HowTo: Use Reverse SSH Tunnel for Rsync Backup on a Synology DS


This post describes how to use a reverse SSH tunnel to back up an external device, such as a server, to your Synology DS via rsync. I have to use a reverse SSH tunnel because my DS is behind my firewall at home and my server (which should use the DS for backup) is in an ISP's datacenter. I will not open any ports for SSH or rsync in my firewall, so a reverse SSH tunnel solves this. As I described in this post:

How To: Enable SSH and Rsync on Synology DS

You should enable rsync and SSH on your DS before starting this one. As I would like to run the backup as a script, I use the internal cron daemon on the DS to start the backup, and I needed to set up RSA authentication on both machines: the DS and the device which uses the DS as its backup server.

Setup RSA Authentication

To be able to set up an SSH connection from within a script, it makes life easier to use public key authentication with RSA keys.

Connect to your DS via SSH and open this file with your favourite text editor:

/etc/ssh/sshd_config

Look for this entry and uncomment it, if necessary:

PubkeyAuthentication yes

This enables public key authentication on your DS, which the RSA keys below rely on. It should work the same way on Debian based systems (I tested it with Debian) and other Linux-based systems.

Generate RSA Key Pair

The next step is to generate the key pair for both machines. You should run this command on both machines:

ssh-keygen -t rsa -b 2048 -f rsa-key-id

Replace “rsa-key-id” with whatever you like, as this is the file name for the key pair. If you are asked for a passphrase, leave it empty. Otherwise you would have to enter it every time the key is used, which would make no sense for the script:

DiskStation> ssh-keygen -t rsa -b 2048 -f rsa-key-id
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in rsa-key-id.
Your public key has been saved in rsa-key-id.pub.
The key fingerprint is:
96:79:16:27:e4:28:08:a0:6b:da:f0:2a:88:e9:64:36 root@DiskStation
The key's randomart image is:
+--[ RSA 2048]----+
|...       .      |
|.  . .   +       |
|.   . . . + .    |
| .     . o +     |
|o.      S o      |
|o+     . o       |
|+Eo              |
|O..              |
|+.               |
+-----------------+

I did not use this key 🙂

Copy both files into the .ssh folder of the user:

/home/user/.ssh/

Afterwards I would make the file as secure as possible with:

chmod 600 /home/user/.ssh/rsa-key-id

Do those steps on both machines, the DS and the Linux server. It will work on Debian based systems without any changes and, from my experience, on all other Linux-based systems as well. The file with the *.pub ending needs to be copied to the other machine. Afterwards you need to import the public key into the “authorized_keys” file there:

cat rsa-key-id.pub >> /home/user/.ssh/authorized_keys

Delete the file with the *.pub ending and make the “authorized_keys” file as secure as possible by:

chmod 600 /home/user/.ssh/authorized_keys

Do the same on both machines and you should be able to connect from one machine to the other using the keys:

ssh -i /root/.ssh/rsa-key-id user@my-machine.tld

If this is working, you are done with this step.

Create Reverse SSH Tunnel

Creating a reverse SSH tunnel is quite easy. You only have to issue this command on your DS:

ssh -R 8730:localhost:22 user@my-machine.tld

This command sets up a connection to my-machine.tld with the username “user” and, after a successful connection, sets up a tunnel back to the machine you are sitting on. Let’s assume you are connected to your DS and use this command to connect to your server. After you have logged in to your server with the command above, you can connect via SSH back to your DS on port 8730, through the reverse SSH tunnel, with this command:

ssh -p 8730 user@localhost

To automate this process, you can add the “-i” option from the section above to use RSA authentication. If this succeeds, you can use the reverse SSH tunnel to back up your machine to your DS with rsync.

Use the Reverse SSH Tunnel for Rsync Backup

Once the reverse SSH tunnel is established, you can use it for your rsync backup. Just use rsync over SSH, as in the example below:

rsync -avuz -e '/usr/bin/ssh -i /home/user/.ssh/rsa-key-id -p 8730' --delete /path/to/source/folder user@localhost:/path/to/destination/folder

This will use the established reverse SSH tunnel to back up the data in the source folder to the destination folder.

The last step puts everything together in a script and runs this script as a cron job.

Create a Backup Script and Run it as a Cron Job

To automate all the things I explained so far, I created two scripts. One script runs on the DS as a cron job and establishes the reverse SSH tunnel. Afterwards, this script starts the actual backup script on my server and puts the output (log) into a file which is sent via mail to my mail account. Just in case 🙂

You have to create a file called “backup-script.sh” or whatever you want and save this file on your DS. Do not use the home folder for root, as I lost my file after the last update. Put it somewhere in your homes directory. I use this one:

/volume1/homes/admin/

My script on the DS looks like this:

#!/bin/ash
# Opens the reverse tunnel (server port 8730 -> DS port 22) and runs the backup on the server.
# you@example.com is a placeholder for your own mail address.
echo "*** Connect to Server for Backup ***"
ssh -i /home/user/.ssh/rsa-key-id -R 8730:localhost:22 user@my-machine.tld '/path/to/the/actual/backup-script > /path/to/backup/log; mail -s "Server Backup" you@example.com < /path/to/backup/log; rm /path/to/backup/log'
echo "*** backup done ***"

This script will set up a reverse SSH tunnel and run the commands between the single quotes on the server. The actual backup script is started here and the output is mailed to my mail account. Afterwards, the connection is closed. BTW: the “#!/bin/ash” is no typo!
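The key used by this script has no passphrase, so its entry in the server's “authorized_keys” can be limited to what the script needs: the reverse forward on port 8730 and one fixed command. The following is an added example, not part of the original post. It assumes OpenSSH 7.8 or later on the server; install_restricted_key and the wrapper script path are hypothetical names.

```shell
#!/bin/sh
# Added example, not from the original post. Run on the server.
# Assumes OpenSSH >= 7.8 there (restrict, permitlisten). The wrapper path
# passed as WRAPPER is hypothetical: with a forced command sshd ignores the
# command line sent by the DS, so the wrapper must contain the backup, mail
# and rm steps itself.

# install_restricted_key AUTH_FILE PUBKEY_FILE PORT WRAPPER
install_restricted_key() {
    auth=$1; pub=$2; port=$3; wrapper=$4

    # Accept exactly one line "<type> <base64> [comment]". This also rejects
    # a private key file handed over by mistake.
    [ "$(grep -c '' "$pub")" -eq 1 ] || { echo "$pub: not a one-line public key" >&2; return 1; }
    read -r type blob comment < "$pub" || [ -n "$blob" ] || return 1
    case $type in
        ssh-rsa|ssh-ed25519|ecdsa-sha2-*) ;;
        *) echo "$pub: unexpected key type" >&2; return 1 ;;
    esac
    [ -n "$blob" ] || return 1

    # restrict: no pty, no agent/X11 forwarding, no ~/.ssh/rc, no forwarding.
    # port-forwarding re-enables forwarding; permitlisten limits remote (-R)
    # listeners to the tunnel port.
    opts="restrict,port-forwarding,permitlisten=\"localhost:$port\",command=\"$wrapper\""

    tmp=$(mktemp "$auth.XXXXXX") || return 1      # created with mode 600
    # Drop any older entry for this key (for example the unrestricted one),
    # keep every other key untouched.
    if [ -f "$auth" ]; then grep -vF -- "$blob" "$auth" > "$tmp" || true; fi
    printf '%s %s %s%s\n' "$opts" "$type" "$blob" "${comment:+ $comment}" >> "$tmp"
    mv "$tmp" "$auth"
}

# Usage on the server (paths are placeholders):
#   install_restricted_key /home/user/.ssh/authorized_keys rsa-key-id.pub 8730 /usr/local/sbin/ds-backup-wrapper
```
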

In the backup-script I put all the files I need to back up together in one folder and start the rsync process. The file looks like this:

#!/bin/bash
# Runs on the server; every rsync goes through the reverse tunnel on port 8730.
# The echo texts are quoted so that the shell does not expand the asterisks.
echo "***Backup Webserver Content***"
rsync -avuz -e '/usr/bin/ssh -i /home/user/.ssh/rsa-key-id -p 8730' --delete /var/www user@localhost:/volume1/Data/Backup/WebserverContent
echo "***Backup Webserver Content done***"
echo
echo "***Backup MySQL Database***"
mysqldump --defaults-extra-file=/etc/mysql/debian.cnf --all-databases > /var/backups/mysql/mysql_backup.sql
echo "***Backup MySQL Database done***"
echo
echo "***Backup Scalix***"
bash /root/scripts/ombackup
echo "***Backup Scalix Done***"
echo
echo "***restart postfix***"
/etc/init.d/postfix restart
echo "***restart of postfix done***"
echo
echo "***rsync everything to the backup NAS***"
rsync -avuz -e '/usr/bin/ssh -i /home/user/.ssh/rsa-key-id -p 8730' --delete /var/backups user@localhost:/volume1/Data/Backup/
echo "*** rsync finished***"

As you can see, this is just a simple script, backing up the data using the reverse SSH tunnel.

The last step is to create a cron job on your DS to run this automatically every night. Simply open this file:

/etc/crontab

You have to add a new line like this to the file:

0       3       *       *       *       root    /volume1/homes/admin/server-backup

This will run the script “server-backup” as root every day at 03:00.
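Because cron runs the DS-side script unattended, it helps if the script stops when the tunnel cannot be set up and reports the exit status of ssh. The following variant is an added example, not the author's script. KEY and REMOTE reuse the post's placeholders; LOCK and run_backup are hypothetical names.

```shell
#!/bin/sh
# Added example, not the author's script; also runs in the DS's ash.
# KEY and REMOTE reuse the post's placeholders; LOCK and run_backup are
# hypothetical names.
KEY=${KEY:-/home/user/.ssh/rsa-key-id}
REMOTE=${REMOTE:-user@my-machine.tld}
LOCK=${LOCK:-/tmp/server-backup.lock}

# run_backup REMOTE_COMMAND -> returns the exit status of ssh
run_backup() {
    # mkdir is atomic: an overlapping cron run stops here instead of
    # competing for port 8730.
    mkdir "$LOCK" 2>/dev/null || { echo "backup already running" >&2; return 75; }

    # BatchMode=yes: fail instead of prompting if the key is not accepted.
    # ExitOnForwardFailure=yes: abort if the server cannot listen on 8730, so
    # the backup never runs against some other listener on that port.
    # ServerAliveInterval/CountMax: give up when the link is dead.
    ssh -i "$KEY" \
        -o BatchMode=yes \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=60 -o ServerAliveCountMax=3 \
        -R 8730:localhost:22 "$REMOTE" "$1" && rc=0 || rc=$?

    rmdir "$LOCK"
    [ "$rc" -eq 0 ] || echo "backup failed, ssh exit status $rc" >&2
    return "$rc"
}

# In the cron script, call it with the remote command line, for example:
#   run_backup '/path/to/the/actual/backup-script > /path/to/backup/log'
```
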

If you have any questions or feedback about this post, leave me a comment.
