document/TranslateProject
2
0
Fork 0
mirror of https://github.com/LCTT/TranslateProject.git synced 2025-01-13 22:30:37 +08:00
Code Issues Packages Projects Releases Wiki Activity

translated by ThomazL

Browse Source
This commit is contained in:
ThomazL 2014-04-25 16:21:55 +08:00
parent 96f46ab055
commit ebf4100c71
2 changed files with 150 additions and 328 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

328
sources/tech/Building A Raspberry Pi VPN Part One--How And Why To Build A Server.md
View File

@ -1,328 +0,0 @@
>Translating by ThomazL
Building A Raspberry Pi VPN Part One: How And Why To Build A Server
================================================================================
> Trust no one and build a server that encrypts your Web data from prying eyes.
Free, unencrypted wireless is everywhere, but you shouldn't be checking your bank account on it unless you dont mind somebody else snooping. The solution? A [virtual private network][1], or VPN.
A VPN extends your own private network into public places, so even if youre using Starbucks' Wi-Fi connection, your Internet browsing stays encrypted and secure.
There are plenty of ways to set up a VPN, both with [free and paid services][2], but each solution has its own pros and cons, determined by the way the VPN provider operates and charges and the kinds of VPN options it provides.
The easiest and cheapest solution to keep your data safe is to just abstain from public Wi-Fi completely. But that sounds a little extreme to me when its relatively simple and inexpensive to build your own VPN server at home, and run it off of a tiny, inexpensive ($35) Raspberry Pi.
My Raspberry Pi is about the size of a smartphone, but it runs a fully functional VPN server. That means no matter where I am, I can connect my computer to my home network and access shared files and media over a secure connection. It came in handy on a recent trip to Boston, where I was still able to watch videos stored on my network back home in DC.
This is the part where Id link you to a handy tutorial on how to set this up. The problem is one doesn't exist—or at least one that could satisfy this average computer user. And while there are plenty of tutorials about how to set up a VPN server on Raspberry Pi, there are very few that explain why.
I read several different tutorials and cobbled together the results into this semi-coherent tutorial for setting up a VPN on Raspberry Pi, which even I can understand, complete with the why behind the how. Most prominently, I relied on Eric Jodoin's VPN tutorial for experts, and dumbed it down for me.
So follow me down the cryptography rabbit hole and learn that no matter how paranoid you are, whoever came up with the methods to generate VPNs was even more so.
### Materials ###
#### Hardware ####
![](http://readwrite.com/files/Raspberry_Pi_Model_B_Rev._2.jpg)
**Raspberry Pi Model B**: Plus everything that comes with it—by that, I mean a regular power source and a case to put it in. A case can help prevent accidental short-circuits that could permanently damage the machine—the case can even be as simple as a cardboard box you fold yourself.
**SD card**: Im suggesting 8GB or more, just to make sure you have the space. As always for all Raspberry Pi projects, this should already have NOOBS installed.
**Cat5e cable**: This will connect the Pis ethernet port to the ethernet port on the router.
#### Software ####
[Open VPN][3]: This is the open source VPN service well be installing today.
### Pre-Project Requirements ###
1) You need to [set up NOOBS][4] and install [Raspbian][5]. I wrote a [step-by-step][6] for this in my quantified fish tank tutorial, so you can refer to it there.
2) You need a static IP address for the Raspberry Pi on your home network. This depends on the model of your router, so use the instructions provided by the routers manufacturer. If you dont already have this set up, [read ReadWrites tutorial][7].
3) You'll need SSH enabled. Well be connecting to the Raspberry Pi with [SSH][8], a connection tool that lets us access the Pi from another computer. This way, we dont need to set up the Pi to a monitor and wireless keyboard for this project. Once again, check ReadWrites [tutorial][9].
4) You'll need to forward port 1194 ([UDP traffic][10]) to your Raspberry Pis internal IP address, but the way you do this will vary depending on your router, so check with your router manufacturers information. If you want to use another port or TCP, thats fine, but just be sure to change 1194 in the tutorial to the correct number for you, and anywhere it says "UDP" to "TCP." You guessed it, there's a [ReadWrite tutorial][11] for this, too.
You can tell were building off of some more basic Raspberry Pi concepts, which is why building a VPN with Raspberry Pi isn't a good first project for most beginners.
