Backing up Windows computers to a Synology NAS via SSH and rsync
I recently purchased a Synology DS1511+ to act as a NAS (network attached storage) for my home network. The 5-drive, Linux powered device is beautiful – small, sleek and quiet. What sold me was the amazing web-based configuration interface they provide, and the ability to access the device remotely via the web or from mobile apps Synology provides in the iTunes App Store and Android Market.
After setting it up with a couple 2TB and 3TB drives, I wanted to use the device to backup documents from several Windows computers I manage (my own, my wife’s netbook and my parents’ computers thousands of miles away). Local network backup is pretty easy – you can use the Synology Data Replicator to backup Windows hosts to your Synology on your local network. However, it seemed pretty slow to me, and doesn’t use the highly-optimized rsync protocol for backing up files. Since I was previously using rsync over SSH to a Linux server I run at home, I figured since the Synology was Linux-based, it should be able to do the same.
All it takes is a few updates to the Synology server, and a few scripts on the Windows computers you want to backup to make this work for both computers on your home network as well as any external computers you want to backup, as long as they know the address of the remote server. You can use a dynamic-IP service such as TZO.com or DynDNS.org so your remote Windows clients know how to contact your home Synology.
Once I got it all working, I figured the process and scripts I created could be used by others with a Synology NAS (or any server or NAS running Linux). I’ve created a GitHub repository with the scripts and instructions so you can setup your own secure backup for local and remote Windows computers:
- Uses rsync over ssh to securely backup your Windows hosts to a Synology NAS.
- Each Windows host gets a unique SSH private/public key that can be revoked at any time on the server.
- The server limits the SSH private/public keys so they can only run rsync, and can’t be used to log into the server.
- The server also limits the SSH private/public keys to a valid path prefix, so rsync can’t destroy other parts of the file system.
- Windows hosts can backup to the Synology NAS if they’re on the local network or on a remote network, as long as the outside IP/port are known.
NOTE: The backups are performed via the Synology root user’s credentials, to simplify permissions. The SSH keys are only valid for rsync, and are limited to the path prefix you specify. You could change the scripts to backup as another user if you want (config.csv).
Synology NAS Setup
- Enable SSH on your Synology NAS if you haven’t already. Go to Control Panel – Terminal, and check “Enable SSH service”.
- Log into your Synology via SSH.
- Create a /root/.ssh directory if it doesn’t already exist
mkdir /root/.ssh chmod 700 /root/.ssh
- Upload server/validate-rsync.sh to your /root/.ssh/validate-rsync.sh. Then chmod it so it can be run:
chmod 755 /root/.ssh/validate-rsync.sh
- Create an authorized_keys file for later use:
touch /root/.ssh/authorized_keys chmod 600 /root/.ssh/authorized_keys
- Ensure private/public key logins are enabled in /etc/ssh/sshd_config.
You want to ensure the following lines are uncommented:
PubkeyAuthentication yes AuthorizedKeysFile .ssh/authorized_keys
- You should reboot your Synology to ensure the settings are applied:
- Setup a share on your Synology NAS for backups (eg, ‘backup’).
Client Package Preparation
Before you backup any clients, you will need to make a couple changes to the files in the client/ directory.
