Should a new Nethserver user start out with Nethserver 8?

A college student wants to install a system initially just for Mattermost for a student club. Of course, the slippery slope means they might want a firewall, backup, or maybe even OpenVPN. But no mail server, no professional certificates,

Should they go right to Nethserver 8?

Hi @ harry,

Nethserver 8 is Beta 1 and should not be used productively.



1 Like

Also it will never act as a firewall. OpenVPN, who knows.

My suggestion (without knowing your setup) is to think about using a small form factor PC that’s compatible with opnsense. This can serve as your firewall, with a Nethserver 7.9 neatly tucked behind it.

While opnsense might look a bit intricate (and overkill), it then takes care of the main infrastructure (i.e., firewall, DNS, DHCP, NTP, and OpenVPN). Meanwhile, Nethserver can handle the running of your web apps, like Mattermost, and oversee user organisation like ad or ldap.

If you’re thinking about using OpenVPN, the viscosity client can make the setup process a breeze. All it requires is sending a file from opnsense to the user (once the user has been setup in opnsense) they can just open the file in viscosity and, just like that, everything gets set up automatically. That’s how it worked out for me on the Mac platform.

1 Like

Should take the risk and learn :slight_smile:


@Laylow, I agree with you.

I am pretty close to installing NS8 for my home router.

But alas, he, for now, took the conservative way out, keying off the first comment that it shouldn’t be used for production. He’s plenty savvy, and was responsible for writing and debugging SW for the race car. (Spartan Racing - YouTube)

@Shane_Treweek, I have been using Nethserver (and before that, SME Server – going back to early 2000s). I am familiar with pfsense, but I have always used either SME Server or Nethserver as my router and VPN server. While at one point, I used a mail server, I haven’t for a long time. Up until recently, I had it hooked directly to a cable modem (through various homes, and service providers and ever faster. The past ~year I have Netserver configured as a router behind the Comcast (branded Xfinity) Technicolor router/cable modem. On Nethserver, I use the firewall, Threat Shield, and fail2ban. I have it installed on a small fanless machine with a finned case, an i7 mobile processor, 8GB, dual SSDs, 2 GbE ports I have bridged for the LAN, and a 2.5G Ethernet USB dongle connected to the WAN side, which connects to the Technicolor box, which supports 2.5G.

Thanks for the tip on OpenVPN. I will have to check out that client. I have used OpenVPN on both Windows PCs and an Android phone, so am pretty familiar with it.

Hi @LayLow

Just the fact that NethSecurity (The firewall component) isn’t really ready for prime time would be more than enough to not plan for this route at the moment.

As it’s still in beta stage, there could still be major issues cropping up. At that stage, your NS8 might work, but you won’t be able to use the Internet to help solve the issue.
There’s a very good reason a firewall should be a separate box.


Like you, I’ve been using SME Server since the 2000s, and after 2014/5 migrated to NethServer.
I moved away from direct installs on HW to complete using virtualization. From 2000 I used VMWare (Server, then ESXi), since 2015 moved all VMWare to Proxmox, a much better and complete solution with simple billing.

All my clients use virtualization, and a seperate box running OPNsense as dedicated hardware firewall.
PBS provides for incremental backups with dedulication, extremly fast and compact.
Disaster recovery isn’t an issue under virtualization, and even with complete different hardware, I can guarantee a complete disaster recovery within 2 hours, if replacement hardware is available…
Almost all my swiss clients anyway insist on a dedicated firewall (According to networking best practices), so why should I argue against my own better knowledge?

Besides which, DNS services on both SME and NethServer 7 are really crappy, NS7 only allows itself to use a CNAME from the cockpit. Other hosts have to use A records, and this results in random PTR records for hosts. Not really usable with monitoring in mind…

I’m really looking forward to moving my clients to NS8, and for more testing of NS8 until it’s really ready!

I also use Viscosity (Good, simple licensing, 14.- lifetime fee for as many Macs and Windows boxes as you have!) for all my clients, they’re very happy with it. Tunnelblick on Mac gives you just that: “tunnel vision”. Viscosity can use existing OVPN configuration files and even can directly import OpenVPN client configs.

My 2 cents


Don’t worry we’re working on a new project for your firewall :slight_smile: more news asap
I’m sure you will not need of pfsense or opnsense.

:100: agree!!

1 Like

That is AWSOME!

Following up on your suggestion about OpenVPN clients, on my Android phone, I have been using OpenVPN Client from the Google Play store. It is from in Milano. Performance seems fine, and other than having an AI that tells me what’s wrong with my config when I get bored and mess with a perfectly operating VPN, I can’t think of what improvements it needs.

On my PC I use the one from, and likewise, no complaints.

1 Like