### A Quick Word Of Caution ###
I've pasted the actual code I used to complete this project, but when going back through the tutorial myself, I noticed that copying and pasting the code from the article onto the command line often results in errors due to spacing and formatting. If you are having a problem with any step of this tutorial, my first troubleshooting suggestion is to rewrite the command manually!
### First Steps ###
1) Boot up and change your password. If youre still using the default username (pi) and password (raspberry), it makes the rest of this security project totally pointless!
Open up a terminal/PuTTY window and type:
sudo passwd
Change the username and password to something strong and memorable ([Microsoft offers some tips][12]), otherwise why bother building a private network?
2) Now lets be safe and update the Raspberry Pi. There are two commands you want to input:
sudo apt-get update
sudo apt-get upgrade
This shouldnt take long, and itll save us a troubleshooting step later on.
3) Next we need the open source software. Type:
sudo apt-get install openvpn
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%2010.22.19%20AM.png)
The Raspberry Pi is going to ask if youre sure, since it uses up a bit of space. But since we prepared by getting an 8GB or bigger SD card, were totally fine.
### Generating Keys ###
4) You dont want anyone who finds your VPN server address to be able to connect. So next, were going to make a key for the server address. Its just like keeping the door to your house locked.
OpenVPN comes with Easy_RSA, a light and easy package for using the RSA encryption method. Developed in 1977, RSA was one of the first usable cryptosystems that is still used today. The encryption key is public, while the decryption key is secret. If youve read anything about how Bitcoin works, this might sound a bit familiar.
With Easy_RSA, you run an algorithm that comes with the software to generate a new unique key.
So first, lets give ourselves superuser privileges. Youll know its working when the command line prompt switches from “pi@raspberrypi” to “root@raspberrypi.”
sudo -s
This command creates another instance of the window were working in, but with root privileges. The reason we need to do this is because if we dont, the Raspberry Pi will try and tell us we dont have permission to mess around with making keys.
So next, we type:
cp r /usr/share/doc/openvpn/examples/easy-rsa/2.0 /etc/openvpn/easy-rsa
Here, “cp” stands for copy and “-r” stands for recursive (having to do with smaller instances, too). That means were telling the computer, “Copy this directory and everything underneath it.”
The space between **/2.0** and **/etc** means were copying the first address (an example file) into the second folder, which is where youll tell OpenVPN to find your keys.
cd /etc/openvpn/easy-rsa
5) Next, we need to cd, or change directory, to the place we just moved the Easy_RSA file. Once there, we need to open the file **/etc/openvpn/easy-rsa/vars** for editing. We could do that by writing nano **/etc/openvpn/easy-rsa/vars**, but since were in the folder, theres a shortcut:
nano vars
Nano is a built-in editing tool on Raspbian, and while there are others out there for more tech-savvy people, were just going to use nano for all our text editing in this tutorial.
Now, find and change EASY_RSA variable to:
export EASY_RSA=”/etc/openvpn/easy-rsa”
For me, it was on line 13.
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%2010.26.48%20AM.png)
Why make this change? Basically, youre answering the computers question, “Where do you want the file to go to?” We want it to export to the same folder where we will keep our keys—in this case, the top level of the easy-rsa file tree.
Theres one extra thing you can do in vars if youre paranoid about the Illuminati reading your email—change the encryption method from 1024-bit to 2048-bit. The document literally says, “increase this to 2048 if you are paranoid.”
But since that method makes keys take way longer to generate, were not doing it here. Well keep it looking like the text below:
export KEY_SIZE=1024
Type **Control+X** to save your changes and exit the nano editor.
### Getting Cryptographic ###
6) Its time to build the CA Certificate and Root CA certificate.
In cryptography, a certificate authority (CA) is an entity that issues digital certificates. The digital certificate certifies the ownership of a public key.
You probably use this all the time and dont even know it. For example, when I log into my bank account, I see an HTTPS in front of the address. If I click on the lock, I see that a company called [GeoTrust][13] verified my bank websites legitimacy, so I know it's not a phishing scam. (Of course, the recent [Heartbleed bug][14] revealed that HTTPS isn't the security measure we all used to think it was.)
In the case of Raspberry Pi, Im acting as my own certificate authority and signing off on the OpenVPN keys myself, instead of trusting it to a third party company.
cd /etc/openvpn/easy-rsa
Now that weve changed directories, type each of these lines one after another:
**source ./vars** → This “sources” or loads the vars document you edited earlier.
**./clean-all** → This will remove any previous keys, if there are any. If you have keys you dont want to remove in this folder (like youre doing this tutorial a second time), skip this command.
