ix2-dl offers many ways to connect to it, but none of them can provide such a seamless experience for Linux computers as NFS:
The problem with NFS is that without a Domain Controller that can provide Kerberos authentication somewhere on the LAN, NFS is horribly insecure. All you have to do to infiltrate the storage is somehow connect to the LAN. Once you are in, it is trivial to steal everything from un-authenticated NFS shares.
It is possible to set up Samba4 as a Domain Controller that will provide Active Directory and Kerberos services:
The set up procedure is not trivial unfortunately, and would result in a complication of my infrastructure that I was not willing to deal with.
Windows File Sharing (CIFS)
CIFS shares are attractive, b/c they have built in password authentication. I have tried using CIFS mounts, but quickly rejected the idea b/c the shares were much slower than NFS, did not allow symlinks and did not allow fine grained ownership control of files under one share.
This ended up being the best and simplest option that allows me to have complete and seamless integration of my shares and best possible security.
The idea is to completely turn off all security on the NFS share, including no_root_squash, and then export the shares exclusively over the VPN subnet. Here’s an example, with an additional read-only export for the local wired net:
Before you can follow these instructions, you must first enable SSH access to the NAS, connect to package repositories and tie into the boot process. All of this is described in my previous posts:
Install OpenVPN package and dependencies:
# ipkg install openvpn
- Comment out the tunnel driver and “return 0” line. It’s important to make sure that this script does not try to insert the module, b/c module tun is already compiled into the kernel on this distro
- Specify correct file name for --config (lan-server.conf)
Add the startup script to /etc/rc.local:
# Start OpenVPN echo 'Starting OpenVPN server...' /opt/etc/init.d/S20openvpn
Note: in order for this to work, you must first modify the distro’s boot process as described in the previous section.
OpenVPN Server Configuration
I will provide my config as an example.
# Configure server mode and supply a VPN subnet # for OpenVPN to draw client addresses from. # The server will take 192.168.129.1 for itself, # the rest will be made available to clients. # Each client will be able to reach the server # on 192.168.129.1 # server 192.168.129.0 255.255.255.224 daemon # Which TCP/UDP port should OpenVPN listen on? port 1194 # TCP or UDP server? ;proto tcp proto udp # By increasing the MTU size of the tun adapter and by disabling # OpenVPN's internal fragmentation routines the throughput can be # increased quite dramatically. The reason behind this is that by # feeding larger packets to the OpenSSL encryption and decryption # routines the performance will go up. The second advantage of not # internally fragmenting packets is that this is left to the operating # system and to the kernel network device drivers. tun-mtu 9000 fragment 0 mssfix 0 # "dev tun" will create a routed IP tunnel, dev tun0 # SSL/TLS root certificate (ca), certificate # (cert), and private key (key). Each client # and the server must have their own cert and # key file. The server and all clients will # use the same ca file. # # See the "easy-rsa" directory for a series # of scripts for generating RSA certificates # and private keys. Remember to use # a unique Common Name for the server # and each of the client certificates. # # Any X509 key management system can be used. # OpenVPN can also use a PKCS #12 formatted key file # (see "pkcs12" directive in man page). ca /etc/ssl/certs/VACE-LAN-CA-Chain.crt cert /etc/ssl/certs/nas-lan-server.crt key /etc/ssl/private/nas.key # Diffie hellman parameters. # Generate your own with: # openssl dhparam -out dh1024.pem 1024 dh /etc/ssl/private/dh1024.pem # Maintain a record of client virtual IP address # associations in this file. If OpenVPN goes down or # is restarted, reconnecting clients can be assigned # the same virtual IP address from the pool that was # previously assigned. ifconfig-pool-persist /opt/var/openvpn/lan-ipp.txt # The keepalive directive causes ping-like # messages to be sent back and forth over # the link so that each side knows when # the other side has gone down. # Ping every 10 seconds, assume that remote # peer is down if no ping received during # a 120 second time period. keepalive 10 120 # Enable compression on the VPN link. # If you enable it here, you must also # enable it in the client config file. comp-lzo # The maximum number of concurrently connected # clients we want to allow. max-clients 3 # It's a good idea to reduce the OpenVPN # daemon's privileges after initialization. # The persist options will try to avoid # accessing certain resources on restart # that may no longer be accessible because # of the privilege downgrade. persist-key persist-tun # Output a short status file showing # current connections, truncated # and rewritten every minute. status /opt/var/openvpn/lan-status.log # By default, log messages will go to the syslog (or # on Windows, if running as a service, they will go to # the "\Program Files\OpenVPN\log" directory). # Use log or log-append to override this default. # "log" will truncate the log file on OpenVPN startup, # while "log-append" will append to it. Use one # or the other (but not both). ;log openvpn.log log-append /opt/var/openvpn/lan-server.log writepid /opt/var/openvpn/lan-server.pid # Set the appropriate level of log # file verbosity. # # 0 is silent, except for fatal errors # 4 is reasonable for general usage # 5 and 6 can help to debug connection problems # 9 is extremely verbose verb 4 # Silence repeating messages. At most 20 # sequential messages of the same message # category will be output to the log. mute 20
Pay close attention to the comment on tun-mtu. These settings significantly speed up the tunnel.
OpenVPN Client Configuration
daemon client remote nas dev tun port 1194 proto udp # By increasing the MTU size of the tun adapter and by disabling # OpenVPN's internal fragmentation routines the throughput can be # increased quite dramatically. The reason behind this is that by # feeding larger packets to the OpenSSL encryption and decryption # routines the performance will go up. The second advantage of not # internally fragmenting packets is that this is left to the operating # system and to the kernel network device drivers. tun-mtu 9000 fragment 0 mssfix 0 log-append /var/log/openvpn/nas-client.log # Downgrade privileges after initialization (non-Windows only) user nobody group nogroup # Try to preserve some state across restarts. persist-key persist-tun # SSL/TLS parms. # See the server config file for more # description. It's best to use # a separate .crt/.key file pair # for each client. A single ca # file can be used for all clients. ca /etc/ssl/certs/VACE-LAN-CA-Chain.crt cert /etc/ssl/certs/boss-lan-client.crt key /etc/ssl/private/boss.key # Enable compression on the VPN link. # Don't enable this unless it is also # enabled in the server config file. comp-lzo # Set log file verbosity. verb 4 # Silence repeating messages mute 20
Mounting NFS shares
That’s pretty much it! Now you can mount the NFS shares from the client like so:
nas_tunnel:/nfs/music /mnt/nas/music nfs rw,auto 0 0 nas_tunnel:/nfs/video /mnt/nas/video nfs rw,auto 0 0 nas_tunnel:/nfs/programs /mnt/nas/programs nfs rw,auto 0 0 nas_tunnel:/nfs/work /mnt/nas/work nfs rw,auto 0 0 nas_tunnel:/nfs/pictures /mnt/nas/pictures nfs rw,auto 0 0
Where nas_tunnel = 192.168.129.1