translated

6个开源工具制作自己的VPN

sources/tech/20180831 6 open source tools for making your own VPN.md

@@ -1,110 +0,0 @@
-heguangzhi Translating
-
-6 open source tools for making your own VPN
-======
-
-![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/vpn_scrabble_networking.jpg?itok=pdsUHw5N)
-
-If you want to try your hand at building your own VPN but aren’t sure where to start, you’ve come to the right place. I’ll compare six of the best free and open source tools to set up and use a VPN on your own server. These VPNs work whether you want to set up a site-to-site VPN for your business or just create a remote access proxy to unblock websites and hide your internet traffic from ISPs.
-
-Which is best depends on your needs and limitations, so take into consideration your own technical expertise, environment, and what you want to achieve with your VPN. In particular, consider the following factors:
-
-  * VPN protocol
-  * Number of clients and types of devices
-  * Server distro compatibility
-  * Technical expertise required
-
-
-
-### Algo
-
-[Algo][1] was designed from the bottom up to create VPNs for corporate travelers who need a secure proxy to the internet. It “includes only the minimal software you need,” meaning you sacrifice extensibility for simplicity. Algo is based on StrongSwan but cuts out all the things that you don’t need, which has the added benefit of removing security holes that a novice might otherwise not notice.
-
-As an added bonus, it even blocks ads!
-
-Algo supports only the IKEv2 protocol and Wireguard. Because IKEv2 support is built into most devices these days, it doesn’t require a client app like OpenVPN. Algo can be deployed using Ansible on Ubuntu (the preferred option), Windows, RedHat, CentOS, and FreeBSD. Setup is automated using Ansible, which configures the server based on your answers to a short set of questions. It’s also very easy to tear down and re-deploy on demand.
-
-Algo is probably the easiest and fastest VPN to set up and deploy on this list. It’s extremely tidy and well thought out. If you don’t need any of the more advanced features offered by other tools and just need a secure proxy, it’s a great option. Note that Algo explicitly states it’s not meant for geo-unblocking or evading censorship, and was primarily designed for confidentiality.
-
-### Streisand
-
-[Streisand][2] can be installed on any Ubuntu 16.04 server using a single command; the process takes about 10 minutes. It supports L2TP, OpenConnect, OpenSSH, OpenVPN, Shadowsocks, Stunnel, Tor bridge, and WireGuard. Depending on which protocol you choose, you may need to install a client app.
-
-In many ways, Streisand is similar to Algo, but it offers more protocols and customization. This takes a bit more effort to manage and secure but is also more flexible. Note Streisand does not support IKEv2. I would say Streisand is more effective for bypassing censorship in places like China and Turkey due to its versatility, but Algo is easier and faster to set up.
-
-The setup is automated using Ansible, so there’s not much technical expertise required. You can easily add more users by sending them custom-generated connection instructions, which include an embedded copy of the server’s SSL certificate.
-
-Tearing down Streisand is a quick and painless process, and you can re-deploy on demand.
-
-### OpenVPN
-
-[OpenVPN][3] requires both client and server applications to set up VPN connections using the protocol of the same name. OpenVPN can be tweaked and customized to fit your needs, but it also requires the most technical expertise of the tools covered here. Both remote access and site-to-site configurations are supported; the former is what you’ll need if you plan on using your VPN as a proxy to the internet. Because client apps are required to use OpenVPN on most devices, the end user must keep them updated.
-
-Server-side, you can opt to deploy in the cloud or on your Linux server. Compatible distros include CentOS, Ubuntu, Debian, and openSUSE. Client apps are available for Windows, MacOS, iOS, and Android, and there are unofficial apps for other devices. Enterprises can opt to set up an OpenVPN Access Server, but that’s probably overkill for individuals, who will want the Community Edition.
-
-OpenVPN is relatively easy to configure with static key encryption, but it isn’t all that secure. Instead, I recommend setting it up with [easy-rsa][4], a key management package you can use to set up a public key infrastructure. This allows you to connect multiple devices at a time and protect them with perfect forward secrecy, among other benefits. OpenVPN uses SSL/TLS for encryption, and you can specify DNS servers in your configuration.
-
-OpenVPN can traverse firewalls and NAT firewalls, which means you can use it to bypass gateways and firewalls that might otherwise block the connection. It supports both TCP and UDP transports.
-
-### StrongSwan
-
-You might have come across a few different VPN tools with “Swan” in the name. FreeS/WAN, OpenSwan, LibreSwan, and [strongSwan][5] are all forks of the same project, and the lattermost is my personal favorite. Server-side, strongSwan runs on Linux 2.6, 3.x, and 4x kernels, Android, FreeBSD, macOS, iOS, and Windows.
-
-StrongSwan uses the IKEv2 protocol and IPSec. Compared to OpenVPN, IKEv2 connects much faster while offering comparable speed and security. This is useful if you prefer a protocol that doesn’t require installing an additional app on the client, as most newer devices manufactured today natively support IKEv2, including Windows, MacOS, iOS, and Android.
-
-StrongSwan is not particularly easy to use, and despite decent documentation, it uses a different vocabulary than most other tools, which can be confusing. Its modular design makes it great for enterprises, but that also means it’s not the most streamlined. It’s certainly not as straightforward as Algo or Streisand.
-
-Access control can be based on group memberships using X.509 attribute certificates, a feature unique to strongSwan. It supports EAP authentication methods for integration into other environments like Windows Active Directory. StrongSwan can traverse NAT firewalls.
-
-### SoftEther
-
-[SoftEther][6] started out as a project by a graduate student at the University of Tsukuba in Japan. SoftEther VPN Server and VPN Bridge run on Windows, Linux, OSX, FreeBSD, and Solaris, while the client app works on Windows, Linux, and MacOS. VPN Bridge is mainly for enterprises that need to set up site-to-site VPNs, so individual users will just need the server and client programs to set up remote access.
-
-SoftEther supports the OpenVPN, L2TP, SSTP, and EtherIP protocols, but its own SoftEther protocol claims to be able to be immunized against deep packet inspection thanks to “Ethernet over HTTPS” camouflage. SoftEther also makes a few tweaks to reduce latency and increase throughput. Additionally, SoftEther includes a clone function that allows you to easily transition from OpenVPN to SoftEther.
-
-SoftEther can traverse NAT firewalls and bypass firewalls. On restricted networks that permit only ICMP and DNS packets, you can utilize SoftEther’s VPN over ICMP or VPN over DNS options to penetrate the firewall. SoftEther works with both IPv4 and IPv6.
-
-SoftEther is easier to set up than OpenVPN and strongSwan but is a bit more complicated than Streisand and Algo.
-
-### WireGuard
-
-[WireGuard][7] is the newest tool on this list; it's so new that it’s not even finished yet. That being said, it offers a fast and easy way to deploy a VPN. It aims to improve on IPSec by making it simpler and leaner like SSH.
-
-Like OpenVPN, WireGuard is both a protocol and a software tool used to deploy a VPN that uses said protocol. A key feature is “crypto key routing,” which associates public keys with a list of IP addresses allowed inside the tunnel.
-
-WireGuard is available for Ubuntu, Debian, Fedora, CentOS, MacOS, Windows, and Android. WireGuard works on both IPv4 and IPv6.
-
-WireGuard is much lighter than most other VPN protocols, and it transmits packets only when data needs to be sent.
-
-The developers say WireGuard should not yet be trusted because it hasn’t been fully audited yet, but you’re welcome to give it a spin. It could be the next big thing!
-
-### Homemade VPN vs. commercial VPN
-
-Making your own VPN adds a layer of privacy and security to your internet connection, but if you’re the only one using it, then it would be relatively easy for a well-equipped third party, such as a government agency, to trace activity back to you.
-
-Furthermore, if you plan to use your VPN to unblock geo-locked content, a homemade VPN may not be the best option. Since you’ll only be connecting from a single IP address, your VPN server is fairly easy to block.
