TrueNAS offsite replication

How to replicate a ZFS dataset to a second offsite TrueNAS computer with OpenVPN

Ruvinda Dhambarage
Jul 21, 2021

I am a big fan of the ZFS filesystem and the TrueNAS operating system for DIY NAS. In my previous post I wrote about why backups are important and described my personal backup strategy. In this blog post I’ll describe the nitty-gritty involved with setting up automatic replication to an offsite TrueNAS box.

The Options

TrueNAS has built-in support for replication via SSH. So, what we basically need to do is make the offsite TrueNAS box accessible via SSH. There are a few options for doing so.

  1. Static IP and port forwarding : Some ISPs offer static IPs, but they are usually expensive. This is however the easiest option. You just need to port forward the SSH port of the TrueNAS box via your router.
  2. Dynamic DNS and port forwarding : If you can only get a dynamic IP from your ISP, you can use a Dynamic DNS service to get a URL that points to your changing IP. Then simply port forward the SSH port like before. Some ISPs block port forwarding, like in my case. Otherwise this is a good option for most people.
  3. Virtual Private Server (VPS) and SSH port forwarding : You can set up a VPS from a provider like Linode. This will give you a static IP. Then you can have the two TrueNAS boxes SSH to the VPS and use SSH local and remote port forwarding to allow one FreeNAS box to SSH to the other. The problem with this approach is keeping the SSH connections up. I couldn’t figure out an easy option to set up a persistent connection from TrueNAS.
  4. Self-hosted OpenVPN : This is the option that I eventually ended up with and what I will describe in detail in the rest of this post. Essentially we set up an OpenVPN server on a VPS and adjust the settings so that our TrueNAS instances can connect with static IPs and see each other. TrueNAS has an inbuilt OpenVPN client, so once you set up the server, the rest is pretty straightforward.

Setting up the OpenVPN server

Proceed to set up a secure OpenVPN server. I can recommend the following guide from DigitalOcean:

Note the following key changes:

  1. Skip the traffic routing steps (Steps 8 & 9 from the above link). We won’t set up the clients to use the VPN as the default gateway; as such we don’t need the VPN server to route internet traffic.
  2. In the config file /etc/openvpn/server/server.conf, uncomment client-to-client so that the clients can see each other.
  3. Set static IP rules for your clients via config files in /etc/openvpn/ccd/. Refer to this guide: https://kifarunix.com/assign-static-ip-addresses-for-openvpn-clients/
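
A quick way to check changes 2 and 3 before pointing the TrueNAS clients at the VPN. This is an added example, not part of the original post or the linked guides; it assumes the server uses topology subnet (so a ccd file holds ifconfig-push followed by an IP and a netmask), and the client names nas-home and nas-offsite and the address 10.8.0.40 are made up.

```sh
#!/bin/sh
# Added example: sanity-check server.conf and the ccd directory.
# Assumes "topology subnet", where a ccd file holds: ifconfig-push <ip> <netmask>

check_ovpn() {  # usage: check_ovpn <server.conf> <ccd-dir>; returns 0 if all checks pass
  conf=$1; ccd=$2; rc=0; seen=""
  # Sample configs disable a directive with a leading ';' or '#', so anchor the match
  grep -Eq '^[[:space:]]*client-to-client([[:space:]]|$)' "$conf" ||
    { echo "FAIL: client-to-client is not enabled"; rc=1; }
  grep -Eq '^[[:space:]]*client-config-dir[[:space:]]+[^[:space:]]' "$conf" ||
    { echo "FAIL: client-config-dir is not set"; rc=1; }
  # Each ccd file is named after the Common Name of one client certificate
  for f in "$ccd"/*; do
    [ -f "$f" ] || continue
    name=$(basename "$f")
    ip=$(awk '$1 == "ifconfig-push" { print $2; exit }' "$f")
    if [ -z "$ip" ]; then
      echo "FAIL: $name has no ifconfig-push line"; rc=1; continue
    fi
    case " $seen " in
      *" $ip "*) echo "FAIL: $ip is assigned to more than one client"; rc=1 ;;
    esac
    seen="$seen $ip"
    echo "ok: $name -> $ip"
  done
  [ -n "$seen" ] || { echo "FAIL: no static assignments found in $ccd"; rc=1; }
  return "$rc"
}

# Constructed sample data; nas-home, nas-offsite and 10.8.0.40 are made up
make_sample() {  # usage: make_sample <dir> <offsite-ip>
  mkdir -p "$1/ccd"
  printf '%s\n' 'server 10.8.0.0 255.255.255.0' 'topology subnet' \
    'client-to-client' 'client-config-dir /etc/openvpn/ccd' > "$1/server.conf"
  echo 'ifconfig-push 10.8.0.40 255.255.255.0' > "$1/ccd/nas-home"
  echo "ifconfig-push $2 255.255.255.0" > "$1/ccd/nas-offsite"
}

tmp=$(mktemp -d)
make_sample "$tmp" 10.8.0.50
check_ovpn "$tmp/server.conf" "$tmp/ccd"
rm -rf "$tmp"
```

On the VPS, call check_ovpn /etc/openvpn/server/server.conf /etc/openvpn/ccd instead of the sample. With client-to-client enabled, OpenVPN passes traffic between clients inside the server process, so firewall rules on the VPS's tunnel interface do not filter it and every client certificate you issue can reach the NAS's SSH port.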

Setting up TrueNAS

TrueNAS has an inbuilt OpenVPN client configurable via the web GUI.

First we need to add the CA cert and client cert that we generated while setting up the server; after which we can configure the OpenVPN client. This forum post describes the process: https://www.truenas.com/community/resources/truenas-and-openvpn-client-configuration.158/

This is what my OpenVPN client config looks like:

OpenVPN client config

You can use the TrueNAS shell to test whether the VPN IPs have been correctly assigned (using ifconfig) and whether the two boxes can ping each other across the VPN.

Next we need to set up the replication tasks. The first step is to create the SSH connections.

10.8.0.50 is the static IP of my

Then create the local replication task.

My corresponding replication task

Misc tips

  • Create a local variant of the SSH connection and replication task so that you can do the initial replication on your LAN (without going through the VPN)
Local and remote replication tasks
  • You can set up the replication task on either the local or remote TrueNAS box. If you set it up on the local one, then you will be notified when the remote box is not reachable.
  • You can access the remote TrueNAS box’s web GUI using SSH port forwarding as described below:

From your VPS shell: ssh -L 8080:localhost:80 root@remote-nas-ip

From your machine: ssh -L 8080:localhost:8080 user@vps-ip

Now enter localhost:8080 in your machine’s browser to access the remote NAS’s web GUI

That’s all folks!
