[Dirvish] push or pull for client with dynamic ip

Loren M. Lang lorenl at alzatex.com
Fri Jul 31 21:32:40 UTC 2009


Xavier Brochard wrote:
> On Thursday 30 July 2009 00:47:10, Keith Lofstrom wrote:
>   
>> On Wed, Jul 29, 2009 at 11:18:16PM +0200, Xavier Brochard wrote:
>>     
>>> Hello
>>>
>>> I need to back up a client without a fixed IP (it changes randomly 2 or 3
>>> times per week). The backup server is on the internet.
>>>
>>> I was wondering what is the best solution (regarding security, network
>>> load and dirvish run):
>>> - a push backup but mounting the backup disk with sshfs, dirvish on the
>>>   client
>>> - a pull backup, dirvish on the backup server, using dyndns.com or
>>>   no-ip.com
>>> - something else?
>>>       
>> Your remote clients should probably be talking to "home base" with
>> an encrypted vpn tunnel to your firewall.  Then you pull backups
>> through the tunnel.  Yes, it means more computation to do the tunnel
>> encryption at both ends (and I run dirvish/rsync with ssh, so I am
>> encrypting twice!).  I have dynamic IP addresses on both ends, but
>> my firewall establishes its external URL with dyndns (using one of
>> the free subdomains), and remote clients talk to that.  I have five
>> remote clients, one is 3000km away.
>>
>> I use a small ALIX computer (from PC Engines) for my firewall, see
>>     http://wiki.keithl.com/index.cgi?SL5Alix
>> Cheap, fast, low power, X86, runs my favorite distro, and has three
>> 100Mbit ethernet ports, WAN/DMZ/LAN .  It has built-in encryption
>> hardware which works with SSL/OpenVPN, but my main site has only
>> a 4Mbps connection.  The ALIX CPU is fast enough for that, so I
>> haven't made the kernel patch.
>>
>> Security is easy.  When I detect something going wrong, I pull out
>> the WAN connector.
>>
>> The one remaining issue is that user laptops move between the
>> inside network and outside vpns.  It is possible to tweak internal
>> DNS so the backup server can always find them, but I haven't taken
>> the time to implement that.  If your remote clients are always on
>> the same side of the firewall, this is not a problem.
>>     
>
> I thought about VPN at first and... forgot it when I discovered sshfs. Looks 
> like I was wrong... what are the advantages compared to sshfs (in this case)?
>   

One of the primary benefits of using Dirvish for network backups is its
use of rsync and rsync's network protocol for efficiently transferring
updates over the network.  When a remote filesystem is mounted locally
whether using NFS, CIFS, sshfs, or something else, that benefit is
lost.  For rsync to compare two files means that it must read the remote
file in its entirety over the network before it can determine what's
changed.  Whatever solution you choose, you should be running rsync from
point A to point B.  My preferred solution is to just use SSH as a
pseudo VPN.  You could use a Dynamic DNS service on the client and run
Dirvish (rsync+ssh) to connect to that DNS address.  It would be secure
since SSH verifies the host key before connecting.  You could also run a
second SSH tunnel from the client to the backup server which the first
SSH connection will piggyback on.  This eliminates the need for the
client to run Dynamic DNS or otherwise be known or visible on the
Internet.  Something like this command:

while true; do ssh -o ServerAliveInterval=150 -R 8022:localhost:22 -N notroot@backupserver; sleep 60; done

Will keep a constant connection to the backup server allowing the backup
server to connect to port 8022 on localhost which will be forwarded to
sshd on the client.  If the connection is interrupted it will retry
every 60 seconds.  The above command does not need to be run as a
privileged user on the client and does not need to connect to a
privileged user on the server.  The user notroot can be restricted on
the backupserver to only be allowed to do remote port forwarding and not
have shell access.

> Thank you for your help anyway.
>
>
> Xavier
> xavier at alternatif.org


-- 
Loren M. Lang
lorenl at alzatex.com
http://www.alzatex.com/


Public Key: ftp://ftp.tallye.com/pub/lorenl_pubkey.asc
Fingerprint: 10A0 7AE2 DAF5 4780 888A  3FA4 DCEE BB39 7654 DE5B
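A concrete version of the restricted tunnel user and the pull-through-the-tunnel setup described in the reply above, written here as an added example rather than code from the post or from the Dirvish project. The names notroot, backupserver and port 8022 follow the post; the "laptop" alias, the key string and the authorized_keys/ssh_config options are assumptions (permitlisten needs OpenSSH 7.8 or later).

```shell
#!/bin/sh
# Added example, not from the list post: the three configuration pieces
# behind the reverse-tunnel pull backup. "notroot", "backupserver" and
# port 8022 come from the post; the "laptop" alias and the key string
# are constructed placeholders.

# 1. Backup server, ~notroot/.ssh/authorized_keys: the tunnel key may only
#    open a remote forward (-R) on the agreed port. "restrict" turns off
#    pty, X11, agent and all forwarding; "port-forwarding" plus
#    "permitlisten" re-enable just that one listener (OpenSSH 7.8+);
#    command= replaces any shell the client might ask for.
tunnel_authorized_keys_entry() {
    printf 'restrict,port-forwarding,permitlisten="%s",command="/bin/false" %s\n' "$1" "$2"
}

# 2. Backup server, ~/.ssh/config for the user running dirvish: reach the
#    client through the local end of the tunnel but pin its host key under
#    a stable name, so the vault can say "client: laptop" and the client's
#    key is still verified on every run (it must be in known_hosts first).
ssh_config_tunnel_host() {
    printf 'Host %s\n    HostName localhost\n    Port %s\n    HostKeyAlias %s\n    StrictHostKeyChecking yes\n' "$1" "$2" "$1"
}

# 3. Client: the retry loop from the post with two additions.
#    StrictHostKeyChecking=yes refuses an unknown backup server key instead
#    of prompting inside an unattended loop (add the key to known_hosts
#    beforehand). ExitOnForwardFailure=yes makes ssh exit, so the loop
#    retries, when the -R listener cannot be bound, e.g. because a dead
#    earlier session still holds port 8022 until the server times it out.
client_tunnel_loop() {
    port=$1; remote=$2
    while true; do
        ssh -o StrictHostKeyChecking=yes -o ExitOnForwardFailure=yes \
            -o ServerAliveInterval=150 -o ServerAliveCountMax=2 \
            -R "$port":localhost:22 -N "$remote"
        sleep 60
    done
}
# Usage on the client: client_tunnel_loop 8022 notroot@backupserver
```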
