Best practices for NFS over VPN?


Post by VRR » Mon Apr 20, 2020 2:11 pm

I have an NFS share I'd like to serve over the VPN. On my clients, I tried using an UP and a DOWN script to manage the NFS mount, but it's not working as I expect.

In my UP script, I have the mount command for the NFS share...the odd thing is that while the script runs as root (an "id" command in the script reveals UID 0, GID 0), I'm getting a "not permitted" error from the mount command. Running the same mount command outside the OpenVPN UP script works fine, as does running it inside the script with an "at now +1 minute" wrapper.

Same is true in my DOWN script. We check the mounted filesystems for any mounted on the VPN subnet, and try to automatically unmount them as OpenVPN stops. The "umount" command fails on the same "not permitted" error, even though the script seems to be running as root.

Also, we tried adding "/bin/mount" and "/bin/umount" to SUDO such that anyone can mount/unmount filesystems (yes, we know the risks). I can log in with a user account having no special privileges and "sudo mount" or "sudo umount" work fine...but using these same commands in my OpenVPN UP and DOWN scripts still gives me a "not permitted" error.

I'm thinking that mount/unmount must be doing some sort of network I/O that lands in OpenVPN code, and OpenVPN returns an EPERM error because my scripts are running. Does this sound likely?

Whatever the cause, is there another way to do what I want?

Running Ubuntu Linux 18.04 with OpenVPN 2.3.10.


Post by TinCanTech » Mon Apr 20, 2020 2:22 pm

VRR wrote: Mon Apr 20, 2020 2:11 pm
    Running Ubuntu Linux 18.04 with OpenVPN 2.3.10.

2.3.10 is 4+ years old and OpenVPN is a very active project ..

As for your scripts:
  • OpenVPN does not pass the normal environment to scripts
  • Scripts have a security setting parameter --script-security

It is probably best to follow our "Howto ask for help" guide:
viewtopic.php?f=30&t=22603#p68963
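
A diagnostic that can be called from the UP script to record what the hook process really has: its uid, its PATH, and whether CAP_SYS_ADMIN (the capability mount(2) and umount(2) require) is in its effective and bounding sets, since uid 0 alone does not guarantee it. This is an added example, not code from either poster; that a capability restriction explains the error is an assumption the thread does not confirm, and the script name and log path are hypothetical.

```shell
#!/bin/sh
# Added diagnostic example, not from the thread. Intended use: call it from
# the OpenVPN up script (user scripts need --script-security 2 or higher).

CAP_SYS_ADMIN=21   # capability bit number that mount(2)/umount(2) require

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
has_cap() {
    [ -n "$1" ] && [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# cap_mask FIELD [STATUS_FILE] -> prints the hex mask for CapEff, CapBnd, ...
cap_mask() {
    awk -v f="$1:" '$1 == f { print $2 }' "${2:-/proc/self/status}"
}

# report [STATUS_FILE] -> identity and PATH, then one line per capability set
report() {
    echo "uid=$(id -u) gid=$(id -g) PATH=${PATH:-<unset>}"
    for field in CapEff CapBnd; do
        mask=$(cap_mask "$field" "$1")
        if has_cap "$mask" "$CAP_SYS_ADMIN"; then
            echo "$field=$mask CAP_SYS_ADMIN=present"
        else
            # Without the bit in CapEff, mount fails with EPERM even for uid 0;
            # without it in CapBnd, sudo cannot regain it either.
            echo "$field=$mask CAP_SYS_ADMIN=MISSING"
        fi
    done
}

# Hypothetical file name and log path; runs only when executed as the hook,
# not when this file is sourced.
case "$0" in
    *nfs-hook-diag*) report >> "${DIAG_LOG:-/tmp/nfs-hook-diag.log}" 2>&1 ;;
esac
```

Running the same script from an interactive root shell and comparing the two log entries shows whether the hook's environment or capability sets differ from the shell where the mount succeeds.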
