How can I use rsync over the internet with ssh without using a VPN or port forwarding?

[Vitalius]

TL;DR at the bottom.

Basically, what the title says. I want to use rsync to have a remote back of a server. I know I can use ssh to connect the two, but the only way to do so over the internet that I've found is VPN's and port forwarding. 

I'd prefer neither because VPNs aren't free and port forwarding isn't the best in terms of security. From what I can tell, the answer is "you can't then", but I wanted to make sure, so I thought I'd ask here.

If that is the answer, note that I already have access to a website/domain that has a static IP address that is accessible from the internet as it is. Is there a way I could use that? For example, the web server hosting the actual website is right beside the server I want to be using rsync with. They are on the same LAN. If I can access one in such a way, I'd imagine I could the other with SSH. 

However, I'm a bit of a noob at WAN networking. All I know is that part of what allows people to access the web server and use the website like they can is that our Domain Controller redirects them there. Is there a way to have SSH redirected to the correct rsync server? 

The two servers are currently on a LAN and replicating correctly as it is using SSH. I'm just needing help moving that to allow off-site backups.

I know. Lots of specific questions. I'm just kind of lost in the WAN world, so yeah. Any help is appreciated. 

TL;DR: I require help to rsync using SSH over WAN/Internet without using VPN or port forwarding when it appears that the connection part is already set up in a way with our web server for access to the WAN/Internet, and I might be able to use something similar for this.

[xXxYOLOxSWAGxXx_420BlazeIt]

You are thinking about the wrong kind of VPN.

 

Look at OpenVPN. Once you have installed it on your server and a client machine you will be able to do what you want to do with rsync. OpenVPN is 100% free.

[Vitalius]

You are thinking about the wrong kind of VPN.

 

Look at OpenVPN. Once you have installed it on your server and a client machine you will be able to do what you want to do with rsync. OpenVPN is 100% free.

Huh. Why didn't I notice that? Thanks for enlightening me.

Well, I'd still prefer not to use OpenVPN. The two machines are FreeNAS servers. You can get OpenVPN working on FreeNAS of course, but it's not idiot proof. Obviously, this is beyond that point already, but less is more when it comes to how difficult this is to setup. 

This means I have the kickback position of using OpenVPN, but I still feel like I shouldn't need that already. How do I explain what I mean... Hmm.

Basically, the way I see it, I already have all I should need to do this set up aside from the specifics. Follow me on this for a second. I have a web server that is accessible from anywhere via a URL as we have a Static IP address. From my limited understanding, it goes User -> User's ISP -> Level 3 ISPs -> Our ISP -> Us where our Domain Controller redirects the URL www.domain.com to our web server, thus giving people on the internet anywhere access to our website.

So, if I were to go to the DC and set up backup.domain.com to redirect to a different server on the same LAN as our Domain Controller, it should work the same way, but only someone with the SSH key could actually access the server (such as the other server which it will be syncing to). 

Is there some thing I'm completely missing there? If I can use a process that is shown elsewhere, I'd prefer that as knowing how to do one means knowing how to do another (i.e. setting up the WAN part of rsync is the same as setting up access to our webserver in some ways). 

If I am wrong there, a simple "That won't work. Read about [subject related to how it won't work]." would be great. 

Thanks though. It's good to know I have some free way of doing this regardless.

[xXxYOLOxSWAGxXx_420BlazeIt]

Huh. Why didn't I notice that? Thanks for enlightening me.

Well, I'd still prefer not to use OpenVPN. The two machines are FreeNAS servers. You can get OpenVPN working on FreeNAS of course, but it's not idiot proof. Obviously, this is beyond that point already, but less is more when it comes to how difficult this is to setup. 

This means I have the kickback position of using OpenVPN, but I still feel like I shouldn't need that already. How do I explain what I mean... Hmm.

Basically, the way I see it, I already have all I should need to do this set up aside from the specifics. Follow me on this for a second. I have a web server that is accessible from anywhere via a URL as we have a Static IP address. From my limited understanding, it goes User -> User's ISP -> Level 3 ISPs -> Our ISP -> Us where our Domain Controller redirects the URL www.domain.com to our web server, thus giving people on the internet anywhere access to our website.

So, if I were to go to the DC and set up backup.domain.com to redirect to a different server on the same LAN as our Domain Controller, it should work the same way, but only someone with the SSH key could actually access the server (such as the other server which it will be syncing to). 

Is there some thing I'm completely missing there? If I can use a process that is shown elsewhere, I'd prefer that as knowing how to do one means knowing how to do another (i.e. setting up the WAN part of rsync is the same as setting up access to our webserver in some ways). 

If I am wrong there, a simple "That won't work. Read about [subject related to how it won't work]." would be great. 

