Configuration of two remote servers with a Point-to-Point Wireguard connection, and backup configuration with Rsync through the Wireguard tunnel.
- It is assumed that the user has already configured their OMV system and has SSH access on both servers. One of the servers has a domain configured that points to that server's public IP. It is advisable to have access to the remote server, for example a Wireguard tunnel that provides access to your network.
- To configure OMV see the New User Guide. To configure SSH see here. To access by SSH remotely with Putty see here.
- To obtain a domain see here: Wiki omv-extras - Duckdns and dynamic IP update in scheduled tasks, or here: [How-To] Install DuckDNS. Automatic dynamic IP update.
- To configure a Wireguard tunnel to the remote server see https://wiki.omv-extras.org/do…v6:omv6_plugins:wireguard
Theory:
WireGuard® is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography. Built into the Linux kernel, it could already be considered the safest, fastest, easiest to use, and simplest VPN solution in the industry today.
Rsync is an application that offers efficient transmission of incremental data: it lets you synchronize files and directories between two machines on a network, or between two locations on the same machine, minimizing the volume of data transferred.
By combining both systems in OMV we can obtain the configuration of an efficient remote backup with maximum speed and security through an encrypted tunnel.
We will install a Point-to-Point Wireguard tunnel between the two servers, directly on the host and dedicated solely to this purpose, so that this tunnel serves nothing else. To control and access a remote server, another parallel tunnel can be created for that purpose, thus avoiding unnecessary iptables configuration on the Point-to-Point tunnel.
We will take advantage of the OMV interface to operate with Rsync, establishing an Rsync server module on one of the servers and accessing it from the other.
If you want to protect your files on the destination server you can send encrypted files with an incremental backup using duplicati or borgbackup. This will also protect you against encryption by malware: you will be able to revert to a previous version of your files if this happens. Don't share that backup folder on Samba or NFS, or it might also be encrypted by a virus.
Both servers must have a public IP (it can be dynamic). If one of the two lives behind CGNAT the connection will not work. Check this with your internet provider.
Instructions:
Update: Peer-to-peer configuration can now be configured in the openmediavault-wireguard plugin https://wiki.omv-extras.org/do…oint_tunnel_configuration
1. Initial parameters
- Server A. It is the server that houses the data to be copied.
  - Host: earth
  - Public domain: earth.domain.com
  - Wireguard tunnel access port: 51500 (Important, this UDP port must be opened on the "earth" router).
- Server B. It is the server that will extract the data and host the backup.
  - Host: moon
- Subnet to use for the tunnel (you can change it, but it must be within the address space reserved for private use). In this case we will use the network:
  - 10.15.15.0
2. Installation of Wireguard in the host
- Install wireguard on both servers from one terminal:
apt install wireguard
- Generate keys on the "earth" server
wg genkey > earth.key
wg pubkey < earth.key > earth.pub
- You will receive a warning about the file's permissions. You can set the owner to root and its permissions to 600
chmod 600 /root/earth.key
chmod 600 /root/earth.pub
- See the keys on the "earth" server
cat earth.key
AAAAAAAA_private_AAAAAAAA_earth.key_AAAAAAAA
cat earth.pub
AAAAAAAA_public_AAAAAAAA_earth.pub_AAAAAAAA
- Repeat the process in "moon"
wg genkey > moon.key
wg pubkey < moon.key > moon.pub
chmod 600 /root/moon.key
chmod 600 /root/moon.pub
cat moon.key
cat moon.pub
BBBBBBBB_private_BBBBBBBBB_moon.key_BBBBBBBB
BBBBBBBB_public_BBBBBBBBB_moon.pub_BBBBBBBB
3. Configuration of the tunnel Point to Point
We define the configuration of the tunnel, which we call rsynctunnel; you can choose the name you prefer. You can create as many tunnels as you need simply by changing the subnet; they will work independently.
- "earth" server
- Create a new file in /etc/wireguard/rsynctunnel.conf with the server configuration
nano /etc/wireguard/rsynctunnel.conf
- In the window copy the following settings. Replace the keys with the real keys that you have created:
[Interface]
#interface earth
PrivateKey = AAAAAAAA_private_AAAAAAAA_earth.key_AAAAAAAA #adjust
ListenPort = 51500
Address = 10.15.15.1/32
[Peer]
# peer moon
PublicKey = BBBBBBBB_public_BBBBBBBBB_moon.pub_BBBBBBBB #adjust
AllowedIPs = 10.15.15.2/32
- Set the owner of the file to root and its permissions to 600
chown root:root /etc/wireguard/rsynctunnel.conf
chmod 600 /etc/wireguard/rsynctunnel.conf
- "moon" server
- Repeat the process on the "moon" server, create the file:
nano /etc/wireguard/rsynctunnel.conf
In the window copy the following settings. Replace the keys with the real keys that you have created, and replace the domain with your real domain:
[Interface]
# interface moon
PrivateKey = BBBBBBBB_private_BBBBBBBBB_moon.key_BBBBBBBB #adjust
ListenPort = 51500
Address = 10.15.15.2/32
[Peer]
# peer earth
PublicKey = AAAAAAAA_public_AAAAAAAA_earth.pub_AAAAAAAA #adjust
AllowedIPs = 10.15.15.1/32
Endpoint = earth.domain.com:51500 #adjust domain
PersistentKeepalive = 25
- And set the file permissions the same as before
chown root:root /etc/wireguard/rsynctunnel.conf
chmod 600 /etc/wireguard/rsynctunnel.conf
4. Start the service
- Start the wireguard tunnel "rsynctunnel" on both servers
systemctl enable wg-quick@rsynctunnel.service
systemctl start wg-quick@rsynctunnel.service
- To see the result you can run
journalctl -u wg-quick@rsynctunnel.service
or
systemctl status wg-quick@rsynctunnel.service
- The result will be something like this (this sample was captured with a 10.0.0.0 subnet; with the configuration above you will see the 10.15.15.x addresses instead):
systemd[1]: Starting WireGuard via wg-quick(8) for rsynctunnel...
wg-quick[271288]: [#] ip link add rsynctunnel type wireguard
wg-quick[271288]: [#] wg setconf rsynctunnel /dev/fd/63
wg-quick[271288]: [#] ip -4 route add 10.0.0.1/32 dev rsynctunnel
wg-quick[271288]: [#] ip link set mtu 8921 up dev rsynctunnel
wg-quick[271288]: [#] ip -4 address add 10.0.0.2/32 dev rsynctunnel
systemd[1]: Started WireGuard via wg-quick(8) for rsynctunnel.
- If you need to modify the configuration file you must first stop the interface with:
systemctl stop wg-quick@rsynctunnel.service
- and then bring it up again with:
systemctl start wg-quick@rsynctunnel.service
- If you want to test the connection you can do it by typing from the "moon" server:
ping 10.15.15.1
- The result should be something like this:
PING 10.15.15.1 (10.15.15.1) 56(84) bytes of data.
64 bytes from 10.15.15.1: icmp_seq=1 ttl=64 time=30.6 ms
64 bytes from 10.15.15.1: icmp_seq=2 ttl=64 time=30.7 ms
64 bytes from 10.15.15.1: icmp_seq=3 ttl=64 time=29.6 ms
64 bytes from 10.15.15.1: icmp_seq=4 ttl=64 time=28.9 ms
^C
--- 10.15.15.1 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 8ms
rtt min/avg/max/mdev = 28.877/29.934/30.677/0.775 ms
- You can stop it by pressing Ctrl+C. You should see packets sent and received; if so, your connection works.
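Before scheduling backups over the tunnel it is worth checking that the configuration file is locked down the way steps 3 and 4 describe and that the peer actually completes handshakes. The script below is an added example written for this guide, not part of the original post or of Wireguard/OMV; it assumes the paths and names used above (/etc/wireguard/rsynctunnel.conf, interface rsynctunnel) and a handshake age limit of 180 seconds that I chose for the check:

```shell
#!/bin/sh
# Added example, not part of the original guide: sanity checks for the
# point-to-point tunnel before trusting it for backups.
# Assumes the paths/names from the guide (/etc/wireguard/rsynctunnel.conf,
# interface rsynctunnel); the 180 s handshake limit is a chosen threshold.

# Return 0 if FILE is owned by OWNER (default root), mode 600, carries a real
# (non-placeholder) PrivateKey and restricts every AllowedIPs entry to a single
# host (/32), as a point-to-point tunnel should. Prints the first problem found.
wg_conf_check() {
    f="$1"; owner="${2:-root}"
    [ -f "$f" ] || { echo "missing: $f"; return 1; }
    [ "$(stat -c '%a' "$f")" = "600" ] || { echo "$f: mode is not 600"; return 1; }
    [ "$(stat -c '%U' "$f")" = "$owner" ] || { echo "$f: owner is not $owner"; return 1; }
    grep -q '^PrivateKey *= *[^ #]' "$f" || { echo "$f: no PrivateKey"; return 1; }
    # The guide's placeholder keys contain "_private_"; they must be replaced.
    if grep -q '_private_' "$f"; then echo "$f: placeholder key"; return 1; fi
    for cidr in $(grep '^AllowedIPs' "$f" | sed 's/^[^=]*=//; s/,/ /g'); do
        case "$cidr" in
            */32) ;;
            *) echo "$f: AllowedIPs $cidr is not a single host"; return 1 ;;
        esac
    done
    return 0
}

# Return 0 if LINE, one line of `wg show rsynctunnel latest-handshakes`
# ("<peer pubkey><TAB><unix time>"), shows a handshake at most MAX_AGE seconds
# before NOW. A timestamp of 0 means the peer has never completed a handshake.
wg_handshake_ok() {
    line="$1"; now="$2"; max_age="${3:-180}"
    ts=$(printf '%s\n' "$line" | awk '{print $2}')
    [ -n "$ts" ] || { echo "cannot parse: $line"; return 1; }
    [ "$ts" -gt 0 ] || { echo "peer has never completed a handshake"; return 1; }
    age=$((now - ts))
    [ "$age" -le "$max_age" ] || { echo "last handshake ${age}s ago"; return 1; }
    return 0
}

# Run both checks on a live server: sh tunnel_check.sh check
if [ "${1:-}" = "check" ]; then
    wg_conf_check /etc/wireguard/rsynctunnel.conf &&
    wg_handshake_ok "$(wg show rsynctunnel latest-handshakes)" "$(date +%s)" 180 &&
    echo "rsynctunnel: config and handshake OK"
fi
```

With PersistentKeepalive = 25 on "moon" a healthy tunnel renews its handshake roughly every two minutes, so a handshake older than a few minutes means the UDP port, the domain or a key is wrong.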
5. Configuration of the Rsync copy
There are several ways to configure this; I describe one with several security options:
On the "earth" server go to the OMV GUI, Services > Rsync > Server. Change the port to 8873 (for example), press the Enable button and then Save.
Go to Services > Rsync > Server > Modules and press the + Create button on the menu bar.
In the window, open the Shared folder field and select the shared folder where the data you want to copy is located.
Put the name of the folder in the Name field.
In the User field, choose the user you will use for communication.
In the Group field choose the group to which the user you chose belongs, normally "users".
Press + and add the name and password of the user authorized to access the module.
Enable the "Enable user authentication" button.
Enable the "Set Read Only" button.
In the Allowed computers field write 10.15.15.2.
Press Save.
On the "moon" server, go to the OMV GUI, Services > Rsync > Tasks and press the + Create button.
In the Type field choose Remote.
In the Mode field choose Pull.
In Source server write the following: rsync://rsyncuser@10.15.15.1:8873/data (replace rsyncuser with the user you have chosen on the "earth" server for rsync, and replace data with the name of your data folder on the "earth" server).
In the Destination shared folder field choose the folder where the backup data will be copied.
In the Password field write the password of the user that you configured on the "earth" server for rsync.
In the Time field choose the time you want to make the automatic copy. For example 3. This will make a copy every day at 3pm.
You can enable the send email button; you will receive a notification email every morning.
You can enable the delete button. This will delete files on "moon" that are no longer on "earth".
Click on Save.
Your daily automatic copy is already set up.
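The three GUI settings that matter for security (read only, user authentication, Allowed computers = 10.15.15.2) end up as ordinary rsyncd options, so they can be verified from the shell on "earth" independently of the GUI. The script below is an added example for this guide, not OMV's own code; it assumes OMV renders the Rsync server settings into /etc/rsyncd.conf with the standard rsyncd keys, uses the guide's module name "data", and ships a constructed sample stanza so the check can be tried without a live server:

```shell
#!/bin/sh
# Added example, not part of the original guide or of OMV: checks that a
# module in rsyncd.conf carries the hardening chosen in the GUI above
# (read only, user authentication, access restricted to the tunnel peer).
# Assumes OMV renders its Rsync server settings into /etc/rsyncd.conf with
# the standard rsyncd keys; the module name "data" is the guide's example.

# Print the value of KEY inside section [MODULE] of CONF (empty if absent).
rsyncd_module_value() {
    awk -v mod="$2" -v key="$3" '
        /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/\].*$/, "", sec); next }
        sec == mod && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

# Return 0 if MODULE in CONF is read only, requires auth users, names a
# secrets file and allows exactly PEER (the tunnel address of "moon").
rsyncd_module_check() {
    conf="$1"; mod="$2"; peer="$3"
    ro=$(rsyncd_module_value "$conf" "$mod" "read only")
    case "$ro" in yes|true|1) ;; *) echo "$mod: not read only"; return 1 ;; esac
    [ -n "$(rsyncd_module_value "$conf" "$mod" "auth users")" ] ||
        { echo "$mod: no auth users, anyone reaching the port could read it"; return 1; }
    [ -n "$(rsyncd_module_value "$conf" "$mod" "secrets file")" ] ||
        { echo "$mod: no secrets file"; return 1; }
    hosts=$(rsyncd_module_value "$conf" "$mod" "hosts allow")
    [ "$hosts" = "$peer" ] ||
        { echo "$mod: hosts allow is '${hosts:-unset}', expected $peer"; return 1; }
    return 0
}

# Constructed sample of the stanza the guide's GUI settings correspond to
# (paths are placeholders), written to FILE so the check can be tried offline.
write_sample_rsyncd_conf() {
    cat > "$1" <<'EOF'
port = 8873
[data]
    path = /srv/dev-disk-by-uuid-PLACEHOLDER/data
    read only = true
    auth users = rsyncuser
    secrets file = /etc/rsyncd.secrets
    hosts allow = 10.15.15.2
EOF
}

# On a live "earth" server: sh rsyncd_check.sh check [module]
if [ "${1:-}" = "check" ]; then
    rsyncd_module_check /etc/rsyncd.conf "${2:-data}" 10.15.15.2 && echo "module OK"
fi
```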
6. More information
I hope that helps