[How to] Remote server backup with Wireguard (VPN) + Rsync

  • Configuration of two remote servers with a Point-to-Point Wireguard connection, and backup configuration with Rsync through the Wireguard tunnel.




    Theory:



    WireGuard® is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography. Built into the Linux kernel, it could already be considered the safest, fastest, easiest to use, and simplest VPN solution in the industry today.


    Rsync is an application that offers efficient transmission of incremental data, allows you to synchronize files and directories between two machines on a network or between two locations on the same machine, minimizing the volume of data transferred.


    By combining both systems in OMV we can obtain the configuration of an efficient remote backup with maximum speed and security through an encrypted tunnel.


    We will install a Point-to-Point Wireguard tunnel between two servers, dedicated solely to this purpose directly on the host, so that this tunnel will only serve this purpose. To control and access a remote server, another parallel tunnel can be created for that purpose, thus avoiding unnecessary configurations in iptables for the Point-to-Point tunnel.


    We will take advantage of the OMV interface to operate with Rsync, establishing an Rsync server module on one of the servers and accessing it from the other.



    Practice:



    1. Initial parameters



    • Server A. It is the server that houses the data to be copied.
      • Host: earth
      • Public domain: earth.domain.com
      • Wireguard tunnel access port: 51500 (Important, this UDP port must be opened on the "earth" router).
    • Server B. It is the server that will extract the data and host the backup.


      • Host: moon
    • Subnet to use for the tunnel (you can change it but it must be within the address space for private use. In this case we will use the network:


      • 10.15.15.0


    2. Installation of Wireguard in the host


    - Install wireguard on both servers from one terminal:

    apt install wireguard


    - Generate keys in "earth"

    wg genkey > earth.key

    wg pubkey < earth.key > earth.pub


    - See the keys in "earth"

    cat earth.key

    AAAAAAAA_private_AAAAAAAA_earth.key_AAAAAAAA

    cat earth.pub

    AAAAAAAA_public_AAAAAAAA_earth.pub_AAAAAAAA


    - Repeat the process in "moon"

    BBBBBBBB_private_BBBBBBBBB_moon.key_BBBBBBBB

    BBBBBBBB_public_BBBBBBBBB_moon.pub_BBBBBBBB



    3. Configuration of the tunnel Point to Point


    • "earth" server

    - Create a new file in /etc/wireguard/rsynctunnel.conf with the server configuration

    nano /etc/wireguard/rsynctunnel.conf


    - In the window copy the following settings. Replace the keys with the real keys that you have created, replace the domain with your real domain:


    Code
    [Interface]
    #interface earth
    PrivateKey = AAAAAAAA_private_AAAAAAAA_earth.key_AAAAAAAA #adjust
    ListenPort = 51500
    Address = 10.15.15.1/32
    [Peer]
    # peer moon
    PublicKey = BBBBBBBB_public_BBBBBBBBB_moon.pub_BBBBBBBB #adjust
    AllowedIPs = 15.15.15.2/32


    - Set the owner of the file to root and its permissions to 600

    chown root:root /etc/wireguard/rsynctunnel.conf

    chmod 600 /etc/wireguard/rsynctunnel.conf


    • "moon" server

    - Repeat the process in "moon", create the file:

    nano /etc/wireguard/rsynctunnel.conf


    with the following configuration:


    - And set the file permissions the same as before

    chown root:root /etc/wireguard/rsynctunnel.conf

    chmod 600 /etc/wireguard/rsynctunnel.conf



    4. Start the service


    - Start the wireguard tunnel "rsynctunnel" on both servers

    systemctl enable wg-quick@rsynctunnel.service

    systemctl start wg-quick@rsynctunnel.service


    - to see the result you can run

    journalctl -u wg-quick@rsynctunnel.service

    or

    systemctl status wg-quick@rsynctunnel.service


    - the result will be something like this:

    systemd [1]: Starting WireGuard via wg-quick (8) for rsynctunnel ...

    wg-quick [271288]: [#] ip link add rsynctunnel type wireguard

    wg-quick [271288]: [#] wg setconf rsynctunnel / dev / fd / 63

    wg-quick [271288]: [#] ip -4 route add 10.0.0.1/32 dev rsynctunnel

    wg-quick [271288]: [#] ip link set mtu 8921 up dev rsynctunnel

    wg-quick [271288]: [#] ip -4 address add 10.0.0.2/32 dev rsynctunnel

    systemd [1]: Started WireGuard via wg-quick (8) for rsynctunnel.