Thanks though. It's good to know I have some free way of doing this regardless.

The only ways to do it would either be to use a VPN, or allow traffic in on that port. You can always use a firewall or ACL on your router to limit what IP addresses are allowed into the network on that port.

 

Setting up a subdomain wouldnt do anything with regards to allowing access. It would simply make backup.domain.com resolve to the IP you set.

 

A VPN is probably the most easy way. Windows Server has a built in VPN thing thats really quick to set up.

[Vitalius]

The only ways to do it would either be to use a VPN, or allow traffic in on that port. You can always use a firewall or ACL on your router to limit what IP addresses are allowed into the network on that port.

 

Setting up a subdomain wouldnt do anything with regards to allowing access. It would simply make backup.domain.com resolve to the IP you set.

 

A VPN is probably the most easy way. Windows Server has a built in VPN thing thats really quick to set up.

Ah, alrighty then. Thanks. I may do that then. 

Hmm, then I suppose I don't understand how subdomains works. I figured you could just redirect to a different server based on which subdomain you were asking for. i.e. backup.domain.com redirects to the rsync server from the DC's DNS, while www.domain.com redirects to the web server. 

I'd agree. It's just that FreeNAS can be a bit different. It has an rsync feature built into it, but no VPN feature (which would be really nice to have honestly). As I said, it can be set up manually, but I'm not good enough at FreeBSD and such to do that without a guide, and I figure just using the rsync built-in feature and inputting a hostname after adding a host record to the DC's DNS would be quite a bit easier than anything else you could do with FreeNAS. 

Anyway, this answers my question. Thanks again.

[madcow]

I'm a bit confused. What does your offsite network look like? You won't already have either VPN or SSH access to this network that you can use?

[Vitalius]

I'm a bit confused. What does your offsite network look like? You won't already have either VPN or SSH access to this network that you can use?

Nope. Offsite network looks like this:

Internet -> Modem -> Router -> 2 home PCs & the Offsite Server. 

That's it. It's a normal home network. This is intentional for various reasons and won't change. 

I consider this completely irrelevant though because the Offsite server is the pull, meaning it's the one who needs connection to our local network at my workplace to SSH into the server here and start rsyncing the files (I'm assuming that's how rsync works, since that's how replication works with FreeNAS, which is a similar, but different feature). 

So how the network the Offsite computer uses looks won't affect the connection at all since all it needs is an internet connection and a firewall. However, obviously I could be wrong since I haven't used rsync before.

Interestingly, our Firewall at my workplace has a place for VPN setup. That makes the VPN option easier, but still something I'd prefer not to do.

[madcow]

Rsync can work in push or pull.

 

Without knowing too much about the primary network I think the easiest thing to try would be to allow ssh access to your backup server via port forwarding and push from the primary server. Something like:

 

rsync -av /<local_path> <backupuser>@<homeip><backup_path>

[Vitalius]

Rsync can work in push or pull.

 

Without knowing too much about the primary network I think the easiest thing to try would be to allow ssh access to your backup server via port forwarding and push from the primary server. Something like:

 

rsync -av /<local_path> <backupuser>@<homeip><backup_path>

Interesting. Thanks. I didn't know that. I might pitch that at my supervisor/manager and see if they like that idea better than our current plan. 

Won't I need to open the ports on both firewalls, for both the primary and backup servers? Or does SSH somehow use some other port to connect than the specified port? *confused* That'd defeat the purpose kinda.

... I suppose the one thing that's bugging me is the idea that my plan could still work. Oh well. Not important. As long as we have a safe, secure, reliable, and easy/free to set up solution, we'll be happy.

[madcow]

You probably won't have to change anything on the primary site firewall.

[wpirobotbuilder]

I'd agree. It's just that FreeNAS can be a bit different. It has an rsync feature built into it, but no VPN feature (which would be really nice to have honestly). As I said, it can be set up manually, but I'm not good enough at FreeBSD and such to do that without a guide, and I figure just using the rsync built-in feature and inputting a hostname after adding a host record to the DC's DNS would be quite a bit easier than anything else you could do with FreeNAS.

My solution to the offsite backup pulling from work:

 

It's a little ghetto, but you could build a cheap Linux server, install your VPN on that, and mount an NFS share on it (hosted by the FreeNAS machine). Then you copy data to/from the NFS share mounted to the Linux server, but it gets stored on the FreeNAS box.

 

You could also do it with an old PC, or you could get something like a NUC if you're concerned about size. You could also make it a virtual machine.

 

If you go with the push method of backups then you wouldn't need the Linux machine. You just have to make sure the IP of the offsite is kept track of (or is static).

[Darren]

rsync -avzhPe ssh <host/path> <path>

Is what I use.