May 23, 2005

NFS over CIPE-VPN tunnels

Author: Rohit Girhotra

The Network File System (NFS) is the standard protocol for sharing files between Linux and Unix computers. It is a distributed file system that gives local access to remote disks and file systems and is built on the client/server model. Although easy to configure, it is normally used only within an intranet or LAN: its traffic travels in the clear, and its access control rests on the client's IP address and on the UID the client claims, so it is not safe to expose to the Internet. It can still be used to share files across the Internet without giving up that protection by running it over a Virtual Private Network (VPN) connection. This article shows how to set up NFS to run over a CIPE VPN connection between two Linux systems.

A VPN provides a secure communication channel over an otherwise insecure network such as the Internet. A VPN usually offers authentication of the two endpoints and encryption of the data being transferred. Crypto IP Encapsulation (CIPE) is one such VPN. It runs over UDP, uses a shared link key to authenticate the connection, and provides a low-level encrypted tunnel from one machine to another, much like an IPsec VPN. Be aware that CIPE's protocol design was later found wanting (Peter Gutmann's 2003 review of Linux VPN packages reported weaknesses in its cryptographic construction), so for a new deployment IPsec or OpenVPN is the better choice; everything in the NFS part of this article applies unchanged to such a tunnel.

Let's assume that both Linux systems have an Internet connection and that each has the CIPE and nfs-utils packages installed, since both are required for the connection to work. The latest CIPE package can be obtained in tarball form from the CIPE project's website. The nfs-utils package comes bundled with almost all distributions and can be installed from the installation CDs.

From here on we will refer to the two Linux boxes as source and destination: the source machine will function as the NFS server and the destination machine will act as the NFS client.

Setting up CIPE

To set up a CIPE interface on the source machine you have to create a configuration file for it called /etc/cipe/options.source. A sample configuration file is shown below; the address values are placeholders in angle brackets, and the UDP ports are the ones used throughout this article:

#vi /etc/cipe/options.source


   ipaddr  <source-virtual-ip>
   ptpaddr <destination-virtual-ip>
   me      <source-real-ip>:6120
   peer    <destination-real-ip>:8213
   maxerr -1
   key fcc5cf56e6ec762d52ac5e0b4b1c73bb

Here's what the various options used in the above CIPE configuration file mean:

ipaddr: Virtual IP address of the CIPE device on the source machine. This can be any private IP address that you have not used for your other local networks.

ptpaddr: Virtual IP address of the peer device (the CIPE device on the destination machine).

me: Real (Internet) IP address of the source machine followed by a colon and a UDP port number. The port can be any unused UDP port on the source machine; this article uses 6120.

peer: Real IP address and port number of the peer (the destination machine).

maxerr: Number of transmission errors after which the virtual link is brought down. Setting it to -1 disables the limit so that the link always stays up.

key: The 128-bit link key, written as 32 hexadecimal digits. It is used to encrypt all data sent over the tunnel, and it is also what authenticates the peer, since only a holder of the key can produce valid packets. Do not derive it from something an attacker could guess or reproduce, such as the output of ps; take it from the kernel's random number generator instead, for example with od -An -N16 -tx1 /dev/urandom | tr -d ' \n'.

For the destination machine, a similar CIPE configuration file /etc/cipe/options.destination looks like this (same placeholders, addresses swapped):

#vi /etc/cipe/options.destination


   ipaddr  <destination-virtual-ip>
   ptpaddr <source-virtual-ip>
   me      <destination-real-ip>:8213
   peer    <source-real-ip>:6120
   maxerr -1
   key fcc5cf56e6ec762d52ac5e0b4b1c73bb

As you can see, the addresses in the two CIPE configuration files are simply swapped. The key, however, must be identical on both machines, and it has to be copied from one to the other over a channel you already trust (an existing SSH session, for instance), never over the connection the tunnel is meant to protect.

Once the CIPE configuration files have been created, you must restrict their permissions, otherwise CIPE will refuse to start: the file contains the link key, so nobody but root should be able to read it. Run this command on the source machine:

#chmod 600 /etc/cipe/options.source

Similarly, on the destination machine do this:

#chmod 600 /etc/cipe/options.destination

Voila! Your CIPE tunnel is now ready for action. Start the tunnel by issuing the following command on the source machine:

#ciped-cb -o /etc/cipe/options.source

And run this on the destination machine:

#ciped-cb -o /etc/cipe/options.destination

If the Internet connections are up on both sides, the CIPE tunnel should come up and connect across your Internet interfaces; ifconfig cipcb0 then shows the virtual address you configured, and you should be able to ping the peer's virtual address through it. To bring down the CIPE tunnel, type ifconfig cipcb0 down on both machines.
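As an added example (not part of the original article), the following POSIX shell script performs the whole CIPE configuration step in one go: it draws a 128-bit link key from /dev/urandom, writes the two options files with the addresses swapped, and creates them with mode 0600 from the start so the key is never readable by other users, not even briefly. The real addresses (192.0.2.10 and 198.51.100.20), the virtual addresses (10.99.0.1 and 10.99.0.2) and the target directory are assumptions chosen for illustration; the UDP ports 6120 and 8213 are the article's.

```shell
#!/bin/sh
# Added example, not from the original article: generate a CIPE link key from
# the kernel RNG and write a matching pair of options files with mode 0600.
# Assumed values: RFC 5737 documentation addresses for the real IPs and a
# 10.99.0.0/30 link for the virtual addresses. The UDP ports are the article's.
set -eu

SRC_REAL=192.0.2.10      # assumed real (Internet) address of the source
DST_REAL=198.51.100.20   # assumed real address of the destination
SRC_VIRT=10.99.0.1       # assumed CIPE virtual address of the source
DST_VIRT=10.99.0.2       # assumed CIPE virtual address of the destination
SRC_PORT=6120            # UDP port of the source, from the article
DST_PORT=8213            # UDP port of the destination, from the article

# 128-bit key as 32 hex digits, straight from /dev/urandom rather than from
# "ps -auxw | md5sum", whose input an attacker can largely reconstruct.
gen_cipe_key() {
    od -An -N16 -tx1 /dev/urandom | tr -d ' \n'
}

# valid_cipe_key KEY: exactly 32 hexadecimal digits, nothing else.
valid_cipe_key() {
    case $1 in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ ${#1} -eq 32 ]
}

# write_cipe_options FILE IPADDR PTPADDR ME PEER KEY
# The file holds the key, so it is created with mode 0600 from the start
# (umask in a subshell) rather than chmod'ed afterwards; ciped-cb refuses
# group- or world-readable options files anyway.
write_cipe_options() {
    file=$1 ipaddr=$2 ptpaddr=$3 me=$4 peer=$5 key=$6
    (
        umask 077
        printf 'ipaddr %s\nptpaddr %s\nme %s\npeer %s\nmaxerr -1\nkey %s\n' \
            "$ipaddr" "$ptpaddr" "$me" "$peer" "$key" > "$file"
    )
    chmod 600 "$file"    # in case the file already existed with wider permissions
}

# make_cipe_pair [DIR]: write options.source and options.destination under DIR
# (default /etc/cipe) with the addresses swapped and one shared key; prints the key.
make_cipe_pair() {
    dir=${1:-/etc/cipe}
    key=$(gen_cipe_key)
    valid_cipe_key "$key" || { echo "could not generate a key" >&2; return 1; }
    write_cipe_options "$dir/options.source" "$SRC_VIRT" "$DST_VIRT" \
        "$SRC_REAL:$SRC_PORT" "$DST_REAL:$DST_PORT" "$key"
    write_cipe_options "$dir/options.destination" "$DST_VIRT" "$SRC_VIRT" \
        "$DST_REAL:$DST_PORT" "$SRC_REAL:$SRC_PORT" "$key"
    echo "$key"
}
```

Run make_cipe_pair /etc/cipe on the source machine, then copy options.destination to the destination over a channel you already trust (scp over an existing SSH session, for example) and delete the local copy; the key printed at the end is the one both files contain.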

Setting Up the NFS server

To set up an NFS server on the source machine you need to edit the /etc/exports file. This file holds a list of entries stating which directories are shared and how they are shared. The format of each line in /etc/exports is:

Directory Host(Options)

where Directory is the directory you wish to share; it may be an entire volume. If you share a directory, all directories below it within the same file system are shared as well. Host is the client machine or machines that will have access to the shared directory; they may be listed by DNS name or by IP address. A missing host field, or a space between the host and its options, exports the directory to everyone (exports(5) warns about this), so check that each host and its parenthesised options are written together.

Options define what kind of access the client machine will have on the shared directory. For a complete description of all the setup options for the file, check its man page (man exports). A few important options are given below:

secure: Requires client requests to originate from a privileged port (one numbered less than 1024). This is the default; on a Unix client only root can use such ports, which is the only thing that keeps ordinary users on the client from forging requests under other users' UIDs.

insecure: Permits client requests to originate from unprivileged ports (those numbered 1024 and higher).

ro/rw: Exports the file system as read-only/read-write.

async: Allows the server to reply to a write before it reaches disk, improving performance at the risk of losing or corrupting data if the server crashes.

sync: Forces the server to commit a write to disk before the request is reported complete. This is the default.

root_squash: Prevents the root user on an NFS client from having root privileges on the NFS mount by mapping UID and GID 0 to the anonymous user (historically -2, usually nobody with UID 65534). This is the default; do not override it with no_root_squash unless you have a specific need, since it is what stops root on the client from being root on the export.

all_squash: Maps all requests from all UIDs or GIDs to the UID or GID, respectively, of the anonymous user.

no_all_squash: Disables all_squash, the default behaviour.

If you wish to share the /usr directory read-only and the /home directory read-write with the destination machine, open the /etc/exports file in any text editor and add one entry per directory, replacing the placeholder with the CIPE virtual address of the destination machine (the ptpaddr in the source's options file):

# vi /etc/exports

/usr   <destination-virtual-ip>(ro)
/home  <destination-virtual-ip>(rw)

This is where the trick is. In place of a host name or real IP address we use the remote virtual address of the CIPE client, i.e. the destination machine. Because that address is reachable only through the tunnel, a request arriving from it has already been decrypted and authenticated by CIPE with the link key. Bear in mind that this is still NFS's usual host-based access control: the server trusts the UID and GID the client sends (AUTH_SYS), so whoever is root on the destination machine can act as any non-root user on the export, and root_squash is what keeps them from acting as root. In this way you can add as many file systems as you wish to share, one per line.

After you have added the entries to /etc/exports, start the NFS daemons and export the file systems. Bring up both your Internet connection and your CIPE interface on the source machine and issue the following commands as root (if the server is already running, exportfs -ra makes it re-read /etc/exports instead; exportfs -v then shows what is exported and to whom):

# /etc/init.d/portmap start
# /etc/init.d/nfslock start
# /etc/init.d/nfs start
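To show what the export entries look like with a concrete tunnel address, and to catch the mistakes that quietly reopen an export to the world, here is an added example in POSIX shell (not from the article). It assumes the destination's CIPE virtual address is 10.99.0.2 and that /usr is shared read-only and /home read-write; the audit function parses an exports file with awk and reports entries with no host or a wildcard host, no_root_squash, insecure, or async on a read-write export.

```shell
#!/bin/sh
# Added example, not from the original article: the two export entries with a
# concrete tunnel address, plus an audit of an exports file for settings that
# would hand the export to the whole Internet or to root on the client.
# Assumed: the destination's CIPE virtual address is 10.99.0.2, /usr is shared
# read-only and /home read-write.
set -eu

CLIENT_VIRT=10.99.0.2    # assumed ipaddr of the destination (ptpaddr of the source)

# The entries as the article describes them: the host field is the client's
# tunnel address, so only requests that came in through CIPE match it.
tunnel_exports() {
    printf '/usr  %s(ro,sync,root_squash)\n' "$CLIENT_VIRT"
    printf '/home %s(rw,sync,root_squash)\n' "$CLIENT_VIRT"
}

# audit_exports FILE: print one line per finding, exit 1 if there were any.
# Findings: no host field or a wildcard host (exported to everyone, including
# the "host (options)" typo that exports(5) warns about), no_root_squash,
# insecure (any local user on the client may send requests), and async on a
# read-write export (acknowledged writes are lost if the server crashes).
audit_exports() {
    awk '
        /^[ \t]*(#|$)/ { next }                    # skip comments and blank lines
        {
            dir = $1
            if (NF < 2) { print FILENAME ": " dir ": no host field, exported to everyone"; bad = 1; next }
            for (i = 2; i <= NF; i++) {
                host = $i; opts = ""
                if (match($i, /\(.*\)$/)) {        # split "host(opt,opt)" into host and opts
                    host = substr($i, 1, RSTART - 1)
                    opts = substr($i, RSTART + 1, RLENGTH - 2)
                }
                if (host == "" || host == "*" || host ~ /^\*\./) { print FILENAME ": " dir ": wildcard host \"" $i "\""; bad = 1 }
                n = split(opts, o, ",")
                rw = 0; async = 0
                for (j = 1; j <= n; j++) {
                    if (o[j] == "rw") rw = 1
                    if (o[j] == "async") async = 1
                    if (o[j] == "no_root_squash") { print FILENAME ": " dir ": no_root_squash for " host; bad = 1 }
                    if (o[j] == "insecure") { print FILENAME ": " dir ": insecure ports allowed for " host; bad = 1 }
                }
                if (rw && async) { print FILENAME ": " dir ": rw together with async for " host; bad = 1 }
            }
        }
        END { exit bad ? 1 : 0 }
    ' "$1"
}
```

Use it as tunnel_exports >> /etc/exports, then audit_exports /etc/exports before exportfs -ra; a non-zero exit lists each offending entry. The audit is deliberately conservative: a host such as *.example.com is reported as a wildcard even where it is intended.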

Setting up the NFS client

Once the server has exported the file systems, they must be mounted on the client before they can be used. To mount /usr and /home (exported by the source machine) on the destination machine, bring up both network interfaces there, the Internet connection and the CIPE interface, and issue the following commands as root, replacing the placeholder with the CIPE virtual address of the source machine:

#mkdir /mnt/myimports1
#mkdir /mnt/myimports2
#mount -t nfs -o ro <source-virtual-ip>:/usr  /mnt/myimports1
#mount -t nfs -o rw <source-virtual-ip>:/home /mnt/myimports2

Here too, in place of a host name we use the CIPE virtual address; for the destination machine that is the remote virtual address of the source machine (the ptpaddr in its options file). You can make the mounts permanent by adding the following entries to the /etc/fstab file of the destination machine:

#vi /etc/fstab

<source-virtual-ip>:/usr    /mnt/myimports1    nfs    ro    0 0
<source-virtual-ip>:/home   /mnt/myimports2    nfs    rw    0 0

In addition to the above specified NFS mount options, you can add several other mount options to the /etc/fstab file to customize how the filesystem is mounted:

rw|ro: Sets the filesystem read/write (default), or read-only.

soft: Lets an NFS request fail with an error once the retransmission limit (retrans) has been reached, instead of retrying forever. Use it only for read-only mounts such as /usr above; on a read-write mount a timed-out write is simply lost.

hard: Keeps retrying a failed NFS request, printing "server not responding" on the console, until the server answers again. This is the default and the safe choice for read-write data; soft and hard are mutually exclusive.

Now, after all this configuring, the only real problem you are likely to hit is the firewall. On the Internet-facing interface, open the UDP ports used by CIPE (6120 on the source machine and 8213 on the destination), ideally only for packets from the peer's real address. NFS, however, should be opened only on the tunnel interface cipcb0, not on the Internet interface: besides port 2049, NFS versions 2 and 3 also need the portmapper (port 111) and the mountd, lockd and statd services, which pick ports at random unless you pin them (rpc.mountd -p and rpc.statd -p, for example). If you open those ports on the Internet side, the only thing left between the Internet and your files is the host address in /etc/exports, which is an IP address check, not authentication.
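The following added example (not from the article) turns the firewall advice above into a reviewable rule set for the source machine, in POSIX shell. It assumes the Internet-facing interface is eth0, the peer's real address is 198.51.100.20, the tunnel network is 10.99.0.0/30, that rpc.mountd has been started with -p 892 so mountd sits on a fixed port, and that the INPUT chain's default policy is set to DROP separately while OUTPUT stays at ACCEPT; cipcb0 and UDP port 6120 are the article's. The script prints the iptables commands by default and only runs them with --apply, so the rules can be checked before they touch a live firewall: public_nfs_accepts counts any rule that would accept NFS or portmapper traffic on the public interface, which must be zero.

```shell
#!/bin/sh
# Added example, not from the original article: firewall rules for the NFS
# server (source) that expose CIPE only to the peer and NFS only through the
# tunnel. Assumed: Internet interface eth0, peer real address 198.51.100.20,
# tunnel network 10.99.0.0/30, rpc.mountd pinned to port 892 ("rpc.mountd -p 892"),
# INPUT default policy set to DROP elsewhere and OUTPUT left at ACCEPT.
# cipcb0 and UDP port 6120 are the article's. If nfslock is used, pin statd
# (rpc.statd -p) and lockd (nlm_tcpport/nlm_udpport module parameters) as well
# and add those ports to NFS_PORTS.
set -eu

PUB_IF=eth0               # assumed Internet-facing interface
TUN_IF=cipcb0             # CIPE device name used in the article
PEER_REAL=198.51.100.20   # assumed real address of the destination
TUN_NET=10.99.0.0/30      # assumed virtual link network
CIPE_PORT=6120            # from the article
NFS_PORTS=111,2049,892    # portmapper, nfsd and (assumed pinned) mountd

# Print the rules rather than applying them, so they can be reviewed and
# tested first; "--apply" runs them.
nfs_vpn_rules() {
    cat <<EOF
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# CIPE: UDP $CIPE_PORT, and only from the peer's real address
iptables -A INPUT -i $PUB_IF -p udp -s $PEER_REAL --dport $CIPE_PORT -j ACCEPT
# NFS, portmapper and mountd: only on the tunnel interface
iptables -A INPUT -i $TUN_IF -p tcp -m multiport --dports $NFS_PORTS -j ACCEPT
iptables -A INPUT -i $TUN_IF -p udp -m multiport --dports $NFS_PORTS -j ACCEPT
# the same services explicitly refused on the public interface
iptables -A INPUT -i $PUB_IF -p tcp -m multiport --dports $NFS_PORTS -j DROP
iptables -A INPUT -i $PUB_IF -p udp -m multiport --dports $NFS_PORTS -j DROP
# packets on the public side claiming a tunnel source address are spoofed
iptables -A INPUT -i $PUB_IF -s $TUN_NET -j DROP
EOF
}

# Number of generated rules that would ACCEPT portmapper or NFS traffic on the
# public interface; the rule set is only right when this is 0.
public_nfs_accepts() {
    nfs_vpn_rules | grep -v '^#' | grep -- "-i $PUB_IF" \
        | grep -E -- '--dports? [0-9,]*(111|2049)' | grep -c ACCEPT || true
}

if [ "${1:-}" = --apply ]; then
    nfs_vpn_rules | grep -v '^#' | while read -r rule; do $rule; done
fi
```

The destination machine needs the mirror image: accept UDP 8213 from the source's real address on its Internet interface, and nothing NFS-related inbound at all, since the client only opens connections.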

Another thing to verify is that the entries in /etc/exports on the source machine are correct and that the destination machine mounts the exports in a way consistent with how they were exported. For instance, if a directory was exported read-only (the ro export option), mounting it read-write on the client will not give you write access: the server enforces its export options, and every write will fail with a read-only file system error.

Rohit Girhotra is a 22-year-old B.Engg. student at NSIT, New Delhi.
