# Tunnel nfs through ssh



## bbzz (Mar 13, 2012)

Is it possible, on FreeBSD, to tunnel nfs over ssh using multiple tunnels, and how? I would prefer to keep only the ssh port open to the Internet, and using a vpn is not currently possible.


----------



## SirDice (Mar 14, 2012)

There's a solution here (about half way down, section 6.4): http://nfs.sourceforge.net/nfs-howto/ar01s06.html

(The NFS options in /etc/fstab might need a little 'translation' to FreeBSD)


----------



## bbzz (Mar 14, 2012)

Thanks. I tried that before but it fails; this is what I did:

Make server mountd listen on 32767. Then on client:

```
ssh bbzz@A.B.C.D -v -p8022 -N -L 5000:localhost:2049 sleep 60m
ssh bbzz@A.B.C.D -v -p8022 -N -L 5001:localhost:32767 sleep 60m
```

Then add entry in fstab:

```
localhost:/storage/data /media nfs ro,hard,intr,port=5000,mountport=5001 0 0
```

and then mount.

Also tried:
```
sudo mount_nfs -o port=5000,mountport=5001,tcp localhost:/storage/data /media
```

In any case end result is:

```
[tcp] localhost:/storage/data: RPCMNT: clnt_create: RPC: Port mapper failure - RPC: Timed out
```


----------



## bbzz (Mar 15, 2012)

Any other suggestions? Is this possible at all? I understand there could be some issue due to RPC dynamic bindings.


----------



## SirDice (Mar 15, 2012)

To be honest I've tried to do the same thing some time ago. Never got it to work and ended up using something else.

It should be possible but I think the dynamic nature of NFS (regarding network ports) makes it rather difficult to pull off.


----------



## bbzz (May 11, 2012)

I guess nobody remembered we could use *nfsv4* and make this easy.


----------



## wblock@ (May 16, 2012)

How? Incidentally, security/openvpn could be another option with some advantages over SSH tunnels.


----------



## bbzz (May 16, 2012)

Well, NFSv4 now combines features into a single RPC, so you only need one port.

With older NFS versions, you needed another tunnel to make it really work. I never got it to work with older versions (which is not to say it's impossible).

But, with NFSv4 you just need one, something like:
`% ssh -2 -f -N -L 3049:127.0.0.1:2049 bbzz@a.b.c.d`

Now I could mount the package directory of my building server with say:
`# mount -o nfsv4 -o port=3049 localhost:/usr/ports/packages /mnt`

A couple of nice things: first, since the user created the tunnel, this could ease some administration, which now doesn't need direct root (obvious, but nice).

Also, since ssh initiates its own connection sourced from a tunnel endpoint, server security can be tightened even more to accept connections from, say, only 127.0.0.1.


----------



## Rastko (Feb 4, 2018)

old thread, but a new (?) idea

how about doing this?


```
# Ask the server's portmapper for the mountd TCP port (version 1 entry)
MOUNTDPORT=$(ssh user@server rpcinfo -p | awk '/.* 1 .*tcp.*mountd/ {print $4}')
# Background tunnel to that port; "localport" is a placeholder
ssh -f -N -L localport:server:${MOUNTDPORT} user@server
```


----------
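The port lookup from the last post, extended to cover both `nfs` and `mountd`, as an added example that is not part of the original thread. The helper names `rpc_port` and `forward_args`, the sample `rpcinfo -p` table and `user@server` are assumptions made for illustration; the forwards are bound to 127.0.0.1 on both ends, matching the loopback-only point made earlier in the thread.

```shell
#!/bin/sh
# Added example, not code from the thread. rpc_port and forward_args are
# hypothetical helper names.

# rpc_port SERVICE PROTO: read `rpcinfo -p` output on stdin and print the port
# registered for SERVICE over PROTO. Fails if the service is missing or is
# registered on more than one port, rather than guessing.
rpc_port() {
    awk -v svc="$1" -v proto="$2" '
        $3 == proto && $5 == svc && !seen[$4]++ { ports[++n] = $4 }
        END { if (n != 1) exit 1; print ports[1] }'
}

# forward_args LOCAL_BASE: read `rpcinfo -p` output on stdin and print the
# ssh -L arguments for nfs (LOCAL_BASE) and mountd (LOCAL_BASE + 1).
# Both ends are 127.0.0.1, so the tunnel is not exposed to other hosts on the
# client network and the server only sees connections from its own loopback.
forward_args() {
    base=$1
    table=$(cat)
    nfs=$(printf '%s\n' "$table" | rpc_port nfs tcp) || return 1
    mnt=$(printf '%s\n' "$table" | rpc_port mountd tcp) || return 1
    printf '%s\n' "-L 127.0.0.1:${base}:127.0.0.1:${nfs} -L 127.0.0.1:$((base + 1)):127.0.0.1:${mnt}"
}

# Constructed sample of `rpcinfo -p` output (not captured from a real host).
SAMPLE='   program vers proto   port  service
    100000    4   tcp    111  rpcbind
    100000    3   udp    111  rpcbind
    100005    1   udp    892  mountd
    100005    3   udp    892  mountd
    100005    1   tcp    892  mountd
    100005    3   tcp    892  mountd
    100003    2   tcp   2049  nfs
    100003    3   tcp   2049  nfs'

# Against a real server (user@server is a placeholder) this would be:
#   ssh -f -N $(ssh user@server rpcinfo -p | forward_args 5000) user@server
# followed by a mount using port=5000,mountport=5001 as in the fstab line above.
printf '%s\n' "$SAMPLE" | forward_args 5000
```
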