-
-Good commercial VPNs don’t have these issues. With a provider like [ExpressVPN][8], you share the server’s IP address with dozens or even hundreds of other users, making it nigh-impossible to track a single user’s activity. You also get a huge range of hundreds or thousands of servers to choose from, so if one has been blacklisted, you can just switch to another.
-
-The tradeoff of a commercial VPN, however, is that you must trust the provider not to snoop on your internet traffic. Be sure to choose a reputable provider with a clear no-logs policy.
-
---------------------------------------------------------------------------------
-
-via: https://opensource.com/article/18/8/open-source-tools-vpn
-
-作者：[Paul Bischoff][a]
-选题：[lujun9972](https://github.com/lujun9972)
-译者：[译者ID](https://github.com/译者ID)
-校对：[校对者ID](https://github.com/校对者ID)
-
-本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
-
-[a]: 
-[1]: https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
-[2]: https://github.com/StreisandEffect/streisand
-[3]: https://openvpn.net/
-[4]: https://github.com/OpenVPN/easy-rsa
-[5]: https://www.strongswan.org/
-[6]: https://www.softether.org/
-[7]: https://www.wireguard.com/
-[8]: https://www.comparitech.com/vpn/reviews/expressvpn/

translated/tech/20180831 6 open source tools for making your own VPN.md

@@ -0,0 +1,137 @@
+heguangzhi Translating
+
+6个开源工具制作自己的VPN
+======
+
+
+
+
+![](https://opensource.com/sites/default/files/styles/image-full-size/public/lead-images/vpn_scrabble_networking.jpg?itok=pdsUHw5N)
+
+如果您想尝试建立您自己的 VPN，但是不确定从哪里开始，那么您来对地方了。我将挑选6个最好的免费和开源工具在您自己的服务器上搭建和使用 VPN。这些 VPN 软件不管您是想为您的企业建立站点到站点的，还是仅创建远程代理访问以解除访问限制，并隐藏来自ISP的互联网流量都可以得到解决。
+
+根据您的需求和条件，并参考您自己的技术特长，环境以及您想要通过 VPN 实现的目标。需要考虑以下因素：
+
+  * VPN 协议
+  * 客户端的数量和设备类型
+  * 服务端的兼容性
+  * 技术专业的能力
+
+### Algo
+
+
+[Algo][1] 是从下往上的设计的，为需要互联网安全代理的企业创建 VPN 专用网。它“只包括您需要的最小化的软件”，这意味着您为了简单而牺牲了可扩展性。Algo 是基于 StrongSwan 的，但是删除了所有您不需要的东西，这有另外一个好处，那就是删除了新手可能不会注意到的安全漏洞。
+
+
+作为额外的奖励，它甚至屏蔽了广告！ 
+
+Algo supports only the IKEv2 protocol and Wireguard. Because IKEv2 support is built into most devices these days, it doesn’t require a client app like OpenVPN. Algo can be deployed using Ansible on Ubuntu (the preferred option), Windows, RedHat, CentOS, and FreeBSD. Setup is automated using Ansible, which configures the server based on your answers to a short set of questions. It’s also very easy to tear down and re-deploy on demand.
