If you ever find yourself in the odd situation of needing to mount an NFS share between two servers that are connected only over the internet, you can add a security layer by running the NFS mount on top of an SSH tunnel. Here are the things we need to do:

Creating NFS share

First things first: mounting an NFS share through an SSH tunnel is only practical with NFS version 4 (NFSv4 talks over a single TCP port, 2049, without the portmapper and mountd side services of NFSv3, so one forwarded port is enough). That should be no issue if you are running a reasonably recent version of your favourite Linux distro. If you already have NFS shares configured, you can go straight to configuring the share. Otherwise, to start sharing directories with NFS, install the appropriate package; on Ubuntu:

tom@DM1:~$ sudo apt install nfs-kernel-server

And make sure that the service is running:

tom@DM1:~$ sudo systemctl status nfs-kernel-server.service
● nfs-server.service - NFS server and services
   Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2019-07-11 23:01:09 UTC; 1 months 26 days ago
 Main PID: 730 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 1109)
   CGroup: /system.slice/nfs-server.service

To configure the share, open /etc/exports:

tom@DM1:~$ sudo nano /etc/exports

...and configure the directory that we will be sharing:

/data/storage/ localhost(rw,sync,no_subtree_check,insecure,nohide,fsid=1)

As you can see, we are only sharing the folder with "localhost", so the export is not reachable from the network at all; only connections arriving through the tunnel on the loopback interface can mount it. The "insecure" option allows the NFS server to accept mount attempts coming from source ports above 1024 (non-privileged ports); this is needed because the forwarded connection is opened by sshd from an ordinary ephemeral port, not from a privileged one.

Reload the NFS exports by running:

tom@DM1:~$ sudo exportfs -ra

The next thing we need to do is configure the SSH daemon to allow us to create a tunnel. Open the config file:

tom@DM1:~$ sudo nano /etc/ssh/sshd_config

Find:

#AllowTcpForwarding yes

Uncomment the line, so it looks like this:

AllowTcpForwarding yes

You can also change the port on which the server accepts incoming connections from the default port 22 to something else. Still in the sshd_config file, find:

#Port 22

Uncomment the line and change the port to whatever port is available for you to use, let's say:

Port 2234

Save it and restart the SSH daemon:

tom@DM1:~$ sudo systemctl restart sshd

...and we are basically done on the server side. Let's move on to the client side.

Tunneling and mounting

Establish the SSH tunnel (run as root so that the tunnel process outlives your user session and can be used by the mount):

tom@DM2:~$ sudo ssh -fNv -L 3049:localhost:2049 tom@nfs.server.ip.address -p 2234

Replace "nfs.server.ip.address" with the NFS server's address. Local port 3049 on the client now forwards, through SSH, to port 2049 on the server's loopback interface. Congrats, we have just created a tunnel. What is left to do is to mount the NFS share that we created earlier. First, create the target directory:

tom@DM2:~$ sudo mkdir /mnt/remote

...and mount the share, pointing the client at the local end of the tunnel:

tom@DM2:~$ sudo mount -t nfs4 -o port=3049,proto=tcp localhost:/data/storage/ /mnt/remote

You can check whether the share is properly mounted:

tom@DM2:~$ df -h
Filesystem                 Size  Used Avail Use% Mounted on
udev                       1.9G     0  1.9G   0% /dev
tmpfs                      395M  2.2M  393M   1% /run
/dev/sda2                   12G  7.5G  3.7G  68% /
tmpfs                      2.0G     0  2.0G   0% /dev/shm
tmpfs                      5.0M     0  5.0M   0% /run/lock
tmpfs                      2.0G     0  2.0G   0% /sys/fs/cgroup
/dev/loop1                  89M   89M     0 100% /snap/core/7396
/dev/mapper/vgdata-lvdata   20G   16G  3.7G  81% /data
/dev/mapper/vglog-log      9.8G  6.0G  3.4G  65% /mnt/log
localhost:/data/storage    196G  815M  186G   1% /mnt/remote

We should now have the NFS share mounted on the client side. However, do not expect stellar performance out of this: every NFS operation is encrypted and round-trips over the internet. Keep in mind, too, that the mount only works for as long as the ssh process that holds the tunnel is alive; if it dies, the mount will hang until the tunnel is re-established.
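The tunnel and mount steps above wrapped into a small shell script, as an added example that is not part of the original post. It uses the post's values (ports 3049, 2049 and 2234, export /data/storage, mountpoint /mnt/remote), adds two checks a practitioner would want (the export really is restricted to localhost, and the mounted share really goes through the tunnel port), and demonstrates them on constructed sample files so it runs without a server; the extra ssh options are assumptions, not from the post.

```shell
#!/bin/sh
# Added example, not from the original post: the tunnel and mount steps as
# shell functions, plus two checks worth running before and after mounting.
# Values (ports, export path, mountpoint) are the ones used in the post.
LOCAL_PORT=3049; NFS_PORT=2049; SSH_PORT=2234
EXPORT_PATH=/data/storage; MOUNT_POINT=/mnt/remote

# Tunnel command. Binding the local end to 127.0.0.1 explicitly keeps other
# hosts on the client's network off the forward; ExitOnForwardFailure makes
# ssh fail loudly if port 3049 is already taken instead of running without it.
tunnel_cmd() {
  printf 'ssh -fN -o ExitOnForwardFailure=yes -L 127.0.0.1:%s:localhost:%s -p %s %s' \
    "$LOCAL_PORT" "$NFS_PORT" "$SSH_PORT" "$1"
}

# Mount command, the same one used in the post.
mount_cmd() {
  printf 'mount -t nfs4 -o port=%s,proto=tcp localhost:%s %s' \
    "$LOCAL_PORT" "$EXPORT_PATH" "$MOUNT_POINT"
}

# Check 1 (server side): every active line of an exports file names only
# localhost/127.0.0.1 as the client, so the share is reachable only via the tunnel.
exports_localhost_only() {
  awk 'BEGIN { bad = 0 }
       /^[ \t]*(#|$)/ { next }
       { for (i = 2; i <= NF; i++) { split($i, a, "(");
           if (a[1] != "localhost" && a[1] != "127.0.0.1") bad = 1 } }
       END { exit bad }' "${1:-/etc/exports}"
}

# Check 2 (client side): the mountpoint appears in /proc/mounts as nfs4 with
# port=3049, i.e. traffic really goes through the tunnel, not to 2049 directly.
mount_verified() {
  awk -v mp="$MOUNT_POINT" -v port="$LOCAL_PORT" 'BEGIN { found = 0 }
       $2 == mp && $3 == "nfs4" && $4 ~ ("(^|,)port=" port "(,|$)") { found = 1 }
       END { exit !found }' "${1:-/proc/mounts}"
}

# Stand-alone demo on constructed sample files (no real server needed).
demo() {
  ex=$(mktemp); mt=$(mktemp)
  printf '/data/storage/ localhost(rw,sync,no_subtree_check,insecure,nohide,fsid=1)\n' > "$ex"
  printf 'localhost:/data/storage /mnt/remote nfs4 rw,proto=tcp,port=3049,addr=127.0.0.1 0 0\n' > "$mt"
  exports_localhost_only "$ex" && echo "exports: localhost only"
  mount_verified "$mt" && echo "mount: nfs4 via port $LOCAL_PORT"
  rm -f "$ex" "$mt"
}
demo
```

On a real host, run `exports_localhost_only` with no argument on the server before `exportfs -ra`, and `mount_verified` with no argument on the client after the mount command.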

By ikhsan