**./build-ca** → This final line builds your certificate authority.
After the third command, the Raspberry Pi is going to shoot back with a bunch of optional fields for you to fill out if you want to—Country Name, State or Province Name, Locality Name, Organization Name, Organizational Unit, Common Name, Name, and Email Address. If you don't care to fill out these fields, just hit “enter” each instance to have the Pi fill in the default value. The screenshot below shows what that looks like:
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.32.35%20PM.png)
Now you can name the server. I creatively named mine “Server.” Call it whatever you want, but dont forget it:
./build-key-server [Server_Name]
Once again, the Pi is going to spit out some optional fields. Press enter or whatever you want, but pay attention to these three fields:
**Common Name** MUST be the server name you picked. It should default to this.
**A challenge password?** MUST be left blank.
**Sign the certificate? [y/n]** Obviously, you must type “y.”
Youll get a message that says the certificate will be certified for 3,650 more days. So basically if you use your VPN long enough, youll have to do this process again in 10 years.
**1 out of 1 certificate requests certified, commit? [y/n]** Obviously, type “y.”
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.35.28%20PM.png)
6) Thats the server side setup. Now its time to build keys for each user, or "client." I have five keys at home—one for each computer, tablet, and cell phone in the house. Its possible to be lazy and create just one client key for all of them, but in that case, only one device would be able to access the VPN at a time.
./build-key-pass UserName
I found it simplest to make the usernames Client1, Client2, Client3…
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.37.00%20PM.png)
And after that, more prompts!
**Enter PEM pass phrase** Make it a password you will remember! It asks you to input this twice, so theres no danger of ruining it.
**A challenge password?** MUST be left blank.
**Sign the certificate? [y/n]** Signing certifies it for 10 more years.
cd keys
openssl rsa -in Client1.key -des3 -out Client1.3des.key
The important takeaway from this string of text is that were using des3 encryption, in which a complex [encryptionalgorithm][15] that's applied three times to each data block to keep hackers from breaking through it with brute force. OpenSSL stands for an open source implementation of Secure Socket Layer, a standard method of setting up a secure connection. You need to perform this step for every client you set up.
Some argue this step is unnecessary, and that you could simply skip this line. But if youre running OpenVPN Connect clients on Android or iOS, this needs to be done. Otherwise, current versions could have difficulty parsing the keys you just generated.
Enter pass phrase for Client1.key
Honestly, I just used the same passphrase as before. And then two more times, as shown.
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.40.04%20PM.png)
Now that weve created a server certificate and (at least one) client certificate, type the following:
cd /etc/openvpn/easy-rsa/
OR
cd ..
Either way, the computer will take you up one directory, back to /easy-rsa/.
7) Now lets generate the [Diffie-Hellman key exchange][16]. This is the central code that makes your VPN server tick, an exchange that lets two entities with no prior knowledge of one another share secret keys over a public server. Like RSA, its one of the earliest cryptosystems out there.
./build-dh
This could take a while, longer if youre on 2048-bit encryption. Theres no way really to predict how long it will take because it is using random numbers and looking for some specific relationships. In fact, while I was making this tutorial, it only took 5 minutes with 1024-bit encryption.
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.41.40%20PM.png)
8) Finally, were going to implement OpenVPNs build-in Denial of Service (DoS) attack protection. You might already know that a DoS attack is successful when a hacker finds out your servers address, and generates such a large number of access requests that your server crashes.
OpenVPN has a way to prevent this kind of attack from occurring before it even starts by generating a static pre-shared [hash-based message authentication code][17] (HMAC) key. With this in place, the server won't even entertain the idea of authenticating an access request unless it detects this static key first. Thus, a hacker cant just spam the server with random repeated requests.
Generate the static HMAC key with the following line:
openvpn -genkey -secret keys/ta.key
### Putting It All Together ###
9) Weve generated keys and a Certificate Authority to sign them. What were still missing are the settings to tell OpenVPN how we want this server configured.
The OpenVPN program is already running. The problem is, it doesnt know which keys to use, where youre going to be connecting from, what kind of connection youre building, or which IP address and port to use.
Since were using Linux on a Raspberry Pi, theres no graphical user interface (GUI) for telling OpenVPN what it needs to know. Thats why we have to actually create a .conf (configuration) file in the nano editor off of the command line.
nano /etc/openvpn/server.conf
the reason were starting this address with /etc/openvpn is so it will end up in the openvpn folder. But for now, this file is completely blank. [Fill it in with this][18]. I commented in all caps where you absolutely need to change numbers and titles to your own IP address/names. Hit Control+X to save your changes.
