If you follow the guide in publication No. 3 of this thread, you will get the two servers connected to each other as if they were on the same LAN. Then you can create a user on your server with access to the folder you want, and only to that folder. Your friend can copy the files he wants to that folder, their backup, in the format he wants (encrypted), and he will not be able to see anything else, only that folder. And you do the same on his server with the user that he creates for you.
password protected backup to offsite
-
- solved
- boelle
-
-
that is also my plan for tomorrow
time for some sleep
-
Once the Wireguard connection is created, instead of creating a shared folder with samba, another even better possibility is to create a folder on the rsync server. Your friend can use it as a target for a scheduled rsync copy. Only one shared folder will be necessary and no service is necessary to view it, samba, NFS ... in this case, a username and password to make the backup with rsync is enough.
-
-
first step in the guide throws a warning
wg genkey > earth.key
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.
is that something that matters? i'm ssh'ed in as root to my friend's server just to test out the guide and figure out a working setup so we can start over without the experiments to pollute the install
-
https://linuxconfig.org/how-to…ntu-20-04-using-wireguard
says to change to 600 later, which is what you do, but you might update the guide to let people know the warning is ok
-
This tells you that the permissions for the file are too wide open, so anyone on the server can read it.
Before you go all through this, make up your mind how your friend is going to connect to your home network. For storing off-site backups, it is enough to open just one service (rsync, sftp, ...) for your friend, not the whole house.
-
-
I suppose that you are adapting the values of earth, moon, etc to your particular case ... the configuration of the guide is a didactic example.
is that something that matters?
That warning message means that the read and write permissions for that file are not restrictive. You can modify them if you are concerned about this. It will not affect the settings for the rest of the guide.
-
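The umask and file-permission point discussed above, as an added example that is not part of the original posts or of the guide. The helper names (write_private, file_mode, audit_private_dir) are hypothetical; earth.key is the file name used in the thread.

```shell
#!/bin/sh
# Added example, not from the guide. Helper names are hypothetical.

# Write a command's stdout to a new file that only the owner can read.
# umask 077 is set inside a subshell, so the caller's umask is untouched.
# set -C (noclobber) makes the redirect fail if the file already exists:
# an existing file keeps its old mode, so umask alone would not protect it,
# and an existing private key should not be silently overwritten.
#   $1 = destination path, remaining args = command producing the secret
write_private() {
    _dest=$1
    shift
    ( umask 077; set -C; "$@" > "$_dest" )
}

# Print the octal permission bits of a file (GNU stat, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report regular files in directory $1 that group or others can access.
# Prints "MODE PATH" for each finding and returns 1 if there was any.
audit_private_dir() {
    _found=0
    for _f in "$1"/*; do
        [ -f "$_f" ] || continue
        _mode=$(file_mode "$_f")
        # Pad with zeros so short modes such as "0" compare correctly;
        # the group and other digits must both be 0.
        case "00$_mode" in
            *00) ;;
            *) echo "$_mode $_f"; _found=1 ;;
        esac
    done
    return $_found
}

# Typical use on a host with WireGuard installed (not executed here):
#   write_private earth.key wg genkey
#   audit_private_dir /etc/wireguard   # assumed location of the key and conf files
```

Files created before the umask was tightened keep their old mode, which is why the thread's `chmod 600` on the existing key and conf files is still needed.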
Haven't read your guide but this only happens, when it's run as a normal user.
Wireguard on the host is run as root:
wg genkey > earth.key
Warning: writing to world accessible file.
Consider setting the umask to 077 and trying again.
Don't know if this won't break the docker-wireguard,
This action should've been done before generating the keys, but
Go to the folder where "earth.key" is (maybe /etc/wireguard ) and:
-
Before you go all through this, make up your mind how your friend is going to connect to your home network. For storing off-site backups, it is enough to open just one service (rsync, sftp, ...) for your friend, not the whole house.
This connection setting does not grant access to the whole house. It is a point-to-point connection, it just connects the two servers to each other.
A site-to-site connection would grant access to the entire house, it is another type of configuration.
You can see it here:
-
-
how your friend is going to connect to your home network
i'm going to connect to him, maybe google translate played a trick on you again
it is enough to open just one service (rsync, sftp, ...)
agreed
Haven't read your guide
i'm talking about his mentioned in post 3, as i said he should put in a note that the warning i get is ok
not everyone knows what it means and i had to google it
you can see his guide here: [How to] Remote server backup with Wireguard (VPN) + Rsync
Haven't read your guide but this only happens, when it's run as a normal user.
Wireguard on the host is run as root:
When you create that key file as root it gives that warning too.
Don't know if this won't break the docker-wireguard,
This guide describes the installation of a host-installed Wireguard connection on both servers, point-to-point connection. It is not installed on docker.
Alternatively you can configure a docker container with another tunnel to access the site. It is no problem.
I have this connection set up from my home to a remote server and it works as expected.
-
i'm talking about his mentioned in post 3, as i said he should put in a note that the warning i get is ok
not everyone knows what it means and i had to google it
Received. The note is added to the guide. I appreciate any other suggestions to improve it.
-
-
When you create that key file as root it gives that warning too.
yep, i said i ssh in as root so it's run as root
i have now chmod 600 the 2 key files and the conf file
now i just have to wait for a port to be opened at my friend's router
Once the point-to-point wireguard connection is established, maybe you could try using borgbackup if you want, following ryecoaaron's suggestion, I suppose you could make it work on local LAN. I have not tested this, I do not use borgbackup. Or you can use any other backup application and then sync with rsync. Whatever is most comfortable for you.
-
Whatever is most comfortable for you.
we have not settled for one way to backup or the other
only requirement is that i can't look in his backup and he can't look in mine
-
only requirement is that i can't look in his backup and he can't look in mine
There are many ways to do this.
I use duplicate in docker. Duplicate creates a local, incremental, versioned, and encrypted backup. So I sync this folder with rsync on the remote server. The remote server will only see a folder with encrypted files.
It is important not to share this folder with any service, samba, etc., this way you will prevent malware from encrypting it and losing access. With a shared folder created in the GUI it is enough to use an rsync job.
-
we might do a mix of both ways
some stuff will be on a samba share and some will be backup of websites and database, the last stuff does not need to be shared as it can be pulled directly
btw... how do i mark what solution was the best once i have it all running?
-
btw... how do i mark what solution was the best once i have it all running?
I assume you mean reporting for other users. Simply when you have it working, summarize what you did at the end of the thread.
-
-
I assume you mean reporting for other users
yep, if someone else sees this and has the same idea there is no need for them to go through the same thing again
-
checked both configs and it's running on both servers
but ping not working
what could be wrong?
i.e. this part of the guide:
- if you want to test the connection you can do it by typing from "moon":
ping 10.15.15.1