If you are responsible for a bunch of networked computers on a small LAN, you can use the Zeroshell distro to roll out various useful network-related services. The Zeroshell distro will transform any computer into a multi-purpose server that offers a lot more services and flexibility than you can wring out of most off-the-shelf routers. Zeroshell is a small Linux distro that provides various essential network services from DHCP and firewall to VPN and load-balancing.
The distro includes a RADIUS server for WPA2 authentication, a Captive Portal instance to create public hotspots and can also be used to shape network traffic and QoS. The distro has modest hardware requirements and chugs along quite nicely even on an antiquated Celeron box with 1GB of RAM. You can download Zeroshell as an ISO image that you can transfer onto a CD and install onto the machine’s hard disk. Or, you can grab a USB image which will save its configuration locally.
Once you’ve figured out the hardware you’ll use to run Zeroshell, you’ll need to decide whether you wish to use Zeroshell to replace your existing router or to supplement it. In case of the former, you’ll need to equip the Zeroshell machine with two network cards – one that’ll plug into the Internet modem, and the other into a network switch that connects to the other computers on the network. If the Zeroshell server only needs to serve a small number of computers, you can replace the switch with a wireless adapter and turn the Zeroshell machine into a wireless access point. This is how we’ll configure Zeroshell in this tutorial.
We’ll also keep the router in the equation and connect our Zeroshell server with the router via an Ethernet cable. We can defer the task of doling out IP addresses to the router, which saves us the effort of configuring the routing and DHCP features of Zeroshell and instead allows us to focus on more interesting tasks.
To get started, boot Zeroshell either from the CD or the USB image. The distro boots up to a customised text-based interface. Before going any further, press [P] to change the default password (zeroshell) for the admin user. Next up we need to make sure Zeroshell is on the same subnet as the rest of the network. By default Zeroshell assigns itself to the 192.168.0.x subnet. If your existing router is on the same subnet you’re in luck. Press [I] and note the IP address shown at the top of the page. That’s the address of Zeroshell’s web-based interface.
Break the shell
If, however, you are on a different subnet – let’s say your router is located at 192.168.3.1 – then you’ll need to change Zeroshell’s default address and bring it onto the same subnet as the rest of the network. For this, press [I] to bring up the IP Manager menu. Then bring down the ethernet interface by pressing [S] and following the wizard. Now press [D] and delete the default IP address before pressing [G] to set the default gateway address to your existing router’s IP address. In our case, this is 192.168.3.1, and many routers like to sit at x.x.x.1, but yours may be different. Now press [A] to enter a new static IP address for the Zeroshell server, say 192.168.3.151.
To bring the changes into effect press [S] to change the status of the ethernet to up. The interface will now change to reflect the new IP addresses. Press [Q] to return to the main menu. You can now access Zeroshell using a web browser on any computer within the network by pointing that browser at the IP address that you’ve just set. When it prompts you for login credentials, use the admin username along with the password you defined at the start. Although the web interface can handle the bulk of its configuration, you’ll occasionally need to access Zeroshell’s console interface as well. Instead of hopping over to the Zeroshell server, you can remotely access it via SSH. To enable SSH, head to the web interface and click on the SSH tab under the Setup section. In the popup window, toggle the Enabled checkbox. Then enter the subnet of your network (such as 192.168.3.0/24) in the IP address text box and press the + button. Bring the changes into effect with the Save button. You can now ssh into the Zeroshell server from any computer on the subnet with, for example,
Next up, let’s configure the wireless adapter on the Zeroshell server to act as a wireless access point. For this you’ll first need to head to the console-based menu – remember that you can now access this via SSH. In the menu press [W] to bring up the WiFi Manager menu. Once inside press [N] which will kick off a wizard that helps define the settings for the new access point. Zeroshell will prompt you for the SSID of the new access point as well as the encryption mechanism you’d like it to use.
While the default options will work in most cases, review each carefully – especially the encryption mechanism. Once you’re through with the wizard your wireless access point should be visible to the devices in the vicinity. However, to hand out IP addresses to these devices and allow them to browse the Internet, you’ll need to create a bridge interface between the wireless adapter and the router that’s connected to the Ethernet card. For this, log in to the web-based interface and head to the Network tab under the Setup section.
Then click the button labelled Gateway to make sure the default gateway is set to your router’s IP address – 192.168.3.1 in our case. Close the window and click on the New BRIDGE button. This pops open a window which lists both the ethernet (eth0) and wireless adapter (wlan0) interfaces under the Available Interfaces list. Select each and click the button with the three right arrows to move the selected interface into the Bridged Components list. Do this for both the interfaces, then click Save to activate the new bridged interface.
That’s it. You can now connect devices to the new wireless access point, and they will be handed an IP address the same way they are taken to the Internet – via the router. Furthermore, you can also shield the devices connected to Zeroshell’s access point from nasties on the Internet by enabling the Transparent Antivirus Proxy feature. Scroll down to the Security section in the left-hand column and click the HTTP Proxy link. Here, toggle the Enabled checkbox and click the Save button to bring the proxy online.
This can take several minutes, since Zeroshell will fetch the latest antivirus definitions from ClamAV’s website. The Update Log button will help you keep track of the progress. Once the proxy is active, click on the + icon in the HTTP Capturing Rules section and add two separate Capture Request rules for all traffic passing through the wireless and ethernet adapters. Unless your users are known to frequent the darkest corners of the Internet, you can go easy on ClamAV’s server and tune down the number of times Zeroshell checks it for new definitions and updates from the default 12 to, if you’re confident, 2. Also make sure you change the default mirror to one that’s closer to home.
The final feature we’re going to enable is VPN access. Configuring an OpenVPN server is quite an involved process which includes pulling in and configuring various pieces of software and generating the appropriate secure certificates. However, Zeroshell ships with OpenVPN, which means all you need to do to use it is to enable it and export the certificates for your clients. Zeroshell supports different mechanisms for VPN authentication.
You can use simple usernames and passwords, X.509 secure certificates, or both – which is what we’ll be using. To grab the certificates, click on the Users link under the User section on the left. By default this will list only the admin user. You can use the Add link in the top bar to add more users and repeat the process for each. For now, select the admin user and click on the tab labelled X509 in the top bar. From here you can review, revoke and generate a new certificate for the selected user. For the moment though, we’ll just save the certificate.
Use the pull-down menu to select PEM certificate format and then press the Export button and save the admin.pem file to your local machine. We’ll now grab the certificate for the Trusted Certificate Authority, which in our case is the Zeroshell server itself. Scroll down to the Security section in the left-hand column and click the X.509 CA link. Now switch to the Trusted CAs tab from the top bar, which pops open a window with a list of trusted CAs. Select the only listed entry for our local Zeroshell server and click on the Export button to save the TrustedCA.pem file. Finally, click the VPN link under the Network section in the left-hand column and toggle the Enabled checkbox. Click on the Save button to bring the server online.
That’s all there is to it. Now follow the detailed instructions on Zeroshell’s website (http://www.zeroshell.org/openvpn-client/) to configure your Linux, Windows and Mac OS X clients to connect to your Zeroshell OpenVPN server. There’s a lot more you can do with Zeroshell. Just like OpenVPN, the server ships with a Captive Portal and a RADIUS server installation. All you need to do is enable them and tweak them as per your network.
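Before copying the exported admin.pem and TrustedCA.pem to a VPN client, it is worth confirming that the user certificate really chains to the exported CA, is not about to expire, and that any private key bundled in the file belongs to it and is not readable by other users. The shell function below is an added example, not part of the original tutorial or of Zeroshell; the name check_vpn_bundle is hypothetical, and it assumes the openssl command-line tool is installed on the client.

```sh
#!/bin/sh
# Added example: check the files exported from Zeroshell before handing them
# to a VPN client. File names follow the tutorial; check_vpn_bundle is a
# hypothetical helper name. Requires the openssl command-line tool.

# check_vpn_bundle CA_FILE USER_PEM -> returns 0 only if every check passes.
check_vpn_bundle() {
    ca=$1; user=$2; rc=0

    # 1. The user certificate must chain to the exported CA.
    if openssl verify -CAfile "$ca" "$user" >/dev/null 2>&1; then
        echo "OK   chain: $user verifies against $ca"
    else
        echo "FAIL chain: $user does not verify against $ca"; rc=1
    fi

    # 2. The certificate must still be valid 24 hours from now.
    if openssl x509 -in "$user" -noout -checkend 86400 >/dev/null 2>&1; then
        echo "OK   validity: certificate is valid for at least 24h"
    else
        echo "FAIL validity: certificate expired or expires within 24h"; rc=1
    fi

    # 3. If the PEM bundles a private key, it must belong to the certificate
    #    and the file must not be accessible to group or others.
    if grep -q 'PRIVATE KEY-----' "$user"; then
        cert_pub=$(openssl x509 -in "$user" -noout -pubkey 2>/dev/null)
        key_pub=$(openssl pkey -in "$user" -passin pass: -pubout 2>/dev/null)
        if [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]; then
            echo "OK   key: private key matches the certificate"
        else
            echo "FAIL key: private key unreadable or not matching"; rc=1
        fi
        if [ "$(ls -ld "$user" | cut -c5-10)" = "------" ]; then
            echo "OK   perms: $user is owner-only"
        else
            echo "FAIL perms: $user is open to group/others (chmod 600)"; rc=1
        fi
    else
        echo "NOTE key: no private key found in $user"
    fi
    return $rc
}

# Run directly as: sh check_vpn_bundle.sh TrustedCA.pem admin.pem
if [ $# -eq 2 ]; then check_vpn_bundle "$1" "$2"; fi
```

A non-zero exit status means at least one FAIL line was printed; fix that finding before distributing the files to a client.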