Is it just me, or is encrypting NFS a real PITA? Tutorials to secure NFS ... long, arduous, confusing reads. Doesn't seem to matter if it's over SSH or TLS/STunnel. Why, in this age, isn't this simpler to implement?

If the client and server trust each other already, and all that is needed is protection of the NFS traffic as it flows over an untrusted network then easiest way is probably to use a VPN. I use OpenVPN for this (and other things) and it works quite well. I've heard good things about WireGuard too.

Or have I misunderstood your question?

Does VPNing mean all network traffic between client/server would have to tunnel through VPN, or can I just encrypt NFS?

I recommend that you secure the communications channel, which means that you do not need to encrypt the NFS material unless you are seriously worried that the underlying stored data might be stolen.

OpenVPN, when properly configured using digital certificates instead of "PSKs = simple passwords," provides a very strong and reliable secure channel in which the identity of every agent can be reliably identified ... and access rights can be individually revoked without affecting the others. Simply use firewalls to ensure that NFS traffic can only pass through the tunnel.

The tunnel will "blanket secure" not only the NFS traffic, but everything else that passes through it, without drawing attention to itself. None of the clients need to know nor care ... "to them, it's just a router."

The other routine VPN alternative, "IPsec," is also equally secure and transparent, although a bit more difficult (IMHO ...) to manage.

1 members found this post helpful.

Not 100% on the specifics, but I think if you were to add a second NIC to your server then that second NIC could run on it's own subnet and the traffic could be separated between NFS and non-NFS at the router.