Offsite backup to another TrueNAS

cK7Tcosta

Hello all,

Let me preface by saying I’m very new to TrueNAS and not an IT pro.

I recently got a scare when both drives on a mirror disappeared from the system. That got me thinking I should have an offsite backup for my whole system.
Reading the documentation, I found the best way to back up a TrueNAS system to another is by using replication. This however requires an SSH connection with root access which, for obvious reasons, the documentation also recommends that one should not allow from outside sources.
That said, how would you do this? Is there some kind of service that allows this offsite backup?
The relevant threads I have found in the forums don’t really answer my questions.

I’ll be running two TrueNAS Scale systems in different houses. I only have DDNS working on the main house but I can have it in both.

Thank you in advance
 

jgreco

If you can nail up a permanent VPN between the two sites, you can run an rsyncd (daemon mode rsync) on your local machine, and have the remote pull from your local machine. This gets around the whole root access issue.
 

danb35

> That said, how would you do this?
I'm doing it--SCALE on my system to CORE on my parents' system. I do have an IPsec VPN connection set up between the two sites, and I'm using replication--using SSH public key authentication, it's plenty secure for my comfort level.
 

mb17

Just my 2 cents...

As others have said, here is what I would recommend. (I too am not a TrueNAS expert.)
  1. Set up a site2site VPN connection of your choosing. I would suggest IPSEC.
  2. Set up the secondary TrueNAS at site1 unless you are sure your site2site is good.
  3. Configure the second TrueNAS to pull data from the primary unit.
    1. Pull configuration using its own login credentials is a higher level of security.
  4. Migrate the second unit to the offsite. This way you aren't diagnosing both the pull config and VPN settings at the same time.

What is your experience with running your own VPNs? If you don't want the hassle of this then you might want to skip the second unit altogether and do an online backup with immutable storage. Here is something that could help get you started: https://www.truenas.com/community/threads/how-to-back-up-truenas-to-backblaze.92909/ The downside to this option is just the monthly cost based on the amount of data you are storing.

I personally have a second unit in a detached garage as my backup. It is cobbled together out of an old desktop from work. I am too cheap to pay for online storage.
 

cK7Tcosta

Hello everyone,

Thank you so much for the info.
I have dabbled with VPNs when my company had a local storage server that was not at the same location I worked at and, during the pandemic, I had to help my mother and my wife set up their respective VPNs for work. That being said, I have never set one up from scratch, but I don't think it's something I cannot learn how to do.

> 1. Pull configuration using its own login credentials is a higher level of security.
That was my first reaction but I was not sure if that was possible, with a user that has admin access but is not the actual “root” user?

Thank you, I guess I’m gonna learn a bit more about VPNs and give it a go
 

jgreco

> That was my first reaction but I was not sure if that was possible, with a user that has admin access but is not the actual “root” user?

Sort of meaningless distinction. With a pull configuration and rsyncd, your puller is allowed to do whatever it is configured to do, and the restrictions are enforced by your local host. This means that if your remote box is taken over by a bad guy, it does not have open access to just SSH on in to your local box as root and then run whatever. There are ways to restrict what SSH can do as well, but it gets down to a matter of it being simple to implement the rsyncd solution as compared to scripts and .ssh/authorized_keys hacking.

For example on your local system you might have

Code:
[ISO]
        path = /mnt/pool1/ISO
        max connections = 0
        uid = root
        gid = wheel
        comment = ISO content
        write only = false
        read only = true
        hosts allow = 10.84.20.121


This is straightforward and mostly self-explanatory.
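
Added example, not part of the post above: a small Python audit of the two properties that rsyncd module relies on, read-only access and a `hosts allow` restriction enforced on the local host. The `[scratch]` module and all function names are constructed for illustration.

```python
# Added example: check rsyncd.conf modules for the pull-only properties discussed above.
TRUE_VALUES = {"yes", "true", "1"}

# The [ISO] settings are taken from the post; [scratch] is constructed to show a failing case.
SAMPLE = """\
[ISO]
        path = /mnt/pool1/ISO
        read only = true
        hosts allow = 10.84.20.121

[scratch]
        path = /mnt/pool1/scratch
        read only = false
"""

def parse_rsyncd_conf(text):
    """Return {module: {param: value}}; parameters before the first module are defaults."""
    defaults, modules, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = modules.setdefault(line[1:-1].strip(), dict(defaults))
            continue
        if "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        key = " ".join(key.lower().split())  # normalise case and inner whitespace
        (defaults if current is None else current)[key] = value
    return modules

def audit_module(params):
    findings = []
    # rsyncd treats "read only" as true when the parameter is not set.
    if params.get("read only", "yes").lower() not in TRUE_VALUES:
        findings.append("writable: the peer can modify or delete the source data")
    allowed = params.get("hosts allow", "").replace(",", " ").split()
    if not allowed:
        findings.append("no 'hosts allow': any host that reaches the daemon can connect")
    elif any(h == "*" or h.endswith("/0") for h in allowed):
        findings.append("'hosts allow' matches every host")
    return findings

def audit(text):
    return {name: audit_module(p) for name, p in parse_rsyncd_conf(text).items()}

if __name__ == "__main__":
    for module, findings in audit(SAMPLE).items():
        print(module, "OK" if not findings else findings)
```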
 

cK7Tcosta

Hello again everyone.

So thank you for your guidelines here, they proved very useful. After many YouTube videos and forum posts I have VPN and SSH connections working. Tonight, hopefully, Site 1 will perform an automated snapshot and tomorrow I’ll see if FutureSite 2 (currently under my desk at the office) is able to see the snapshot and start a replication job.
Thank you so much
 

2twisty

I used to do it. I set up a VPN with pfSense routers on both ends, but you should be able to set up a point-to-point VPN directly on the 2 TN boxes.

Unfortunately, the friend who was hosting my backup passed away, so my backup server is back here on site until I can convince someone else that I trust to allow me to put it in there.
 