NFS over wireguard on Ubuntu. Mounting fails with error: "reason given by server: no such file or directory"

I have set up a WireGuard VPN network, 192.168.6.x. The network topology (if that is the correct term) is:

  [client] ----- VPN ---- [VPN server] ----- Local net-----[NFS&SSH server]
  [192.168.6.32]          [192.168.6.21]                   [192.168.2.93]
                          [192.168.2.1]

The client (Ubuntu 18.04) is connected to the Internet using a different ISP than the VPN server (Ubuntu 22.04). I mean the public IP addresses of the client and the VPN server are different, and the two nets are not connected in any other way than through WireGuard. It works fine when using ssh from the client, as in ssh [email protected]. However, I am having problems with NFS. I suspect some config lines in the NFS config files.

On client, I have /etc/fstab entry as follows:

  192.168.6.21:/home/john/someDir  /someDir nfs auto,nofail,noatime,nolock,intr,tcp,actimeo=1800 0 0

When I do a sudo mount -a, it simply hangs. But when I execute:

  sudo mount -t nfs -o vers=4.2 192.168.6.21:/home/john/someDir   /someDir

It complains:

 mount.nfs: mounting 192.168.6.21:/home/john/someDir failed, reason given by server: No such file or directory

NFS-related iptables rules on VPN Server:

  #NFS TCP port forwarding
  iptables -t nat -A PREROUTING   -d 192.168.6.21  -p tcp --dport 2049 -j DNAT --to-destination 192.168.2.93:2049
  iptables -t nat -A POSTROUTING  -s 192.168.2.93 -p tcp --sport 2049 -j SNAT --to-source 192.168.6.21

  #NFS TCP mountd port forwarding. Needed by NFS
  iptables -t nat -A PREROUTING   -d 192.168.6.21  -p tcp --dport 50022 -j DNAT --to-destination 192.168.2.93:50022
  iptables -t nat -A POSTROUTING  -s 192.168.2.93 -p tcp --sport 50022 -j SNAT --to-source 192.168.6.21

  #NFS UDP port forwarding
  iptables -t nat -A PREROUTING   -d 192.168.6.21  -p udp --dport 2049 -j DNAT --to-destination 192.168.2.93:2049
  iptables -t nat -A POSTROUTING  -s 192.168.2.93 -p udp --sport 2049 -j SNAT --to-source 192.168.6.21

  #NFS UDP mountd port forwarding. Needed by NFS
  iptables -t nat -A PREROUTING   -d 192.168.6.21  -p udp --dport 50022 -j DNAT --to-destination 192.168.2.93:50022
  iptables -t nat -A POSTROUTING  -s 192.168.2.93 -p udp --sport 50022 -j SNAT --to-source 192.168.6.21

nfs-kernel-server on NFS&SSH Server:

  # Number of servers to start up
  RPCNFSDCOUNT=8

  # Runtime priority of server (see nice(1))
  RPCNFSDPRIORITY=0

  # Options for rpc.mountd.
  # If you have a port-based firewall, you might want to set up
  # a fixed port here using the --port option. For more information, 
  # see rpc.mountd(8) or http://wiki.debian.org/SecuringNFS
  # To disable NFSv4 on the server, specify '--no-nfs-version 4' here
  #RPCMOUNTDOPTS="--manage-gids"
  RPCMOUNTDOPTS="--manage-gids -N 2 -N 3 -H 192.168.2.93 --port 50022"


  #New added
  RPCNFSDOPTS="-N 2 -N 3"

  # Do you want to start the svcgssd daemon? It is only required for Kerberos
  # exports. Valid alternatives are "yes" and "no"; the default is "no".
  NEED_SVCGSSD=""

  # Options for rpc.svcgssd.
  RPCSVCGSSDOPTS=""

Only uncommented entries in /etc/exports are:

 /home/john/someDir  192.168.2.0/24(ro,sync,fsid=0,no_subtree_check)
 /home/john/someDir  192.168.6.0/24(ro,sync,fsid=0,no_subtree_check)

Only uncommented entries in /etc/nfs.conf are:

  [general]
  pipefs-directory=/run/rpc_pipefs

  [mountd]
  # debug=0
  manage-gids=y

One more observation: When I configured the VPN server as an NFS client, it is able to see the NFS folders exported from the NFS&SSH server. I did this only for testing, to see that the basic NFS setting is correct.

shodanshok: Please show `cat /etc/exports` on the NFS server. Also, I would avoid NAT - rather, set up your VPN to route the 192.168.2.x network behind your `wg` interfaces.
Sunny: @shodanshok I have added /etc/exports content. Will look into your other suggestion.
Sunny: @shodanshok I am new to setting up wireguard or any VPN. Is your suggestion that I set up the 192.168.2.x network as local net 192.168.6.x with only the VPN server having wireguard installed as local traffic may not need to be encrypted? Thanks for your comments.
shodanshok: Your `/etc/exports` seems fine. What I mean is to add a client route similar to `route add 192.168.2.0/24 gw <wg0_ip>` and set up your VPN server to route received packets (via `sysctl -w net.ipv4.ip_forward=1` and appropriate firewall rules).
Sunny: @shodanshok am I missing any NFS-related port forwarding? The error is coming from the NFS&SSH server? ssh works over wireguard. NFS for the same exported directory works over local network. Can you give me some pointers to debug further?
shodanshok: As stated above, I would not use NAT. That said, the only thing I can suggest is to use `tcpdump` to sniff packets exchanged by both ends.
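
One thing worth checking against the exports in the question, shown as an added example that is not part of the original thread: under NFSv4 an export marked `fsid=0` becomes the root of the server's pseudo-filesystem, and the path a client requests is resolved relative to it. The helper names `nfs4_root` and `nfs4_path` and the embedded sample file are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): which path must an NFSv4 client request
# when the server's exports contain an fsid=0 (pseudo-root) entry?

# Constructed sample mirroring the /etc/exports lines quoted in the question.
sample_exports() {
  cat <<'EOF'
# /srv/unused  *(rw)
/home/john/someDir  192.168.2.0/24(ro,sync,fsid=0,no_subtree_check)
/home/john/someDir  192.168.6.0/24(ro,sync,fsid=0,no_subtree_check)
EOF
}

# Read exports on stdin; print the first directory exported with fsid=0/root.
nfs4_root() {
  awk '!/^[[:space:]]*#/ && /[(,]fsid=(0|root)[,)]/ { print $1; exit }'
}

# nfs4_path SERVER_SIDE_PATH   (exports file on stdin)
# Prints the path to put after "server:" in an NFSv4 mount.
# Returns 1 when the path lies outside the pseudo-root and cannot be reached.
nfs4_path() {
  local want=${1%/} root
  root=$(nfs4_root)
  root=${root%/}
  if [ -z "$root" ]; then          # no fsid=0 export: the full server path is used
    printf '%s\n' "${want:-/}"
    return 0
  fi
  case "$want" in
    "$root")   printf '/\n' ;;                      # the pseudo-root itself
    "$root"/*) printf '%s\n' "${want#"$root"}" ;;   # path relative to the root
    *)         return 1 ;;
  esac
}

# Demo on the constructed sample.
sample_exports | nfs4_path /home/john/someDir
```

For the exports quoted in the question this yields `/`, so the NFSv4 form of the mount source would be `192.168.6.21:/` rather than the full server-side path; on the real server, feed it `/etc/exports` instead of the sample.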