Remote Replication - Security Advice

Austinbru

Dabbler
Joined
Jul 21, 2022
Messages
16
Hi,

tl;dr - What is the simplest (but still safe) way to set up and access a remote replication TrueNAS box in another city? And what steps do I need to ensure I've completed before I drive off?

I am doing my best to follow the 3-2-1 rule (3 copies, 2 mediums, 1 remote). This question is around the 1 - remote.

I want to run a second TrueNAS box, set it up in another physical location (my parents' house), and then set up remote replication. This is the only role that this box will serve. And it will sit in another city completely, so it's important that I complete everything I need before I leave. Also, there would be no static IP for either box.

Also, I am no security guru, and I am wondering 1) what is the safest way to configure this, and 2) what are the steps that I would need to complete before I drive home and try to connect and get this working?

I've read through this, but it's not exactly a tutorial, is it, and I really don't want to create a security vulnerability when all I'm trying to do is protect my data. Or end up missing a step and driving home.

I think the part that I'm most worried about is "Configuring a New SSH Connection".

 

sfatula

Guru
Joined
Jul 5, 2022
Messages
608
Personally, I would use a VPN to connect the 2 sites. Then it's basically a "local" replication.
 

Austinbru

Dabbler
Joined
Jul 21, 2022
Messages
16
If you pull from primary to disaster recovery NAS instead of pushing to it, you can protect against some categories of administrative foul-ups or malicious action.
This is the kind of advice I was hoping for! Is that in the guides anywhere?
 

elorimer

Contributor
Joined
Aug 26, 2019
Messages
194
Some info for you here: https://www.truenas.com/blog/level-up-your-ransomware-protection-with-truenas/. That explains the push/pull.

I do it over a site-to-site VPN. (More or less automatically, that means you have different subnets.) If possible, set it all up first on the same local network and do the first replication. Then move the offsite box to its offsite location and redo the credentials for the new subnet at the remote location. My primary site is only 10 Mbps upload, so it takes about 5 months to do a complete replication. If you can't do that, and you have a lot of data, create a pool out of a USB drive, replicate to that pool, export the pool, travel with it to your remote location, import the pool, and then copy it to where it should be.

Also, be clever about dividing your datasets--don't have just one big dataset with directories. If something interrupts a big replication, you are less likely to have to start over.

If you already have a site-to-site VPN, you can do the configuration from your first location and test it.
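The USB-seed procedure from the post above, followed by a pull-style incremental over the VPN, as an added example that is not part of the original post and not TrueNAS's own replication code. Pool, dataset, snapshot, device and host names are hypothetical placeholders; the functions only print the ZFS commands so they can be reviewed before being run on each box.

```shell
#!/bin/sh
# Added example: prints a command plan, executes nothing against real pools.
# Every name below is an assumed placeholder.
SRC_DS="tank/data"           # dataset on the primary
USB_POOL="usbseed"           # temporary pool created on the USB drive
USB_DEV="/dev/da9"           # USB device node on the primary
DST_DS="backup/data"         # target dataset on the offsite box
PRIMARY="replica@10.0.1.10"  # dedicated user at the primary's VPN address

# Accept only plain snapshot names so nothing else reaches the ssh command line.
valid_snap() {
    case "$1" in
        ""|*[!A-Za-z0-9_.:-]*) return 1 ;;
    esac
}

# Phase 1, on the primary: replicate to the USB pool, then export it.
seed_plan() {
    valid_snap "$1" || { echo "bad snapshot name" >&2; return 1; }
    echo "zpool create $USB_POOL $USB_DEV"
    echo "zfs snapshot -r $SRC_DS@$1"
    echo "zfs send -R $SRC_DS@$1 | zfs receive -u $USB_POOL/seed"
    echo "zpool export $USB_POOL"
}

# Phase 2, on the offsite box: import the USB pool, copy into the real pool.
import_plan() {
    valid_snap "$1" || { echo "bad snapshot name" >&2; return 1; }
    echo "zpool import $USB_POOL"
    echo "zfs send -R $USB_POOL/seed@$1 | zfs receive -u $DST_DS"
    echo "zpool export $USB_POOL"
}

# Phase 3, on the offsite box: pull an incremental from the primary.
# The offsite box opens the SSH session, so the primary needs no
# credentials for the offsite box.
pull_plan() {
    valid_snap "$1" && valid_snap "$2" || { echo "bad snapshot name" >&2; return 1; }
    echo "ssh $PRIMARY zfs send -R -I @$1 $SRC_DS@$2 | zfs receive -u $DST_DS"
}

# Constructed sample run: seed once, then pull the next snapshot.
seed_plan seed1
import_plan seed1
pull_plan seed1 daily-2
```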
 

sfatula

Guru
Joined
Jul 5, 2022
Messages
608
Personally, for resistance to having to do a second or third full replication, I would suggest using zfs-autobackup software (free). It's much more flexible and tolerant than TrueNAS replication.
 