Is it just me, or is encrypting NFS a real PITA? Tutorials to secure NFS ... long, arduous, confusing reads. Doesn't seem to matter if it's over SSH or TLS/STunnel. Why, in this age, isn't this simpler to implement?
If the client and server trust each other already, and all that is needed is protection of the NFS traffic as it flows over an untrusted network, then the easiest way is probably to use a VPN. I use OpenVPN for this (and other things) and it works quite well. I've heard good things about WireGuard too.
Or have I misunderstood your question?
Does VPNing mean all network traffic between client/server would have to tunnel through VPN, or can I just encrypt NFS?
I recommend that you secure the communications channel, which means that you do not need to encrypt the NFS material unless you are seriously worried that the underlying stored data might be stolen.
OpenVPN, when properly configured using digital certificates instead of "PSKs = simple passwords," provides a very strong and reliable secure channel in which the identity of every agent can be reliably identified ... and access rights can be individually revoked without affecting the others. Simply use firewalls to ensure that NFS traffic can only pass through the tunnel.
The tunnel will "blanket secure" not only the NFS traffic, but everything else that passes through it, without drawing attention to itself. None of the clients need to know nor care ... "to them, it's just a router."
The other routine VPN alternative, "IPsec," is also equally secure and transparent, although a bit more difficult (IMHO ...) to manage.
Last edited by sundialsvcs; 05-18-2022 at 12:24 PM.
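The firewall step from the reply above, as an added example that is not part of the thread: a shell function that prints an nftables ruleset confining NFS (2049) and rpcbind (111) to loopback and the VPN tunnel, on both the server (input) and client (output) side. The interface name `tun0`, the table name `nfs_guard` and the function name are assumptions; NFSv3's auxiliary mountd/statd ports are not covered.

```shell
#!/bin/sh
# Added example: emit an nftables ruleset that lets NFS traffic pass only
# through the VPN tunnel interface. "tun0" and "nfs_guard" are assumed
# names, not values taken from the thread.
#
# Apply with:  nfs_tunnel_ruleset tun0 | nft -f /dev/stdin

nfs_tunnel_ruleset() {
    tun_if="${1:-tun0}"

    # The name is interpolated into the ruleset, so reject anything that
    # is not a plausible Linux interface name (max 15 characters).
    case "$tun_if" in
        *[!A-Za-z0-9_.-]*)
            echo "invalid interface name: $tun_if" >&2
            return 1 ;;
    esac
    if [ "${#tun_if}" -gt 15 ]; then
        echo "interface name too long: $tun_if" >&2
        return 1
    fi

    cat <<EOF
table inet nfs_guard {
    chain input {
        type filter hook input priority 0; policy accept;
        # Server side: NFS/rpcbind arriving outside the tunnel is dropped.
        iifname != { "lo", "$tun_if" } tcp dport { 111, 2049 } drop
        iifname != { "lo", "$tun_if" } udp dport { 111, 2049 } drop
    }
    chain output {
        type filter hook output priority 0; policy accept;
        # Client side: never send NFS in cleartext over another interface.
        oifname != { "lo", "$tun_if" } tcp dport { 111, 2049 } drop
        oifname != { "lo", "$tun_if" } udp dport { 111, 2049 } drop
    }
}
EOF
}
```

Only traffic addressed to the server's tunnel address is routed through the VPN, so the client mounts the export by that address and other traffic between the two hosts is unaffected.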
Does VPNing mean all network traffic between client/server would have to tunnel through VPN, or can I just encrypt NFS?
Not 100% on the specifics, but I think if you were to add a second NIC to your server then that second NIC could run on its own subnet and the traffic could be separated between NFS and non-NFS at the router.