an engineer, he’s an English academic. There were always piles of electrical stuff around the house that I used to play with before I understood what it did. Little things like making a light to have by your bed so you could read after “lights out” and stuff.
|
||||
|
||||
![](http://readwrite.com/files/raspberry%20pi%20black-and-white%20flickr%20johan%20larsson.jpg)
|
||||
|
||||
And then I got a computer. In the UK we have these machines called [BBC Microcomputers][2], which were 8-bit micros that were build for education. We had them at school, I got into programming at school, and I enjoyed it.
|
||||
|
||||
These things weren’t necessarily in school for programming, or at least they didn’t tend to get used for programming. They would get used to run educational software. But I used to program on them. And then I bought one to program at home. I mean, the day I got my BBC micro, I went in my room, turned it on, and never came out again. [Laughs]
|
||||
|
||||
Programming is amazing for a kid. When you’re a kid you don’t have a lot of power. You don’t have a lot of agency, a lot of control over the world around you. The great thing about programming is it’s a little world where you do whatever you want. And I certainly found that very compelling.
|
||||
|
||||
I’d always been interested in science, math, kind of hard science subjects. Did a lot of computing, did a lot of programming on my BBC. I had a Commodore Amiga after that.
|
||||
|
||||
At university I did a mixture of physics, engineering, and computer science. And then that really kind of led me to the Pi. Because after I’d been at university for a decade [while getting a doctorate], I realized that the kids who were arriving hadn’t had the chance to have that set of experiences as a child. You could still get Legos but … that ladder.
|
||||
|
||||
We’d kind of pulled the ladder up after us. We built these very sophisticated and user-friendly computers for children to use now. Or not even computers—game consoles and phones and tablets, kind of appliances. But people were being denied that opportunity to tinker. So really Raspberry Pi is an attempt to get back—without kind of being too retro—some of what we kind of feel was lost from the evolution of computers over the last 25 years.
|
||||
|
||||
**RW:** What were some of the biggest hurdles you had to overcome?
|
||||
|
||||
**EU:** Well, we didn’t have any investors, so that was one nice thing. We’ve been trying to do this since 2006 so you can see it took us a long time to get from the idea of a Raspberry Pi to something you could sell. Finding something that had the right tradeoff between price and performance, or price and programmability was a big deal.
|
||||
|
||||
Getting the money together. We’re a not-for-profit, so we had to go find some money, and there ended up being a few of us on the board of trustees just loaning money out of our own pockets. So we had about a quarter of a million dollars of startup funding which was entirely loans from me and a couple of other people. So having the guts to do that, I guess.
|
||||
|
||||
![](http://readwrite.com/files/raspberry%20pi%20flickr%20clive%20darra.jpg)
|
||||
|
||||
### From East To West ###
|
||||
|
||||
Finding a way to get it manufactured at the right price. We ended up taking an unusual route. Generally when people make more conventional products, what they do is make them locally, when they’re low volume. And they [manufacturers] charge a high price. Most people have thicker margins than Raspberry Pi.
|
||||
|
||||
So what people do is manufacture in the west. Later on, in search of a squeeze, they got the volume and are looking to improve their production costs, so they go to the far east.
|
||||
|
||||
The issue for us was that, because we didn’t have enough margin to support that kind of order, we built our very first units in China. Which was of course, at first a slightly daunting prospect. I knew nothing about manufacturing in China, and we ended up sending $50,000 of chips and $50,000 to some guy in Hong Kong. And he sent us back 2,000 working Raspberry Pis.
|
||||
|
||||
It got to the point where there was a little bit of a delay and we were convinced that we’d gotten shafted. And then one day, the first 2,000 of now 2.5 million Raspberry Pis turned up on the doorstep on a pallet.
|
||||
|
||||
This UPS guy comes out of his truck with a pallet and a pallet jack and jacks this pallet into the garage. It’s got 2,000 Raspberry Pis on it and each one of those is massively more powerful than any computer I had when I was a kid. And we were just picking them out at random out of the pallet just to sample them and they all worked perfectly.
|
||||
|
||||
So getting lucky, I guess, with China, and then finally having got the volume, we went in the other direction from everyone else. I guess the other defining moment in the project was when we realized that, having got the volume, we could now build in the west for the same price we would have been able to build in China. So we were able to repatriate, to reshore all the manufacturing back to Wales, which is where I was born. Kind of a nice sort of circle.
|
||||
|
||||
**RW:** Were there any precursors to the Pi that didn’t work out?
|
||||
|
||||
**EU:** Yeah, we built a number of different prototype devices. We were trying to build something that was programmable but interesting to kids. “Interesting to kids” means kind of … powerful in some respects. Able to play video and games and go on the Web.
|
||||
|
||||
We had a number of prototypes that met the price goal and the programmability goal, but it was only very late, post 2010 and 2011, that we were able to identify a path that allowed us to build something that was also powerful enough that kids were going to engage with it.
|
||||
|
||||
### Whence The Pi Was Baked ###
|
||||
|
||||
**RW:** Tell me about inventing the Raspberry Pi.
|
||||
|
||||
**EU:** We tried building some units based on what you’d call microcontroller technology. I don’t know if you’ve come across an [open source electronics prototyping] platform called Arduino? Sort of a similar level of performance to the Arduino. The nice thing about those chips is they’re very available, they’re commodity parts, they’re very cheap and easy to get ahold of.
|
||||
|
||||
![](http://readwrite.com/files/raspberry%20pi%20pibow%20flickr%20peet%20sneekes.jpg)
|
||||
|
||||
So we tried that. And we ended up with something which was technically a computer—you plug it into your television and stuff. But it was kind of primitive and it was clear that kids weren’t going to engage with it. So that was prototype one, and that prototype is coming to a museum in Ireland in an exhibition called “Fail.” [Laughs] I’m going to go see it next month. It’s in a glass cabinet as an example of a glorious failure.
|
||||
|
||||
The nice thing about that was that was hand built. You can’t really build a modern Raspberry Pi by hand. But this one was primitive enough that you could actually solder it together and I soldered it together in a week. And it was a nice little toy.
|
||||
|
||||
After I’d been at university for a decade of so, I went to work for a company called Broadcom, which is based in southern California but has a big office in Cambridge. They make cellphone chips. And we realized that cell phone chips are quite a good fit. They’re quite a good platform for building a Pi-like device, since they have a lot of graphics performance.
|
||||
|
||||
I built a prototype based on that, based on a Broadcom dev kit. And that was much more powerful, much more capable, again at the same price point. But the challenge we had with that was that it was really a custom environment. It wasn’t a standards based platform.
|
||||
|
||||
We were writing our own SD card drivers, our own file system, our own text editor. You find yourself doing a lot of basic work and although you end up with a platform which is powerful and programmable, it's completely nonstandard [and] completely unlike any other machine. You don’t get to leverage any of the work that’s already been done by people on desktop platforms. That was prototype two.
|
||||
|
||||
The real breakthrough for us was with prototype three. We got hold of another chip from Broadcom which had an ARM processor which was able to run standard Linux. That was really the point where we realized we had something that met all our goals. And that was the product we went to market with.
|
||||
|
||||
### Hacking The Next Generation Of Hackers ###
|
||||
|
||||
**RW:** Kids as young as eight have built projects using the Raspberry Pi. Did you intend that, or did it take you by surprise?
|
||||
|
||||
**EU:** Eight is a good age. I think everyone defines the right age as being the age when they started programming. I was eight when I started programming. To some extent, all a child needs is to be old enough to have the relevant suite of cognitive skills, kind of problem solving type skills. A little bit of math maybe, at school.
|
||||
|
||||
![](http://readwrite.com/files/raspberry%20pi%20lego%20flickr%20luca%20sbardella.jpg)
|
||||
|
||||
To be old enough to be able to plan activities—programming is the ultimate planned activity. You need to have the mental equipment to do that. By the age of eight, a lot of children are quite mature in their way of thinking. You also need mechanical dexterity; another challenge that younger children have is the lack of mechanical dexterity required to use a keyboard.
|
||||
|
||||
So eight’s a great age. You’ve got the physical equipment, the mental equipment, and you’re still at that point in your life where you’re able to learn new things very easily. Your brain’s very plastic, you’re able to learn languages....
|
||||
|
||||
I mean, if you want a child to learn French, start teaching them at eight, don’t start teaching them at 16. One of the weaknesses we have historically in our formal teaching of computing is we start people incredibly late, and then are surprised when people have difficulty picking up the concepts. So I think the younger you can get them the better and eight is a fantastic age. Eight, 10, 12—12 is maybe a little bit late.
|
||||
|
||||
Our foundation CEO, [Lance][3] [Howarth], is particularly passionate about primary education. He really perceives a real opportunity there to do something quite special.
|
||||
|
||||
**RW:** So that was an intention of the Raspberry Pi, to get really young kids programming?
|
||||
|
||||
**EU:** I think we’ve always thought that young kids could do programming just by example. But the intention of the Raspberry Pi was to make this thing available and just see who buys it. We always believed that at least a subset of young children would find it exciting. Now we have the breadth and scale to get it to young kids with support.
|
||||
|
||||
There’s a big difference between [just] making a platform like Raspberry Pi available and offering support for it. I think if you just make it available, you’ll find one percent of eight-year-olds will be the one percent who love that sort of thing and will get into it, regardless of how much or how little support you give them.
|
||||
|
||||
I think the real opportunity for the foundation right now is that, since we can afford to pay for the development of educational material, we can afford to advocate for good training for teachers throughout this. There’s an opportunity to get more than one percent. There’s an opportunity to reach the bright kids who don’t quite have the natural inclination to personally tackle complicated technical tasks. If you give them good teaching and compelling material that’s relevant and interesting to them, you can reach ten percent, twenty percent, fifty percent, many more.
|
||||
|
||||
We look back to the 1980s as this golden era [of learning to program], and in practice, only a very few percent of people were learning to program to any great degree. Most people could probably write a couple of lines. But doing any significant programming was still rare.
|
||||
|
||||
I think the real opportunity for us now, because we can intervene on the material and teacher training levels, we can potentially blow past where we were in the 1980s. There’s much more participation, there’s much more gender equality. Programming was largely a boy’s activity in the 1980s, and that’s now reflected in the makeup of our engineering community. I think there’s a real opportunity to get more girls programming computers. That’s the lowest of low hanging fruit. If we do that, we instantly double the number of people.
|
||||
|
||||
There are a lot of opportunities and I think the most satisfying thing for Pi is we’re kind of at the scale where we can start to attack some of them.
|
||||
|
||||
### Pi For Everyone ###
|
||||
|
||||
**RW:** What does that say to you about the potential demand for DIY projects like the Pi? Are we all going to be DIY hackers one day?
|
||||
|
||||
**EU:** Yeah, I mean, that’s the thing. There is an enormous demand for it. And I think that there is a tie to the maker community. The maker community is much more developed in American than it is in the UK. We do have maker fairs and hackerspaces now, but it’s probably five years behind where it is in the U.S.
|
||||
|
||||
So one thing we found when we started talking about Raspberry Pi, when it started getting international attention, we found we were launching into this very well established community of people who like doing all sorts of DIY activity: knitting, or, you know, woodworking.
|
||||
|
||||
So that’s one of the things that led to that surprise increase in volume for the Pi. Makers who see it as a component they can use to build their projects. Which is great!
|
||||
|
||||
**RW:** What do you think about the emergence of mainstream hardware-hacking culture?
|
||||
|
||||
**EU:** I mean, it’s fantastic, right? It’s something we would never have predicted on the software engineering front. I’ve come to this stuff from a software background, so the fact that most of the cool stuff people do with the Raspberry Pi is hardware related is surprising to me. It’s not surprising to me anymore, but it was surprising to me originally.
|
||||
|
||||
![](http://readwrite.com/files/raspberry%20pi%20robot%20flickr%20ashley%20basil.jpg)
|
||||
|
||||
I think it’s a very positive trend, for all sorts of reasons. It’s positive because it provides children with relevant experiences. In my mind, moving pixels around on the screen is still cool, but in reality, it’s much less cool than it was in the 1980s. I think moving objects around in the world, like robots, is what’s cool for kids now.
|
||||
|
||||
When you get more relevance, you attract more girls. There’s a really insidious tendency to try and design activities for girls around tech, and it actually isn’t about girls. It’s about appealing to a broader audience.
|
||||
|
||||
There is this tiny segment—I’ve talked about the one percent, the kids who find the abstract computer programming exciting. “Let’s learn about variables!” And I was one of those kids. But that’s only a small number of people, and it seems to be boys, more often. I don’t know whether that’s a cultural thing or what but it just seems to be the way the world is.
|
||||
|
||||
Quite often when people are talking about pursuing relevance in order to attract girls, it’s not about attracting girls at all. It’s about attracting anyone other than that tiny little sliver of boys. You’re not just attracting girls, you’re attracting all the other boys as well.
|
||||
|
||||
One of the wonderful things from an education standpoint is that part of actually doing stuff in the real world with a computer is automatically more relevant than just doing things on the computer itself. So it gives you a route to attract girls into the subject, it gives you a route to track more than one percent of boys into the subject.
|
||||
|
||||
It’s great not to be alone. It’s fantastic to be launching into this tidal wave of interest, of people doing stuff in the real world. I know a guy in southern California whose two hobbies are Pi hacking and making his own chainmail. It’s just a wonderful thing that people are doing that sort of stuff.
|
||||
|
||||
### Sharing The Pi ###
|
||||
|
||||
**RW:** Can you give me an example of the sort of “relevant” projects that attract more than the one percent?
|
||||
|
||||
**EU:** The whole broad area of robotics is one. There are just vast numbers of people using the Pi as a base to make little robots that run around and do stuff, particularly now that we have the camera module, which acts as kind of computer vision.
|
||||
|
||||
I think other camera-based projects as well tend to get a lot of play. People doing wildlife photography type things, people doing time lapse photography, a wide range of stuff because we have this $25 camera module, and an infrared version so you can do nighttime animal photography—writing scripts to take pictures at night and save away the ones that have some motion in them. So those ones are nice.
|
||||
|
||||
I’m particularly fond of anything that has to do with high altitude ballooning. Environmental monitoring—there are some high school kids in the UK who did an IndieGoGo called [AirPi][4], which is a pollution monitoring shield that would sit on top of the Pi. So lots of those things that let you do physics or chemistry or biology using the Pi—those are the things that I think have relevance. Those are the things that are much easier to justify to the bulk of kids as a thing that’s worth paying attention to.
|
||||
|
||||
**RW:** When will we be seeing a Raspberry Pi Model C?
|
||||
|
||||
**EU:** We have no plans at the moment. We are mostly doing software work at the moment. I think we’ve discovered that there is a large amount of performance gain available by nickel and diming the software, buffing it a little bit.
|
||||
|
||||
If we go and make a Model C, we orphan 2.5 million people who are committed to the current platform. So I think we are, at least for now, pretty committed to trying to do software work because that helps all of those people who are in the field. We feel there is still significant performance gain available through software optimization.
|
||||
|
||||
Obviously, we’ll have to do something [about hardware] at some point. I don’t really known when. If we’re still shipping the Pi Model B in 2017, 2018, that would be bad. But I think we’re probably a year away from giving any serious consideration to what to do next.
|
||||
|
||||
**RW:** Lots of people are building projects using both the Pi and Arduino, the DIY electronics-hacking kit. Did you design Pi with kits like Arduino in mind?
|
||||
|
||||
**EU:** Not really, but we realized very early on there could sometimes be a tendency in the press to see us as a competitor to the Arduino. We were always skeptical, I think, as to whether that was really the case because I think the Pi and Arduino do different things and do them well.
|
||||
|
||||
We didn’t design it to work with the Arduino, but the Arduino is designed to work with a house PC. We make a great low power house PC for the Arduino. So yeah, it was just lucky, I guess.
|
||||
|
||||
**RW:** What do you use Raspberry Pi for at home? At work?
|
||||
|
||||
**EU:** At home, I use it as a media center; that’s a fairly common use of the Pi. It’s an interesting thing that you have people doing actual consumer electronics, using it as a piece of consumer electronics. And I’m certainly one of those.
|
||||
|
||||
I don’t have anywhere near as much time to play with it at work as I would like. Usually when I get a Pi at work it’s because I’m testing some new piece of software that I’ve commissioned. Mostly I’m just using it to check that the contractors I’ve paid to do work have done a good job.
|
||||
|
||||
I’m really hoping that I will get some more downtime over the next year. Sometimes it feels like, aside from the media center, I’ve been involved with making this fantastic toy, and because it’s been so successful I don’t get much time to play with it.
|
||||
|
||||
But it’s really gratifying to see how many people are having fun with it, to see it show up in different places. I understand we got mentioned on The Big Bang Theory, I need to track down the episode. It shows up in all these unusual places. It’s really nice to see how many people have taken it to heart and started doing stuff with it.
|
||||
|
||||
Eben Upton image courtesy of the Raspberry Pi Foundation; Raspberry Pi images by Flickr users [Johan Larsson][5], [Clive Darra][6], [Pete Sneekes][7], [Luca Sbardella][8] and [Ashley Basil][9]
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://readwrite.com/2014/04/08/raspberry-pi-eben-upton-builders#awesm=~oBGnazhOCOfaUd
|
||||
|
||||
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[1]:https://twitter.com/EbenUpton
|
||||
[2]:http://en.wikipedia.org/wiki/BBC_Micro
|
||||
[3]:http://www.raspberrypi.org/welcome-lance/
|
||||
[4]:http://airpi.es/
|
||||
[5]:https://www.flickr.com/photos/johanl/8384790662
|
||||
[6]:https://www.flickr.com/photos/osde-info/8626662243
|
||||
[7]:https://www.flickr.com/photos/p8/7950485168
|
||||
[8]:https://www.flickr.com/photos/sbardella/7473604878
|
||||
[9]:https://www.flickr.com/photos/28438417@N08/8006786385/in/photolist-dcwSD8-d8PKa3-bmosVm-bmosWG-bz3YJF-e8NRQD-btyqN1-dorXrE-hTF7id-hTF7jL-hTF4mJ-hTF4jj-hTF4q1-hTF7jA-hTF7gj-gKRLrn-ftALdo-c7Qnjs-c7Qnyh-c7QmZj-c7QnY1-c7QmNY-cu8zs3-cu8BWm-cu8u5S-cu8yC3-cu8DBN-cu8wRq-cu8xNL-cu8CJj-cu8tss-cu8BcG-cu8uVL-cu8AoW-hTF7dU-hTEzCr-hTFBCp-hTFBvR-hTFBBH-hTF4hA-hTF7c1-hTEzza-hTFBM2-cdtf1b-bz7n87-gKQSJ7-gKQUko-ds8x8q-dqweVP-cVwvJq
|
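Review bot: The `via:` line near the end of this file keeps the `#awesm=~oBGnazhOCOfaUd` share-tracking fragment, and reference [9] keeps the long `/in/photolist-…` suffix after the photo ID; trim both to the bare article and photo URLs so the links stay stable and carry no tracking data. The text also has several typos a translator will trip on: "build for education", "a decade of so", "developed in American", "I don't really known" and "a route to track more than one percent". If they come from the original article, mark them so they are not carried into the translation.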
@ -0,0 +1,326 @@
|
||||
Building A Raspberry Pi VPN Part One: How And Why To Build A Server
|
||||
================================================================================
|
||||
> Trust no one and build a server that encrypts your Web data from prying eyes.
|
||||
|
||||
Free, unencrypted wireless is everywhere, but you shouldn't be checking your bank account on it unless you don’t mind somebody else snooping. The solution? A [virtual private network][1], or VPN.
|
||||
|
||||
A VPN extends your own private network into public places, so even if you’re using Starbucks' Wi-Fi connection, your Internet browsing stays encrypted and secure.
|
||||
|
||||
There are plenty of ways to set up a VPN, both with [free and paid services][2], but each solution has its own pros and cons, determined by the way the VPN provider operates and charges and the kinds of VPN options it provides.
|
||||
|
||||
The easiest and cheapest solution to keep your data safe is to just abstain from public Wi-Fi completely. But that sounds a little extreme to me when it’s relatively simple and inexpensive to build your own VPN server at home, and run it off of a tiny, inexpensive ($35) Raspberry Pi.
|
||||
|
||||
My Raspberry Pi is about the size of a smartphone, but it runs a fully functional VPN server. That means no matter where I am, I can connect my computer to my home network and access shared files and media over a secure connection. It came in handy on a recent trip to Boston, where I was still able to watch videos stored on my network back home in DC.
|
||||
|
||||
This is the part where I’d link you to a handy tutorial on how to set this up. The problem is one doesn't exist—or at least one that could satisfy this average computer user. And while there are plenty of tutorials about how to set up a VPN server on Raspberry Pi, there are very few that explain why.
|
||||
|
||||
I read several different tutorials and cobbled together the results into this semi-coherent tutorial for setting up a VPN on Raspberry Pi, which even I can understand, complete with the why behind the how. Most prominently, I relied on Eric Jodoin's VPN tutorial for experts, and dumbed it down for me.
|
||||
|
||||
So follow me down the cryptography rabbit hole and learn that no matter how paranoid you are, whoever came up with the methods to generate VPNs was even more so.
|
||||
|
||||
### Materials ###
|
||||
|
||||
#### Hardware ####
|
||||
|
||||
![](http://readwrite.com/files/Raspberry_Pi_Model_B_Rev._2.jpg)
|
||||
|
||||
**Raspberry Pi Model B**: Plus everything that comes with it—by that, I mean a regular power source and a case to put it in. A case can help prevent accidental short-circuits that could permanently damage the machine—the case can even be as simple as a cardboard box you fold yourself.
|
||||
|
||||
**SD card**: I’m suggesting 8GB or more, just to make sure you have the space. As always for all Raspberry Pi projects, this should already have NOOBS installed.
|
||||
|
||||
**Cat5e cable**: This will connect the Pi’s ethernet port to the ethernet port on the router.
|
||||
|
||||
#### Software ####
|
||||
|
||||
[Open VPN][3]: This is the open source VPN service we’ll be installing today.
|
||||
|
||||
### Pre-Project Requirements ###
|
||||
|
||||
1) You need to [set up NOOBS][4] and install [Raspbian][5]. I wrote a [step-by-step][6] for this in my quantified fish tank tutorial, so you can refer to it there.
|
||||
|
||||
2) You need a static IP address for the Raspberry Pi on your home network. This depends on the model of your router, so use the instructions provided by the router’s manufacturer. If you don’t already have this set up, [read ReadWrite’s tutorial][7].
|
||||
|
||||
3) You'll need SSH enabled. We’ll be connecting to the Raspberry Pi with [SSH][8], a connection tool that lets us access the Pi from another computer. This way, we don’t need to set up the Pi to a monitor and wireless keyboard for this project. Once again, check ReadWrite’s [tutorial][9].
|
||||
|
||||
4) You'll need to forward port 1194 ([UDP traffic][10]) to your Raspberry Pi’s internal IP address, but the way you do this will vary depending on your router, so check with your router manufacturer’s information. If you want to use another port or TCP, that’s fine, but just be sure to change 1194 in the tutorial to the correct number for you, and anywhere it says "UDP" to "TCP." You guessed it, there's a [ReadWrite tutorial][11] for this, too.
|
||||
|
||||
You can tell we’re building off of some more basic Raspberry Pi concepts, which is why building a VPN with Raspberry Pi isn't a good first project for most beginners.
|
||||
|
||||
### A Quick Word Of Caution ###
|
||||
|
||||
I've pasted the actual code I used to complete this project, but when going back through the tutorial myself, I noticed that copying and pasting the code from the article onto the command line often results in errors due to spacing and formatting. If you are having a problem with any step of this tutorial, my first troubleshooting suggestion is to rewrite the command manually!
|
||||
|
||||
### First Steps ###
|
||||
|
||||
1) Boot up and change your password. If you’re still using the default username (pi) and password (raspberry), it makes the rest of this security project totally pointless!
|
||||
|
||||
Open up a terminal/PuTTY window and type:
|
||||
|
||||
sudo passwd
|
||||
|
||||
Change the username and password to something strong and memorable ([Microsoft offers some tips][12]), otherwise why bother building a private network?
|
||||
|
||||
2) Now let’s be safe and update the Raspberry Pi. There are two commands you want to input:
|
||||
|
||||
sudo apt-get update
|
||||
|
||||
sudo apt-get upgrade
|
||||
|
||||
This shouldn’t take long, and it’ll save us a troubleshooting step later on.
|
||||
|
||||
3) Next we need the open source software. Type:
|
||||
|
||||
sudo apt-get install openvpn
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%2010.22.19%20AM.png)
|
||||
|
||||
The Raspberry Pi is going to ask if you’re sure, since it uses up a bit of space. But since we prepared by getting an 8GB or bigger SD card, we’re totally fine.
|
||||
|
||||
### Generating Keys ###
|
||||
|
||||
4) You don’t want anyone who finds your VPN server address to be able to connect. So next, we’re going to make a key for the server address. It’s just like keeping the door to your house locked.
|
||||
|
||||
OpenVPN comes with Easy_RSA, a light and easy package for using the RSA encryption method. Developed in 1977, RSA was one of the first usable cryptosystems that is still used today. The encryption key is public, while the decryption key is secret. If you’ve read anything about how Bitcoin works, this might sound a bit familiar.
|
||||
|
||||
With Easy_RSA, you run an algorithm that comes with the software to generate a new unique key.
|
||||
|
||||
So first, let’s give ourselves superuser privileges. You’ll know it’s working when the command line prompt switches from “pi@raspberrypi” to “root@raspberrypi.”
|
||||
|
||||
sudo -s
|
||||
|
||||
This command creates another instance of the window we’re working in, but with root privileges. The reason we need to do this is because if we don’t, the Raspberry Pi will try and tell us we don’t have permission to mess around with making keys.
|
||||
|
||||
So next, we type:
|
||||
|
||||
cp –r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
|
||||
|
||||
Here, “cp” stands for copy and “-r” stands for recursive (having to do with smaller instances, too). That means we’re telling the computer, “Copy this directory and everything underneath it.”
|
||||
|
||||
The space between **/2.0** and **/etc** means we’re copying the first address (an example file) into the second folder, which is where you’ll tell OpenVPN to find your keys.
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
|
||||
5) Next, we need to cd, or change directory, to the place we just moved the Easy_RSA file. Once there, we need to open the file **/etc/openvpn/easy-rsa/vars** for editing. We could do that by writing nano **/etc/openvpn/easy-rsa/vars**, but since we’re in the folder, there’s a shortcut:
|
||||
|
||||
nano vars
|
||||
|
||||
Nano is a built-in editing tool on Raspbian, and while there are others out there for more tech-savvy people, we’re just going to use nano for all our text editing in this tutorial.
|
||||
|
||||
Now, find and change EASY_RSA variable to:
|
||||
|
||||
export EASY_RSA=”/etc/openvpn/easy-rsa”
|
||||
|
||||
For me, it was on line 13.
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%2010.26.48%20AM.png)
|
||||
|
||||
Why make this change? Basically, you’re answering the computer’s question, “Where do you want the file to go to?” We want it to export to the same folder where we will keep our keys—in this case, the top level of the easy-rsa file tree.
|
||||
|
||||
There’s one extra thing you can do in vars if you’re paranoid about the Illuminati reading your email—change the encryption method from 1024-bit to 2048-bit. The document literally says, “increase this to 2048 if you are paranoid.”
|
||||
|
||||
But since that method makes keys take way longer to generate, we’re not doing it here. We’ll keep it looking like the text below:
|
||||
|
||||
export KEY_SIZE=1024
|
||||
|
||||
Type **Control+X** to save your changes and exit the nano editor.
|
||||
|
||||
### Getting Cryptographic ###
|
||||
|
||||
6) It’s time to build the CA Certificate and Root CA certificate.
|
||||
|
||||
In cryptography, a certificate authority (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key.
|
||||
|
||||
You probably use this all the time and don’t even know it. For example, when I log into my bank account, I see an HTTPS in front of the address. If I click on the lock, I see that a company called [GeoTrust][13] verified my bank website’s legitimacy, so I know it's not a phishing scam. (Of course, the recent [Heartbleed bug][14] revealed that HTTPS isn't the security measure we all used to think it was.)
|
||||
|
||||
In the case of Raspberry Pi, I’m acting as my own certificate authority and signing off on the OpenVPN keys myself, instead of trusting it to a third party company.
|
||||
|
||||
cd /etc/openvpn/easy-rsa
|
||||
|
||||
Now that we’ve changed directories, type each of these lines one after another:
|
||||
|
||||
**source ./vars** → This “sources” or loads the vars document you edited earlier.
|
||||
|
||||
**./clean-all** → This will remove any previous keys, if there are any. If you have keys you don’t want to remove in this folder (like you’re doing this tutorial a second time), skip this command.
|
||||
|
||||
**./build-ca** → This final line builds your certificate authority.
|
||||
|
||||
After the third command, the Raspberry Pi is going to shoot back with a bunch of optional fields for you to fill out if you want to—Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit, Common Name, Name, and Email Address. If you don't care to fill out these fields, just hit “enter” each instance to have the Pi fill in the default value. The screenshot below shows what that looks like:
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.32.35%20PM.png)
|
||||
|
||||
Now you can name the server. I creatively named mine “Server.” Call it whatever you want, but don’t forget it:
|
||||
|
||||
./build-key-server [Server_Name]
|
||||
|
||||
Once again, the Pi is going to spit out some optional fields. Press enter or whatever you want, but pay attention to these three fields:
|
||||
|
||||
**Common Name** MUST be the server name you picked. It should default to this.
|
||||
|
||||
**A challenge password?** MUST be left blank.
|
||||
|
||||
**Sign the certificate? [y/n]** Obviously, you must type “y.”
|
||||
|
||||
You’ll get a message that says the certificate will be certified for 3,650 more days. So basically if you use your VPN long enough, you’ll have to do this process again in 10 years.
|
||||
|
||||
**1 out of 1 certificate requests certified, commit? [y/n]** Obviously, type “y.”
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.35.28%20PM.png)
|
||||
|
||||
6) That’s the server side setup. Now it’s time to build keys for each user, or "client." I have five keys at home—one for each computer, tablet, and cell phone in the house. It’s possible to be lazy and create just one client key for all of them, but in that case, only one device would be able to access the VPN at a time.
|
||||
|
||||
./build-key-pass UserName
|
||||
|
||||
I found it simplest to make the usernames Client1, Client2, Client3…
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.37.00%20PM.png)
|
||||
|
||||
And after that, more prompts!
|
||||
|
||||
**Enter PEM pass phrase** Make it a password you will remember! It asks you to input this twice, so there’s no danger of ruining it.
|
||||
|
||||
**A challenge password?** MUST be left blank.
|
||||
|
||||
**Sign the certificate? [y/n]** Signing certifies it for 10 more years.
|
||||
|
||||
cd keys
|
||||
|
||||
openssl rsa -in Client1.key -des3 -out Client1.3des.key
|
||||
|
||||
The important takeaway from this string of text is that we’re using des3 encryption, in which a complex [encryptionalgorithm][15] that's applied three times to each data block to keep hackers from breaking through it with brute force. OpenSSL stands for an open source implementation of Secure Socket Layer, a standard method of setting up a secure connection. You need to perform this step for every client you set up.
|
||||
|
||||
Some argue this step is unnecessary, and that you could simply skip this line. But if you’re running OpenVPN Connect clients on Android or iOS, this needs to be done. Otherwise, current versions could have difficulty parsing the keys you just generated.
|
||||
|
||||
Enter pass phrase for Client1.key
|
||||
|
||||
Honestly, I just used the same passphrase as before. And then two more times, as shown.
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.40.04%20PM.png)
|
||||
|
||||
Now that we’ve created a server certificate and (at least one) client certificate, type the following:
|
||||
|
||||
cd /etc/openvpn/easy-rsa/
|
||||
|
||||
OR
|
||||
|
||||
cd ..
|
||||
|
||||
Either way, the computer will take you up one directory, back to /easy-rsa/.
|
||||
|
||||
7) Now let’s generate the [Diffie-Hellman key exchange][16]. This is the central code that makes your VPN server tick, an exchange that lets two entities with no prior knowledge of one another share secret keys over a public server. Like RSA, it’s one of the earliest cryptosystems out there.
|
||||
|
||||
./build-dh
|
||||
|
||||
This could take a while, longer if you’re on 2048-bit encryption. There’s no way really to predict how long it will take because it is using random numbers and looking for some specific relationships. In fact, while I was making this tutorial, it only took 5 minutes with 1024-bit encryption.
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.41.40%20PM.png)
|
||||
|
||||
8) Finally, we’re going to implement OpenVPN’s build-in Denial of Service (DoS) attack protection. You might already know that a DoS attack is successful when a hacker finds out your server’s address, and generates such a large number of access requests that your server crashes.
|
||||
|
||||
OpenVPN has a way to prevent this kind of attack from occurring before it even starts by generating a static pre-shared [hash-based message authentication code][17] (HMAC) key. With this in place, the server won't even entertain the idea of authenticating an access request unless it detects this static key first. Thus, a hacker can’t just spam the server with random repeated requests.
|
||||
|
||||
Generate the static HMAC key with the following line:
|
||||
|
||||
openvpn –-genkey –-secret keys/ta.key
|
||||
|
||||
### Putting It All Together ###
|
||||
|
||||
9) We’ve generated keys and a Certificate Authority to sign them. What we’re still missing are the settings to tell OpenVPN how we want this server configured.
|
||||
|
||||
The OpenVPN program is already running. The problem is, it doesn’t know which keys to use, where you’re going to be connecting from, what kind of connection you’re building, or which IP address and port to use.
|
||||
|
||||
Since we’re using Linux on a Raspberry Pi, there’s no graphical user interface (GUI) for telling OpenVPN what it needs to know. That’s why we have to actually create a .conf (configuration) file in the nano editor off of the command line.
|
||||
|
||||
nano /etc/openvpn/server.conf
|
||||
|
||||
the reason we’re starting this address with /etc/openvpn is so it will end up in the openvpn folder. But for now, this file is completely blank. [Fill it in with this][18]. I commented in all caps where you absolutely need to change numbers and titles to your own IP address/names. Hit Control+X to save your changes.
|
||||
|
||||
10) Let’s quickly edit another configuration file. By default, Raspbian does not forward Internet traffic. We need to edit another file to allow the Pi to forward Internet traffic through our new network.
|
||||
|
||||
nano /etc/sysctl.conf
|
||||
|
||||
Near the top it says, “Uncomment the next line to enable packet forwarding for IPv4.” I've highlighted that part of the file in the screenshot below.
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.46.38%20PM.png)
|
||||
|
||||
To uncomment the line, remove the # immediately in front of it. This is setting up the configuration so it knows to forward to IPv4. Now that you’ve uncommented this line, the Pi has permission to act as a relay on the Internet instead of just a receiver, by both sending and receiving packets.
|
||||
|
||||
Hit Control+X to save your changes. Apply these changes by typing the following command:
|
||||
|
||||
sysctl -p
|
||||
|
||||
The sysctl command “[configures kernel parameters at runtime][19].” The -p tells it to reload the file with the changes you just made.
|
||||
|
||||
11) We just made a functioning server that can access the Internet. But we can’t use it yet because Raspbian has a built-in [firewall][20] that will block incoming connections.
|
||||
|
||||
Raspbian has a firewall to protect your Raspberry Pi from unknown and unexpected Internet sources. We still want the firewall to protect us from most incoming and outgoing network traffic, but we need to poke an OpenVPN-shaped hole in the firewall.
|
||||
|
||||
Additionally, Raspbian’s firewall configuration resets by default when you reboot the Pi. We want to make sure it remembers the OpenVPN connection is always permitted, so what we’re going to do is create a simple script which runs on boot:
|
||||
|
||||
nano /etc/firewall-openvpn-rules.sh
|
||||
|
||||
This is currently a blank shell executable file. Fill it with this:
|
||||
|
||||
#!/bin/sh
|
||||
|
||||
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X
|
||||
|
||||
Don’t forget to change the default IP address to your Pi’s IP address!
|
||||
|
||||
Let’s break this down: 10.8.0.0 is the default address for Raspberry Pi for clients that are connected to the VPN. "eth0" stands for ethernet port. Switch this to "wlan0" if you’re on a wireless connection, which is not recommended. Hit Control+X to save your changes.
|
||||
|
||||
As a safety measure, files you create are not executable by default, so we’ll need to change the permissions and ownership of **/etc/firewall-openvpn-rules.sh**. First we’ll change the mode to [700][21] (owner can read, write, and execute). Then, we’ll change the owner to root, in which “root” is Linux’s standard name for the superuser.
|
||||
|
||||
chmod 700 /etc/firewall-Openvpn-rules.sh
|
||||
|
||||
chown root /etc/firewall-Openvpn-rules.sh
|
||||
|
||||
12) We’ve created the script that punches an OpenVPN-shaped hole in the firewall. Now we just need to inject it into the interfaces setup code so it runs on boot.
|
||||
|
||||
nano /etc/network/interfaces
|
||||
|
||||
Find the line that goes: “iface eth0 inet dhcp.” We want to add a line below it at an indent. So this is what the two lines, existing and new, will look like when you’re done:
|
||||
|
||||
iface eth0 inet dhcp
|
||||
|
||||
pre-up /etc/firewall-openvpn-rules.sh
|
||||
|
||||
Hit Control+X to save your changes (as you should be doing whenever you use nano).
|
||||
|
||||
Finally, finally, finally: Reboot your Pi.
|
||||
|
||||
sudo reboot
|
||||
|
||||
Congratulations! That's the server! Again, it's no good if you don't have a client computer to connect with it, so remember the client names and keys you generated in step six, and then move onto [Part Two of this tutorial][22] to learn how to create an encrypted client side.
|
||||
|
||||
Raspberry Pi Model B photo by [Tors][23]. All other screenshots by Lauren Orsini. Illustration via ReadWrite.
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
|
||||
|
||||
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[1]:http://en.wikipedia.org/wiki/Virtual_private_network
|
||||
[2]:http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm
|
||||
[3]:http://openvpn.net/
|
||||
[4]:http://learn.adafruit.com/setting-up-a-raspberry-pi-with-noobs/overview
|
||||
[5]:http://www.raspbian.org/
|
||||
[6]:http://readwrite.com/2014/03/04/raspberry-pi-quantified-fish-acquarium
|
||||
[7]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
|
||||
[8]:http://en.wikipedia.org/wiki/Secure_Shell
|
||||
[9]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
|
||||
[10]:http://en.wikipedia.org/wiki/User_Datagram_Protocol
|
||||
[11]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
|
||||
[12]:http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
|
||||
[13]:http://www.geotrust.com/
|
||||
[14]:http://readwrite.com/2014/04/08/heartbleed-openssl-bug-cryptography-web-security
|
||||
[15]:http://osxdaily.com/2012/01/30/encrypt-and-decrypt-files-with-openssl/#
|
||||
[16]:http://www.google.com/patents/US4200770
|
||||
[17]:http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
|
||||
[18]:https://gist.github.com/laurenorsini/9925434
|
||||
[19]:http://linux.about.com/library/cmd/blcmdl8_sysctl.htm
|
||||
[20]:http://en.wikipedia.org/wiki/Firewall_(computing)
|
||||
[21]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
|
||||
[22]:http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side#awesm=~oB89WBfWrt21bV
|
||||
[23]:http://commons.wikimedia.org/wiki/File:Raspberry_Pi_Model_B_Rev._2.jpg
|
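Review bot: The `chmod 700` and `chown root` lines in step 11 target /etc/firewall-Openvpn-rules.sh with a capital O, but the file is created with nano as /etc/firewall-openvpn-rules.sh and the pre-up line uses the same lowercase name. On a case-sensitive filesystem both commands fail because that path does not exist, so the script is left without execute permission and the pre-up hook cannot run it. Suggest lowercasing both paths, or adding a translator's note. Several other commands will not survive copy-paste: `cp –r` and `openvpn –-genkey –-secret keys/ta.key` contain en dashes instead of ASCII hyphens, and `export EASY_RSA=”/etc/openvpn/easy-rsa”` uses curly quotes, which the shell keeps as literal characters in the value. The step number 6) is also used twice, once for building the CA and once for building client keys.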
@ -0,0 +1,154 @@
|
||||
Building A Raspberry Pi VPN Part Two: Creating An Encrypted Client Side
|
||||
================================================================================
|
||||
> You built a functional VPN server! Now what?
|
||||
|
||||
Welcome to Part Two of ReadWrite's Raspberry Pi VPN server tutorial!
|
||||
|
||||
By now, it's pretty apparent that turning your Raspberry Pi into a Virtual Private Network is an all-evening activity. But [as security flaws further compromise][1] our Internet lives, it feels increasingly worth it to have a secure server on your side. That way, you're free to write emails and transfer data without worrying about what or whom might be intercepting it as it travels from your computer to the Web.
|
||||
|
||||
[If you’ve followed the steps from Part One of this tutorial][2], you’ve got a fully functional VPN server on your Raspberry Pi. You can use this to connect securely to your home network wherever there’s an unencrypted wireless connection. You can also access shared files and media you keep stored on your home network.
|
||||
|
||||
Only, you can’t access those files just yet. We’ve created keys for clients (computers and devices) to use, but we haven’t told the clients where to find the server, how to connect, or which key to use.
|
||||
|
||||
If you remember, we created several different client keys for each of the devices we want to grant VPN access. We called them Client1, Client2 and Client3.
|
||||
|
||||
It'd be a lot of trouble to generate a new configuration file for each client from scratch, which is why we’ll use an ingenious script written by Eric Jodoin of the [SANS institute][3]. Instead of generating a file for each client on our own, this script will do it for us.
|
||||
|
||||
### Following The Script ###
|
||||
|
||||
The script will access our default settings to generate files for each client. The first thing we need to do, then, is create a blank text file in which those default settings can be read.
|
||||
|
||||
nano /etc/openvpn/easy-rsa/keys/Default.txt
|
||||
|
||||
Fill in the blank text file with the following:
|
||||
|
||||
client
|
||||
|
||||
dev tun
|
||||
|
||||
proto udp
|
||||
|
||||
remote <YOUR PUBLIC IP ADDRESS HERE> 1194
|
||||
|
||||
resolv-retry infinite
|
||||
|
||||
nobind
|
||||
|
||||
persist-key
|
||||
|
||||
persist-tun
|
||||
|
||||
mute-replay-warnings
|
||||
|
||||
ns-cert-type server
|
||||
|
||||
key-direction 1
|
||||
|
||||
cipher AES-128-CBC
|
||||
|
||||
comp-lzo
|
||||
|
||||
verb 1
|
||||
|
||||
mute 20
|
||||
|
||||
It should look like the screenshot below, except it should show your public IP address. You'll see that I deleted my own public IP address because that's private information you shouldn't be sharing around. On the other hand, local static IP addresses are very similar for everyone. They usually start with "192.168."
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.14.04%20AM.png)
|
||||
|
||||
Now, if you don’t have a static public IP address, you need to use a dynamic domain name system (DDNS) service to give yourself a domain name to put in place of the IP address. I recommend using the free service [DNS Dynamic][4], which lets you pick a name of your choice. Then on your Pi, you need to run DDclient to update your DDNS registry automatically. I wrote a full tutorial for how to do this [here][5].
|
||||
|
||||
As always, press Control+X to save and exit the nano editor.
|
||||
|
||||
Next, we need to create the actual script file. The script will run from a shell file, which is an executable script that usually automates tasks on Linux—including in this case.
|
||||
|
||||
nano /etc/openvpn/easy-rsa/keys/MakeOPVN.sh
|
||||
|
||||
[Here’s the script][6] Jodoin wrote. Copy and paste it into your blank shell file. (Note: This script was slightly off, due to—you guessed it—a copy-paste error. It should work now.)
|
||||
|
||||
You still need to give this script permission to run. First, go to the folder it’s in:
|
||||
|
||||
cd /etc/openvpn/easy-rsa/keys/
|
||||
|
||||
And then give it root privileges. If you remember from Part One, permissions in Linux are governed by [different three-digit numbers][7]. Seven hundred means "owner can read, write, and execute."
|
||||
|
||||
chmod 700 MakeOPVN.sh
|
||||
|
||||
Finally, execute the script with:
|
||||
|
||||
./MakeOPVN.sh
|
||||
|
||||
As the script runs, it'll ask you to input the names of the existing clients for whom you generated CA keys earlier. Example: “Client1.” Be sure to name only clients that already exist.
|
||||
|
||||
If all goes well, you should see this line appear:
|
||||
|
||||
Done! Client1.opvn Successfully Created.
|
||||
|
||||
Repeat this step for each existing client.
|
||||
|
||||
The last thing to do is connect to your Raspberry Pi so you can download files from it. You need to use a SCP (Secure Copy Protocol) client in order to do this. For Windows, I recommend [WinSCP][8]. For Mac, I’ve been using [Fugu][9].
|
||||
|
||||
Note: if you cannot get permission to connect to your SCP client, you’ll need to grant yourself read/write access to the folder. Back on the Raspberry Pi, write:
|
||||
|
||||
chmod 777 -R /etc/openvpn
|
||||
|
||||
Be sure to undo this when you’re done copying files, so others can’t do it! Put the permission back to [600][10] when you’re done, so only the Pi user can read/write files:
|
||||
|
||||
chmod 600 -R /etc/openvpn
|
||||
|
||||
Put it into your client and you’re done.
|
||||
|
||||
### Working With Client Software ###
|
||||
|
||||
Okay, the hard part is over. From here, we need to input the scripts we generated earlier into a Graphical User Interface. For your PC, Android, or iOS mobile device, you can download [OpenVPN Connect][11]. There isn't one for your Mac computer, so I tried both [Tunnelblick][12] and [Viscosity][13].
|
||||
|
||||
Tunnelblick is free, while Viscosity costs $9 after a free 30-day trial. In either case, let's walk through how to set up a Mac computer as a client.
|
||||
|
||||
In my case, my Mac is my fifth device that I want to connect to the VPN server, so the file I generated with the above script is named client5.opvn.
|
||||
|
||||
Download the version of Tunnelblick that works for your version of OS X. I'm using Mavericks, so I downloaded the [beta][14]. The fact that it popped up in a bunch of languages looked funny to me, but that's the legitimate download.
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.37.36%20AM.png)
|
||||
|
||||
Then, it'll ask if you already have a file you want to use. I did—my Client5.opvn file.
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.37.58%20AM.png)
|
||||
|
||||
It will then ask if your configuration file is in .opvn format or .tblk. If you select .opvn, it'll walk you through changing the file type to Tunnelblick's native type. I did this by transferring Client5.opvn into a folder Tunnelblick provided, and then changing the name of the folder to Client5.tblk.
|
||||
|
||||
Now you're all set to connect. Click the Tunnelblick icon on the top right of your screen and select Client5.
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.40.04%20AM.png)
|
||||
|
||||
It will ask you for a pass phrase. This is the same pass phrase we generated last tutorial, back when we were generating keys for each client.
|
||||
|
||||
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.42.33%20AM.png)
|
||||
|
||||
If you get the password right, it'll look like this!
|
||||
|
||||
Try out your new connection at coffee shop, the local library, anywhere there's unencrypted Wi-Fi. You may still be using the public connection, but over VPN, your data is anything but out in the open.
|
||||
|
||||
Illustration and screenshots by ReadWrite
|
||||
|
||||
--------------------------------------------------------------------------------
|
||||
|
||||
via: http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side
|
||||
|
||||
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
|
||||
|
||||
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
|
||||
|
||||
[1]:http://readwrite.com/2014/04/10/heartbleed-security-protect-yourself-data-passwords
|
||||
[2]:http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
|
||||
[3]:http://www.sans.org/
|
||||
[4]:https://www.dnsdynamic.org/
|
||||
[5]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
|
||||
[6]:https://gist.github.com/laurenorsini/10013430/revisions
|
||||
[7]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
|
||||
[8]:http://winscp.net/eng/index.php
|
||||
[9]:http://download.cnet.com/Fugu/3000-7240_4-26526.html
|
||||
[10]:http://linuxcommand.org/lts0070.php
|
||||
[11]:http://openvpn.net/
|
||||
[12]:https://code.google.com/p/tunnelblick/
|
||||
[13]:https://www.sparklabs.com/viscosity/
|
||||
[14]:https://code.google.com/p/tunnelblick/wiki/DownloadsEntry#Tunnelblick_Beta_Release
|
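Review bot: The SCP workaround runs `chmod 777 -R /etc/openvpn`, which leaves every file under that tree world-readable and world-writable while the copy is in progress, including the contents of /etc/openvpn/easy-rsa/keys where the client keys live. The follow-up `chmod 600 -R /etc/openvpn` does not restore the earlier state: it also clears the execute bit on the directories and on MakeOPVN.sh, which was set to 700 a few lines above. Suggest a translator's note recommending that only the generated client file be copied to a location the login user can read, or at least that the restore step keep the directories traversable. The article also spells the client file extension .opvn throughout (Client1.opvn, client5.opvn), while OpenVPN's usual profile extension is .ovpn; worth flagging in the translation so it is not carried over silently.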