Setting up offsite backups with two Synology NASes over Tailscale
A little write-up
NOTE: No LLMs were used to write this blog post
Hardware setup
Just sharing for the curious; if you are even more curious, see my current homelab
- Onsite
  - DiskStation DS1823xs+
    - 3 x WD Ultrastar DC HC580 24 TB in RAID1
      - For storage
    - 2 x WD_BLACK SN850X 1TB in RAID1
      - For dockers (speed!)
    - Increased RAM to 64GB with KSM32SED8/32HC
  - 5Gbps FTTH
  - Cloud Gateway Max
  - UPS – APC SRT1500RMXLI connected to Synology over USB
- Offsite
  - DiskStation DS923+
    - 2 x IronWolf Pro 24 TB in RAID1
      - For backup
  - 1Gbps FTTH
  - Cloud Gateway Ultra
  - UPS – APC Back-UPS Pro connected to Synology over USB
NOTE: make sure your offsite Synology has more space than the data you are trying to back up .. (◔_◔)
Software setup
I didn’t want to deal with opening ports and publicly exposing the device to future 0-days, so I went for Tailscale
(one could argue that connecting it to the network is already doing that, but the attack surface of my LAN should be smaller than the wild internet)
Set up daily auto updates
Do yourself a favor: just switch auto updates on, on a daily basis.

Set up Tailscale
From the Package Center, install Tailscale and follow the setup.

Once the package is installed, follow the steps in the Tailscale Synology documentation, as you need to set up auto updates and enable outbound connections.
Tailscale notes
Depending on the speed you would like to achieve, Tailscale will probably be using its DERP relay servers because of NAT traversal issues (at least in my case).
Run tailscale netcheck and see if your offsite Synology has port mapping/NAT, that or your source (onsite), so it doesn’t rely on DERP.

In my case I had to enable UPnP on my UCG under WAN1
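
To confirm whether traffic to the offsite NAS goes direct or through a DERP relay, the peer entry in the output of `tailscale status --json` can be inspected. This is an added example, not part of the original post: the sample JSON is constructed (node keys, hostnames and endpoints are made up), and only the offsite IP 100.94.210.46 is taken from the iperf runs in this post.

```python
import json
import subprocess
import sys

# Constructed sample in the shape of `tailscale status --json` (only the
# fields used below; node keys, hostnames and endpoints are made up).
SAMPLE_STATUS = json.loads("""
{"Peer": {
  "nodekey:aa": {"HostName": "offsite-nas", "TailscaleIPs": ["100.94.210.46"],
                 "Online": true, "Active": true, "CurAddr": "", "Relay": "ams"},
  "nodekey:bb": {"HostName": "laptop", "TailscaleIPs": ["100.64.0.2"],
                 "Online": true, "Active": true,
                 "CurAddr": "203.0.113.7:41641", "Relay": "ams"},
  "nodekey:cc": {"HostName": "old-nas", "TailscaleIPs": ["100.64.0.3"],
                 "Online": false, "Active": false, "CurAddr": "", "Relay": "fra"}
}}
""")


def classify(peer):
    """Return (path, detail) for one peer entry of the status JSON."""
    if not peer.get("Online"):
        return "offline", ""
    if peer.get("CurAddr"):      # a UDP endpoint is in use: NAT traversal worked
        return "direct", peer["CurAddr"]
    if not peer.get("Active"):   # no recent traffic, so no path negotiated yet
        return "idle", ""
    if peer.get("Relay"):        # active but no endpoint: packets go via DERP
        return "derp", peer["Relay"]
    return "unknown", ""


def path_to(status, tailscale_ip):
    """Look a peer up by its Tailscale IP and classify the current path."""
    for peer in (status.get("Peer") or {}).values():
        if tailscale_ip in (peer.get("TailscaleIPs") or []):
            return classify(peer)
    return "not-found", ""


if __name__ == "__main__":
    if len(sys.argv) > 1:   # live check: python3 check_path.py 100.94.210.46
        raw = subprocess.run(["tailscale", "status", "--json"], check=True,
                             capture_output=True, text=True).stdout
        status, target = json.loads(raw), sys.argv[1]
    else:                   # offline demo on the constructed sample
        status, target = SAMPLE_STATUS, "100.94.210.46"
    path, detail = path_to(status, target)
    print(f"{target}: {path} {detail}".rstrip())
```

An "idle" result only means no packets were exchanged recently; send some traffic to the peer (a ping or the iperf test) and check again.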

Wanted to try the difference with and without NAT … not much… but that makes sense
Tailscale iperf test with no NAT
iperf -c 100.94.210.46
------------------------------------------------------------
Client connecting to 100.94.210.46, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 1] local 100.70.41.99 port 57182 connected with 100.94.210.46 port 5001 (icwnd/mss/irtt=11/1228/33117)
[ ID] Interval Transfer Bandwidth
[ 1] 0.00-10.03 sec 274 MBytes 229 Mbits/sec

sudo docker run -it --rm -p 5201:5201 networkstatic/iperf3 -c 100.94.210.46 —bidirectional —udp —bitrate 500M
Password:
Connecting to host 100.94.210.46, port 5201
[ 5] local 172.17.0.2 port 39756 connected to 100.94.210.46 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 18.6 MBytes 156 Mbits/sec 1288 684 KBytes
[ 5] 1.00-2.00 sec 21.2 MBytes 178 Mbits/sec 0 738 KBytes
[ 5] 2.00-3.00 sec 22.5 MBytes 189 Mbits/sec 0 778 KBytes
[ 5] 3.00-4.00 sec 23.8 MBytes 199 Mbits/sec 0 806 KBytes
[ 5] 4.00-5.00 sec 25.0 MBytes 210 Mbits/sec 0 820 KBytes
[ 5] 5.00-6.00 sec 22.5 MBytes 189 Mbits/sec 21 590 KBytes
[ 5] 6.00-7.00 sec 17.5 MBytes 147 Mbits/sec 0 636 KBytes
[ 5] 7.00-8.00 sec 20.0 MBytes 168 Mbits/sec 0 668 KBytes
[ 5] 8.00-9.00 sec 20.0 MBytes 168 Mbits/sec 0 687 KBytes
[ 5] 9.00-10.00 sec 21.2 MBytes 178 Mbits/sec 0 698 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 212 MBytes 178 Mbits/sec 1309 sender
[ 5] 0.00-10.46 sec 209 MBytes 168 Mbits/sec receiver
iperf Done.
Tailscale iperf test with NAT
iperf -c 100.94.210.46
------------------------------------------------------------
Client connecting to 100.94.210.46, TCP port 5001
TCP window size: 16.0 KByte (default)
------------------------------------------------------------
[ 1] local 100.70.41.99 port 57490 connected with 100.94.210.46 port 5001 (icwnd/mss/irtt=11/1228/32325)
[ ID] Interval Transfer Bandwidth
[ 1] 0.00-10.01 sec 337 MBytes 282 Mbits/sec

sudo docker run -it --rm -p 5201:5201 networkstatic/iperf3 -c 100.94.210.46 —bidirectional —udp —bitrate 500M
Connecting to host 100.94.210.46, port 5201
[ 5] local 172.17.0.2 port 40044 connected to 100.94.210.46 port 5201
[ ID] Interval Transfer Bitrate Retr Cwnd
[ 5] 0.00-1.00 sec 20.2 MBytes 170 Mbits/sec 735 720 KBytes
[ 5] 1.00-2.00 sec 21.2 MBytes 178 Mbits/sec 38 704 KBytes
[ 5] 2.00-3.00 sec 21.2 MBytes 178 Mbits/sec 0 744 KBytes
[ 5] 3.00-4.00 sec 22.5 MBytes 189 Mbits/sec 0 770 KBytes
[ 5] 4.00-5.00 sec 23.8 MBytes 199 Mbits/sec 0 784 KBytes
[ 5] 5.00-6.00 sec 23.8 MBytes 199 Mbits/sec 0 793 KBytes
[ 5] 6.00-7.00 sec 22.5 MBytes 189 Mbits/sec 0 794 KBytes
[ 5] 7.00-8.00 sec 23.8 MBytes 199 Mbits/sec 0 794 KBytes
[ 5] 8.00-9.00 sec 23.8 MBytes 199 Mbits/sec 0 808 KBytes
[ 5] 9.00-10.00 sec 25.0 MBytes 210 Mbits/sec 0 827 KBytes
- - - - - - - - - - - - - - - - - - - - - - - - -
[ ID] Interval Transfer Bitrate Retr
[ 5] 0.00-10.00 sec 228 MBytes 191 Mbits/sec 773 sender
[ 5] 0.00-10.46 sec 225 MBytes 180 Mbits/sec receiver
iperf Done.
[optional] Onboarding the offsite Synology to central management
Install CMS

Add yourself (localhost) and your offsite Synology (Tailscale IP) in my case

Installing Hyper Backup on the offsite Synology
On the destination (offsite), install Hyper Backup Vault.

On the onsite Synology, install Hyper Backup.

Open Hyper Backup on the client and add a new job; I picked entire system.

Pick remote NAS.

Fill in the Tailscale IP of your offsite Synology and turn on transfer encryption.

Clicking login will pop up the remote Synology for a login.

If the shared folder / directory don’t populate (which I had), it was some auth / 2FA / cookie issue; taking these steps in incognito / a different browser solved this for me.
I’ve enabled compression and client-side encryption

I also have a schedule to back up every day at 03:00 (default) and a backup integrity check weekly

I have smart backup rotations on with 30 versions

That’s it! You should have offsite backups running!

