Can't replicate to another TrueNAS outside local network

Keven

Contributor
Joined
Aug 10, 2016
Messages
114
Hello,

I have already had a TrueNAS box at home for a long time now. I just set up a new TrueNAS box for my father and I want to set up a mutual off-site backup. Using ZFS replication seems the logical way to do it, but I can't make it work. I temporarily tried to simplify the setup to see where it's not working by doing a plain simple port-forward of port 22, but I still get an error. I'm able to SSH to my father's TrueNAS via PuTTY.

[Attached screenshots: Capture d'écran 2023-12-22 15.02.43.png, Capture d'écran 2023-12-22 15.05.40.png]


I get this error when creating SSH connection.

[EFAULT] Unable to connect to remote system: timed out
Code:
Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/keychain.py", line 563, in remote_ssh_semiautomatic_setup
    client = Client(os.path.join(re.sub("^http", "ws", data["url"]), "websocket"))
  File "/usr/local/lib/python3.9/site-packages/middlewared/client/client.py", line 286, in __init__
    self._ws.connect()
  File "/usr/local/lib/python3.9/site-packages/middlewared/client/client.py", line 124, in connect
    rv = super(WSClient, self).connect()
  File "/usr/local/lib/python3.9/site-packages/ws4py/client/__init__.py", line 216, in connect
    self.sock.connect(self.bind_addr)
  File "/usr/local/lib/python3.9/ssl.py", line 1343, in connect
    self._real_connect(addr, False)
  File "/usr/local/lib/python3.9/ssl.py", line 1330, in _real_connect
    super().connect(addr)
socket.timeout: timed out


Code:
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 139, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1251, in _call
    return await self.run_in_executor(prepared_call.executor, methodobj, *prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1156, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 985, in nf
    return f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/keychain.py", line 565, in remote_ssh_semiautomatic_setup
    raise CallError(f"Unable to connect to remote system: {e}")
middlewared.service_exception.CallError: [EFAULT] Unable to connect to remote system: timed out
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
I may be wrong on this. But if you're connecting through SSH, I think the URL field should probably not be using HTTPS schema and instead just specify the host + domain name.

Also, you'd probably want to use key instead of password based auth since you're going to be exposing this to the internet. It's much more secure. Use ed25519 or RSA with at least 3072 bits or preferably 4096 bits.
 

Keven

Contributor
Joined
Aug 10, 2016
Messages
114
What would the format be?

I already tried
https://[FQDN]
http://[FQDN]
[FQDN]


Also, I thought that's what it was set to: "private key*" "generate new"
 

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
Ahh I see now. Under "Setup Method" change it to "Normal" and it will replace the "URL" field with "Host" field. Then you can just use your FQDN.
The Semi-Automatic method probably requires you to forward the HTTPS port (443) and frankly, I wouldn't be comfortable exposing TrueNAS web UI to the internet vs SSH with keys, which is tried and true for security.
 

Keven

Contributor
Joined
Aug 10, 2016
Messages
114
When going manual it doesn't complain on the "create SSH connection" page, but when I try to navigate the folders on the destination it gives me this error

Code:
[EACCES] AuthenticationException('Authentication failed.')



Error: Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 654, in _handle_ssh_exceptions
    yield
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 409, in list_datasets
    datasets = await self.middleware.run_in_thread(list_datasets, shell)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1159, in run_in_thread
    return await self.run_in_executor(self.thread_pool_executor, method, *args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1156, in run_in_executor
    return await loop.run_in_executor(pool, functools.partial(method, *args, **kwargs))
  File "/usr/local/lib/python3.9/concurrent/futures/thread.py", line 58, in run
    result = self.fn(*self.args, **self.kwargs)
  File "/usr/local/lib/python3.9/site-packages/zettarepl/dataset/list.py", line 13, in list_datasets
    return [dataset["name"] for dataset in list_datasets_with_properties(shell, dataset, recursive)]
  File "/usr/local/lib/python3.9/site-packages/zettarepl/dataset/list.py", line 30, in list_datasets_with_properties
    output = shell.exec(args)
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/interface.py", line 92, in exec
    return self.exec_async(args, encoding, stdout).wait(timeout)
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/interface.py", line 96, in exec_async
    async_exec.run()
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/base_ssh.py", line 32, in run
    client = self.shell.get_client()
  File "/usr/local/lib/python3.9/site-packages/zettarepl/transport/base_ssh.py", line 142, in get_client
    client.connect(
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 435, in connect
    self._auth(
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 766, in _auth
    raise saved_exception
  File "/usr/local/lib/python3.9/site-packages/paramiko/client.py", line 666, in _auth
    self._transport.auth_publickey(username, pkey)
  File "/usr/local/lib/python3.9/site-packages/paramiko/transport.py", line 1634, in auth_publickey
    return self.auth_handler.wait_for_response(my_event)
  File "/usr/local/lib/python3.9/site-packages/paramiko/auth_handler.py", line 258, in wait_for_response
    raise e
paramiko.ssh_exception.AuthenticationException: Authentication failed.

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 139, in call_method
    result = await self.middleware._call(message['method'], serviceobj, methodobj, params, app=self)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1240, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/schema.py", line 981, in nf
    return await f(*args, **kwargs)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/replication.py", line 642, in list_datasets
    return await self.middleware.call("zettarepl.list_datasets", transport, ssh_credentials)
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1283, in call
    return await self._call(
  File "/usr/local/lib/python3.9/site-packages/middlewared/main.py", line 1240, in _call
    return await methodobj(*prepared_call.args)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 409, in list_datasets
    datasets = await self.middleware.run_in_thread(list_datasets, shell)
  File "/usr/local/lib/python3.9/contextlib.py", line 199, in __aexit__
    await self.gen.athrow(typ, value, traceback)
  File "/usr/local/lib/python3.9/site-packages/middlewared/plugins/zettarepl.py", line 657, in _handle_ssh_exceptions
    raise CallError(repr(e).replace("[Errno None] ", ""), errno=errno.EACCES)
middlewared.service_exception.CallError: [EACCES] AuthenticationException('Authentication failed.')


I find it weird that it says to create a new key, but how does the other side know it is from a trusted computer without a password?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
The Semi-Automatic method probably requires you to forward the HTTPS port (443)
It does (temporarily), as it handles the SSH key exchange via that connection. It wouldn't have any further need for HTTPS after that, so port 443 could be closed.
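A pre-flight reachability check, written as an added example for this thread rather than taken from TrueNAS or from any poster: before running either setup method, probe the ports it needs on the remote box and map "timed out" versus "refused" to the likely cause. The port list follows the posts above (443 for the Semi-Automatic key exchange over the web UI, 22 for SSH itself); the loopback listener at the bottom is a constructed stand-in for a remote host so the code runs offline.

```python
import socket
from contextlib import closing

# Ports each TrueNAS "Setup Method" needs to reach on the remote box, per the thread:
# Semi-Automatic talks to the remote web UI over HTTPS (443) to exchange the SSH key,
# and replication itself runs over SSH (22); Normal needs only SSH.
REQUIRED_PORTS = {
    "semi-automatic": (443, 22),
    "normal": (22,),
}


def probe_tcp(host, port, timeout=3.0):
    """Attempt one TCP connect and classify the outcome.

    'open'    - handshake completed: something is listening / forwarded there
    'closed'  - the host answered with a reset: reached it, nothing listens on that port
    'timeout' - no answer within `timeout`: typical of a router or firewall silently
                dropping packets, i.e. a missing or wrong port forward
    'error'   - any other socket error (name resolution, no route, ...)
    """
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except socket.timeout:
            return "timeout"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "error"
        return "open"


def preflight(host, method, timeout=3.0):
    """Probe every port `method` needs on `host`; returns {port: status}."""
    return {port: probe_tcp(host, port, timeout) for port in REQUIRED_PORTS[method]}


def explain(results):
    """Render a preflight result as one human-readable line per port."""
    hints = {
        "open": "reachable",
        "closed": "host reached but port not forwarded or nothing listening",
        "timeout": "no response: check the port forward and firewall on the remote side",
        "error": "connection could not be attempted (name resolution or routing problem)",
    }
    return [f"port {port}: {status} ({hints[status]})"
            for port, status in sorted(results.items())]


# --- constructed loopback fixtures so the probe can be exercised offline ---------------

def local_listener():
    """Listening socket on 127.0.0.1 with an ephemeral port (stands in for a reachable box)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


def unused_local_port():
    """A port that is currently not listening on 127.0.0.1 (stands in for a closed port)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


if __name__ == "__main__":
    # For a real check, replace the fixtures with the remote name, e.g.
    #   explain(preflight("nas.example.invalid", "semi-automatic"))   # hypothetical FQDN
    srv = local_listener()
    open_port, closed_port = srv.getsockname()[1], unused_local_port()
    try:
        for line in explain({open_port: probe_tcp("127.0.0.1", open_port),
                             closed_port: probe_tcp("127.0.0.1", closed_port)}):
            print(line)
    finally:
        srv.close()
```

Run it against the remote FQDN with `semi-automatic` before the setup, then again with `normal` after the port-443 forward has been removed: 22 should still read `open` while 443 reads `timeout` (forward gone) or `closed`, which confirms the web UI is no longer exposed.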
 

Keven

Contributor
Joined
Aug 10, 2016
Messages
114
It does (temporarily), as it handles the SSH key exchange via that connection. It wouldn't have any further need for HTTPS after that, so port 443 could be closed.
So does it mean that I just need HTTPS for the setup and then I can block it again after?
 

danb35

Hall of Famer
Joined
Aug 16, 2011
Messages
15,504
So does it mean that I just need HTTPS for the setup and then I can block it again after?
That should be correct.
 

Keven

Contributor
Joined
Aug 10, 2016
Messages
114

Whattteva

Wizard
Joined
Mar 5, 2013
Messages
1,824
When going manual it doesn't complain on the "create SSH connection" page, but when I try to navigate the folders on the destination it gives me this error

Code:
[EACCES] AuthenticationException('Authentication failed.')
This looks like an auth error. Likely from a wrong password?

I find it weird that it says to create a new key, but how does the other side know it is from a trusted computer without a password?
I think you either login with a key or password and not both. The other side knows what to trust because you first set it up with the correct public key (that matches the private key on the client side). You should check out SSH key tutorials (if you want to use key route) on Google to guide you through this.
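An added example (not code from TrueNAS or from any poster in this thread) that checks the two things the replies above describe: that the public key installed in the remote account's authorized_keys is the one belonging to the client's key pair, compared by OpenSSH SHA256 fingerprint, and that the key meets the ed25519 / RSA of at least 3072 bits advice given earlier. The sample keys are constructed blobs in the correct SSH wire format, not real key material; the placeholder RSA modulus only has the right bit length.

```python
import base64
import hashlib
import struct

MIN_RSA_BITS = 3072                         # threshold from the advice given in the thread
KEY_TYPES = {"ssh-ed25519", "ssh-rsa"}


def _ssh_string(data):
    """Encode bytes as an SSH wire 'string': uint32 big-endian length + payload."""
    return struct.pack(">I", len(data)) + data


def _read_string(blob, offset):
    """Read one SSH wire 'string' at offset; return (payload, next_offset)."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length


def parse_pubkey_line(line):
    """Parse an OpenSSH public-key line, optionally prefixed by an authorized_keys options
    field such as 'no-pty,from="203.0.113.7"'. Options containing spaces are not handled.
    Returns (key_type, blob, comment)."""
    tokens = line.strip().split()
    for i, tok in enumerate(tokens):
        if tok in KEY_TYPES and i + 1 < len(tokens):
            ktype, b64, comment = tok, tokens[i + 1], " ".join(tokens[i + 2:])
            break
    else:
        raise ValueError("no recognised key type in line")
    blob = base64.b64decode(b64, validate=True)
    wire_type, _ = _read_string(blob, 0)
    if wire_type != ktype.encode():
        raise ValueError("key type in text does not match the encoded blob")
    return ktype, blob, comment


def fingerprint(blob):
    """OpenSSH-style fingerprint: 'SHA256:' + unpadded base64 of sha256(blob)."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def key_bits(ktype, blob):
    if ktype == "ssh-rsa":
        _, off = _read_string(blob, 0)      # "ssh-rsa"
        _, off = _read_string(blob, off)    # public exponent e
        n, _ = _read_string(blob, off)      # modulus n (mpint, may carry a leading 0x00)
        return int.from_bytes(n, "big").bit_length()
    if ktype == "ssh-ed25519":
        return 256
    return None


def assess_key(line, min_rsa_bits=MIN_RSA_BITS):
    """Report type, size, fingerprint and whether the key meets the policy."""
    ktype, blob, comment = parse_pubkey_line(line)
    bits = key_bits(ktype, blob)
    if ktype == "ssh-ed25519":
        acceptable, reason = True, "ed25519"
    else:
        acceptable = bits >= min_rsa_bits
        reason = f"RSA {bits} bits ({'ok' if acceptable else f'below {min_rsa_bits}'})"
    return {"type": ktype, "bits": bits, "fingerprint": fingerprint(blob),
            "comment": comment, "acceptable": acceptable, "reason": reason}


def is_authorized(authorized_keys_text, pubkey_line):
    """True if the key in pubkey_line appears, by fingerprint, in authorized_keys_text."""
    wanted = fingerprint(parse_pubkey_line(pubkey_line)[1])
    for raw in authorized_keys_text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        try:
            if fingerprint(parse_pubkey_line(raw)[1]) == wanted:
                return True
        except ValueError:
            continue                        # unparsable line: skip it rather than trust it
    return False


# --- constructed sample keys: correct wire format, NOT real key material ---------------

def make_ed25519_line(fill, comment):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes([fill]) * 32)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def make_rsa_line(bits, comment):
    n = (1 << (bits - 1)) | 1                    # placeholder modulus of exactly `bits` bits
    n_bytes = n.to_bytes(bits // 8 + 1, "big")   # mpint: leading 0x00 because the top bit is set
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n_bytes)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"
```

The fingerprint computed here is the same value `ssh-keygen -lf` prints for the public-key file, so the check can also be done by hand: derive the public key from the private key with `ssh-keygen -y -f <private-key>`, fingerprint it, and compare against the entry on the remote side. A mismatch there, not a password, is what produces the `AuthenticationException` shown earlier when the client is set to key authentication.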
 