[How to] Remote server backup with Wireguard (VPN) + Rsync


    Configuration of two remote servers with a Point-to-Point Wireguard connection, and backup configuration with Rsync through the Wireguard tunnel.




    Theory:


    WireGuard® is an extremely simple yet fast and modern VPN that uses state-of-the-art cryptography. Built into the Linux kernel, it could already be considered the safest, fastest, easiest to use, and simplest VPN solution in the industry today.


    Rsync is an application that offers efficient transmission of incremental data, allows you to synchronize files and directories between two machines on a network or between two locations on the same machine, minimizing the volume of data transferred.


    By combining both systems in OMV we can obtain the configuration of an efficient remote backup with maximum speed and security through an encrypted tunnel.


    We will install a Point-to-Point Wireguard tunnel between the two servers, directly on the host and dedicated solely to the backup. To control and access a remote server, another parallel tunnel can be created for that purpose, thus avoiding unnecessary configurations in iptables for the Point-to-Point tunnel.


    We will take advantage of the OMV interface to operate with Rsync, establishing an Rsync server module on one of the servers and accessing it from the other.


    If you want to protect your files on the destination server you can send encrypted files with an incremental backup using duplicati or borgbackup. This will also protect you against encryption by malware: you will be able to revert to a previous version of your files if this happens. Don't share that backup folder on samba or NFS, or it might also be encrypted by a virus.


    Both servers must have a public IP address (it can be dynamic). If one of the two is behind CGNAT the connection will not work. Check this with your internet provider.



    Instructions:



    Update: Peer-to-peer configuration can now be configured in the openmediavault-wireguard plugin https://wiki.omv-extras.org/do…oint_tunnel_configuration



    1. Initial parameters


    • Server A. It is the server that houses the data to be copied.
      • Host: earth
      • Public domain: earth.domain.com
      • Wireguard tunnel access port: 51500 (Important, this UDP port must be opened on the "earth" router).
    • Server B. It is the server that will extract the data and host the backup.
      • Host: moon
    • Subnet to use for the tunnel (you can change it, but it must be within the address space for private use). In this case we will use the network:
      • 10.15.15.0


    2. Installation of Wireguard in the host


    - Install wireguard on both servers from a terminal:

    apt install wireguard


    - Generate keys on the "earth" server

    wg genkey > earth.key

    wg pubkey < earth.key > earth.pub


    - You will receive a warning about the file's permissions. You can set the owner to root and its permissions to 600 (the paths below assume the keys were generated in /root):

    chmod 600 /root/earth.key

    chmod 600 /root/earth.pub


    - See the keys on the "earth" server

    cat earth.key

    AAAAAAAA_private_AAAAAAAA_earth.key_AAAAAAAA

    cat earth.pub

    AAAAAAAA_public_AAAAAAAA_earth.pub_AAAAAAAA


    - Repeat the process in "moon"

    wg genkey > moon.key

    wg pubkey < moon.key > moon.pub

    chmod 600 /root/moon.key

    chmod 600 /root/moon.pub

    cat moon.key

    BBBBBBBB_private_BBBBBBBBB_moon.key_BBBBBBBB

    cat moon.pub

    BBBBBBBB_public_BBBBBBBBB_moon.pub_BBBBBBBB



    3. Configuration of the tunnel Point to Point


    We define the configuration of the tunnel, which we call rsynctunnel; you can choose the name you prefer. You can create as many tunnels as you need simply by changing the subnet, and they will work independently.

    • "earth" server

    - Create a new file in /etc/wireguard/rsynctunnel.conf with the server configuration

    nano /etc/wireguard/rsynctunnel.conf


    - In the window copy the following settings. Replace the keys with the real keys that you have created:


    [Interface]
    #interface earth
    PrivateKey = AAAAAAAA_private_AAAAAAAA_earth.key_AAAAAAAA #adjust
    ListenPort = 51500
    Address = 10.15.15.1/32
    
    [Peer]
    # peer moon
    PublicKey = BBBBBBBB_public_BBBBBBBBB_moon.pub_BBBBBBBB #adjust
    AllowedIPs = 10.15.15.2/32


    - Set the owner of the file to root and its permissions to 600

    chown root:root /etc/wireguard/rsynctunnel.conf

    chmod 600 /etc/wireguard/rsynctunnel.conf


    • "moon" server

    - Repeat the process on the "moon" server, create the file:

    nano /etc/wireguard/rsynctunnel.conf


    In the window copy the following settings. Replace the keys with the real keys that you have created, replace the domain with your real domain:


    - And set the file permissions the same as before

    chown root:root /etc/wireguard/rsynctunnel.conf

    chmod 600 /etc/wireguard/rsynctunnel.conf
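The moon-side settings block is not present in this copy of the post. The added example below (not the author's text) writes both sides from the step 1 parameters, with the moon side reconstructed by mirroring the earth config, and checks that each peer's AllowedIPs is exactly the other's tunnel address and that the files are mode 600. The key strings are the page's placeholders; the function names and the scratch directory are assumptions, and GNU stat is assumed.

```shell
# Added example: writes both rsynctunnel configs and checks that they mirror.
# Key strings are the page's placeholders; function names are assumptions.
set -eu
umask 077   # new files get mode 600, as the tutorial requires

make_configs() {   # make_configs DIR
  cat > "$1/earth.conf" <<'EOF'
[Interface]
# interface earth
PrivateKey = AAAAAAAA_private_AAAAAAAA_earth.key_AAAAAAAA
ListenPort = 51500
Address = 10.15.15.1/32

[Peer]
# peer moon
PublicKey = BBBBBBBB_public_BBBBBBBBB_moon.pub_BBBBBBBB
AllowedIPs = 10.15.15.2/32
EOF
  cat > "$1/moon.conf" <<'EOF'
[Interface]
# interface moon (reconstructed by mirroring earth, not the author's text)
PrivateKey = BBBBBBBB_private_BBBBBBBBB_moon.key_BBBBBBBB
Address = 10.15.15.2/32

[Peer]
# peer earth
PublicKey = AAAAAAAA_public_AAAAAAAA_earth.pub_AAAAAAAA
Endpoint = earth.domain.com:51500
AllowedIPs = 10.15.15.1/32
EOF
}

conf_get() {   # conf_get FILE KEY -> value without inline "#" comment
  sed -n "s/^[[:space:]]*${2}[[:space:]]*=[[:space:]]*//p" "$1" |
    sed 's/[[:space:]]*#.*$//' | head -n 1
}

check_pair() {   # succeeds only for a strict point-to-point pair
  [ "$(conf_get "$1" AllowedIPs)" = "$(conf_get "$2" Address)" ] || return 1
  [ "$(conf_get "$2" AllowedIPs)" = "$(conf_get "$1" Address)" ] || return 1
  for f in "$1" "$2"; do
    case "$(conf_get "$f" AllowedIPs)" in */32) ;; *) return 1 ;; esac
    [ "$(stat -c %a "$f")" = 600 ] || return 1
  done
}

dir=$(mktemp -d)
make_configs "$dir"
check_pair "$dir/earth.conf" "$dir/moon.conf" && echo "pair OK in $dir"
```

On the real hosts each file is installed as /etc/wireguard/rsynctunnel.conf on its own server, with the placeholder keys and domain replaced.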



    4. Start the service


    - Start the wireguard tunnel "rsynctunnel" on both servers

    systemctl enable wg-quick@rsynctunnel.service

    systemctl start wg-quick@rsynctunnel.service


    - to see the result you can run

    journalctl -u wg-quick@rsynctunnel.service

    or

    systemctl status wg-quick@rsynctunnel.service


    - the result will be something like this (the addresses shown will be the ones from your own configuration):

    systemd[1]: Starting WireGuard via wg-quick(8) for rsynctunnel...

    wg-quick[271288]: [#] ip link add rsynctunnel type wireguard

    wg-quick[271288]: [#] wg setconf rsynctunnel /dev/fd/63

    wg-quick[271288]: [#] ip -4 route add 10.0.0.1/32 dev rsynctunnel

    wg-quick[271288]: [#] ip link set mtu 8921 up dev rsynctunnel

    wg-quick[271288]: [#] ip -4 address add 10.0.0.2/32 dev rsynctunnel

    systemd[1]: Started WireGuard via wg-quick(8) for rsynctunnel.

    - If you need to modify the configuration file you must first stop the interface with:

    systemctl stop wg-quick@rsynctunnel.service


    - and then bring it up again with:

    systemctl start wg-quick@rsynctunnel.service


    - if you want to test the connection you can do it by typing from the "moon" server:

    ping 10.15.15.1


    - the result should be something like this:

    PING 10.15.15.1 (10.15.15.1) 56(84) bytes of data.

    64 bytes from 10.15.15.1: icmp_seq=1 ttl=64 time=30.6 ms

    64 bytes from 10.15.15.1: icmp_seq=2 ttl=64 time=30.7 ms

    64 bytes from 10.15.15.1: icmp_seq=3 ttl=64 time=29.6 ms

    64 bytes from 10.15.15.1: icmp_seq=4 ttl=64 time=28.9 ms

    ^C

    --- 10.15.15.1 ping statistics ---

    4 packets transmitted, 4 received, 0% packet loss, time 8ms

    rtt min/avg/max/mdev = 28.877/29.934/30.677/0.775 ms

    - you can stop it by pressing ctrl + c. If you see packets sent and received, your connection works.



    5. Configuration of the Rsync copy


    There are several ways to configure this; I describe one with several security options:


    On the "earth" server go to the OMV GUI, Services> Rsync> Server> Change the port to 8873 (for example), hit the enable button and then Save.

    Go to Services> Rsync> Server> Modules> and press the + Create button on the menu bar.

    In the window, open the Shared folder field and select the shared folder where the data you want to copy is located.

    Put the name of the folder in the Name field.

    In the User field, choose the user you will use for communication.

    In the Group field choose the group to which the user you chose belongs, normally users.

    Press + and add the name and password of the user authorized to access the module.

    Enable the Enable user authentication button

    Enable the Set Read Only button

    In the field Allowed computers write 10.15.15.2

    Press Save


    On the "moon" server, go to the OMV GUI, Services> Rsync> Tasks> and press the + Create button.

    In the Type field choose Remote.

    In the Mode field choose Pull.

    In Source server write the following: rsync://rsyncuser@10.15.15.1:8873/data (Replace rsyncuser with the user you have chosen on the "earth" server for rsync, replace data with the name of your data folder on the "earth" server)

    In the field Destination shared folder choose the folder where the backup data will be copied.

    In the Password field write the password of the user that you configured on the "earth" server for rsync.

    In the Time field choose the time you want to make the automatic copy. For example 3. This will make a copy every day at 3pm.

    You can enable the send email button, you will receive a notification email every morning.

    You can enable the delete button. This will delete files on "moon" that are no longer on "earth".

    Click on Save.


    Your daily automatic copy is already set up.



    6. More information


    WireGuard Point to Point Configuration
    How to set up two WireGuard peers in a Point to Point topology.
    www.procustodibus.com

    Primary WireGuard Topologies
    These are the four main topologies you'd consider when deciding how to connect endpoints over a WireGuard network.
    www.procustodibus.com


    I hope that helps ;)

  • chente
