Backup to remote RasPi using Duplicati - how?

Hi,

so I’ve built a Nextcloud instance on an Intel NUC for friends and family and before giving everyone the go-ahead to use it as a productive system, I figured I should look into remotely backing up everything. The server is located in my home and I have already set up a RasPi 3 with an attached HDD at my parents’ place to use as a remote backup.

I don’t want to use GDrive or AWS or other hosting platforms, if it can be helped. I’d like to do this all self-hosted.

Unfortunately, every tutorial and guide I’ve found so far is missing a couple of key aspects:

  1. Is there a backup solution (e.g. Duplicati, Borg, rsync) that is most suited to this setup?
  2. Do I need to set up the RPi at my parents’ place with a DDNS?
  3. More precisely: what do I have to do in order to send backup data from my NC to the RPi?

Thanks and stay healthy :slight_smile:

Depends a bit on what kind of backup you’d like. I use rsnapshot and this way I only download the difference compared to the last backup and have a bit of history in case someone overwrites their files (by accident, virus, whatever). There is a bunch of backup tools linked with rsync that are all a bit different and you have to choose your preferred one.

No. Ideally, you have a dedicated user on your Nextcloud setup and the backup machine is connecting via this user and loads the backup. So the Nextcloud setup can’t access the backup system (in case someone hacks into your Nextcloud server, he can’t compromise your backup).

Thanks for your answer! :bowing_man:

I did manage to get the two systems connected via wireguard and then rsync a couple directories over from the NC to the remote backup. Getting my head around wireguard was not easy, but in the end using wg-quick helped.

For posterity, this is how I connected my two machines via wireguard VPN:

ssh into your machines, sudo apt install wireguard (a little more complicated for the Pi depending on OS and architecture), generate your public and private keys (to copy-paste them as shown below), sudo nano /etc/wireguard/wg0.conf and then

NC server:

[Interface]
Address = 192.168.2.2/24
#DNS = 10.200.100.1 --- here I just copy-pasted from somewhere but commented out the DNS because I don't need it for my purposes
PrivateKey = cB6a...
ListenPort = 12345

[Peer]
PublicKey = 2PT2Ln1PPE+...
#PresharedKey = /UwcSPg38hW/D9Y3tcS1FOV0K1wuURMbS0sesJEP5ak= again, copy-paste leftovers
AllowedIPs = 192.168.2.1/24 # this is basically saying that on this NC server wg0 interface, I only accept traffic incoming from this peer IF it comes from this IP address.
Endpoint = xx.xx.xx.xx:11111 # my parents' static IP OR another DDNS
PersistentKeepalive = 25 # might not need this, but I didn't want to leave it to chance. The two boxes can ping every half minute for all I care.

RPi:

[Interface]
Address = 192.168.2.1/24
ListenPort = 11111
PrivateKey = mLts...

[Peer]
PublicKey = 3Ipc...
AllowedIPs = 192.168.2.0/24
Endpoint = xxxxxxx.com:12345
PersistentKeepalive = 25

You then need to set the interface up by wg-quick up wg0 and then test it by sudo wg and finally pinging the machines… and you need to do that for both machines, obvs.

Once you got all of that up and running, it’s time for

sudo apt install rsync 

if you haven’t yet. I then made a successful test transfer by executing

sudo rsync -vv -r -h -e ssh --bwlimit=3000 --progress ~/Downloads/Test/ pi@[wireguard-IP]:/path/to/backup/directory

Good Luck!
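One thing worth checking before trusting a pair of wg0.conf files like the ones above: AllowedIPs is WireGuard's cryptokey routing table, so on the NC server `192.168.2.1/24` does not mean "only the Pi", it admits any source address in the whole /24 from that peer (a /32 is what the comment in the config actually intends), and the Endpoint port on one side has to match the ListenPort on the other. The script below is an added example written for this thread, not code from the post or from the WireGuard project. It parses the two configs the way wg(8) reads them (trailing `#` comments dropped), flags AllowedIPs entries wider than a single host, and cross-checks each side's [Peer] section against the other side's [Interface]. The two configs embedded in it are constructed stand-ins for the ones in the post; the keys are placeholders.

```python
import ipaddress

# Constructed stand-ins for the two wg0.conf files in the post above.
# Keys are placeholders, not real WireGuard keys.
NC_CONF = """
[Interface]
Address = 192.168.2.2/24
#DNS = 10.200.100.1
PrivateKey = NC_PRIVATE_KEY_PLACEHOLDER
ListenPort = 12345

[Peer]
PublicKey = PI_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.1/24 # meant as "only this host", but /24 is the whole subnet
Endpoint = xx.xx.xx.xx:11111 # parents' static IP or DDNS name
PersistentKeepalive = 25
"""

PI_CONF = """
[Interface]
Address = 192.168.2.1/24
ListenPort = 11111
PrivateKey = PI_PRIVATE_KEY_PLACEHOLDER

[Peer]
PublicKey = NC_PUBLIC_KEY_PLACEHOLDER
AllowedIPs = 192.168.2.0/24
Endpoint = xxxxxxx.com:12345
PersistentKeepalive = 25
"""


def parse_wg_conf(text):
    """Parse a wg(8)-style config into (interface_dict, [peer_dict, ...]).

    Anything after '#' is dropped, which is what wg(8) does with comments."""
    interface, peers, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line == "[Interface]":
            current = interface
        elif line == "[Peer]":
            current = {}
            peers.append(current)
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
        else:
            raise ValueError(f"unparseable line: {raw!r}")
    return interface, peers


def lint(conf_text):
    """Return a list of findings for one side's config (empty list means clean)."""
    iface, peers = parse_wg_conf(conf_text)
    findings = []
    for key in ("Address", "PrivateKey"):
        if key not in iface:
            findings.append(f"[Interface] is missing {key}")
    for i, peer in enumerate(peers):
        for key in ("PublicKey", "AllowedIPs"):
            if key not in peer:
                findings.append(f"[Peer] {i} is missing {key}")
        # AllowedIPs is both the source filter for packets from this peer and the
        # set of destinations routed to it; a single remote host should get a /32.
        for cidr in peer.get("AllowedIPs", "").split(","):
            cidr = cidr.strip()
            if not cidr:
                continue
            net = ipaddress.ip_network(cidr, strict=False)
            if net.num_addresses > 1:
                findings.append(
                    f"[Peer] {i}: AllowedIPs {cidr} admits {net.num_addresses} "
                    "source addresses; use a /32 for a single remote host"
                )
    return findings


def cross_check(local_text, remote_text):
    """Check that local's first [Peer] actually describes remote's [Interface]."""
    _, local_peers = parse_wg_conf(local_text)
    remote_if, _ = parse_wg_conf(remote_text)
    findings = []
    peer = local_peers[0]
    remote_addr = ipaddress.ip_interface(remote_if["Address"]).ip
    allowed = [ipaddress.ip_network(c.strip(), strict=False)
               for c in peer["AllowedIPs"].split(",")]
    if not any(remote_addr in net for net in allowed):
        findings.append(f"remote address {remote_addr} is not inside local AllowedIPs")
    if "Endpoint" in peer and "ListenPort" in remote_if:
        endpoint_port = int(peer["Endpoint"].rsplit(":", 1)[1])
        if endpoint_port != int(remote_if["ListenPort"]):
            findings.append(f"Endpoint port {endpoint_port} != remote ListenPort "
                            f"{remote_if['ListenPort']}")
    return findings


if __name__ == "__main__":
    for name, conf in (("NC server", NC_CONF), ("RPi", PI_CONF)):
        print(name, lint(conf) or "clean")
    print("NC -> RPi", cross_check(NC_CONF, PI_CONF) or "consistent")
    print("RPi -> NC", cross_check(PI_CONF, NC_CONF) or "consistent")
```

Run against the two configs as posted, both sides lint with one finding each (the /24 AllowedIPs) while the cross-check passes, which is exactly the situation where a tunnel works fine but accepts more than you think: tightening the NC side to `AllowedIPs = 192.168.2.1/32` and the Pi side to `AllowedIPs = 192.168.2.2/32` makes both clean without changing connectivity.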

If you pass the transfer through ssh, I don’t see a point in passing everything through a VPN. It’s just an extra piece of software that can fail, have security issues, etc.

Using wireguard allows me to not expose any ports on the off-site network to the public, as I understand it. The Pi acting as the backup machine is at my parents’ house and if I understand correctly, I would need to open port 22 in my parents’ fritzbox if I chose not to go the VPN route. Dad is very happy I did not have to mess with his network at all :smiley:

Though yes, I still haven’t fully figured out wireguard yet and it is another variable. I can’t seem to get the tunnel to automatically update when my Nextcloud-DDNS changes IPs, for example.

If you initiate the connection from the backup system to the server, you only have to open port 22 at your Nextcloud server (which is still exposed through Nextcloud itself).

Well, you expose the wireguard services which probably use a port.

True, but doesn’t that mean I’d only have access to the backup system locally, i.e. at my parents’ house? That’s 500km from where I live.

To be honest (and as you probably could tell :wink: ) I’m a bit out of my depth here, so take everything I say with a grain of salt, but: I did not open any ports in any firewall/router to get wireguard going. I also have no idea how wireguard works, just that everyone kept telling me how perfect it is for situations like mine :man_shrugging: :smiley: