Thanks for the comments. I really use this "by exception" i.e. when I am traveling and it seems to work just fine. I think the real alternative would be to use a vanilla vpn and inherit the advantages of that...
robin hammond wrote at about 13:07:18 -0500 on Sunday, January 16, 2022:
> Cheers!
>
> Every arrow in our quivers is helpful, but do beware of using SSH
> tunnels for intensive TCP traffic. You're wrapping TCP in TCP. So it
> might solve some problems really nicely, but may fail in strange ways
> for…reasons.
>
> To understand why you might care, remember that TCP brings flow control
> to the table. And if you have two layers of flow control regulating one
> flow, you might have an interesting time once the inner flow (rsync)
> gets throttled by the outer flow (ssh) and the inner flow thinks it's
> saturated the link - then backs off too aggressively. If your
> equipment suffers from buffer bloat, so much the worse.
>
> If using a trivial percentage of the totally-not-at-all-saturated links,
> then it doesn't become noticeable. EG a slow disk over a gigabit.
>
> If you're looking for simple, and don't mind SSL, but without strong
> key-management (because SSH didn't have it anyway), then tinc-vpn.org -
> it prefers UDP, resorts to TCP, but doesn't GRE at all.
>
> With that caveat aside, it's very helpful to see examples like this.
>
>
> On 15/01/2022 20.21, backu...@kosowsky.org wrote:
> > When I travel for pleasure or business, my laptop (and Android phone)
> > are no longer on my local network, so BackupPC no longer is able to
> > see the devices and back them up.
> >
> > One could use a VPN, but alternatively, I wrote some perl code that
> > can be inserted into the corresponding <host>.pl config.pl to back up
> > over an SSH tunnel on port <tunnel port> if the file
> > '.sshtunnel-<tunnelport>' exists in the corresponding
> > $TopDir/pc/<host> directory.
> >
> > See the following code (and embedded notes).
> > ---------------------------------------------------------------------------------------------------
> > my $jhost = $_[1]; #Note: $_[1] is the name of the file (as sourced by 'do')
> > my $SshUser = 'root';
> > my $SshPort = 22; #Port for sshd server on the remote machine (typically 22, or 2222 if non-privileged)
> >
> > $Conf{PingMaxMsec} = 400; #Necessary because otherwise get pings too slow
> >
> > #Backup over SSH tunnel to allow backup of devices when they are not on local network...
> > #Touch: TopDir/pc/<host>/.sshtunnel-<tunnelport> to enable backup over SSH tunnel using port <tunnelport> (remember to DELETE when done!)
> > my ($TunnelPort) = map {/\.sshtunnel-([0-9]+)$/ ? $1 : (); } </var/lib/backuppc/pc/$jhost/.*>;
> > if(defined $TunnelPort) { #If file containing TunnelPort exists in top level host directory, then use it
> >     #Rsync to localhost over SshPort = <tunnelport>
> >     $SshPort = $TunnelPort;
> >     $Conf{ClientNameAlias} = 'localhost';
> >
> >     #For backing-up/restoring remote host over port forwarded-reverse SSH tunnel
> >     #using <tunnelport> (e.g., when using over USB or remote internet)
> >     #  <BackupPC server>:<tunnelport> -> <remote host>:<Orig SshPort>
> >     #From the remote host, ssh to BackupPC server using:
> >     #  -R <tunnelport>:localhost:<Orig SshPort>
> >     #E.g., ssh -R <tunnelport>:localhost:22 -p 2222 <user>@<BackupPC server>
> >     #Note: My windoze PuTTY app and android 'connectbot' app are configured to automatically include this port forward
> >     #Alternatively, on the BackupPC server, ssh to remote host using:
> >     #  -L <tunnelport>:localhost:<Orig SshPort>
> >     #E.g., ssh -L <tunnelport>:localhost:22 -p <Orig SshPort> <SshUser>@<remote host>
> >
> >     #If you want to backup on server2 via server1, then you need to create a double port forward
> >     #  server2:<tunnelport> -> server1:<tunnelport> -> <remote host>:<Orig SshPort>
> >     #  From the remote host, use a proxy jump:
> >     #  ssh -R <tunnelport>:localhost:22 -J <user1>@server1:2222 <user2>@server2
> >     #  Alternatively, first create one of the first port forwards to connect 'server1' and the remote host.
> >     #  Then create an additional port forward to connect 'server2' and 'server1'
> >     #  Either, ssh from server1 to server2 as follows:
> >     #  ssh -R <tunnelport>:localhost:<tunnelport> server2
> >     #Or ssh from server2 to machine1 as follows:
> >     #  sudo -u backuppc ssh -L <tunnelport>:localhost:<tunnelport> -l backuppc-client machine1
> >     #Then you can log into the remote host from machine2 using:
> >     #  sudo -u backuppc ssh -p <tunnelport> <remoteUser>@localhost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no
> >     #Note: Start from machine1, combine creating the machine1-machine2 port with login from machine2 to remote host:
> >     #  ssh -t -R <tunnelport>:localhost:<tunnelport> machine2 "sudo -u backuppc ssh -l backuppc-client -p <tunnelport> localhost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no"
> >
> >     #Alternative ping command - ssh to remote client over $SshPort = <tunnelport> and ping itself (i.e. ping localhost)
> >     #Linux/Android ping: 'ping -c 1'
> >     $Conf{PingCmd} = "$Conf{SshPath} -q -x -p $SshPort -l $SshUser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no localhost ping -c 1 localhost";
> >     #Windows Cygwin ping: 'ping -n 1'
> >     # $Conf{PingCmd} = "$Conf{SshPath} -q -x -p $SshPort -l $SshUser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no localhost ping -n 1 localhost";
> >     #Note above needs double quotes since $sshPath for PingCmd is not set at runtime
> >     #Note: add options to ignore known_hosts and turn off StrictHostKeyChecking since already running over a known ssh channel
> >     #      PLUS the known_hosts and keys will need to be added for every new <tunnelport> used causing backuppc to wait and fail.
> > }
> >
> > $Conf{RsyncSshArgs} = ['-e', "$Conf{SshPath} -p $SshPort -l $SshUser"]; #SshPort is typically 22 (or 2222 if non-privileged)
> > $Conf{RsyncSshArgs}->[1] .= " -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no" if $TunnelPort;
> > #Note above needs double quotes since $sshPath for PingCmd is not set at runtime
> > #Note: add options to ignore known_hosts and turn off StrictHostKeyChecking since already running over a known ssh channel
> > #      PLUS the known_hosts and keys will need to be added for every new <tunnelport> used causing backuppc to wait and fail.
> >
> >
> > _______________________________________________
> > BackupPC-users mailing list
> > BackupPC-users@lists.sourceforge.net
> > List: https://lists.sourceforge.net/lists/listinfo/backuppc-users
> > Wiki: https://github.com/backuppc/backuppc/wiki
> > Project: https://backuppc.github.io/backuppc/
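The client-side half of the scheme in the quoted post, as an added example that is not part of the original thread or of BackupPC: a small script the roaming laptop runs to create the `.sshtunnel-<port>` flag file on the server, hold the reverse tunnel open, and remove the flag again when the tunnel goes away (the post's "remember to DELETE when done!"). The server name, account, TopDir, port numbers and the script name `backuppc-tunnel.sh` are all assumptions; the account used is assumed to be allowed to write under `$TopDir/pc/<host>` and to open remote port forwards.

```shell
#!/bin/sh
# backuppc-tunnel.sh: roaming-client side of the scheme in the quoted post.
# Added example, not from the post and not part of BackupPC. The server name,
# account, ports and TopDir below are assumptions; adjust to the real setup.
set -eu

BPC_SERVER="${BPC_SERVER:-backuppc.example.org}"  # assumed BackupPC server
BPC_USER="${BPC_USER:-backuppc}"                  # assumed: may write under $TopDir/pc/<host>
BPC_TOPDIR="${BPC_TOPDIR:-/var/lib/backuppc}"     # $TopDir, same path the post hardcodes
CLIENT_HOST="${CLIENT_HOST:-$(uname -n)}"         # this machine's BackupPC host name
TUNNEL_PORT="${TUNNEL_PORT:-10022}"               # assumed free port on the server
LOCAL_SSHD_PORT="${LOCAL_SSHD_PORT:-22}"          # the "Orig SshPort" of the post

# The post's config only recognises a flag file named .sshtunnel-<digits>,
# so refuse anything that is not a plain unprivileged port number.
valid_tunnel_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1024 ] && [ "$1" -le 65535 ]
}

# Path of the flag file: <TopDir>/pc/<host>/.sshtunnel-<port>
flag_file() {
    printf '%s/pc/%s/.sshtunnel-%s\n' "$1" "$2" "$3"
}

set_flag() {
    ssh "$BPC_USER@$BPC_SERVER" "touch '$(flag_file "$BPC_TOPDIR" "$CLIENT_HOST" "$TUNNEL_PORT")'"
}

clear_flag() {
    ssh "$BPC_USER@$BPC_SERVER" "rm -f '$(flag_file "$BPC_TOPDIR" "$CLIENT_HOST" "$TUNNEL_PORT")'"
}

# Idempotent, so it is safe to run from both the EXIT and the signal traps.
cleanup() {
    [ "${CLEANED:-0}" = 1 ] && return 0
    CLEANED=1
    clear_flag
}

main() {
    valid_tunnel_port "$TUNNEL_PORT" || {
        echo "TUNNEL_PORT must be a number in 1024..65535, got '$TUNNEL_PORT'" >&2
        exit 2
    }
    set_flag
    # Remove the flag however the tunnel ends (link drop, Ctrl-C, kill), so
    # the server goes back to its normal address for this host instead of
    # trying to reach a dead localhost:<port> until someone deletes the file.
    trap cleanup EXIT INT TERM

    # -N                    tunnel only, no remote shell.
    # ExitOnForwardFailure  if <port> is already bound on the server (a stale
    #                       tunnel), exit instead of connecting without it.
    # ServerAlive*          notice a dead link within ~90 s so cleanup runs.
    # The listener binds to the server's loopback unless sshd has
    # GatewayPorts enabled, which is what the post's localhost alias needs.
    ssh -N \
        -o ExitOnForwardFailure=yes \
        -o ServerAliveInterval=30 -o ServerAliveCountMax=3 \
        -R "${TUNNEL_PORT}:localhost:${LOCAL_SSHD_PORT}" \
        "$BPC_USER@$BPC_SERVER"
}

# Run only when executed under this name; sourcing the file just defines the functions.
case "${0##*/}" in
    backuppc-tunnel.sh) main "$@" ;;
esac
```

Two points beyond the post. `ExitOnForwardFailure=yes` is what makes a stale tunnel visible: without it, ssh logs a warning, connects anyway, and the server keeps talking to whatever is listening on that port. And the post's config turns off host-key checking for the tunnel hop because the key would otherwise have to be recorded under a new `[localhost]:<port>` name for every port; the alternative that keeps the check is adding `-o HostKeyAlias=<host>` to the server-side ssh arguments, which makes ssh look the laptop's key up in known_hosts under its usual host name regardless of the `localhost:<port>` it actually dials.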