9 October 2020

Unraid Server to Server Backups

Guide on how to securely back up one Unraid server to another geographically separated Unraid server using rsync and Wireguard.


This Guest Blog is by Stefano Partida of SPX Labs

In this guide, we will show how to back up one local Unraid server to another geographically separated Unraid server using rsync and Wireguard. While the steps to make this happen may seem daunting at first, they are very simple and mostly painless! Sound intriguing? Let's get started:

The Setup

Let’s begin with an example diagram to help us picture what is happening between both servers. As you will see, both servers have Wireguard installed and can communicate directly with each other as if they are on the same network.

Example Network Diagram

Set up the Local Server (SiteA)

  1. Using the Community Apps plugin, search for, download, and install the "Dynamix WireGuard" app.
  2. Once it is installed, you can configure Wireguard by clicking the Settings tab -> VPN Manager.
  3. Now you will want to Add Tunnel
    1. Local Name: SiteA , you can name it whatever you want.
    2. Click the Generate Keypair button
    3. Local Tunnel Network Pool should not be the same as your current subnet. For example, if your current server IP address is 192.168.#.#, then let the subnet be 10.#.#.#. This will prevent routing issues later on.
    4. Give your Site A Unraid server an IP address, Local Tunnel Address: 10.253.0.1
    5. Local Endpoint is your WAN IP, you can find this by Google Searching, “What Is My IP”
    6. You can change the default port to whatever port you want.
    7. I chose to not use NAT
    8. Add Peer
    9. Peer Name: SiteB
    10. Click the Generate Keypair button
    11. Peer type of access: Server to Server Access
    12. Peer Tunnel Address: 10.253.0.2 , This will be the address given to your remote server
    13. Peer Endpoint: WAN IP for Remote Server aka SiteB
    14. Peer Allowed IPs: 10.253.0.2 , You can specify more IPs as needed, I chose to just allow the single remote server access to my local server
    15. Apply.
    16. Click the “Eye” Icon next to the SiteB Peer and download the WireGuard Configuration you just created. We will import this configuration on to SiteB to make our lives a bit easier.

Here is my configuration:

Source Site A

Set up the Remote Server (SiteB)

The easiest way to set up SiteB is to import the "peer-siteA-wg0-1.conf" file that was generated in step 16 above. Simply click the Import Tunnel button near the top right-hand corner of the WebUI and you are done. After importing, your tunnel should look similar to this. As you can see, SiteB is essentially SiteA in reverse order.

Please note: A zip file will be generated and you will need to extract the file in order to get the “peer-siteA-wg0-1.conf” file that needs to be imported.

Destination Site B

Port Forwarding

You will need to port forward UDP port 51820 on your router at Site A and Site B for this to work. If you changed the default port, make sure you forward that UDP port instead. Because of the vast number of routers in existence, I cannot show you how to do this on your router; you will need to search for instructions for your model. However, I have provided an example of my AT&T router at home:


Test the Settings

After making all of the changes to both servers, all that is left to do is “Activate” the Tunnels on both ends. It will take several seconds for the servers to start communicating. If you are unsure if the Handshake is active we can test our connection by pressing the “Ping” button next to Peer Tunnel Address. This will attempt to ping the peer server directly and listen for a response. If you did everything correctly you will see this. The first picture is Site A pinging Site B. The second picture is Site B pinging Site A.

Setting up Site A and Site B for RSYNC

Okay, not so bad so far, right? Now for the slightly more complex part. Now that our two servers can ping each other, it’s time to prepare our servers to be able to automatically communicate without manual intervention. From this point, you should be able to do everything from your home/local/SiteA server. A couple of things to remember from the examples provided for later on:

  • Site A IP Address is 10.253.0.1
  • Site B IP Address is 10.253.0.2

Okay, just a couple more points to make: By default, the directory /root/.ssh does not exist. Furthermore, the file authorized_keys does not exist by default. So, I have to add some extra steps here for everyone’s convenience because neither the directory nor file exists.

Setting up Site A

Let's start by opening an Unraid Terminal window. In the top right corner of the Unraid WebUI press the Icon that looks like this >_

Now, we need to execute a few commands.

First, we need to generate a public/private key pair so that an SSH connection can work without a password or manual intervention. To do this, run the following command on Site A.

     ssh-keygen -t rsa -b 2048 -f /root/.ssh/siteA-rsync-key

You will be prompted to “Enter a Passphrase”. Hit the ‘Enter’ key twice. Deep breath.

Now enter:

     cp /root/.ssh/* /boot/config/ssh/ 

     printf "#Copies all files needed for authorized ssh connections \nmkdir /root/.ssh \ncp /boot/config/ssh/* /root/.ssh/ \ncd /root/.ssh \nchmod 600 * \n" >> /boot/config/go

Second, we need to give the key we just generated to Site B so it knows that Site A is allowed access:

     scp /root/.ssh/siteA-rsync-key.pub root@10.253.0.2:/root/

siteA-rsync-key.pub is not a typo. Two files will be created from the command above. You need to copy the public key only.

Great work. Take another breath and grab a beer. We are halfway done. Do not close the terminal WebUI yet, you need it for the next section.

Setting up Site B

Third, now we will remotely access Site B so it can use SiteA’s public key.

     ssh root@10.253.0.2

Okay, we are now within SiteB, execute the following commands and we are golden baby!

     if [ ! -d .ssh ]; then mkdir .ssh ; chmod 700 .ssh ; fi

     mv siteA-rsync-key.pub .ssh/

     cd .ssh/ ; if [ ! -f authorized_keys ]; then touch authorized_keys ; chmod 644 authorized_keys ; fi

     chmod 600 siteA-rsync-key.pub ; cat siteA-rsync-key.pub >> authorized_keys

     cp /root/.ssh/* /boot/config/ssh/

     printf "#Copies all files needed for authorized ssh connections \nmkdir /root/.ssh \ncp /boot/config/ssh/* /root/.ssh/ \ncd /root/.ssh \nchmod 600 * \n" >> /boot/config/go

Do not close the terminal WebUI yet, you need it for the next section. Type: exit
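
The key installed above has no passphrase and logs in as root on SiteB. As an added example (not part of the original guide), the functions below install the same public key with OpenSSH's from= and restrict options, so it is only accepted from SiteA's tunnel address and cannot forward ports or allocate a terminal. It assumes SiteA always connects from 10.253.0.1 over the tunnel; restrict_line and install_key are names chosen here.

```shell
#!/bin/sh
# Added example, not from the original guide. restrict_line and install_key
# are names chosen here; 10.253.0.1 is SiteA's tunnel address from the guide.

# restrict_line PUBKEY_FILE [SOURCE_IP]
# Prints an authorized_keys entry that is only accepted from SOURCE_IP and has
# forwarding and PTY allocation switched off ("restrict", OpenSSH 7.2+).
restrict_line() {
    pub=$(head -n 1 "$1") || return 1
    case $pub in
        ssh-rsa\ *|ssh-ed25519\ *|ecdsa-sha2-*\ *) ;;
        *) echo "refusing $1: not an OpenSSH public key" >&2; return 1 ;;
    esac
    printf 'from="%s",restrict %s\n' "${2:-10.253.0.1}" "$pub"
}

# install_key PUBKEY_FILE SSH_DIR [SOURCE_IP]
# Creates SSH_DIR/authorized_keys if needed and appends the entry once, so
# re-running the step does not pile up duplicate lines.
install_key() {
    line=$(restrict_line "$1" "${3:-10.253.0.1}") || return 1
    mkdir -p "$2" && chmod 700 "$2" || return 1
    touch "$2/authorized_keys" && chmod 600 "$2/authorized_keys" || return 1
    grep -qxF -- "$line" "$2/authorized_keys" ||
        printf '%s\n' "$line" >> "$2/authorized_keys"
}

# Demo in a scratch directory with a constructed (non-functional) key.
demo=$(mktemp -d)
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABconstructedkey root@SiteA' \
    > "$demo/siteA-rsync-key.pub"
install_key "$demo/siteA-rsync-key.pub" "$demo/.ssh" && cat "$demo/.ssh/authorized_keys"
rm -rf "$demo"
```

On SiteB this would take the place of the cat siteA-rsync-key.pub >> authorized_keys step, called as: install_key /root/siteA-rsync-key.pub /root/.ssh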

Running RSYNC

Now we can back up Site A to Site B. If you closed the terminal WebUI after the previous section, you will need to open it again.

The following command will synchronize files between both SiteA and SiteB servers. In my opinion, it is best to have matching Share names to make copying files super easy.

Example 1

This command copies a share named “Downloads” found on SiteA to a share also named “Downloads” found on SiteB

     rsync -avz -e "ssh -i /root/.ssh/siteA-rsync-key" /mnt/user/Downloads/ root@10.253.0.2:/mnt/user/Downloads/

Example 2

This command copies files from SiteB to SiteA, both have matching share names

     rsync -avz -e "ssh -i /root/.ssh/siteA-rsync-key" root@10.253.0.2:/mnt/user/homework/isos/ /mnt/user/homework/isos/

Example 3

Copy a full disk and give me some feedback!

     rsync -avu --numeric-ids --progress -e "ssh -i /root/.ssh/siteA-rsync-key -T -o Compression=no -x" /mnt/disk1/ root@10.253.0.2:/mnt/disk1/

Congratulations, you have successfully set up a VPN for two remote servers and used RSYNC to back up your data. Great work!

Advanced User Course

Manually running these commands every time you remember to back your data up is not ideal. So, how do you schedule all of this stuff?

You will need to install User Scripts from Community Apps.

Use User Scripts to Schedule Backups

User Scripts can be found by clicking the Plugin tab -> User Scripts. We will want to click Add New Script and change my example below to match your setup at home. Or customize my example to fit your specific needs.
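
A script of the kind that could be pasted into User Scripts, as an added example that is not the author's own script: it reuses the Example 1 rsync flags, skips the run when SiteB does not answer over the tunnel, and refuses to start while an earlier run is still copying. The share list and the lock path are assumptions to change for your setup.

```shell
#!/bin/bash
# Added example, not the author's script. Assumed values: SHARES and LOCK.
KEY=/root/.ssh/siteA-rsync-key        # private key generated on SiteA earlier
REMOTE=root@10.253.0.2                # SiteB's tunnel address
SHARES=${SHARES:-"Downloads"}         # assumed: space-separated share names
LOCK=${LOCK:-/tmp/siteA-backup.lock}  # assumed lock directory

# True only if SiteB answers one ping over the WireGuard tunnel.
tunnel_up() { ping -c 1 -W 3 "${REMOTE#*@}" >/dev/null 2>&1; }

# Push one share with the flags from Example 1. BatchMode=yes makes ssh fail
# immediately instead of waiting at a password prompt nobody will answer.
push_share() {
    rsync -avz -e "ssh -i $KEY -o BatchMode=yes" \
        "/mnt/user/$1/" "$REMOTE:/mnt/user/$1/"
}

# Exit status: 0 all shares copied, 1 an rsync failed, 2 tunnel down,
# 3 an earlier run still holds the lock.
run_backup() {
    rc=0
    # mkdir is atomic, so two overlapping schedules cannot both get the lock.
    mkdir "$LOCK" 2>/dev/null || { echo "previous backup still running" >&2; return 3; }
    if tunnel_up; then
        for share in $SHARES; do
            push_share "$share" || { echo "rsync failed for $share" >&2; rc=1; }
        done
    else
        echo "SiteB not reachable over the tunnel, skipping" >&2
        rc=2
    fi
    rmdir "$LOCK"
    return "$rc"
}

run_backup || echo "backup ended with status $?" >&2
```

If a run is killed partway through, the lock directory stays behind and has to be removed by hand before the next scheduled run will start.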


Use the Firefox Container

One thing to consider doing is using Firefox within your Site A container to access your Site B server. Why? This way you can access the Unraid WebUI through one browser without having to remotely connect to Site B with your laptop/computer/workstation just to make some changes. To accomplish this do the following.

  1. Download and configure OpenVPN on Site B
  2. Download DelugeVPN and allow it to act as a proxy for other containers
  3. Download the Firefox container and force it to use DelugeVPN, then you can access your remote Unraid server through your local Unraid server. It will look like this!

The big takeaway here is that SpaceInvader One makes a video about setting this up:

The hardest part is setting up OpenVPN on the remote server. Through some sort of magic, Firefox can use DelugeVPN to access the remote server.

Install OpenVPN at Site B

As an alternative to using the Firefox container, you could install OpenVPN and connect to it from any computer with OpenVPN on it. My recommendation would be to go ahead and install OpenVPN alongside Wireguard. This way you have two ways to connect to the server just in case something goes wrong. Furthermore, you are also going to want to create another Peer for that same laptop/workstation in Wireguard that is different from the one you are using for your server to server access. The reason I recommend having a second Peer for your workstation is healthy cyber practice and to minimize potential conflicts with network traffic. A server to server connection only allows you direct access versus local network access or internet passthrough access. The last thing you want to do is mess something up between your two servers while they are synchronizing.

Hardware

To make this write-up happen, I used a few different servers. One of which isn’t listed below but the hardware is near identical to PNAS; that server is in Maine. If you are new to Unraid and prospecting this guide for ideas, then maybe all the hardware listed below will help you get an idea of all of the different hardware choices you can make. If you are looking to set up a remote server and don’t want to build a custom one, then check out a used Dell T320 due to its great price and great options.

My Local Server


My Local Test Server (PNAS)


Two Remote Servers

The two remote servers are in an undisclosed location in Florida. Both are prebuilt systems from Dell. You can read about them if you want, by checking out the following two links.


Questions or comments?

Let's hear from you in the Unraid forums!