Question Offsite backup - DIY

Batmeat

Senior member
Feb 1, 2011
803
45
91
Anyone do this? I'm looking to set up my own offsite backups. It would be used for my family only. In theory they could all connect to my NAS and back up their data. The problem I foresee is security, and I don't know what type of software to look into. I would want something where, in case of catastrophic failure, they essentially take the clone of their hard drive and rebuild it to a new drive on their end. And have on-the-fly encryption on upload and decryption upon retrieval. The bandwidth issue is already solved, no worries there.
 

SamirD

Golden Member
Jun 12, 2019
1,489
276
126
www.huntsvillecarscene.com
The best thing for something like that is solutions like what businesses use. The standard is IPsec VPN tunnels that will essentially join all the local networks into one large WAN. Then you can see each system on the WAN as a local system. You can even do funky stuff like scan documents to other sites, print on each other's printers, and even game like you're on the same LAN.

But to create IPsec tunnels, you'll all need routers with vpn capabilities--and this is not that consumer vpn crap for nonsense safety theater, but IPsec vpn capable routers which aren't generally made by consumer companies. There is also a configuration hump to get over. But once you have these in place, you will wonder how you ever did without. I'm actually typing on a computer that's 2000mi+ away from where I am--all over an IPsec vpn tunnel. ;) Feel free to ask questions!
 

fkoehler

Member
Feb 29, 2008
193
145
116
That's an interesting problem to think about; however, there are a few issues that could cause headaches.

If you are setting yourself up as 'The Server' on a VPN'd network, are all the OSes homogeneous or heterogeneous?
Assuming a mix of MS, Apple, and Linux just to make it difficult, you're going to need to get multiple different backup clients. Unless someone out there has a cross-platform one.

You have to assume at some point, someone is going to get pwned. What happens when a compromised client connects, assuming a cron job and it's not always connected to the 'LAN', and the malware starts poking the network share, or scanning your ports?

Not a sysadmin, however for something like this I think my first blush thoughts would be to set up OpenBSD as the server, and give all the clients an individual specific window (0000-0100, 0200-0300, etc) to connect and back up to their individual private share?

Get the firewall locked down solid, and then figure out what your server's own backup and backup testing plan is.

Oddly enough, my IT calls from family and friends have pretty much been quiet the past several years.
I think most everyone is really just using their phones now, and their desktops are just dusttops now.
 

SamirD

Golden Member
Jun 12, 2019
1,489
276
126
www.huntsvillecarscene.com
fkoehler said:
> If you are setting yourself up as 'The Server' on a VPN'd network, are all the OSes homogeneous or heterogeneous? Assuming a mix of MS, Apple, and Linux just to make it difficult, you're going to need to get multiple different backup clients. Unless someone out there has a cross-platform one.
>
> You have to assume at some point, someone is going to get pwned. What happens when a compromised client connects, assuming a cron job and it's not always connected to the 'LAN', and the malware starts poking the network share, or scanning your ports?
>
> Not a sysadmin, however for something like this I think my first blush thoughts would be to set up OpenBSD as the server, and give all the clients an individual specific window (0000-0100, 0200-0300, etc) to connect and back up to their individual private share?
>
> Get the firewall locked down solid, and then figure out what your server's own backup and backup testing plan is.
>
> Oddly enough, my IT calls from family and friends have pretty much been quiet the past several years.
> I think most everyone is really just using their phones now, and their desktops are just dusttops now.

Generally, most NAS units work with almost anything now, and using a backup client is a waste really, since most NAS units are also iSCSI capable, which would allow you to mount the NAS drive as a local one and image-backup right there on the client with any software you wanted.

That's the problem with any LAN really--security inside the LAN. But that's just standard practice stuff--no default passwords, etc.

Your single server with backup windows idea won't do anything for today's ransomware attacks--it will simply access and encrypt the whole server.

And that's where the server backup comes in.

'dusttops', lol. I like that--I'll add it to my technical vocabulary. :D
 

VirtualLarry

No Lifer
Aug 25, 2001
56,343
10,046
126
The QNAP "QHORA" router, with its SD-WAN functionality and (supposedly, I don't have one yet) impressive support for VPNs (site-to-site, spoke, etc.) could probably help you achieve that. Have one at each location, set up VPNs between them, share a NAS.

Thought a few times about doing that for family & friends as well.
 

SamirD

Golden Member
Jun 12, 2019
1,489
276
126
www.huntsvillecarscene.com
VirtualLarry said:
> The QNAP "QHORA" router, with its SD-WAN functionality and (supposedly, I don't have one yet) impressive support for VPNs (site-to-site, spoke, etc.) could probably help you achieve that. Have one at each location, set up VPNs between them, share a NAS.
>
> Thought a few times about doing that for family & friends as well.

Those are waaaay too expensive when enterprise gear is cheaper and better. I paid less than that for our WatchGuard M300.
 

mxnerd

Diamond Member
Jul 6, 2007
6,799
1,101
126
ZeroTier is another free / open source SD-WAN VPN for under 100 devices (well, now 50). Can be installed on QNAP too. No need to buy QHORA.

The setup is easy: you only create a network ID and name, select a private IP range on ZeroTier's website and install client software on each device; each device gets a node ID and joins the network, you add/approve those node IDs and you are done! No firewall rules to create, no port forwarding!

It actually works a bit like TeamViewer, which also lets you create a VPN that you can join with no firewall & port forwarding to configure, since ZeroTier and TeamViewer both use UDP hole punching. TeamViewer will ask you to buy licenses if you are in a corporate domain, however. Don't know if it's the same case for ZeroTier.

I'll try to set up a local DNS later so devices on the ZeroTier VPN can ping each other using their FQDNs.

==

Found one annoying issue. It creates a new network profile every time you disconnect and reconnect to the VPN.

You can use Network Profile Remover to remove the network profiles you don't want/need.
 

Fallen Kell

Diamond Member
Oct 9, 1999
6,039
431
126
I do offsite backups, but not like you are describing. I have two groups of USB hard drives, each with a ZFS filesystem on them (so two different ZFS filesystems). I have a local storage server which has a ZFS filesystem as well, which I will sync to one of the two hard drive groups. I will periodically take one of the groups and put it in a safe deposit box I have with a bank, and swap them back and forth.

The nice thing about ZFS is that it will tell me if there is bitrot happening, and can attempt to rebuild the data (guessing which drive in the group was bad, and trying to rebuild as though there was a single disk failure, and checking to see if it can come up with the combination of proper hash signature with rebuilding).

And since one set is kept at the bank, it is not likely that I will lose them at the same time that I might lose the ones at my home (it would take a pretty big disaster for that to happen at which point, the data on them is probably not that important in the scheme of things like trying to stay alive).
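SamirD's point that a compromised client will simply encrypt whatever it can reach, and Fallen Kell's rotated ZFS USB pools, combine into one server-side routine; what follows is an added example, not code from anyone in the thread. It assumes a server dataset tank/backups with ZFS native encryption enabled, a dataset usbA/backups on the USB pool currently at home, and OpenZFS-style zpool status output; the verify step treats any repaired bytes as the bitrot warning Fallen Kell describes.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread. Assumed: tank/backups is the server
# dataset holding the per-client shares (ZFS native encryption on), usbA/backups the dataset
# on the USB pool at home. Snapshots are taken server-side, beyond a mounting client's reach.
set -eu
DATASET="${DATASET:-tank/backups}"
OFFSITE="${OFFSITE:-usbA/backups}"
KEEP="${KEEP:-30}"                          # snapshots retained on the server
# Snapshot name carries a UTC timestamp so that name order equals age order.
new_snapshot() {
    snap="$DATASET@auto-$(date -u +%Y%m%dT%H%M%SZ)"
    zfs snapshot -r "$snap" && printf '%s\n' "$snap"
}
# Destroy server-side auto snapshots beyond KEEP, oldest first; offsite copies are untouched.
prune_snapshots() {
    zfs list -H -t snapshot -o name -s creation "$DATASET" | grep '@auto-' \
        | awk -v k="$KEEP" '{ a[NR] = $0 } END { for (i = 1; i <= NR - k; i++) print a[i] }' \
        | while read -r s; do zfs destroy -r "$s"; done
}
# Raw (-w) incremental send from the newest snapshot the USB pool already holds up to the
# newest local one: the drives in the safe deposit box only ever hold ciphertext.
replicate_offsite() {
    newest=$(zfs list -H -t snapshot -o name -s creation "$DATASET" | tail -n 1)
    base=$(zfs list -H -t snapshot -o name -s creation "$OFFSITE" 2>/dev/null | tail -n 1 | cut -d@ -f2)
    if [ -n "$base" ]; then
        zfs send -Rw -I "@$base" "$newest" | zfs receive -u -F "$OFFSITE"
    else
        zfs send -Rw "$newest" | zfs receive -u "$OFFSITE"          # first full copy
    fi
}
# Check `zpool status <pool>` text: pass only if the pool is ONLINE, the last scrub
# completed with nothing repaired and no errors, and no data errors are known.
# Anything repaired is the "bitrot is happening" signal, so that fails too.
pool_is_clean() {
    printf '%s\n' "$1" | grep -q '^ *state: ONLINE$' || return 1
    printf '%s\n' "$1" | grep -q '^errors: No known data errors$' || return 1
    printf '%s\n' "$1" | grep -Eq '^ *scan: scrub repaired 0B? in .* with 0 errors' || return 1
    ! printf '%s\n' "$1" | grep -Eq 'DEGRADED|FAULTED|UNAVAIL|REMOVED'
}
# Constructed sample `zpool status` output (not captured from a real system).
CLEAN_STATUS='  pool: usbA
 state: ONLINE
  scan: scrub repaired 0B in 00:41:12 with 0 errors on Sun Jan  7 03:00:00 2024
errors: No known data errors'

case "${1:-}" in
    backup) new_snapshot && prune_snapshots && replicate_offsite ;;
    verify) pool_is_clean "$(zpool status "${OFFSITE%%/*}")" || { echo 'offsite pool NOT clean' >&2; exit 1; } ;;
esac
```

Run it with the argument backup from cron after the clients' windows close, and with verify after a zpool scrub of the pool that is about to go to the bank.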