Set Up a Secure NFS Server on VPS

Configure Secure NFS File Shares for Backups and Media

Running NFS shares on a VPS is an efficient way to centralize backups and media storage across multiple Linux servers. With a secure NFS server on a VPS, you can share dedicated folders for backups and media and make sure only specific, trusted servers are allowed to access them.

In this guide from PerLod Hosting, you will learn to build a secure NFS setup, from the basic installation to hardened exports designed specifically for backups and media.

When to Use an NFS Server on VPS?

Before you start, decide whether NFS is actually a good fit for your VPS setup. This section covers the situations where NFS on a VPS works well and the cases where you should avoid it or choose a different method.

You can use NFS when:

  • You have Linux backup or media servers that need a shared network filesystem.
  • You control both the VPS and the client over a VPN or a private network.

Avoid using NFS when:

  • You must expose it directly to the public internet, which is a security risk.
  • You need Windows sharing. You can use SMB instead.

Tip: If you need a dedicated node just for storage, you can use a Storage VPS and keep NFS traffic on a private network only.

Prerequisites for Setting up NFS Shares on VPS

Before starting the NFS server setup, make sure to meet these requirements:

  • Server: An Ubuntu 22.04 or 24.04 VPS with root or sudo access.
  • Client: A Linux system like Ubuntu, Debian, or a RHEL-based distro.
  • Network: A private network or VPN connection between the VPS and the client. It is strongly recommended for NFS security.

Once you are done, proceed to the following steps to set up the NFS server on VPS.

Install NFS Server

On your Ubuntu VPS, run the system update with the command below:

sudo apt update && sudo apt upgrade -y

Use the command below to install the NFS server:

sudo apt install nfs-kernel-server -y

This command installs the core NFS server tools.

Create NFS Share Directories

At this point, you must decide what folders you actually want to share with the network. We want to create two dedicated directories on the VPS, one for backups and one for media:

  • /mnt/nfs/backups: For backup jobs such as restic, borg, rsync, etc.
  • /mnt/nfs/media: For media libraries such as Plex, Jellyfin, etc.

sudo mkdir -p /mnt/nfs/backups
sudo mkdir -p /mnt/nfs/media

Set the correct ownership and permissions for the directories:

sudo chown nobody:nogroup /mnt/nfs/backups /mnt/nfs/media
sudo chmod 775 /mnt/nfs/backups /mnt/nfs/media

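The chown nobody:nogroup command changes ownership to a non-privileged user and group. This follows common NFS security guidelines and pairs with the root_squash export option used below, which maps remote root users to an unprivileged account instead of giving them full root access on the server.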

Configure NFS Exports

At this point, you must define which directories to share, who can access them, and their permission levels.

Edit the default configuration file for the NFS server:

sudo nano /etc/exports

Add the following lines to the file and replace the CLIENT_IP with your actual client server’s IP address:

/mnt/nfs/backups CLIENT_IP(rw,sync,no_subtree_check,root_squash)
/mnt/nfs/media CLIENT_IP(ro,sync,no_subtree_check,root_squash)

Option explanations:

  • rw and ro: Allows Read and Write for backups and Read-Only for media to prevent accidental deletion.
  • sync: Forces changes to be written to disk before replying to the client, preventing data loss during crashes.
  • no_subtree_check: Disables subtree checking to improve reliability when files are renamed while open.
  • root_squash: Secures the server by mapping client root users to an unprivileged account (nobody).

Apply your configuration changes, then restart NFS and enable it at boot:

sudo exportfs -arv
sudo systemctl restart nfs-kernel-server
sudo systemctl enable nfs-kernel-server

Also, you must restrict access to your client’s IP. To do this, you can use the following UFW rule:

sudo ufw allow from CLIENT_IP to any port nfs
sudo ufw enable
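
One way to check an exports file against the options explained above before running exportfs. This is an added example, not part of the original guide; the audit_exports function name, the sample addresses and the /mnt/nfs/scratch path are constructed for illustration, and it assumes one export per line without backslash continuations.

```shell
# Added example, not from the original guide. Flags exports(5) entries that
# weaken the layout above; prints one finding per line, exits 1 if any.
audit_exports() {
    # $1: exports-format file to check (defaults to /etc/exports)
    awk '
    function report(spec, msg) { printf "%s %s: %s\n", $1, spec, msg; bad++ }
    /^[ \t]*(#|$)/ { next }                  # skip comments and blank lines
    {
        for (i = 2; i <= NF; i++) {          # $1 is the path, the rest are clients
            client = $i; opts = ""
            p = index($i, "(")
            if (p > 0) {                     # split "client(opt,opt)" apart
                client = substr($i, 1, p - 1)
                opts = substr($i, p + 1)
                sub(/\)$/, "", opts)
            }
            # An empty client comes from a stray space: "host (rw)"
            if (client == "" || client == "*" || client == "0.0.0.0/0")
                report($i, "export is open to any host")
            n = split(opts, o, ",")          # exact match, so root_squash is not
            for (j = 1; j <= n; j++) {       # mistaken for no_root_squash
                if (o[j] == "no_root_squash") report($i, "client root keeps root on the server")
                if (o[j] == "insecure") report($i, "unprivileged source ports are accepted")
                if (o[j] == "async") report($i, "replies are sent before data reaches disk")
            }
        }
    }
    END { exit (bad > 0) }
    ' "${1:-/etc/exports}"
}

# Constructed sample, not a real server configuration
sample=$(mktemp)
cat > "$sample" <<'EOF'
/mnt/nfs/backups 10.8.0.2(rw,sync,no_subtree_check,root_squash)
/mnt/nfs/media   10.8.0.2(ro,sync,no_subtree_check,root_squash) *(ro,insecure)
/mnt/nfs/scratch 10.8.0.3 (rw,async,no_root_squash)
EOF
audit_exports "$sample" || echo "Review the entries above before running exportfs -arv"
rm -f "$sample"
```

The third sample line shows the stray-space mistake: 10.8.0.3 gets only default options, while the rw,async,no_root_squash options apply to every host.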

Install and Configure the NFS Client

Once you are done with setting up the NFS server on VPS, you can log in to your client machine to set up the connection.

We assume your client machine is an Ubuntu system. Run the system update, install the NFS client, and create the local mount points:

sudo apt update
sudo apt install nfs-common -y
sudo mkdir -p /mnt/backups_client
sudo mkdir -p /mnt/media_client

Mount the NFS Shares

From the client machine, you can test the connection by mounting the shares manually. To do this, you can run the commands below:

sudo mount -t nfs SERVER_IP:/mnt/nfs/backups /mnt/backups_client
sudo mount -t nfs SERVER_IP:/mnt/nfs/media /mnt/media_client

The mount -t nfs specifies the filesystem type as NFS and maps the remote server’s directory to your local client directory.

Make NFS Mounts Persistent with fstab

In this step, you can add your NFS mounts to /etc/fstab, so they automatically mount after a reboot. This prevents your backup and media paths from disappearing when the client server restarts.

Edit the filesystem table:

sudo nano /etc/fstab

Add these lines at the bottom of the file with your NFS server’s IP:

SERVER_IP:/mnt/nfs/backups /mnt/backups_client nfs defaults,timeo=900,retrans=5,_netdev 0 0
SERVER_IP:/mnt/nfs/media /mnt/media_client nfs defaults,ro,timeo=900,retrans=5,_netdev 0 0

Once you are done, save and close the file. Verify the fstab configuration without rebooting with the command below:

sudo mount -a

This attempts to mount all filesystems listed in /etc/fstab. If the command returns no output, your configuration is correct and active.

FAQs

What does root_squash in NFS do?

It prevents a client’s root user from having root access on the server by remapping them to a low-privilege user.

Why don’t my NFS shares mount after a reboot?

Check your /etc/fstab file and ensure you added _netdev. This tells the system to wait for the network to connect before trying to mount the shares. Test your fstab file with sudo mount -a to catch errors without restarting.

Why do I get Permission denied even though the NFS share is mounted?

NFS uses UIDs and GIDs to control access. If they don’t match between server and client, access gets blocked. Make sure the same UIDs/GIDs exist on both machines. Also note that root_squash prevents the client’s root from having root access on the server.
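
One way to find the UID/GID mismatches described in this answer, as an added example that is not part of the original guide. It compares two passwd-format listings, for instance saved getent passwd output from the server and the client; the idmap_diff function name and the sample accounts are constructed for illustration.

```shell
# Added example, not from the original guide. Compares two passwd-format
# listings and prints one line per mismatch; exits 1 if any are found.
idmap_diff() {
    # $1: listing from the NFS server, $2: listing from the client
    awk -F: '
    NR == FNR { uid[$1] = $3; gid[$1] = $4; name[$3] = $1; next }   # server file
    # Same account name, different numeric IDs
    ($1 in uid) && (uid[$1] != $3 || gid[$1] != $4) {
        printf "%s: server %s:%s, client %s:%s\n", $1, uid[$1], gid[$1], $3, $4
        bad++
    }
    # Same UID, different account name: files appear owned by the wrong user
    ($3 in name) && name[$3] != $1 {
        printf "uid %s: server user %s, client user %s\n", $3, name[$3], $1
        bad++
    }
    END { exit (bad > 0) }
    ' "$1" "$2"
}

# Constructed sample listings, not taken from real hosts
srv=$(mktemp); cli=$(mktemp)
cat > "$srv" <<'EOF'
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
media:x:1001:1001::/home/media:/bin/bash
restic:x:1002:1002::/home/restic:/bin/bash
EOF
cat > "$cli" <<'EOF'
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
media:x:1002:1002::/home/media:/bin/bash
plex:x:1001:1001::/home/plex:/bin/bash
EOF
idmap_diff "$srv" "$cli" || echo "Align the accounts above on both machines"
rm -f "$srv" "$cli"
```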

Conclusion

At this point, you have a secure NFS server on your VPS, with separate exports for writable backups and safer read-only media. The key is to keep exports clean in /etc/exports and restrict access to trusted clients only.
