Active Backup and VPN (how to avoid backup while connected via VPN?)


44
10
NAS
DS107, DS209, DS210+, DS715, DS918+
Router
  1. RT2600ac
Active Backup is a nice solution. I like it.
Unfortunately I have a problem which I'm not able to solve: as soon as I connect to our network via VPN, the Synology Active Backup for Business (server) thinks that I'm on the LAN and starts the backup task (when it is time to do it). You can imagine that this task is not suitable for a VPN connection, and I do not want to run the backup while I'm connected to the LAN via VPN.

Any idea how to avoid this behaviour?
Thanks for help.
 

Rusty

Moderator
NAS Support
4,380
1,270
www.blackvoid.club
NAS
DS718+, DS918+, 2x RS3614RPxs+
Router
  1. RT1900ac
  2. RT2600ac
  3. MR2200ac
Operating system
  1. macOS
Mobile operating system
  1. iOS
Why wouldn’t it be suitable for clients connected via VPN? Whether you want that or not is a different matter entirely.

Have you tried to set up a specific time frame for backups? Maybe that way you could avoid the auto-backup scenarios that you are having when connecting.
 
44
10
Hi,
To do a bare metal backup you need to transfer quite a lot of data (10 and more GB). You can do it via VPN but it takes many hours/days (depending on the type of connection), slowing other work.

Another important reason is that when you are connected to the VPN via a mobile network, you easily run out of the data limit - that's really annoying and expensive...

Setting a time is not possible simply because it is not predictable when the notebooks are out of the company.

Any other idea how to solve the problem?
 

Rusty

Valid points, no question about it. If you have devices using the mobile network, not sure any of those can ever be processed and backed up using any specific rule or timetable, especially if they are random.
If I get an idea I’ll be sure to share it.
 
18
6
Hello Everyone,

I just subscribed to the forum as this was the only place I could find where such a question was posted. I am travelling a lot, and while ABB does a great job in keeping my files backed up, I have no way to ensure it only works in the LAN.

Originally I had used only the NAS IP on the client, just to find out months later the issue where the Let's Encrypt certificate was renewed and ABB stopped backing up without notification. So since I can do nothing about it, I had to open the 5510 port on my router and use the DDNS on the client.

I tried to restrict the 5510 port on the firewall to only work for the range of IPs given by my router's DHCP server, but it would not work as it would also block the connection even when I am on the LAN.

Any other suggestions or developments since the last post of this thread would really be appreciated.

Thanks a lot!
 

Rusty

Would running a VPN connection back to your LAN where your ABB NAS is do the trick for you? This way you will be able to back up with settings that you would normally use while you are in fact inside your LAN. Depending on your remote connection going via VPN might be slower than usual but in return, you would get your backup running over the internet with LAN settings.
 
18
6
My LAN is behind an RT2600ac, so I do use the OpenVPN service to connect. I did a test as per your suggestion but it is not conclusive:
1. I closed port 5510 on the router so that it cannot be accessed from outside
2. After some seconds the ABB client indicated an internet connection error as expected
3. I used my mobile as a hotspot and connected my laptop there - then engaged the OpenVPN connection
4. Tested that I can still reach 192.168.1.x addresses, which worked fine (however in my ABB client I still have to use the DDNS name so that it does not disconnect when the SSL certificate is renewed)
5. The client continued to show the internet error, but after logging in to the NAS and the ABB package it seemed that the backup is ongoing but at very slow speed (512kb/s).

I'll try to do more extensive testing to see how it is behaving in detail...

It's a pity though that there is no clean solution for this :(
 

Rusty

So if you will use the VPN connection then you can reconfigure your clients to use your ABB NAS local IP address.
 
18
6
My main issue is that if I use the local IP address, when the certificate renews automatically, it will silently stop syncing until I manually bring up the GUI and confirm to trust the certificate.
I'm not saying I'm too lazy for this, but since there is no notification (either by the app or via email or anything) it is very easy to just forget it and realize some months later that the device hasn't been backed up for all this time...
This is what actually freaked me out, and I started looking for ways to ensure it won't happen again..
 
383
76
NAS
RS820+, DS718+
Operating system
  1. Windows
Mobile operating system
  1. iOS
When you get the cert message saying the cert has changed, do you want to use it? Say NO. It then won't use the cert, which doesn't work anyway for local IPs.
 

Rusty

> My main issue is that if I use the local IP address, when the certificate renews automatically, it will silently stop syncing until I manually bring up the GUI and confirm to trust the certificate.
> I'm not saying I'm too lazy for this, but since there is no notification (either by the app or via email or anything) it is very easy to just forget it and realize some months later that the device hasn't been backed up for all this time...
> This is what actually freaked me out, and I started looking for ways to ensure it won't happen again..

I get that, but if you only access ABB via VPN there is no need to push it via an SSL cert or reverse proxy. In that case, you will not have to deal with certs or the problem of it skipping the backup.
 
18
6
Sorry, but maybe my knowledge of these is only on the surface.. What I can say for the two responses above:

@Gerard: as far as I remember you can only opt to proceed with the untrusted certificate (something like this https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSXoar6VYwpEF9sL9IArOCFRD_CyUwwoV_7Cg&usqp=CAU). So you "have" to use it.. and after it gets renewed you bump into the problem again.

@Rusty: thanks for your patience. The thing is that I was already using the local IP on the client so far and did hit the untrusted SSL certificate issue. That's why I started looking into it. The NAS has several SSL certificates installed as I have several services on Docker that I access through the reverse proxy. Does it make sense that even when I use the local IP the client "sees" the certificate on the servers and tries to use it? In other words... would I have to remove all certificates from the server so that it sees none and works without it?
 
383
76
> @Gerard: as far as I remember you can only opt to proceed with the untrusted certificate (something like this https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSXoar6VYwpEF9sL9IArOCFRD_CyUwwoV_7Cg&usqp=CAU). So you "have" to use it.. and after it gets renewed you bump into the problem again.

Yes, that's the message, proceed anyway.

Thinking back, I think I resolved this by adding a DNS entry in my local LAN router which pointed the domain name I used to the local IP of the NAS. In this way all the traffic stayed local and you are able to use the cert.
 

Rusty

> Does it make sense that even when I use the local IP the client "sees" the certificate on the servers and tries to use it? In other words... would I have to remove all certificates from the server so that it sees none and works without it?

No need. Just remove the certificate from the ABB service in the Security > Certificate section if you have it, as well as any reverse proxy/application portal settings towards that service.
 
18
6
OK, I did as you said and also restarted the NAS, and uninstalled/reinstalled the client on my PC. When it connected locally it again popped up the message for the self-signed certificate, so I am a bit sceptical if it sees the default (or any other of the 5) certificates I have. In any case I will try to renew the certificates I have and see if it makes a difference.

Thanks a lot for the advice!
 
383
76
Do you have the ability to add a DNS entry in your router?
 
18
6
I am not sure how to do it.
I have the Synology RT2600ac, but I have also set up a Raspberry Pi with Pi-hole (for ad blocking) that I have declared as the DNS that is assigned by the RT2600ac DHCP server.

So if I have to declare it on the Raspberry I would probably not know how to do it as well.. 🥺

I'll do some searching on the net on this..
-- post merged: --

Another update is that after post #15 I manually renewed the certificates on the NAS and the ABB client got a glorious red exclamation mark saying the SSL certificate has been changed. So probably it does always check the certificates on the NAS....
 
383
76
You basically want to create a NAT loopback entry in your DNS. In your local network DNS you want an entry where mydomain.com connects to 192.168.1.x (or your local NAS IP). This way you can use the FQDN (fully qualified domain name).
 
18
6
Thanks so much for pointing me in the right direction.

I think I managed to do it as follows:
1. Re-installed all certificates and closed the 5510 port so that the router blocks the connection
2. The fact that I use Pi-hole as DNS made it easier, as it allows entering Local DNS Records, so I just added my domain and the local IP
3. Set up the client again using the domain instead of the local IP. It connected to the server with no requests about certificates or any other thing

Tomorrow I'll try to renew the certificates manually once again and see if it works as expected.

Thanks both Rusty and Gerard for your help!
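
An added example, not part of the original thread: a small Python check for the setup reached above, confirming that the backup hostname resolves inside the LAN and that port 5510 presents a certificate that validates for that name, with days left before expiry. The hostname `nas.example.com` is a placeholder, the subnet `192.168.1.0/24` is assumed from the 192.168.1.x addresses mentioned in the thread, and the function names are illustrative.

```python
import ipaddress
import socket
import ssl
from datetime import datetime, timezone

def stays_on_lan(addresses, lan_cidr):
    """True only if every resolved address lies inside the LAN subnet."""
    net = ipaddress.ip_network(lan_cidr)
    return bool(addresses) and all(ipaddress.ip_address(a) in net for a in addresses)

def days_until_expiry(not_after, now=None):
    """Whole days left before the certificate's notAfter timestamp."""
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(not_after), timezone.utc)
    return (expires - (now or datetime.now(timezone.utc))).days

def check_backup_endpoint(hostname, port, lan_cidr, warn_days=14):
    """Resolve the name, confirm it points into the LAN, then do a verified TLS handshake."""
    try:
        infos = socket.getaddrinfo(hostname, port, proto=socket.IPPROTO_TCP)
    except OSError as exc:
        return f"FAIL: cannot resolve {hostname}: {exc}"
    addresses = sorted({info[4][0] for info in infos})
    if not stays_on_lan(addresses, lan_cidr):
        return f"FAIL: {hostname} resolves to {addresses}, outside {lan_cidr}"
    ctx = ssl.create_default_context()  # verifies both the chain and the hostname
    try:
        with socket.create_connection((addresses[0], port), timeout=5) as raw:
            with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                left = days_until_expiry(tls.getpeercert()["notAfter"])
    except ssl.SSLCertVerificationError as exc:
        return f"FAIL: certificate not trusted for {hostname}: {exc.verify_message}"
    except OSError as exc:
        return f"FAIL: cannot reach {hostname}:{port}: {exc}"
    if left < warn_days:
        return f"WARN: certificate expires in {left} days"
    return f"OK: {hostname} -> {addresses}, certificate valid for {left} days"

if __name__ == "__main__":
    # Placeholder values: substitute the DDNS name and LAN subnet actually in use.
    print(check_backup_endpoint("nas.example.com", 5510, "192.168.1.0/24"))
```

Run it from a client that uses the same local DNS server as the backup agent; scheduling it and alerting on any non-OK line covers the silent-failure case described earlier in the thread.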
 
