Turbocharge your network with Zeroshell
Zero to Hero
Zeroshell is a Linux distribution that will help you roll out useful network-related services. If you are responsible for a group of networked computers on a small local area network (LAN), you can use the Zeroshell distribution to transform an aging, unused computer into a multipurpose gateway server with more services and flexibility than you can wring out of most off-the-shelf routers.
The Zeroshell Linux distribution provides various essential network services ranging from DHCP and firewall to virtual private network (VPN) and load balancing. It has a RADIUS server for WPA2 authentication, as well as a captive portal instance to create public hotspots. You can also use Zeroshell to shape network traffic, act as an HTTP proxy server, and even deploy a VPN. The icing on the cake is that you can do all this and a lot more from the comfort of an easy graphical interface.
Zeroshell has modest hardware requirements and works nicely, even on an antiquated Celeron box with 1GB of RAM. It's available as a Live installable ISO image, as well as a USB image. Before anchoring the distribution to the computer, you can experience it in all its glory from the Live environment. In addition to x86, the project also hosts images for several ARM-based single-board computers, such as the Raspberry Pi and the Orange Pi.
Broadly speaking, you can deploy Zeroshell in two ways: You can let Zeroshell replace your existing router, or you can supplement the router with Zeroshell. If you use it as a replacement for the existing network hardware, you'll need to equip the Zeroshell server with two network cards, one of which plugs into the Internet modem, and the other into a network switch that connects to the other computers on the network.
If the Zeroshell server only needs to serve a small number of computers, you can turn the Zeroshell machine into a wireless access point that's connected to the existing Internet-enabled router via Ethernet. Using the two in tandem is a popular option, because you can leave the task of doling out IP addresses to the router, which saves you the effort of configuring Zeroshell's routing and DHCP features and allows you to focus on more interesting tasks.
Break the Shell
To get started, boot Zeroshell from either the CD or the USB image. The distro boots up to a customised text-based interface (Figure 1). Before going any further, press P to change the default password (zeroshell) for the admin user. Next up, make sure Zeroshell is on the same subnet as the rest of the network. By default, Zeroshell assigns itself to the 192.168.0.x subnet. If your existing router is on the same subnet, you're in luck. Press I and note the IP address shown at the top of the page: That's the address of Zeroshell's web-based interface, and it's usually 192.168.0.75. You'll still have to point it to your gateway, so press G and enter the IP address of your gateway server.
If you are on a different subnet (e.g., if your router is located at 192.168.1.1), then you'll need to change Zeroshell's default address and bring it onto the same subnet as the rest of the network. For this, press I to bring up the IP Manager menu. Next, bring down the Ethernet interface by pressing S and following the wizard. Now press D and delete the default IP address before pressing G to set the default gateway address to your existing router's IP address. Now press A to enter a new static IP address for the Zeroshell server. To bring the changes into effect, press S to change the status of the Ethernet interface to up. The interface will now change to reflect the new IP addresses. Press Q to return to the main menu.
You can now access Zeroshell from a web browser on any computer within the network by pointing the browser at the IP address you've just set. When it prompts you for login credentials, use the admin username, along with the password you defined earlier. Although the web interface (Figure 2) can handle the bulk of its configuration, you'll occasionally need to access Zeroshell's console interface as well. Instead of hopping over to the Zeroshell server, you can access it remotely via SSH. To enable SSH, head to the web interface and click on the SSH tab in the Setup section. In the popup window, toggle the Enabled checkbox; then, enter the subnet of your network (e.g., 192.168.0.1/24) in the IP address text box and click the + (plus) button. Bring the changes into effect by clicking Save. You can now ssh into the Zeroshell server with
$ sudo ssh admin@192.168.0.75
from any computer on the subnet.
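The two address decisions above, whether Zeroshell's default 192.168.0.75 already sits on the router's subnet (and, if not, what to type after pressing A) and which client addresses the SSH allow-list entry actually admits, are easy to get wrong by hand. The following script is an added example, not code from the article or the Zeroshell project; it assumes /24 networks, takes 192.168.0.75 from the article, and treats the router addresses and allow-list entries as constructed sample values. It also shows a caveat worth knowing: the allow-list entry 192.168.0.1/24 has host bits set, and the script reads it as the whole 192.168.0.0/24 network, which is assumed to match how Zeroshell interprets it.

```python
"""Plan Zeroshell's static address and check the SSH allow-list.

Added example, not code from the article or from the Zeroshell project.
Assumes /24 networks; 192.168.0.75 is Zeroshell's default address as the
article states. Router addresses and allow-list entries are constructed.
"""
import ipaddress

# Zeroshell's default address on its default 192.168.0.x subnet
ZEROSHELL_DEFAULT = ipaddress.ip_interface("192.168.0.75/24")


def same_subnet(router_ip: str, prefix_len: int = 24) -> bool:
    """True when Zeroshell's default address already sits on the router's
    subnet, so only the gateway (G) needs setting in the IP Manager."""
    router = ipaddress.ip_interface(f"{router_ip}/{prefix_len}")
    return ZEROSHELL_DEFAULT.ip in router.network


def plan_static_address(router_ip: str, prefix_len: int = 24,
                        host_part: int = 75) -> str:
    """Return the address to enter with A in the IP Manager when the router is
    on a different subnet: the router's network with the .75 host part kept,
    so the web interface stays at a predictable address (host_part is a
    choice made for this example, not a Zeroshell rule)."""
    router = ipaddress.ip_interface(f"{router_ip}/{prefix_len}")
    net = router.network
    candidate = net.network_address + host_part
    if candidate not in net or candidate in (net.network_address,
                                             net.broadcast_address):
        raise ValueError(f"host part {host_part} does not fit in {net}")
    if candidate == router.ip:
        raise ValueError("candidate collides with the router's own address")
    return f"{candidate}/{prefix_len}"


def normalize_allowed_subnet(entry: str) -> ipaddress.IPv4Network:
    """Turn an SSH allow-list entry into a network. The article's example,
    192.168.0.1/24, has host bits set; strict=False reads it as the /24 that
    contains that host (assumed to be how Zeroshell interprets it)."""
    return ipaddress.ip_network(entry, strict=False)


def ssh_allowed(client_ip: str, allow_list) -> bool:
    """True when client_ip falls inside any entry of the SSH allow-list."""
    client = ipaddress.ip_address(client_ip)
    return any(client in normalize_allowed_subnet(e) for e in allow_list)


if __name__ == "__main__":
    for router in ("192.168.0.1", "192.168.1.1"):  # constructed sample routers
        if same_subnet(router):
            print(f"router {router}: keep {ZEROSHELL_DEFAULT}, just set gateway")
        else:
            print(f"router {router}: re-address Zeroshell to "
                  f"{plan_static_address(router)}")
    print("192.168.0.42 may ssh:", ssh_allowed("192.168.0.42", ["192.168.0.1/24"]))
    print("10.0.0.5 may ssh:", ssh_allowed("10.0.0.5", ["192.168.0.1/24"]))
```

Run it with any router address you like; for a router at 192.168.1.1 it proposes 192.168.1.75/24, which keeps the web interface at the same host number the article uses, and it refuses a host part that would collide with the router or the broadcast address.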
Reroute Traffic
The next step is to configure the wireless adapter on the Zeroshell server to act as a wireless access point. Although all network cards and adapters supported by the Linux kernel should work with Zeroshell, it is still advisable to scroll through the list of hardware that's known to work with the distribution [1].
To verify that the distribution can work with your wireless adapter, head to the console-based menu and press W to bring up the WiFi Manager menu. You'll get an error if the card isn't recognized. If everything's good, press N to kick off a wizard that helps define the settings for the new access point. Zeroshell will prompt you for the SSID of the new access point, as well as the encryption mechanism you'd like it to use. Although the default options will work in most cases, review each carefully, especially the encryption mechanism.
Once you're through with the wizard, your wireless access point should be visible to the devices in the vicinity. However, to hand out IP addresses to these devices and allow them to browse the Internet, you'll need to create a bridge interface between the wireless adapter and the router that's connected to the Ethernet card.
Log in to the web-based interface and head to the Network tab in the Setup section; then, click the button labeled Gateway to make sure the default gateway is set to your router's IP address (192.168.0.1 in this case). Close the window and click the New BRIDGE button, which pops open a window that lists both the Ethernet (ETH00) and wireless adapter (WLAN00) interfaces under Available Interfaces. Select each and click the button with the three right arrows to move the selected interface into the Bridge Components list (Figure 3). Do this for both interfaces, then click Save to activate the new bridged interface. That's it. You can now connect devices to the new wireless access point.
You can also shield the devices connected to Zeroshell's access point from malicious code floating around on the Internet by enabling the Transparent Antivirus Proxy feature. Scroll down to the Security section in the left-hand column and click the HTTP Proxy link. Tick the Enabled box and click the Save button to bring the proxy online. This can take several minutes as Zeroshell fetches the latest antivirus definitions from ClamAV's website. The Update Log button will help you keep track of the progress.
Once the proxy is active, click the + icon in the HTTP Capturing Rules section and add two separate Capture Request rules for all traffic passing through the wireless and Ethernet adapters. Unless your users are known to frequent the darkest corners of the Internet, you can go easy on ClamAV's server and tune down the number of times Zeroshell checks it for new definitions and updates from the default 12 to a more reasonable value, say 2. Also, make sure you change the default mirror to one that's closer to where you are located.
Open Sesame
Once you have the wireless access point up and running, you can configure other services, such as Captive Portal. Head to the Captive Portal link under the Users section and toggle the GW checkbox. Before you activate the service, use the Interface pulldown menu to select WLAN00, and click the Save button to bring it online (Figure 4). It really is that simple.
When the other devices in your network now connect to the access point you've created using Zeroshell, they'll first be asked to authenticate before they are allowed to browse the web. By default, the server only has the default admin user. To add more users, click the Users link under the Users section on the left. You'll get a list of all the configured users. Use the Add link in the top bar to add more users.
Another common network service that is quite a chore to roll out is OpenVPN. Configuration includes pulling in and configuring various pieces of software and generating the appropriate secure certificates. However, Zeroshell reduces the process down to a couple of steps. All you need to do to use OpenVPN is to enable the service and export the certificates to your clients.
Zeroshell supports different mechanisms for VPN authentication. You can use simple usernames and passwords, X.509 secure certificates, or both, which is what I'll be doing. To grab the certificates, click on the Users link under the Users section on the left. Select any user and click the X509 tab in the top bar. From here you can review, revoke, and generate a new certificate for the selected user (Figure 5). For the moment, though, just save the certificate. Select the PEM certificate format in the pull-down menu, then click the Export button and save the admin.pem file to your local machine.
Now grab the certificate for the Trusted Certificate Authority, which, in this case, is the Zeroshell server itself. Scroll down to the Security section in the left-hand column and click the X.509 CA link. Switch to the Trusted CAs tab in the top bar, which pops open a window with a list of trusted CAs. Select the only listed entry for the local Zeroshell server, and click the Export button to save the TrustedCA.pem file.
Next, click the VPN link under the Network section in the left-hand column and toggle the Enabled checkbox. Finally, use the Save button to apply the settings and bring the server online. That's all there is to it. Now follow the detailed instructions on the Zeroshell website [3] to configure your Linux, Windows, and Mac OS X clients to connect to the Zeroshell OpenVPN server.
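Before copying admin.pem and TrustedCA.pem to a client, it is worth confirming that the export contains what the VPN setup expects: a single user certificate plus its private key in admin.pem, only the CA certificate (and no key) in TrustedCA.pem, and a user certificate whose issuer is that CA. The script below is an added example, not code from the article or from Zeroshell; it uses only the standard library, so it walks just enough of the DER structure to pull out the issuer and subject names and compares them byte for byte. It does not verify the signature (use openssl verify -CAfile TrustedCA.pem for that). The file names come from the article; the two certificates embedded at the bottom are constructed, unsigned skeletons built so the script runs offline and are not real Zeroshell output.

```python
"""Sanity-check the exported admin.pem / TrustedCA.pem pair.

Added example, not part of the article or of Zeroshell. Pure stdlib: reads PEM
blocks, walks the X.509 DER far enough to extract issuer and subject, and
checks that the user certificate's issuer equals the CA's subject. No
signature verification. The sample certificates below are constructed.
"""
import base64
import re

PEM_BLOCK = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END \1-----", re.S)


def pem_blocks(text: str):
    """Yield (label, der_bytes) for every PEM block in the text."""
    for label, body in PEM_BLOCK.findall(text):
        yield label, base64.b64decode("".join(body.split()))


def der_tlv(buf: bytes, pos: int = 0):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value: bytes):
    """Split a constructed value into (tag, raw TLV bytes) children."""
    pos, out = 0, []
    while pos < len(value):
        tag, _, nxt = der_tlv(value, pos)
        out.append((tag, value[pos:nxt]))  # raw TLV kept for byte comparison
        pos = nxt
    return out


def cert_names(der_cert: bytes):
    """Return (issuer, subject) as raw DER Name TLVs. Layout (RFC 5280):
    Certificate SEQ { tbsCertificate SEQ { [0] version?, serial, sigAlg,
    issuer, validity, subject, ... }, sigAlg, signature }."""
    _, cert, _ = der_tlv(der_cert)
    _, tbs_raw = der_children(cert)[0]
    _, tbs, _ = der_tlv(tbs_raw)
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:  # explicit [0] version is optional
        fields = fields[1:]
    return fields[2][1], fields[4][1]


def check_export(admin_pem: str, ca_pem: str) -> dict:
    """Checks a practitioner wants before handing the files to a client."""
    admin, ca = list(pem_blocks(admin_pem)), list(pem_blocks(ca_pem))
    admin_certs = [d for label, d in admin if label == "CERTIFICATE"]
    ca_certs = [d for label, d in ca if label == "CERTIFICATE"]
    result = {
        "user_has_cert": len(admin_certs) == 1,
        "user_has_key": any(label.endswith("PRIVATE KEY") for label, _ in admin),
        "ca_has_single_cert": len(ca_certs) == 1,
        "ca_has_no_key": not any(label.endswith("PRIVATE KEY") for label, _ in ca),
        "issuer_matches_ca": False,
    }
    if admin_certs and ca_certs:
        issuer, _ = cert_names(admin_certs[0])
        _, ca_subject = cert_names(ca_certs[0])
        result["issuer_matches_ca"] = issuer == ca_subject
    return result


# --- constructed sample data (not real certificates, not signed) ------------
def der(tag: int, content: bytes) -> bytes:
    """Minimal DER encoder, short and long length forms."""
    n = len(content)
    if n < 128:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def name(cn: str) -> bytes:
    """Name = SEQ { SET { SEQ { OID 2.5.4.3 (CN), UTF8String cn } } }."""
    oid_cn = der(0x06, bytes([0x55, 0x04, 0x03]))
    return der(0x30, der(0x31, der(0x30, oid_cn + der(0x0C, cn.encode()))))


def skeleton_cert(issuer: bytes, subject: bytes) -> bytes:
    """Unsigned skeleton with empty sigAlg/validity, enough for cert_names()."""
    tbs = der(0x30, der(0x02, b"\x01") + der(0x30, b"") + issuer + der(0x30, b"") + subject)
    return der(0x30, tbs + der(0x30, b"") + der(0x03, b"\x00"))


def to_pem(label: str, der_bytes: bytes) -> str:
    b64 = base64.b64encode(der_bytes).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"


_CA = name("Zeroshell CA")  # constructed CA name, not the real server's
SAMPLE_CA_PEM = to_pem("CERTIFICATE", skeleton_cert(_CA, _CA))
SAMPLE_ADMIN_PEM = (to_pem("CERTIFICATE", skeleton_cert(_CA, name("admin")))
                    + to_pem("PRIVATE KEY", der(0x30, b"")))  # dummy key block

if __name__ == "__main__":
    for key, ok in check_export(SAMPLE_ADMIN_PEM, SAMPLE_CA_PEM).items():
        print(f"{key:20s} {'ok' if ok else 'FAIL'}")
```

To use it on a real export, read the two files and pass their contents to check_export(). A FAIL on issuer_matches_ca usually means the wrong entry was exported from the Trusted CAs tab; a FAIL on ca_has_no_key means a private key left the server in a file meant for distribution and should be treated as exposed.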