How can I set up rsync over ssh between two (local and remote) omv5 servers?
How can I do this in a "safe way"?
Can I use rsync daemon mode over ssh?
I suppose there will be other ways. If it helps, I make remote copies with rsync through an OpenVPN connection. It is simple to configure and use.
How can I do that?
I only want to connect two servers for remote rsync backup.
I do not have any experience with openvpn.
If you want an easy way check this out.
https://hub.docker.com/r/linuxserver/wireguard
It is not OpenVPN, it is wireguard. It is a more advanced VPN system. Easier to set up and use, and with more efficient operation. Install through docker on one of the servers and access from the other.
Once the connection between two servers is established in this way, all communications between them are encrypted. You don't need anything else. You can run them as if they were on the same LAN.
A VPN connection is an encrypted communication tunnel between two computers.
One is the server, in it the service is configured and it is listened to by clients. A server certificate is exported to configure the client.
The other is the client, you need the certificate and credentials provided by the server to configure the client and be able to make the connection.
These credentials are unique and are what guarantee the privacy of communication between both. No one can decrypt the data without the certificate that you install on the client before accessing the server.
The most secure VPN connection today is Wireguard.
Here you have more information.
You should write a [How-To] showing how to set up Wireguard from a container. Especially:
I will try to make a guide. It is easy to do. Explaining it is more difficult. See if I can make it easy to understand.
I advance you a stack that has worked for me. Explanations are missing... I don't have time now, I'll take it easy.
---
version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 #change if needed
      - PGID=100 #change if needed
      - TZ=Europe/Madrid #change if needed
      - SERVERURL=your.domain.com #change if needed
      - SERVERPORT=51820
      - PEERS=2 #change if needed
      - PEERDNS=auto #optional
      - INTERNAL_SUBNET=10.13.13.0 #optional
      - ALLOWEDIPS=192.168.10.0/24 #change if needed
    volumes:
      - /srv/wireguard/config:/config #change if needed
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
As for point 3, once the connection is established it is like being locally. There is not much to explain, there are many guides on that.
In that guide you have how to configure the server. To access from another server as a client, Wireguard would have to be installed in client mode. In the page
https://hub.docker.com/r/linuxserver/wireguard
it is explained how to do this. I'm sorry but I've never done that, you'll have to develop it yourself. It doesn't seem difficult.
If you do it would be great if you posted the method.
I managed to install and configure wireguard, but I only have access to the server where wireguard is installed and its services. What should I do to see other devices on the LAN?
Can you post your stack? (hide sensitive information)
Peer1 conf:
[Interface]
Address = 10.13.13.2/32
DNS = 10.13.13.1
[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = myip:51820
Wg0 conf:
[Interface]
Address = 10.13.13.1
ListenPort = 51820
PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE
[Peer]
# peer1
AllowedIPs = 10.13.13.2/32
I would need to see your docker-compose or yml file. Publish it by pressing the code button first </>. In this way:
version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000 #should be set to the UID of your user "docker1"
      - PGID=100 #should be set to the GID of your user "docker1"
      - TZ=Europe/Madrid #should be adjusted according to your location
      - SERVERURL=your.domain.com #adjust your public IP or your domain
      - SERVERPORT=51820
      - PEERS=2 #adjust to the number of clients you want to configure
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0 #only change if it conflicts
      - ALLOWEDIPS=0.0.0.0/0
    volumes:
      - /path/to/appdata/config:/config #adjust the path of your config folder
      - /lib/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
version: "2.1"
services:
  wireguard:
    image: ghcr.io/linuxserver/wireguard
    container_name: wireguard
    cap_add:
      - NET_ADMIN
      - SYS_MODULE
    environment:
      - PUID=1000
      - PGID=100
      - TZ=Europe/Zagreb
      - SERVERURL= my public IP
      - SERVERPORT=51820
      - PEERS=1
      - PEERDNS=auto
      - INTERNAL_SUBNET=10.13.13.0
    volumes:
      - /docker/wireguard/config:/config
      - /docker/wireguard/modules:/lib/modules
    ports:
      - 51820:51820/udp
    sysctls:
      - net.ipv4.conf.all.src_valid_mark=1
    restart: unless-stopped
The stack is correct. What device do you want to access?
I can access the NAS where the wireguard server is installed, and I can access services and shares on that NAS, but I want to have access to other servers and devices on my LAN.
You should have access to your entire network. If you can't access another machine, I don't know what the reason is.
I was trying with this, but without success:
sysctl -w net.ipv4.ip_forward=1
What more can I try to fix this?
Wireguard (vpn) between the server and my android phone works ok, but without access to other devices on the LAN I will not be happy 🙁
If your client is connected to the wireguard (vpn) server, you can see all other services on other IPs on the LAN.
What exactly do you need to do?
I can connect only to my NAS where the wireguard server is.
I hope I can connect to all devices on my lan.
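Added example, not part of the thread and not code from the linuxserver image: a small Python check of which destinations a WireGuard client conf sends into the tunnel, comparing the full-tunnel `AllowedIPs = 0.0.0.0/0` posted above with narrower values suited to a backup-only link. The endpoint name, the host 192.168.10.20 and the two narrowed confs are constructed for illustration.

```python
import ipaddress

# Constructed sample modelled on the Peer1 conf in the thread (keys omitted,
# endpoint name is a placeholder).
PEER_FULL = """\
[Interface]
Address = 10.13.13.2/32
DNS = 10.13.13.1

[Peer]
AllowedIPs = 0.0.0.0/0
Endpoint = vpn.example.net:51820
"""
# Constructed variants: tunnel subnet only, and tunnel subnet plus one LAN.
PEER_TUNNEL_ONLY = PEER_FULL.replace("0.0.0.0/0", "10.13.13.0/24")
PEER_SPLIT = PEER_FULL.replace("0.0.0.0/0", "10.13.13.0/24, 192.168.10.0/24")


def parse_peers(conf_text):
    """Return one dict per [Peer] section (a wg conf may repeat [Peer])."""
    peers, current = [], None
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        if line.startswith("["):
            current = {} if line.lower() == "[peer]" else None
            if current is not None:
                peers.append(current)
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip().lower()] = value.strip()
    return peers


def allowed_networks(conf_text):
    """Collect every AllowedIPs entry as an ip_network object."""
    entries = []
    for peer in parse_peers(conf_text):
        entries += [e.strip() for e in peer.get("allowedips", "").split(",")]
    return [ipaddress.ip_network(e, strict=False) for e in entries if e]


def review(conf_text, needed_hosts):
    """Report needed hosts the client will not tunnel, and default-route use."""
    nets = allowed_networks(conf_text)
    missing = [h for h in needed_hosts
               if not any(ipaddress.ip_address(h) in n for n in nets)]
    return {"not_routed": missing,
            "default_route": any(n.prefixlen == 0 for n in nets)}


if __name__ == "__main__":
    hosts = ["10.13.13.1", "192.168.10.20"]  # tunnel peer + constructed LAN host
    for name, conf in [("full", PEER_FULL), ("tunnel-only", PEER_TUNNEL_ONLY),
                       ("split", PEER_SPLIT)]:
        print(name, review(conf, hosts))
```

`AllowedIPs` on the client only decides what is sent into the tunnel; whether the server forwards that traffic on to the LAN is governed separately by the forwarding and NAT rules in `wg0.conf`.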