As I already had certificates set up for my home network, including a private CA, I gave it a try and wanted to share the steps here in case someone is interested.
Basically what is described at the Arch wiki.
Prerequisites:
Code:
CA file
Server certificate + key file: server_signed.pem server.key
Client certificate + key file: client_signed.pem client.key (in case of mTLS)

I used https://github.com/oracle/ktls-utils/
and created this wish-bug (with attached git ebuild for openrc, adaptation to systemd should not be too hard)
https://bugs.gentoo.org/942003
Configuration of /etc/tlshd.conf (from ktls-utils, NFS Server)
Code:
[debug]
loglevel=0
tls=0
nl=0
[authenticate]
[authenticate.server]
x509.truststore= /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/server_signed.pem
x509.private_key= /etc/nfs-certs/server.key

Configuration of /etc/tlshd.conf (from ktls-utils, NFS Client)
Code:
[debug]
loglevel=0
tls=0
nl=0
[authenticate]
[authenticate.client]
x509.truststore= /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/client_signed.pem
x509.private_key= /etc/nfs-certs/client.key
[authenticate.server]

e.g. rc-update add tlshd default

Configuration of NFS (/etc/conf.d/nfs.conf for openrc, NFS Server)
Code:
OPTS_RPC_NFSD="8 -V 4 -V 4.2"

Configuration of exports (NFS server)
add
Code:
xprtsec=mtls

Configuration of fstab (or options to mount, NFS client)
Code:
server:/mnt/test /mnt/test nfs nofail,auto,rw,soft,_netdev,sec=sys,xprtsec=mtls 0 0

Ensure that NFS 4.2 is available (the kernel should be 6.5 or newer) and enable kernel TLS.
The only option I had missing was
Code:
CONFIG_TLS

Application:
umount on client
adapt configurations on both sides.
apply on server using
exportfs -ra
/etc/init.d/nfs restart
mounting on client
On success one should also see the syslog output from tlshd,
e.g. in my auth.log:
Oct 23 14:56:48 servername tlshd[28330]: Handshake with client.domain (192.168.x.y) was successful
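
As an added check (not from the post and not part of ktls-utils), here is a small Python script that reads the two tlshd.conf files, the exports entry and the fstab line and reports where they disagree before you restart anything, e.g. an export requiring mtls while the client's [authenticate.client] section has no certificate, or an export and a mount with no xprtsec policy in common. The sample configurations are constructed from the ones above; the function names are my own, and the rule that both sides name an explicit x509.truststore mirrors the layout used in this post rather than tlshd's own defaults.

```python
"""Pre-flight consistency check for NFS over TLS: tlshd.conf on both hosts,
the export options on the server and the mount options on the client."""
import configparser
import re

# Transport security policies accepted by the xprtsec= option.
XPRTSEC_POLICIES = {"none", "tls", "mtls"}


def xprtsec_policies(options):
    """Return the set of xprtsec policies named in a comma-separated NFS
    option list. Several policies are colon-separated (xprtsec=tls:mtls);
    no xprtsec at all means the plain transport, reported here as {"none"}."""
    for opt in options.split(","):
        name, _, value = opt.strip().partition("=")
        if name == "xprtsec":
            policies = set(value.split(":"))
            unknown = policies - XPRTSEC_POLICIES
            if unknown:
                raise ValueError(f"unknown xprtsec policy: {sorted(unknown)}")
            return policies
    return {"none"}


def export_options(line):
    """Pull the option list out of an /etc/exports entry such as
    '/mnt/test client.domain(rw,xprtsec=mtls)'; empty string if none given."""
    match = re.search(r"\(([^)]*)\)", line)
    return match.group(1) if match else ""


def fstab_options(line):
    """Return the fourth (mount options) field of an fstab line."""
    fields = line.split()
    if len(fields) < 4:
        raise ValueError("fstab line needs at least four fields")
    return fields[3]


def tlshd_x509(conf_text, role):
    """Return the x509.* settings from [authenticate.<role>] of a tlshd.conf."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    section = f"authenticate.{role}"
    if not cp.has_section(section):
        return {}
    return {k: v.strip() for k, v in cp.items(section) if k.startswith("x509.")}


def check_setup(server_conf, client_conf, exports_line, fstab_line):
    """Return a list of problems; an empty list means the four pieces agree."""
    problems = []
    srv_pol = xprtsec_policies(export_options(exports_line))
    cli_pol = xprtsec_policies(fstab_options(fstab_line))
    if not srv_pol & cli_pol:
        problems.append(f"no xprtsec policy in common: export {sorted(srv_pol)}, "
                        f"mount {sorted(cli_pol)}")
    srv = tlshd_x509(server_conf, "server")
    cli = tlshd_x509(client_conf, "client")
    if srv_pol - {"none"}:
        # Any TLS policy on the export needs a server certificate to present.
        for key in ("x509.certificate", "x509.private_key"):
            if key not in srv:
                problems.append(f"server tlshd.conf lacks {key} in [authenticate.server]")
    if cli_pol - {"none"} and "x509.truststore" not in cli:
        problems.append("client tlshd.conf lacks x509.truststore, so it cannot verify the server")
    if "mtls" in srv_pol or "mtls" in cli_pol:
        # mTLS: the server verifies the client, so the client must present a cert.
        if "x509.truststore" not in srv:
            problems.append("server tlshd.conf lacks x509.truststore in [authenticate.server]")
        for key in ("x509.certificate", "x509.private_key"):
            if key not in cli:
                problems.append(f"client tlshd.conf lacks {key} in [authenticate.client]")
    return problems


# Constructed sample input, mirroring the configurations given in the post.
SERVER_TLSHD_CONF = """[debug]
loglevel=0
tls=0
nl=0
[authenticate]
[authenticate.server]
x509.truststore= /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/server_signed.pem
x509.private_key= /etc/nfs-certs/server.key
"""
CLIENT_TLSHD_CONF = """[debug]
loglevel=0
tls=0
nl=0
[authenticate]
[authenticate.client]
x509.truststore= /etc/nfs-certs/ca-cert.pem
x509.certificate= /etc/nfs-certs/client_signed.pem
x509.private_key= /etc/nfs-certs/client.key
[authenticate.server]
"""
EXPORTS_LINE = "/mnt/test client.domain(rw,xprtsec=mtls)"
FSTAB_LINE = "server:/mnt/test /mnt/test nfs nofail,auto,rw,soft,_netdev,sec=sys,xprtsec=mtls 0 0"

if __name__ == "__main__":
    for line in check_setup(SERVER_TLSHD_CONF, CLIENT_TLSHD_CONF, EXPORTS_LINE, FSTAB_LINE) \
            or ["configuration is consistent"]:
        print(line)
```

Run it with the real files substituted for the constructed strings; any line it prints is something to fix before the exportfs -ra / nfs restart step, since a mismatch here shows up on the client only as a mount that hangs or is denied, and in tlshd's log as a failed handshake.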
