This post describes how to use a reverse SSH tunnel to back up an external device, such as a server, to your Synology DS via rsync. I have to use the reverse SSH tunnel function, as my DS is behind my firewall at home and my server (which should use the DS for backup) is in a datacenter of an ISP. I will not open any ports for SSH or rsync in my firewall, so a reverse SSH tunnel will solve this. As I described in this post:
You should enable
Setup RSA Authentication
To be able to set up an SSH connection from within a script, it would make life easier to use RSA with public key authentication.
Connect to your DS via SSH and open this file with your favourite text editor:
Look for this entry and uncomment it, if necessary:
This will enable RSA on your DS. For Debian based systems (I tested it with Debian) and other Linux-based systems it should work the same way.
Generate RSA Key Pair
The next step is to generate the key pair for both machines. You should run this command on both machines:
ssh-keygen -t rsa -b 2048 -f rsa-key-id
DiskStation> ssh-keygen -t rsa -b 2048 -f rsa-key-id
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in rsa-key-id.
Your public key has been saved in rsa-key-id.pub.
The key fingerprint is:
96:79:16:27:e4:28:08:a0:6b:da:f0:2a:88:e9:64:36 [email protected]
The key's randomart image is:
+--[ RSA 2048]----+
|... . |
|. . . + |
|. . . . + . |
| . . o + |
|o. S o |
|o+ . o |
|+Eo |
|O.. |
|+. |
+-----------------+
I did not use this key 🙂
Copy both files into the ssh folder of the user:
Afterwards I would make the file as secure as possible with:
chmod 600 /home/user/.ssh/rsa-key-id
Do those steps on both machines, the DS and the Linux server. It will work on Debian based systems without any changes and from my experience on all other Linux-based systems as well. The files with the *.pub ending need to be copied to the other machine. Afterwards you need to import the public key into the “authorized_keys” file. Make sure you append the *.pub file and not the private key:
cat rsa-key-id.pub >> /home/user/.ssh/authorized_keys
Delete the file with the *.pub ending and make the “authorized_keys” file as secure as possible by:
chmod 600 /home/user/.ssh/authorized_keys
Do the same on both machines and you should be able to connect from one machine to the other using the keys:
ssh -i /root/.ssh/rsa-key-id [email protected]
If this is working, you are done with this step.
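The key import step above, as an added example that is not part of the original post: a POSIX shell helper that appends a key to “authorized_keys” only if the file really is a single-line public key, so private key material can never end up there, and that sets the modes used above. The function name install_pubkey and the paths in the usage comment are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. install_pubkey is a hypothetical helper.
# Usage: install_pubkey /path/to/rsa-key-id.pub /home/user/.ssh

install_pubkey() {
    pub=$1
    sshdir=$2
    auth="$sshdir/authorized_keys"

    [ -r "$pub" ] || { echo "cannot read $pub" >&2; return 1; }

    # Refuse anything that contains private key material (PEM or OpenSSH format).
    if grep -q 'PRIVATE KEY' "$pub"; then
        echo "refusing: $pub is a private key" >&2
        return 2
    fi

    # A public key file holds exactly one line: "<type> <base64> [comment]".
    lines=$(grep -c . "$pub" || true)   # number of non-empty lines
    if [ "$lines" -ne 1 ] ||
       ! grep -Eq '^(ssh-rsa|ssh-ed25519|ecdsa-sha2-[a-z0-9-]+) [A-Za-z0-9+/=]+( .*)?$' "$pub"; then
        echo "refusing: $pub is not an OpenSSH public key" >&2
        return 3
    fi
    key=$(grep . "$pub")

    # sshd ignores authorized_keys if the directory or file is too permissive.
    mkdir -p "$sshdir" && chmod 700 "$sshdir" || return 4
    touch "$auth" && chmod 600 "$auth" || return 4

    # Append only if this exact key line is not already present (idempotent).
    if ! grep -qxF -e "$key" "$auth"; then
        printf '%s\n' "$key" >> "$auth"
    fi
    return 0
}
```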
Create Reverse SSH Tunnel
Creating a reverse SSH tunnel is quite easy. You only have to issue this command on your DS:
ssh -R 8730:localhost:22 [email protected]
Using this command will set up a connection to my-machine.tld with the username “user” and, after a successful connection, set up a tunnel back to the machine you are sitting on. Let’s assume you are connected to your DS and use this command to connect to your server. After you have logged in to your server with the command above, you are able to connect via SSH back to your DS using port 8730, through the reverse SSH tunnel, with this command:
ssh -p 8730 [email protected]
To automate this process, you can add the “-i” option from the section above to use the RSA authentication. If this succeeds, you can use the reverse SSH tunnel to back up your machine with rsync to your DS.
Use the Reverse SSH Tunnel for Rsync Backup
Once the reverse SSH tunnel is established, you can use it for your rsync backup. Just use rsync together with SSH, as in the example below:
rsync -avuz -e '/usr/bin/ssh -i /home/user/.ssh/rsa-key-id -p 8730' --delete /path/to/source/folder [email protected]:/path/to/destination/folder
This will use the established reverse SSH tunnel to back up the data in the source folder to the destination folder.
The last step will put everything together in a script and run this script as a cron job.
Create a Backup Script and Run it as a Cron Job
To automate all the things I explained so far, I created two scripts. One script on the DS, running as a
You have to create a file called “backup-script.sh” or whatever you want and save this file on your DS. Do not use the home folder for root, as I lost my file after the last update. Put it somewhere in your homes directory. I use this one:
My script on the DS looks like this:
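#!/bin/ash
# The echo text is quoted so the shell does not expand *** as a file glob.
echo "*** Connect to Server for Backup ***"
# Open the reverse tunnel (server port 8730 -> DS port 22), run the backup on the server,
# mail the log and remove it afterwards.
ssh -i /home/user/.ssh/rsa-key-id -R 8730:localhost:22 [email protected] '/path/to/the/actual/backup-script > /path/to/backup/log; mail -s "Server Backup" [email protected] < /path/to/backup/log; rm /path/to/backup/log'
echo "*** backup done ***"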
This script will set up a reverse SSH tunnel and run the commands between the apostrophes. The actual backup script is started here and the output is mailed to my mail account. Afterwards, the connection is closed. BTW: the “#!/bin/ash” is no typo!
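A variant of the DS-side launcher for unattended cron use, as an added example that is not the author's script: it stops if the tunnel port cannot be bound on the server, never waits for a password prompt, prevents overlapping runs and returns the ssh exit status. The names run_backup, SSH_BIN and LOCKDIR are assumptions, and the host and paths are placeholders.

```shell
#!/bin/sh
# Added example, not the author's script. Host, paths and variable names are placeholders.
SSH_BIN=${SSH_BIN:-ssh}
KEY=${KEY:-/home/user/.ssh/rsa-key-id}
REMOTE=${REMOTE:-user@my-machine.tld}
REMOTE_CMD=${REMOTE_CMD:-/path/to/the/actual/backup-script}
LOCKDIR=${LOCKDIR:-/tmp/server-backup.lock}

run_backup() {
    # mkdir is atomic: a run started while another one is active backs off.
    # A lock left behind by a crash has to be removed by hand.
    if ! mkdir "$LOCKDIR" 2>/dev/null; then
        echo "backup already running (lock: $LOCKDIR)" >&2
        return 75
    fi
    rc=0
    # BatchMode=yes: fail instead of waiting for a password prompt under cron.
    # ExitOnForwardFailure=yes: abort if port 8730 cannot be bound on the server
    #   (for example a stale tunnel), instead of running the backup without a tunnel.
    # ServerAlive*: drop a dead connection after about 90 seconds of silence.
    "$SSH_BIN" -i "$KEY" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R 8730:localhost:22 \
        "$REMOTE" "$REMOTE_CMD" || rc=$?
    rmdir "$LOCKDIR"
    [ "$rc" -eq 0 ] || echo "backup failed, ssh exit status $rc" >&2
    return "$rc"
}

# In the cron script: run_backup || exit $?
```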
In the backup-script I put all the files I need to backup together in one folder and start the rsync process. The file looks like this:
#!/bin/bash
# The echo text is quoted so the shell does not expand *** as a file glob.
echo "***Backup Webserver Content***"
# Web content goes through the tunnel (port 8730 on this server) directly to the DS.
rsync -avuz -e '/usr/bin/ssh -i /home/user/.ssh/rsa-key-id -p 8730' --delete /var/www [email protected]:/volume1/Data/Backup/WebserverContent
echo "***Backup Webserver Content done***"
echo
echo "***Backup MySQL Database***"
# Dump all databases into /var/backups, which is synced in the last step.
mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > /var/backups/mysql/mysql_backup.sql
echo "***Backup MySQL Database done***"
echo
echo "***Backup Scalix***"
bash /root/scripts/ombackup
echo "***Backup Scalix Done***"
echo
echo "***restart postfix***"
/etc/init.d/postfix restart
echo "***restart of postfix done***"
echo
echo "***rsync everything to the backup NAS***"
rsync -avuz -e '/usr/bin/ssh -i /home/user/.ssh/rsa-key-id -p 8730' --delete /var/backups [email protected]:/volume1/Data/Backup/
echo "*** rsync finished***"
As you can see, this is just a simple script, backing up the data using the reverse SSH tunnel.
The last step is to create a cron job on your DS to run this automatically every night. Simply open this file:
You have to add a new line like this to the file:
0 3 * * * root /volume1/homes/admin/server-backup
This will run the script “server-backup” as root every day at 03:00am.
If you have any questions or feedback about this post, leave me a comment.