Backup Synology NAS over SSH via a wireguard proxy

Thursday 6 Jun 2024

I have a Synology NAS, and I would like to back up my files onto a Raspberry Pi at my parents' place. How would I do that?

The solution: a point-to-point wireguard connection that exposes the ssh port of the backup-server on my home-server (not my NAS), so that my NAS can ssh into the backup-server as if it were on the same network.

TL;DR in order to achieve my goal I only needed one single wireguard-config file on a server in the same network as my NAS.

topology of the solution

Yes, unfortunately it involves an extra component between my NAS and the backup-server; let's call it the wireguard-ssh proxy. In my case it runs on my home-server; however, the footprint is small, so one could also run it in a virtual machine on the NAS itself.

The backup-server

First, I assume there is a working wireguard endpoint on the backup-server (in my case the homeassistant-wireguard addon, but this can of course be any wireguard configuration). I also assume that this wireguard endpoint is reachable from the internet, e.g. via port-forwarding on the router.

Add a new peer to the wireguard configuration. This peer will be the wireguard-ssh proxy. Leave the public key empty for now; we will fill it in later. The peer should have access to the local network. In my case this is done automatically by the homeassistant wireguard addon, but if that is not the case for you, your wireguard config file should have rules like these (this is quite common):

PostUp = iptables -A FORWARD -i %i -j ACCEPT; iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -j ACCEPT; iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D POSTROUTING -o eth0 -j MASQUERADE

The wireguard-ssh proxy

The wireguard-ssh proxy runs on my Debian-based home-server. This requires the wireguard packages to be installed.

In order to achieve my goal I only need one single wireguard.conf file on my home-server:

# MY_WIREGUARD_INTERFACE.conf

[Interface]
PrivateKey = PRIVATEKEY
Address = 172.27.66.3/24

# ssh tunnel part
PreUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A PREROUTING -p tcp --dport 2255 -j DNAT --to-destination 192.168.1.60:22; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D PREROUTING -p tcp --dport 2255 -j DNAT --to-destination 192.168.1.60:22; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

[Peer]
PublicKey = PUBLICKEY_OF_BACKUP_SERVER
Endpoint = IP_OF_ENDPOINT:51820
AllowedIPs = 172.27.66.0/24, 192.168.1.0/24
PersistentKeepalive = 25

This file has two functions:

  1. the wireguard connection between the backup-server and my home-server;
  2. the redirection of the ssh port of the backup-server on a local port of the home-server.

Let's zoom in:

the wireguard function

When we leave out the ssh redirect part, we have:

[Interface]
PrivateKey = PRIVATEKEY
Address = 172.27.66.3/24

# the section of the ssh redirect will be here, but is now left out.

[Peer]
PublicKey = PUBLICKEY_OF_BACKUP_SERVER
Endpoint = IP_OF_ENDPOINT:51820
AllowedIPs = 172.27.66.0/24, 192.168.1.0/24
PersistentKeepalive = 25

The Interface section: here we specify the wireguard interface of the home-server. Remember to generate your own private/public key pair. The private key goes in this file; the public key goes into the peer entry you created in the wireguard configuration on the backup-server. Also make sure that the address corresponds to the address defined for this peer in the wireguard configuration on the backup-server.

The Peer section: here we specify the wireguard endpoint of the backup-server. Fill in the PUBLICKEY_OF_BACKUP_SERVER and IP_OF_ENDPOINT. Also make sure the port is correct (51820 is common). For AllowedIPs you need to specify the ip-range of the wireguard network (172.27.66.0/24) and the IP of the network or device you want ssh access to. In my case I used the whole 192.168.1.0/24 subnet, since this allows me to access every device in my parents' network, which I find useful. However, you can also use a specific IP, the one of the backup-server; in my case that would be 192.168.1.60/32. Note that limiting AllowedIPs to one IP is not really protection (that should be done with firewall rules on the backup-server), it's just convenience.

the ssh redirect

The ssh redirect is done by configuring several aspects of the server with PreUp/PostUp/PostDown actions.

# packet forwarding
PreUp = sysctl -w net.ipv4.ip_forward=1

This allows the system to route packets between the wireguard-network and the local network.

The PostUp contains three commands; let's take a look at each one:

The first command (the FORWARD rule) accepts packets that are forwarded out through the wireguard interface (wg-quick replaces %i with the name of the interface).

The second command (the PREROUTING DNAT rule) rewrites the destination of TCP packets that arrive on port 2255 of the home-server to port 22 of the backup-server, 192.168.1.60.

The third command (the POSTROUTING MASQUERADE rule) rewrites the source address of packets leaving through the wireguard interface to the home-server's wireguard address, so that the backup-server sends its replies back into the tunnel rather than to the original client address, to which it has no route.

The PostDown is just the reverse of PostUp.
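Two consistency checks worth running on this config before enabling it, as an added example (not code from the original post): every iptables -A in PostUp has its -D twin in PostDown (otherwise rules pile up on every restart), and the DNAT target 192.168.1.60 lies inside the peer's AllowedIPs, which is what makes wg-quick route the redirected packets into the tunnel. The config text embedded in the script is a constructed copy of the post's config, trimmed to the lines the checks use.

```python
import ipaddress
import re
import shlex

# Constructed sample: the proxy config from the post, trimmed to the lines the checks use.
SAMPLE_CONF = """\
[Interface]
PostUp = iptables -A FORWARD -o %i -j ACCEPT; iptables -t nat -A PREROUTING -p tcp --dport 2255 -j DNAT --to-destination 192.168.1.60:22; iptables -t nat -A POSTROUTING -o %i -j MASQUERADE
PostDown = iptables -D FORWARD -o %i -j ACCEPT; iptables -t nat -D PREROUTING -p tcp --dport 2255 -j DNAT --to-destination 192.168.1.60:22; iptables -t nat -D POSTROUTING -o %i -j MASQUERADE

[Peer]
AllowedIPs = 172.27.66.0/24, 192.168.1.0/24
"""

def parse_conf(text):
    """Parse wg-quick INI text into {section: {key: [values]}}; keys may repeat."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections[current] = {}
        elif line:
            key, _, value = line.partition("=")
            sections[current].setdefault(key.strip(), []).append(value.strip())
    return sections

def iptables_rules(values, flag):
    """iptables commands of a hook as token tuples minus the -A/-D flag, so add and delete compare equal."""
    rules = set()
    for cmd in ";".join(values).split(";"):
        tokens = shlex.split(cmd)
        if tokens[:1] == ["iptables"] and flag in tokens:
            rules.add(tuple(t for t in tokens if t != flag))
    return rules

def lint(text):
    """Return the problems found; an empty list means the proxy config is consistent."""
    conf = parse_conf(text)
    iface, peer = conf.get("Interface", {}), conf.get("Peer", {})
    up, problems = iface.get("PostUp", []), []
    allowed = [ipaddress.ip_network(n, strict=False) for n in re.split(r"[,\s]+", " ".join(peer.get("AllowedIPs", []))) if n]
    # Every rule added in PostUp needs its -D twin in PostDown, or rules pile up on each restart.
    for rule in iptables_rules(up, "-A") - iptables_rules(iface.get("PostDown", []), "-D"):
        problems.append("PostUp rule never removed in PostDown: " + " ".join(rule[1:]))
    # wg-quick only routes AllowedIPs into the tunnel, so the DNAT target must lie inside them.
    for m in re.finditer(r"--to-destination\s+([\d.]+)", " ".join(up)):
        if not any(ipaddress.ip_address(m.group(1)) in net for net in allowed):
            problems.append(f"DNAT target {m.group(1)} is not covered by AllowedIPs")
    return problems
```

Run lint() on the real /etc/wireguard file before systemctl enable; an empty list means both checks pass.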

running the wireguard-ssh proxy

I use systemd to run the wireguard-ssh proxy automatically on boot. Make sure the wireguard config file is in the /etc/wireguard folder, and run

sudo systemctl enable wg-quick@MY_WIREGUARD_INTERFACE

where MY_WIREGUARD_INTERFACE is the name of your config file minus .conf.

the result/conclusion

Now I can ssh into the backup-server from any device inside my home network by using the IP of my home-server with port 2255:

ssh root@IP_OF_WIREGUARD_SSH_PROXY -p2255

With that I can do things like rsync, or use more advanced tools like restic, all from my Synology NAS!