- First, you’ll need a few binaries (rsync, ssh, chmod, ssh-keygen) on your system to facilitate the ssh/rsync transfer. Cygwin can be used to accomplish this. You can easily install Cygwin from http://www.cygwin.com/. After installing, pluck a couple files from the bin/ folder and put them into the client/ directory. The binaries you need are:
chmod.exe rsync.exe ssh.exe ssh-keygen.exe
You may also need a couple libraries to ensure those binaries run:
cygcrypto-0.9.8.dll cyggcc_s-1.dll cygiconv-2.dll cygintl-8.dll cygpopt-0.dll cygspp-0.dll cygwin1.dll cygz.dll
- Next, you should update config.csv for your needs:
rsyncServerRemote - The address clients can connect to when remote (eg, a dynamic IP host) rsyncPortRemote - The port clients connect to when remote (eg, 22) rsyncServerHome - The address clients can connect to when on the local network (for example, 192.168.0.2) rsyncPortHome - The port clients connect to when on the local network (eg, 22) rsyncUser - The Synology user to backup as (eg, root) rsyncRootPath - The root path to back up to (eg, /volume1/backup) vcsUpdateCmd - If set, the version control system command to use prior to backup up (eg, svn up)
- The version control update command (%vcsUpdateCmd%) can be set to run a version control update on your files prior to backing up. This can be useful if you have a VCS repository that clients can connect to. It allows you to make remote changes to the backup scripts, and have the clients get the updated scripts without you having to log into them. The scripts are updated each time start-backup.cmd is run. For example, you could use this command to update from a svn repository:
If you are using a VCS system, you should ensure you have the proper command-line .exes and .dlls in the client/ directory. I’ve used Collab.net’s svn.exe and lib*.dll files from their distribution (http://www.collab.net/downloads/subversion/).
During client setup, you simply need to log into the machine, checkout the repository, and setup a scheduled task to do the backups (see below). Each time a backup is run, the client will update its backup scripts first.
The client package is now setup! If you’re using %vcsUpdateCmd%, you can check the client/ directory into your remote repository.
For each client you want to backup, you will need to do the following:
- Generate a private/public key pair for the computer. You can do this by running ssh-keygen.exe, or have generate-client-keys.cmd do it for you:
If you run ssh-keygen.exe on your own, you should name the files rsync-keys-[computername]:
ssh-keygen.exe -t dsa -f rsync-keys-[computername]
If you run ssh-keygen.exe on your own, do not specify a password, or clients will need to enter it every time they backup.
- Grab the public key out of rsync-keys-[computername].pub, and put it into your Synology backup user’s .ssh/authorized_keys:
You will want to prefix the authorized key with your validation command. It should look something like this
command="[validate-rsync.sh location] [backup volume root]" [contents of rsync-keys-x.pub]
command="/root/.ssh/validate-rsync.sh /volume1/backup/MYCOMPUTER" ssh-dss AAAdsadasds...
This ensures that the public/private key is only used for rsync (and can’t be used as a shell login), and that the rsync starts at the specified root path and no higher (so it can’t destroy the rest of the filesystem).
- Copy backup-TEMPLATE.cmd to backup-[computername].cmd
- Edit the backup-[computername].cmd file to ensure %rsyncPath% is correct. The following DOS environment variable is available to you, which is set in config.csv:
%rsyncRootPath% - Remote root rsync path
You should set rsyncPath to the root remote rsync path you want to use. For example:
%rsyncRootPath% is set in config.csv to your Synology backup volume (eg, /volume1/backup), so %rsyncPath% would evaluate to this if your current computer’s name is MYCOMPUTER:
You can see this is the same path that you put in the authorized_keys file.
- Edit the backup-[computername].cmd file to run the appropriate rsync commands. The following DOS environment variables are available to you, which are set in start-backup.cmd:
%rsyncStandardOpts% - Standard rsync command-line options %rsyncConnectionString% - Rsync connection string
set cmdArgs=rsync %rsyncStandardOpts% "/cygdrive/c/users/bob/documents/" %rsyncConnectionString%:%rsyncPath%/documents echo Starting %cmdArgs% call %cmdArgs%
- Copy the client/ directories to the target computer, say C:\backup. If you are using %vcsUpdateCmd%, you can checkout the client directory so you can push remote updates (see above).
- Setup a scheduled task (via Windows Task Scheduler) to run start-backup.cmd as often as you wish.
- Create the computer’s backup directory on your Synology NAS:
The client is now setup!
As noted above, the source for these scripts is available on Github:
If you have any suggestions, find a bug or want to make contributions, please head over to GitHub!