If you ever find yourself in the odd situation of needing to mount an NFS share between two servers that are connected only over the internet, you can add a layer of security by running the NFS mount on top of an SSH tunnel. Here are the things we need to do:
Creating NFS share
First things first: mounting an NFS share through an SSH tunnel is only supported by NFS version 4, which should be no issue if you’re running a reasonably recent version of your favourite Linux distro. If you already have NFS shares configured, you can go straight to configuring the share. Otherwise, to start sharing directories with NFS, install the appropriate package; on Ubuntu you can do:
tom@DM1:~$ sudo apt install nfs-kernel-server
And make sure that the service is running
tom@DM1:~$ sudo systemctl status nfs-kernel-server.service
● nfs-server.service - NFS server and services
   Loaded: loaded (/lib/systemd/system/nfs-server.service; enabled; vendor preset: enabled)
   Active: active (exited) since Thu 2019-07-11 23:01:09 UTC; 1 months 26 days ago
 Main PID: 730 (code=exited, status=0/SUCCESS)
    Tasks: 0 (limit: 1109)
   CGroup: /system.slice/nfs-server.service
To configure the share, open /etc/exports
tom@DM1:~$ sudo nano /etc/exports
..and configure the directory that we’ll be sharing
/data/storage/ localhost(rw,sync,no_subtree_check,insecure,nohide,fsid=1)
As you can see, we’ll only be sharing the folder with “localhost”, so any client that is not coming in through the tunnel is refused. The “insecure” option allows the NFS server to accept mount attempts arriving from ports larger than 1024; this is needed because the forwarded connection is opened by the SSH daemon on the server from an unprivileged port, not from the privileged port range that NFS expects by default.
Reload the nfs share by performing
tom@DM1:~$ sudo exportfs -ra
The next thing we need to do is configure the SSH daemon to allow us to create a tunnel. Do
tom@DM1:~$ sudo nano /etc/ssh/sshd_config
Find:
#AllowTcpForwarding yes
Uncomment the line so it looks like this
AllowTcpForwarding yes
You can also change the port the server uses to accept incoming connections from the default port 22 to something else. Still in the sshd_config file, find
#Port 22
Uncomment the line and change the port to whatever port is available for you to use, let’s say
Port 2234
Save it, and restart the ssh daemon
tom@DM1:~$ sudo systemctl restart sshd
..and we’re basically done on the server side. Let’s move on to the client side.
Tunneling and mounting
Establish the SSH tunnel by doing:
tom@DM2:~$ sudo ssh -fNv -L 3049:localhost:2049 tom@nfs.server.ip.address -p 2234
Replace “nfs.server.ip.address” with the NFS server’s address. Congrats, we have just created a tunnel: port 3049 on the client now forwards, through SSH on port 2234, to port 2049 (NFS) on the server’s loopback interface. What’s left to do is to mount the NFS share that we created earlier. First, create the target directory:
tom@DM2:~$ sudo mkdir /mnt/remote
…and mount the share
tom@DM2:~$ sudo mount -t nfs4 -o port=3049,proto=tcp localhost:/data/storage/ /mnt/remote
You can check whether the share is properly mounted with
tom@DM2:~$ df -h
Filesystem                 Size  Used Avail Use% Mounted on
udev                       1.9G     0  1.9G   0% /dev
tmpfs                      395M  2.2M  393M   1% /run
/dev/sda2                   12G  7.5G  3.7G  68% /
tmpfs                      2.0G     0  2.0G   0% /dev/shm
tmpfs                      5.0M     0  5.0M   0% /run/lock
tmpfs                      2.0G     0  2.0G   0% /sys/fs/cgroup
/dev/loop1                  89M   89M     0 100% /snap/core/7396
/dev/mapper/vgdata-lvdata   20G   16G  3.7G  81% /data
/dev/mapper/vglog-log      9.8G  6.0G  3.4G  65% /mnt/log
localhost:/data/storage    196G  815M  186G   1% /mnt/remote
We should now have the NFS share mounted on the client side. However, do not expect stellar performance out of this.
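Once the server and client sides are configured, it is worth verifying that the setup actually forces traffic through the tunnel rather than trusting that it does. The script below is an added example and not part of the original article: it checks the three things that matter for this setup, that /etc/exports only names localhost (an export to “*” would offer the share to anyone who can reach port 2049, which nfsd still listens on across all interfaces even with a localhost-only export, so firewalling 2049 on the server remains worthwhile), that the client mount at /mnt/remote is nfs4 to localhost on the forwarded port with proto=tcp, and that the tunnel entrance on the client is bound to the loopback address only. All inputs are constructed sample files written to a temporary directory; on a real system you would point the same functions at /etc/exports, /proc/mounts and the saved output of `ss -ltn`. The file paths, sample contents and function names are the example’s own assumptions.

```sh
#!/bin/sh
# Added example (not the article's own code): offline sanity checks for the
# NFS-over-SSH-tunnel setup. Every check parses text (an exports file,
# /proc/mounts, `ss -ltn` output), so it runs anywhere; on a live box point the
# functions at /etc/exports, /proc/mounts and `ss -ltn > some-file` instead.
set -f   # no pathname expansion: an exports entry such as *(rw) must stay literal

# exports_is_local FILE
#   0 if every export in FILE (exports(5) syntax) is restricted to
#   localhost / 127.0.0.1 / ::1; 1 if any entry names another host, a
#   network, a wildcard, or has no client list at all.
exports_is_local() {
    file=$1; bad=0
    while IFS= read -r line; do
        line=${line%%#*}                  # drop comments
        set -- $line                      # word-split: path, then client specs
        if [ $# -eq 0 ]; then continue; fi
        if [ $# -lt 2 ]; then bad=1; continue; fi
        shift
        for spec in "$@"; do
            host=${spec%%\(*}             # "localhost(rw,sync)" -> "localhost"
            case "$host" in
                localhost|127.0.0.1|::1) ;;
                *) bad=1 ;;
            esac
        done
    done < "$file"
    return $bad
}

# mount_via_tunnel MOUNTS_FILE TARGET LOCAL_PORT
#   0 if TARGET appears in MOUNTS_FILE (/proc/mounts format) as an nfs4 mount
#   whose source is localhost and whose options carry port=LOCAL_PORT and
#   proto=tcp, i.e. NFS traffic can only leave the client through the tunnel.
mount_via_tunnel() {
    file=$1
    while read -r src tgt fstype opts rest; do
        if [ "$tgt" != "$2" ]; then continue; fi
        if [ "$fstype" != "nfs4" ]; then return 1; fi
        case "$src" in localhost:*|127.0.0.1:*) ;; *) return 1 ;; esac
        case ",$opts," in *,port=$3,*) ;; *) return 1 ;; esac
        case ",$opts," in *,proto=tcp,*) ;; *) return 1 ;; esac
        return 0
    done < "$file"
    return 1                              # target is not mounted at all
}

# listener_is_loopback SS_FILE PORT
#   0 if every LISTEN socket on PORT in SS_FILE (output of `ss -ltn`) is bound
#   to 127.0.0.1 or [::1]; 1 if PORT is not listening or is bound to a wider
#   address, which would let other hosts on the network use the tunnel entrance.
listener_is_loopback() {
    file=$1; found=0
    while read -r state recvq sendq laddr rest; do
        if [ "$state" != "LISTEN" ]; then continue; fi
        if [ "${laddr##*:}" != "$2" ]; then continue; fi
        found=1
        case "$laddr" in 127.0.0.1:*|"[::1]:"*) ;; *) return 1 ;; esac
    done < "$file"
    [ "$found" -eq 1 ]
}

# ---- constructed sample inputs (not real system files) ----
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

cat > "$WORK/exports.good" <<'EOF'
# the export from the article: localhost only
/data/storage/ localhost(rw,sync,no_subtree_check,insecure,nohide,fsid=1)
EOF

cat > "$WORK/exports.bad" <<'EOF'
# a common mistake: the same share offered to any client that can reach nfsd
/data/storage/ *(rw,sync,no_subtree_check,insecure,nohide,fsid=1)
EOF

cat > "$WORK/mounts" <<'EOF'
/dev/sda2 / ext4 rw,relatime 0 0
localhost:/data/storage /mnt/remote nfs4 rw,relatime,vers=4.2,hard,proto=tcp,port=3049,timeo=600,sec=sys,clientaddr=127.0.0.1,addr=127.0.0.1 0 0
EOF

cat > "$WORK/ss" <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:3049     0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
EOF

# check DESCRIPTION WANT(0|1) COMMAND...  -> prints one ok/FAIL line per check
check() {
    desc=$1; want=$2; shift 2
    if "$@"; then got=0; else got=1; fi
    if [ "$got" -eq "$want" ]; then echo "ok   - $desc"; else echo "FAIL - $desc"; fi
}
check "exports restricted to localhost"    0 exports_is_local     "$WORK/exports.good"
check "wildcard export is rejected"        1 exports_is_local     "$WORK/exports.bad"
check "/mnt/remote goes through port 3049" 0 mount_via_tunnel     "$WORK/mounts" /mnt/remote 3049
check "direct port 2049 is not in use"     1 mount_via_tunnel     "$WORK/mounts" /mnt/remote 2049
check "tunnel entrance bound to loopback"  0 listener_is_loopback "$WORK/ss" 3049
check "sshd on 0.0.0.0 is flagged"         1 listener_is_loopback "$WORK/ss" 22
```

Each function reads its input from a file rather than running `exportfs`, `mount` or `ss` itself, so the same checks can be run from a cron job on the live hosts or against files copied off them during an incident review. The listener check is the one most often forgotten: `ssh -L` binds to loopback by default, but a `GatewayPorts yes` in the client’s ssh_config, or a `-L 0.0.0.0:3049:...` typed by habit, would let any host that can reach the client use the tunnel as an unauthenticated path to the share.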