10) Lets quickly edit another configuration file. By default, Raspbian does not forward Internet traffic. We need to edit another file to allow the Pi to forward Internet traffic through our new network.
nano /etc/sysctl.conf
Near the top it says, “Uncomment the next line to enable packet forwarding for IPv4.” I've highlighted that part of the file in the screenshot below.
![](http://readwrite.com/files/Screen%20Shot%202014-04-09%20at%207.46.38%20PM.png)
To uncomment the line, remove the # immediately in front of it. This is setting up the configuration so it knows to forward to IPv4. Now that youve uncommented this line, the Pi has permission to act as a relay on the Internet instead of just a receiver, by both sending and receiving packets.
Hit Control+X to save your changes. Apply these changes by typing the following command:
sysctl -p
The sysctl command “[configures kernel parameters at runtime][19].” The -p tells it to reload the file with the changes you just made.
11) We just made a functioning server that can access the Internet. But we cant use it yet because Raspbian has a built-in [firewall][20] that will block incoming connections.
Raspbian has a firewall to protect your Raspberry Pi from unknown and unexpected Internet sources. We still want the firewall to protect us from most incoming and outgoing network traffic, but we need to poke an OpenVPN-shaped hole in the firewall.
Additionally, Raspbians firewall configuration resets by default when you reboot the Pi. We want to make sure it remembers the OpenVPN connection is always permitted, so what were going to do is create a simple script which runs on boot:
nano /etc/firewall-openvpn-rules.sh
This is currently a blank shell executable file. Fill it with this:
#!/bin/sh
iptables -t nat -A POSTROUTING -s 10.8.0.0/24 -o eth0 -j SNAT --to-source 192.168.XX.X
Dont forget to change the default IP address to your Pis IP address!
Lets break this down: 10.8.0.0 is the default address for Raspberry Pi for clients that are connected to the VPN. "eth0" stands for ethernet port. Switch this to "wlan0" if youre on a wireless connection, which is not recommended. Hit Control+X to save your changes.
As a safety measure, files you create are not executable by default, so well need to change the permissions and ownership of **/etc/firewall-openvpn-rules.sh**. First well change the mode to [700][21] (owner can read, write, and execute). Then, well change the owner to root, in which “root” is Linuxs standard name for the superuser.
chmod 700 /etc/firewall-Openvpn-rules.sh
chown root /etc/firewall-Openvpn-rules.sh
12) Weve created the script that punches an OpenVPN-shaped hole in the firewall. Now we just need to inject it into the interfaces setup code so it runs on boot.
nano /etc/network/interfaces
Find the line that goes: “iface eth0 inet dhcp.” We want to add a line below it at an indent. So this is what the two lines, existing and new, will look like when youre done:
iface eth0 inet dhcp
pre-up /etc/firewall-openvpn-rules.sh
Hit Control+X to save your changes (as you should be doing whenever you use nano).
Finally, finally, finally: Reboot your Pi.
sudo reboot
Congratulations! That's the server! Again, it's no good if you don't have a client computer to connect with it, so remember the client names and keys you generated in step six, and then move onto [Part Two of this tutorial][22] to learn how to create an encrypted client side.
Raspberry Pi Model B photo by [Tors][23]. All other screenshots by Lauren Orsini. Illustration via ReadWrite.