    - If you need to modify the configuration file you must first stop the interface with:

    systemctl stop wg-quick@rsynctunnel.service


    - and then upload it again with:

    systemctl start wg-quick@rsynctunnel.service


    - if you want to test the connection you can do it by typing from "moon":

    ping 10.15.15.1


    - the result should be something like this:

    PING 10.15.15.1 (10.15.15.1) 56 (84) bytes of data.

    64 bytes from 10.15.15.1: icmp_seq = 1 ttl = 64 time = 30.6 ms

    64 bytes from 10.15.15.1: icmp_seq = 2 ttl = 64 time = 30.7 ms

    64 bytes from 10.15.15.1: icmp_seq = 3 ttl = 64 time = 29.6 ms

    64 bytes from 10.15.15.1: icmp_seq = 4 ttl = 64 time = 28.9 ms

    ^ C

    --- 10.15.15.1 ping statistics ---

    4 packets transmitted, 4 received, 0% packet loss, time 8ms

    rtt min / avg / max / mdev = 28.877 / 29.934 / 30.677 / 0.775 ms

    - you can stop it by pressing ctrl + c, you should see packets sent and received, if so your connection works.



    5. Configuration of the Rsync copy


    There are several ways to configure this, I describe one with several security options:


    On the "earth" server go to the OMV GUI, "Services" section, then "Rsync" and click "Server" in the top menu bar. Change the port to 8873 (for example), hit the "enable" button and then "Save".

    Press the "Modules" button on the menu bar, and then "Add".

    In the window, open the "Shared folder" field and select the shared folder where the data you want to copy is located.

    Put the name of the folder in the "Name" field.

    In the "User" field, choose the user you will use for communication.

    In the "Group" field choose the group to which the user you chose belongs, normally "users".

    Enable the "Enable user authentication" button

    Enable the "Set Read Only" button

    In the field "Allowed computers write 10.15.15.2

    Press "Save"


    On the "moon" server, go to the OMV GUI, "Services" section, then "Rsync" and press the "Add" button.

    In the "Type" field choose "remote".

    In the "Mode" field choose "pull".

    In "Origin server" write the following: rsync: //usuariorsync@10.15.15.1: 8873 / data (Replace useriorsync with the user you have chosen on the "earth" server for rsync, replace data with the name of your data folder on the "earth" server)

    In the field "Destination shared folder" choose the folder where the backup data will be copied.

    In the "Password" field write the password of the user that you configured on the "earth" server for rsync.

    In the "Time" field choose the time you want to make the automatic copy. For example 3. This will make a copy every day at 3pm.

    You can enable the "send email" button, you will receive a notification email every morning.

    You can enable the "delete" button. This will delete files on "moon" that are no longer on "earth".

    Click on "Save".


    Your daily automatic copy is already set up.


    Tip: Instead of copying data directly, you can make an incremental copy to a shared folder on "earth", and then copy the contents of this folder to the remote server. It is not necessary to share this folder on samba or NFS to configure this copy. In this way you protect yourself from malware encrypting your files.



    6. More information


    https://www.procustodibus.com/…rd-point-to-point-config/


    If you have questions about this guide you can ask them in this thread Wireguard questions


    I hope that helps ;)

    The best thanks to the help provided is to report what your solution was. The next one will thank you :thumbup:

    Edited once, last by chente ().

  • chente

    Approved the thread.
  • chente

    Changed the title of the thread from “[How to] Remote server backup with Wireguard + Rsync” to “[How to] Remote server backup with Wireguard (VPN) + Rsync”.

Participate now!

Don’t have an account yet? Register yourself now and be a part of our community!