Installation#
To begin the installation process, start by downloading the latest image. Once the download is complete, you have two methods to install NethSecurity:
Direct disk installation: write the downloaded image directly to your computer’s disk. This method allows for a straightforward installation process directly onto your system’s storage.
USB boot installation: alternatively, you can create a bootable USB stick using the downloaded image. Boot the system from the USB stick and type a command to initiate the installation process.
Choose the method that best suits your needs and proceed with the installation process for NethSecurity.
Install on bare metal#
NethSecurity can be run from a USB stick or installed directly to any bootable device like hard disks or SD cards.
attach the target disk/stick/card to a desktop Linux machine
find the disk/stick/card device name, in this example the device is named
/dev/sddas
rootuser, write the downloaded image to the device:zcat nethsecurity-8.7.2-x86-64-generic-squashfs-combined-efi.img.gz | dd of=/dev/sdd bs=1M iflag=fullblock status=progress oflag=direct
unplug the disk/stick/card from the desktop and plug it into the server
boot the server, select the correct device (USB, SD card or hard disk) from boot menu
the server is installed and ready to be used
Writing the image on Windows
Note
Writing the image on a Windows machine is not recommended because it may mess up the disk partitioning.
If you’re running a desktop Windows machine, you will need extra software for point 2. First, make sure to format the USB drive then unmount it. Use one of the following tools to write the USB stick:
Install from USB to disk#
The recommended installation method for NethSecurity is on internal storage, for reasons of robustness and performance. For this purpose, NethSecurity provides a specific command to install its contents from the USB stick onto the internal disk:
connect to the server using VGA, serial console or SSH
login with default credentials
execute
ns-installand follow the instructions
The firewall will be halted at the end of the installation. Once the firewall has been shutdown, you can safely remove the USB stick and boot the server again.
Note
The USB stick should be used only for the initial installation of NethSecurity; any other use is strongly discouraged. To update NethSecurity or perform a factory reset, there are already documented options available via the web UI and the command-line console. In case the firewall access password is lost and you need to perform a factory reset, we recommend booting into failsafe mode and performing the reset from there, as described in the documentation (:ref:failsafe mode <failsafe-section>).
Install on virtual machines#
You can use the downloaded image as a virtual machine disk:
extract the downloaded image:
gunzip nethsecurity-8.7.2-x86-64-generic-squashfs-combined-efi.img.gz
create a new virtual machine and select the uncompressed image as disk
boot the virtual machine
Note
If you wish to save the logs locally, it is recommended to attach an additional virtual hard drive to the virtual machine and select it as the destination for logs in the Storage page under the System section.
Install on Proxmox#
The image can be imported inside Proxmox.
First, make sure to have 2 different network bridges. In this example we are going to use vmbr0 and vmbr1.
The described procedure can be also done using the Proxmox UI.
Create the virtual machine, in this example the machine will have id 401:
qm create 401 --name "NethSecurity" --ostype l26 --cores 1 --memory 1024 --net0 virtio,bridge=vmbr0,firewall=0 --net1 virtio,bridge=vmbr1,firewall=0 --scsihw virtio-scsi-pci
Download the image:
wget 'https://updates.nethsecurity.nethserver.org/stable/8.7.2/targets/x86/64/nethsecurity-8.7.2-x86-64-generic-squashfs-combined-efi.img.gz'
Extract the image:
gunzip nethsecurity-8.7.2-x86-64-generic-squashfs-combined-efi.img.gz
Import the extracted images a virtual machine disk:
qm importdisk 401 nethsecurity-8.7.2-x86-64-generic-squashfs-combined-efi.img local-lvm
Attach the disk to the virtual machine:
qm set 401 --scsi0 "local-lvm:vm-401-disk-0"
Setup the boot order:
qm set 401 --boot order=scsi0
Finally, start the virtual machine.
QEMU guest agent#
QEMU guest agent is not part of the NethSecurity image but can be installed from the command line. The agent can work when the virtual machine is running on KVM, Proxmox, or other QEMU-based hypervisors.
First, make sure the virtual machine is running, then connect to the machine using SSH or the Proxmox console and execute the following commands:
opkg update
opkg install qemu-ga
After the installation, start the service:
/etc/init.d/qemu-ga start
The QEMU guest agent will be available on the virtual machine and automatically started at boot.
Note
Starting from version 8.7.2, extra packages are automatically reinstalled after system upgrade. For earlier versions and for additional information, refer to this documentation: Restore extra packages.
Install on VMWare#
VMWare may encounter issues when importing raw disk images directly.
To ensure a smooth import, first decompress the image file, then convert the raw image to the VMWare native .vmdk format before proceeding.
On Windows, you can use a software like V2V Converter.
On Linux you can use the qemu-img command. Example:
qemu-img convert -f raw -O vmdk <source_image.raw> <destination_image.vmdk>
Replace:
<source_image.raw>with the actual path to your raw disk image<destination_image.vmdk>with your desired .vmdk filename
The following virtual machine settings are known to work well with NethSecurity:
Guest OS: Other 5.x or later Linux
SCSI Controller: VMWare Paravirtual
Network Adapters: E1000
Firmware: BIOS (not UEFI)
VMware open-vm-tools#
VMware open-vm-tools are not part of the NethSecurity image but can be installed from the command line. The tools can work only when the virtual machine is running on VMWare hypervisors.
First make sure the virtual machine is running, then connect to the machine using SSH or the VMWare console and execute the following commands:
opkg update
opkg install open-vm-tools
After the installation, start the service:
/etc/init.d/vmtoolsd start
The VMware open-vm-tools will be available on the virtual machine and automatically started at boot.
Please note that after an image upgrade the VMware open-vm-tools will be removed and you will need to reinstall it. See Restore extra packages for more info.
Install on Hyper-V#
To ensure a smooth import on HYper-V, first decompress the image file, then convert the raw image to the Hyper-V native .vhdx format before proceeding.
On Windows, you can use a software like V2V Converter.
On Linux you can use the qemu-img command. Example:
qemu-img convert -f raw -O vhdx <source_image.raw> <destination_image.vhdx>
Replace:
<source_image.raw>with the actual path to your raw disk image<destination_image.vhdx>with your desired .vhdx filename
Install on VirtualBox#
VirtualBox may encounter issues when importing raw disk images directly.
To ensure a smooth import, first decompress the image file, then convert the raw image to the VirtualBox native .vdi format before proceeding.
On Windows, Linux and macOS you can use the built-in VBoxManage tool. Example:
VBoxManage convertfromraw <source_image.raw> <destination_image.vdi>
Replace:
<source_image.raw>with the actual path to your raw disk image<destination_image.vdi>with your desired .vdi filename
Default network configuration#
When you first boot NethSecurity, the system will try to configure the network interfaces.
By default, the network configuration will be as follows:
The LAN interface will be configured with a static IP address of 192.168.1.1.
The WAN interface will be configured to use DHCP to obtain an IP address from your ISP.
An exception to this default network configuration is virtual machines running on KVM and on Digital Ocean cloud provider (droplet). In this case, the network configuration will be as follows:
The LAN interface will be configured to use DHCP to obtain an IP address from the virtualization platform.
The WAN interface will be configured to use DHCP to obtain an IP address from your ISP.
Note: If you are using NethSecurity in a production environment, you may need to modify the default network configuration to meet your specific needs. For example, you may need to configure the LAN interface with a different IP address or configure the WAN interface to use a static IP address.