--------------------------------------------------------------------------------
via: http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
译者:[译者ID](https://github.com/译者ID) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://en.wikipedia.org/wiki/Virtual_private_network
[2]:http://netforbeginners.about.com/od/readerpicks/tp/The-Best-VPN-Service-Providers.htm
[3]:http://openvpn.net/
[4]:http://learn.adafruit.com/setting-up-a-raspberry-pi-with-noobs/overview
[5]:http://www.raspbian.org/
[6]:http://readwrite.com/2014/03/04/raspberry-pi-quantified-fish-acquarium
[7]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
[8]:http://en.wikipedia.org/wiki/Secure_Shell
[9]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
[10]:http://en.wikipedia.org/wiki/User_Datagram_Protocol
[11]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial?utm_content=readwrite3-orionautotweet&awesm=readwr.it_b1UN&utm_campaign=&utm_medium=readwr.it-twitter&utm_source=t.co#awesm=~oAXilI0BMOHsS3
[12]:http://windows.microsoft.com/en-us/windows-vista/tips-for-creating-a-strong-password
[13]:http://www.geotrust.com/
[14]:http://readwrite.com/2014/04/08/heartbleed-openssl-bug-cryptography-web-security
[15]:http://osxdaily.com/2012/01/30/encrypt-and-decrypt-files-with-openssl/#
[16]:http://www.google.com/patents/US4200770
[17]:http://en.wikipedia.org/wiki/Hash-based_message_authentication_code
[18]:https://gist.github.com/laurenorsini/9925434
[19]:http://linux.about.com/library/cmd/blcmdl8_sysctl.htm
[20]:http://en.wikipedia.org/wiki/Firewall_(computing)
[21]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
[22]:http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side#awesm=~oB89WBfWrt21bV
[23]:http://commons.wikimedia.org/wiki/File:Raspberry_Pi_Model_B_Rev._2.jpg

150
translated/tech/Building A Raspberry Pi VPN Part Two--Creating An Encrypted Client Side.md Normal file
View File

@ -0,0 +1,150 @@
在树莓派上建立VPN~第二部分~:建立加密客户端
================================================================================
> 你已经成功搭建了一个工作中的VPN服务器! 现在该干什么了?
欢迎来到ReadWrite的树莓派VPN搭建教程的第二部分!
到现在为止, 我们已经很清楚地摆平了将你的树莓派变成了一个虚拟私人网络这个工作. 但是随着[未来安全漏洞对互联网生活的妥协][1], 让我们感觉拥有一个安全的服务器在你的身边越来越重要了. 通过这样, 你就可以不用担心有人在信息传输于你的电脑和互联网时拦截信息, 自由地写邮件以及传输数据了.
[如果你看了此教程的第一部分][2], 你应该在你的树莓派上已经配置完一个拥有完全功能的VPN服务器了. 你可以在有免费WiFi时用这个服务器来传输加密信息了. 你也可以访问保存于你家里网络中已分享的文件以及媒体.
只是, 你现在还无法访问. 我们现在已经为客户端(计算机和移动设备)创建了访问的密钥, 但是我们还没有告诉客户端服务器的访问地址, 如何连接, 以及用什么密钥访问.
你应该记得, 我们已经为需要连接VPN的不同客户端创建了不同的密钥. 我们将客户端命名为 Client1, Client2 和 Client3.
但是为每个客户端从零单独生成一个配置文件会造成很多不必要的麻烦, 这就是为什么我们需要使用[SANS institute][3]的Eric Jodoin写的巧妙的脚本. 这个脚本会帮助我们生成配置文件.
### 跟随脚本 ###
这个脚本会访问我们的默认设置, 从而为每一个客户端生成各自的配置文件. 我们需要做的第一件事是, 创建一个空的刻度文本文档并写入我们的默认配置.
nano /etc/openvpn/easy-rsa/keys/Default.txt
写入下面的文本:
client
dev tun
proto udp
remote <你的公网ip地址> 1194
resolv-retry infinite
nobind
persist-key
persist-tun
mute-replay-warnings
ns-cert-type server
key-direction 1
cipher AES-128-CBC
comp-lzo
verb 1
mute 20
这个文档应该长的和下面的截屏差不多, 除了你应该填入你自己的公网ip地址之外. 你注意到了我已经把我的公网ip删除了, 当然这是为了保护我的隐私. 换句话说, 每个人的本地静态ip都差不多. 他们都以 "192.268." 起头.
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.14.04%20AM.png)
如果你没有一个公网ip的话, 你需要使用动态DNS服务来给你自己一个域名来代替公网ip. 我建议你使用免费服务[DNS Dynamic][4], 它允许你取自己选择的名字. 然后在你的树莓派上, 你需要运行DDclient来自动更新你的DDNS登记. 我在[这里][5]写过一篇完整的教程.
同样, 按 Control+X 来保存文件并推出nano.
接下来, 我们需要创建一个实际的脚本. 一个可执行脚本通常从shell启动, 可以自动化一些我们需要做的工作.
nano /etc/openvpn/easy-rsa/keys/MakeOPVN.sh
[这里][6]是脚本文件, 由Jodoin编写. 将内容复制粘贴至编辑器(注意一下复制粘贴中产生的问题).
