Score:2

Make NFS server listen only on a specific interface

ru flag
mat

I am trying to run an NFS server (nfs-kernel-server package) on an Ubuntu 20.04 machine and want to make it accessible only via VPN.

I have set the appropriate IP address in the /etc/exports file and my firewall. Nevertheless, the rpc.mountd daemon is still listening on all interfaces (0.0.0.0 and ::). As a defense-in-depth measure, I would like to restrict it further so that it only listens for connections on the VPN network device.

How can I configure that?

djdomi avatar
za flag
I did not find any way to do so; however, maybe you can also look at this question, which is similar to yours, [on stackexchange](https://unix.stackexchange.com/questions/210772/nfs-share-with-custom-interface)
Score:2
cn flag

In Ubuntu 22.04 (and possibly earlier), the way to do this is by dropping a configuration file in /etc/nfs.conf.d/:

```
# /etc/nfs.conf.d/interfaces.conf
[nfsd]
host=hostname-or-ip-to-listen-on
```

The nfs.conf(5) man page documents this.

Score:2
gh flag

Ubuntu and Debian have the configuration in

/etc/default/nfs-kernel-server

You can restrict it using

RPCNFSDOPTS="-H 10.0.40.72"
Score:2
cm flag

Quoting nfsd(8):

```
OPTIONS
       -d  or  --debug
              enable logging of debugging messages

       -H  or  --host hostname
              specify a particular hostname (or address) that NFS requests will be accepted on. By default, rpc.nfsd will accept NFS requests on all known network addresses.  Note that lockd (which performs file locking services for NFS) may still accept request on all known network addresses.  This may change in future releases of the Linux Kernel. This option can be used multiple time to listen to more than one interface.

       -p  or  --port port
              specify a different port to listen on for NFS requests. By default, rpc.nfsd will listen on port 2049.
```
ru flag
mat
Do you also happen to know the configuration file where this can be configured?
de flag
This can be defined in the **/etc/nfs.conf** file under the `[nfsd]` section.
ru flag
mat
Are you sure this is supposed to work in Ubuntu? I found that tip in the Arch-Wiki, too, but it didn't do anything on my machine.
Score:1
bw flag

Neither the configuration in /etc/nfs.conf / /etc/nfs.conf.d/* nor the RPCNFSDOPTS specified in /etc/default/nfs-kernel-server affects the interfaces on which rpc.mountd will listen. So none of the other answers here actually answer the original question, which was about restricting access to rpc.mountd to a specific interface.

The man page of rpc.mountd does NOT list an option that performs the required restriction. Instead, it recommends using either the tcp_wrapper library or the kernel firewall iptables for that purpose.

However, with most systems having already migrated to NFS protocol version 4, there is an easier solution: NFSv4 does not need rpc.mountd anymore. An explanation of how to do that can be found towards the bottom of this page: https://wiki.debian.org/NFSServerSetup

So, to restrict NFS access to NFSv4 on a local interface, do the following on recent Ubuntu / Debian servers:

```
systemctl stop nfs-kernel-server.service
systemctl stop rpcbind.service
systemctl mask rpcbind.service
systemctl mask rpcbind.socket

vi /etc/default/nfs-common
    NEED_STATD="no"
    NEED_IDMAPD="yes"

vi /etc/default/nfs-kernel-server
    RPCNFSDOPTS="-H YOUR-LOCAL-IP-YOU-WANT-TO-BIND-TO -N 2 -N 3"
    RPCMOUNTDOPTS="--manage-gids -N 2 -N 3"

systemctl start nfs-kernel-server.service
```

Of the four configuration options listed here (NEED_STATD, NEED_IDMAPD, RPCNFSDOPTS and RPCMOUNTDOPTS), you will find only the last one already defined in the default versions of those files as shipped with Debian or Ubuntu. Make sure to edit RPCMOUNTDOPTS appropriately and to add the other three. Of course, you may freely choose another editor instead of vi.

Before masking rpcbind.service with systemctl (which pretends that it is started, though it is not), make sure that no other service on your machine needs it.
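
A way to check the result of the steps above, as an added example that is not part of the original answer: the function filters `ss -H -tulnp` output for NFS-related sockets still bound to a wildcard address. The function name, the sample lines and the VPN address 10.8.0.1 are constructed for illustration; port 111 for rpcbind is assumed as the standard portmapper port.

```shell
#!/bin/sh
# Added example: report NFS-related sockets bound to a wildcard address.
# Input: lines in the format of `ss -H -tulnp` (run as root so the
# process column is filled in for rpc.mountd, rpc.statd and rpcbind).
nfs_wildcard_listeners() {
    awk '
    {
        laddr = $5
        port = laddr; sub(/.*:/, "", port)       # text after the last colon
        addr = laddr; sub(/:[^:]*$/, "", addr)   # text before the last colon
        sub(/%.*/, "", addr)                     # drop an interface scope such as %eth0
        wildcard = (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
        # nfsd runs in the kernel and has no process entry, so match port 2049;
        # rpcbind is matched on port 111 or by name; rpc.mountd and rpc.statd
        # are matched by name because their ports are dynamic unless pinned.
        nfs = (port == "2049" || port == "111" || $0 ~ /"(rpc\.mountd|rpc\.statd|rpcbind)"/)
        if (wildcard && nfs) print $1, laddr
    }'
}

# Constructed sample: nfsd bound to the VPN address with -H, helpers still on all interfaces.
SAMPLE_BEFORE='tcp LISTEN 0 64 10.8.0.1:2049 0.0.0.0:*
tcp LISTEN 0 4096 0.0.0.0:111 0.0.0.0:* users:(("rpcbind",pid=812,fd=4))
udp UNCONN 0 0 0.0.0.0:41987 0.0.0.0:* users:(("rpc.mountd",pid=1033,fd=8))
tcp LISTEN 0 4096 [::]:20048 [::]:* users:(("rpc.mountd",pid=1033,fd=11))
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

# Constructed sample: state expected after the NFSv4-only steps (rpcbind masked, no mountd sockets).
SAMPLE_AFTER='tcp LISTEN 0 64 10.8.0.1:2049 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=900,fd=3))'

echo "before:"; printf '%s\n' "$SAMPLE_BEFORE" | nfs_wildcard_listeners
echo "after:";  printf '%s\n' "$SAMPLE_AFTER"  | nfs_wildcard_listeners

# On a live server, as root:  ss -H -tulnp | nfs_wildcard_listeners
```

An empty result means no NFS-related socket is bound to all interfaces; any printed line names the protocol and the local address that still needs attention.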