+
+
+Algo 只支持 IKEv2 协议和 Wireguard 。因为 IKEv2 支持现在已经内置在大多数设备中，所以它不需要像 OpenVPN 这样的客户端应用程序。Algo 可以使用 Ansible 在 Ubuntu (首选选项)、Windows、RedHat、CentOS 和 FreeBSD 上部署。自动化的安装 Ansible，它根据您对一组简短问题的回答来配置服务。终止和重新部署也非常容易。
+
+
+Algo 可能是在本篇文章中安装和部署的最简单和最快的VPN。它非常简洁，考虑周全。如果您不需要其他工具提供的任何更高级的功能，只需要一个安全的代理，这是一个很好的选择。请注意，Algo 明确表示，它不是为了解除地理封锁或逃避审查，主要是为了加密。
+
+### Streisand
+
+
+
+[Streisand][2] 可以使用一个命令安装在任何 Ubuntu 16.04 服务器上；这个过程大约需要10分钟。它支持 L2TP、OpenConnect、OpenSSH、OpenVPN、Shadowsocks、Stunnel、Tor bridge 和 WireGuard。根据您选择的协议，您可能需要安装客户端应用程序。
+
+
+在很多方面，Streisand 与 Algo 相似，但是它提供了更多的协议和定制。这需要更多的工作来管理和维护，但也更加灵活。注意 Streisand 不支持 IKEv2 。我认为 Streisand 在中国和土耳其这样的地方绕过审查制度更有效，因为它的多功能性，但是 Algo 更容易和更快地安装。
+
+
+使用 Ansible 可以自动化安装，所以不需要太多的专业技术知识。通过向用户发送自定义生成的连接指令，包括服务器 SSL 证书的嵌入副本，可以轻松添加更多用户。
+
+
+卸载 Streisand 是一个快速无痛的过程，您可以按需重新部署。
+
+### OpenVPN
+
+
+[OpenVPN][3] 要求客户端和服务器应用程序使用同名协议建立 VPN 连接。OpenVPN 可以根据您的需求进行调整和定制，但它也需要更多专业技术知识。支持远程访问和站点到站点配置；如果您计划使 VPN 作为互联网的代理，前者是您需要的。因为客户端应用程序需要在大多数设备上使用 OpenVPN ，最终用户必须保持更新。
+
+
+在服务器端，您可以选择部署在云中或 Linux 服务器上。兼容的发行版包括 CentOS 、Ubuntu 、Debian 和 openSUSE。Windows 、MacOS 、iOS 和 Android 都有客户端应用程序，其他设备也有非官方应用程序。企业可以选择设置一个 OpenVPN 接入服务器，但是对于想要社区版的个人来说，这可能太过分了。
+
+
+OpenVPN 相对容易配置静态密钥加密，但并不完全安全。相反，我建议使用 [easy-rsa][4] 来设置它，这是一个密钥管理包，可以用来设置公钥基础设施。这允许您一次连接多个设备，并以完美的前向保密和其他好处来保护它们。OpenVPN 使用 SSL/TLS 进行加密，您可以在配置中指定 DNS 服务器。
+
+
+OpenVPN 可以穿越防火墙和 NAT 防火墙，这意味着您可以使用它绕过网关和防火墙，否则它们可能会阻止连接。它同时支持 TCP 和 UDP 传输。
+
+### StrongSwan
+
+您可能会遇到一些不同的 VPN 工具，名称中有“Swan”。FreeS/WAN, 、OpenSwan、LibreSwan和[strongSwan][5] 都是同一个项目的分叉，后者是我个人最喜欢的。服务器端，strongSwan 运行在 Linux 2.6、3.x和4x内核、Android、FreeBSD、macOS、iOS 和 Windows上。
+
+
+StrongSwan 使用 IKEv2 协议和 IPSec 。与 OpenVPN 相比，IKEv2 连接速度更快，同时提供了很好的速度和安全性。如果您更喜欢不需要在客户端安装额外应用程序的协议，这将非常有用，因为现在生产的大多数新设备都支持 IKEv2,，包括 Windows、MacOS、iOS和Android。 
+
+StrongSwan 并不特别容易使用，尽管文档不错，但它使用的词汇与大多数其他工具不同，这可能会让人比较困惑。它的模块化设计让它对企业来说很棒，但这也意味着它不是最精简。这当然不像 Algo 或Streisand 那么简单。
+
+
+访问控制可以基于使用X.509 属性证书的组成员身份，这是 strongSwan 独有的功能。它支持用于集成到其他环境(如Windows Active Directory )中的EAP身份验证方法。strongSwan可以穿越NAT 网络防火墙。 
+
+### SoftEther
+
+