你需要将执行权限赋予给这个脚本. 首先改变所在目录:
cd /etc/openvpn/easy-rsa/keys/
然后给予其root权限. 如果你还记得第一部分教程的内容的话, Linux中的权限管理由[不同的3位数字][7]实现. 700表示"所有者可以读,写,执行".
chmod 700 MakeOPVN.sh
最后, 执行文件:
./MakeOPVN.sh
在脚本运行途中, 他会要求你输入现有的客户端名称. 实例: "Client1". 注意只输入已经存在的客户端名称.
如果一切运行良好的话, 你应该会看到下面这行字弹出:
Done! Client1.opvn Successfully Created.
为剩下的客户端都执行这一步.
最后要做的事是将客户端连上树莓派, 然后你就可以从客户端下载文件了. 你需要使用一个SCP (Secure Copy Protocol)客户端来实现它. 在Windows中, 我推荐[WinSCP][8]. 我一直在mac中使用[Fugu][9].
注意: 如果你没有连接SCP客户端的权限, 你需要为自己授权在此文件夹的读/写权限. 回到树莓派中输入:
chmod 777 -R /etc/openvpn
注意在你复制完文件后取消这一步, 从而其他人不能从这里下载文件! 完成之后将权限改为[600][10], 使树莓派的用户能读/写文件:
chmod 600 -R /etc/openvpn
完成后回到客户端.
### 使用客户端软件 ###
好了,困难的部分都结束了. 从这里开始我们需要将之前生成的脚本输入图形用户界面. 对PC, Android或者iOS手机来说, 你可以下载[OpenVPN Connect][11]. 但是这个软件没有mac版, 所以我尝试了[Tunnelblick][12]和[Viscosity][13].
Tunnelblick 是免费的, 但是Viscosity在免费30天尝试之后需要9美刀来购买. 不管怎么样, 我们来尝试下将mac连入我们的服务器吧.
在我的情况下, mac是我第5个连接VPN的客户端, 所以我生成的文件名叫做client5.opvn.
下载可以在你的OS X版本下运行的Tunnelblick. 我在使用Mavericks, 所以我下载了[beta][14]版. 虽然这个软件有很多我看起来很好笑的语言弹出, 但这真的是一个合法的下载.
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.37.36%20AM.png)
然后它会问你, 你的配置文件是.opvn或.tblk. 如果你选择了.opvn它会带你将文件格式转换成Tunnelblick本地格式. 我把Client.opvn传送至Tunnelblick提供的文件夹, 然后把文件夹的名字改为了Client5.tblk.
好啦, 你已经可以连接了. 点击屏幕右上方Tunnelblick的标志然后选择Client5.
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.40.04%20AM.png)
它会问你是否传输密码文本, 这个密码和上篇中我们生成各个客户端时使用的密码是同样的.
![](http://readwrite.com/files/Screen%20Shot%202014-04-10%20at%2011.42.33%20AM.png)
如果你密码输入正确, 你会获得像上面这样的情况.
尝试在咖啡厅, 图书馆或任何有免费WiFi的地方连接VPN. 通过使用VPN, 即使你连接的是公共网络, 你的数据仍然是安全的.
教程展示于ReadWrite.
--------------------------------------------------------------------------------
via: http://readwrite.com/2014/04/11/building-a-raspberry-pi-vpn-part-two-creating-an-encrypted-client-side
译者:[ThomazL](https://github.com/ThomazL) 校对:[校对者ID](https://github.com/校对者ID)
本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创翻译,[Linux中国](http://linux.cn/) 荣誉推出
[1]:http://readwrite.com/2014/04/10/heartbleed-security-protect-yourself-data-passwords
[2]:http://readwrite.com/2014/04/10/raspberry-pi-vpn-tutorial-server-secure-web-browsing
[3]:http://www.sans.org/
[4]:https://www.dnsdynamic.org/
[5]:http://readwrite.com/2014/04/09/raspberry-pi-projects-ssh-remote-desktop-static-ip-tutorial
[6]:https://gist.github.com/laurenorsini/10013430/revisions
[7]:http://www.thinkplexx.com/learn/article/unix/command/chmod-permissions-flags-explained-600-0600-700-777-100-etc
[8]:http://winscp.net/eng/index.php
[9]:http://download.cnet.com/Fugu/3000-7240_4-26526.html
[10]:http://linuxcommand.org/lts0070.php
[11]:http://openvpn.net/
[12]:https://code.google.com/p/tunnelblick/
[13]:https://www.sparklabs.com/viscosity/
[14]:https://code.google.com/p/tunnelblick/wiki/DownloadsEntry#Tunnelblick_Beta_Release