+[SoftEther][6] 是由日本筑波大学的一名研究生发起的一个项目。SoftEther VPN 服务器和 VPN网桥在 Windows、Linux、OSX、FreeBSD 和 Solaris 上运行，而客户端应用程序在Windows、Linux和 MacOS 上运行。VPN 网桥主要用于需要设置站点到站点VPN的企业，因此单个用户只需要服务器和客户端程序来设置远程访问。
+
+
+SoftEther 支持 OpenVPN、L2TP、SSTP 和 EtherIP 协议，由于“基于HTTPS的以太网”伪装，它自己的 SoftEther 协议声称能够免疫深度数据包检测。SoftEther 还做了一些调整，以减少延迟并增加吞吐量。此外，SoftEther 还包括一个克隆功能，允许您轻松地从 OpenVPN 过渡到SoftEther。
+
+SoftEther 可以穿透 NAT 防火墙并绕过防火墙。在只允许 ICMP 和 DNS 数据包的受限网络上，您可以通过 ICMP 利用SoftEther的VPN 或者通过 DNS 利用 VPN 选项来穿透防火墙。SoftEther 可与IPv4 和IPv6 一起工作。
+
+
+SoftEther 比 OpenVPN 和strongSwan更容易设置，但比 Streisand 和 Algo 更复杂。
+
+### WireGuard
+
+
+[WireGuard][7] 是这个名单上最新的工具；它太新了，甚至还没有完成。也就是说，它为部署VPN提供了一种快速简便的方法。它旨在通过使 IPSec 更简单、更精简来改进它，就像SSH一样。
+
+与OpenVPN一样，WireGuard 既是一种协议，也是一种软件工具，用于部署使用所述协议的VPN。一个关键特性是“加密密钥路由”，它将公钥与隧道内允许的 IP 地址列表相关联。
+
+
+WireGuard可用于 Ubuntu、Debian、Fedora、CentOS、MacOS、Windows 和安卓系统。WireGuard可在 IPv4和 IPv6 上工作。
+
+WireGuard比大多数其他VPN协议轻得多，它只在需要发送数据时才发送数据包。
+
+
+开发人员说，WireGuard还不应该被信任，因为它还没有被完全审计过，但是欢迎你给它一个机会。这可能是下一件大事！
+
+### 自制 VPN vs. 商业 VPN
+
+制作您自己的 VPN 为您的互联网连接增加了一层隐私和安全，但是如果您是唯一一个使用它的人，那么装备精良的第三方，比如政府机构，将很容易追踪到你的活动。
+
+此外，如果您计划使用您的 VPN 来解锁地理锁定的内容，自制的VPN可能不是最好的选择。因为您只能从一个IP地址连接，所以你的 VPN 服务器很容易被阻止。
+
+
+好的商业 VPN 不存在这些问题。有了像[ExpressVPN][8]这样的提供商，您可以与数十甚至数百个其他用户共享服务器的IP地址，这使得跟踪一个用户的活动几乎变得不可能。您也可以从成百上千的服务器中选择，所以如果其中一台被列入黑名单，你可以切换到另一台。
+
+
+然而，商业VPN的权衡是，您必须相信提供商不会窥探您的互联网流量。一定要选择一个有明确的无日志政策的信誉良好的供应商。
+
+
+--------------------------------------------------------------------------------
+
+via: https://opensource.com/article/18/8/open-source-tools-vpn
+
+作者：[Paul Bischoff][a]
+选题：[lujun9972](https://github.com/lujun9972)
+译者：[译者ID](https://github.com/译者ID)
+校对：[校对者ID](https://github.com/校对者ID)
+
+本文由 [LCTT](https://github.com/LCTT/TranslateProject) 原创编译，[Linux中国](https://linux.cn/) 荣誉推出
+
+[a]: 
+[1]: https://blog.trailofbits.com/2016/12/12/meet-algo-the-vpn-that-works/
+[2]: https://github.com/StreisandEffect/streisand
+[3]: https://openvpn.net/
+[4]: https://github.com/OpenVPN/easy-rsa
+[5]: https://www.strongswan.org/
+[6]: https://www.softether.org/
+[7]: https://www.wireguard.com/
+[8]: https://www.comparitech.com/vpn/reviews/expressvpn/