Active Backup and VPN (how to avoid backup while connected via VPN?)

NAS: DS107, DS209, DS210+, DS715, DS918+
Router: RT2600ac
Active Backup is a nice solution. I like it.
Unfortunately I have a problem which I'm not able to solve: as soon as I connect to our network via VPN, the Synology Active Backup for Business (server) thinks that I'm on the LAN and starts the backup task (when it is time to do it). You can imagine that this task is not suitable for a VPN connection, and I do not want to run the backup while I'm connected to the LAN via VPN.

Any idea how to avoid this behaviour?
Thanks for help.
 
Why wouldn’t it be suitable for clients connected via VPN? Whether you want that or not is a different matter entirely.

Have you tried to set up a specific time frame for backups? Maybe that way you could avoid the auto-backup scenarios that you are having when connecting.
 
Hi,
To do a bare metal backup you need to transfer quite a lot of data (10 GB and more). You can do it via VPN but it takes many hours/days (depending on the type of connection), slowing other work.

Another important reason is that when you are connected to the VPN via a mobile network, you easily run out of the data limit - that's really annoying and expensive...

Setting a time is not possible simply because it is not predictable when the notebooks are out of the company.

Any other idea how to solve the problem?
 
Hello Everyone,

I just subscribed to the forum as this was the only place I could find where such a question was posted. I am travelling a lot and while ABB does a great job in keeping my files backed up, I have no way to ensure it only works in the LAN.

Originally I had used only the NAS IP on the client, just to find out months later the issue where the Let's Encrypt certificate was renewed and ABB stopped backing up without notification. So since I can do nothing about it, I had to open the 5510 port on my router and use the DDNS on the client.

I tried to restrict the 5510 port on the firewall to only work for the range of IPs given by my router's DHCP server, but it would not work as it would also block the connection even when I am on the LAN.

Any other suggestions or developments since the last post of this thread would really be appreciated.

Thanks a lot!
 
Would running a VPN connection back to your LAN where your ABB NAS is do the trick for you? This way you will be able to back up with settings that you would normally use while you are in fact inside your LAN. Depending on your remote connection going via VPN might be slower than usual but in return, you would get your backup running over the internet with LAN settings.
 
My LAN is behind an RT2600ac so I do use the OpenVPN service to connect. I did a test as per your suggestion but it is not conclusive:
1. I closed port 5510 on the router so that it cannot be accessed from outside
2. After some seconds the ABB client indicated an internet connection error as expected
3. I used my mobile as a hotspot and connected my laptop there - then engaged the OpenVPN connection
4. Tested that I can still reach 192.168.1.x addresses, which worked fine (however in my ABB client I still have to use the DDNS name so that it does not disconnect when the SSL certificate is renewed)
5. The client continued to show an internet error, but after logging in to the NAS and the ABB package it seemed that the backup is ongoing but at very slow speed (512kb/s).

I'll try to do more extensive testing to see how it is behaving in detail...

It's a pity though that there is no clean solution for this :(
 
So if you will use the VPN connection then you can reconfigure your clients to use your ABB NAS local IP address.
 
My main issue is that if I use the local IP address, when the certificate renews automatically, it will silently stop syncing until I manually bring up the GUI and confirm to trust the certificate.
I'm not saying I'm too lazy for this, but since there is no notification (either by the app or via email or anything) it is very easy to just forget it and realize some months later that the device hasn't been backed up for all this time...
This is what actually freaked me out and I started looking for ways to ensure it won't happen again..
 
When you get the cert message saying the cert has changed, do you want to use it? Say NO. It then won't use the cert, which doesn't work anyway for local IPs.
 
I get that but if you only access ABB via VPN there is no need to push it via an ssl cert or reverse proxy. In that case, you will not have to deal with certs or the problem of it skipping the backup.
 
Sorry, but maybe my knowledge of these is only on the surface of it.. What I can say for the two responses above:

@Gerard: as far as I remember you can only opt to proceed with the untrusted certificate (something like this https://encrypted-tbn0.gstatic.com/images?q=tbn:ANd9GcSXoar6VYwpEF9sL9IArOCFRD_CyUwwoV_7Cg&usqp=CAU). So you "have" to use it.. and after it gets renewed you bump into the problem again.

@Rusty: thanks for your patience. The thing is that I was already using the local IP on the client so far and did hit the untrusted SSL certificate issue. That's why I started looking into it. The NAS has several SSL certificates installed as I have several services on Docker that I access through the reverse proxy. Does it make sense that even when I use the local IP the client "sees" the certificate on the server and tries to use it? In other words... would I have to remove all certificates from the server so that it sees none and works without it?
 
Yes, that's the message, proceed anyway.

Thinking back, I think I resolved this by adding a DNS entry in my local LAN router which pointed the domain name I used to the local IP of the NAS. In this way all the traffic stayed local and you are able to use the cert.
 
No need. Just remove the certificate from the ABB service in the Security > Certificate section if you have it, as well as any reverse proxy/application portal settings towards that service.
 
OK, I did as you said and also restarted the NAS, and uninstalled/reinstalled the client on my PC. When it connected locally it again popped up the message for the self-signed certificate, so I am a bit sceptical whether it sees the default (or any other of the 5) certificates I have. In any case I will try to renew the certificates I have and see if it makes a difference.

Thanks a lot for the advice!
 
I am not sure how to do it.
I have the Synology RT2600ac, but I have also set up a Raspberry Pi with Pi-hole (for ad blocking) that I have declared as the DNS server that is assigned by the RT2600ac DHCP server.

So if I have to declare it on the Raspberry Pi, I would probably not know how to do it either.. 🥺

I'll do some searching on the net on this..

Another update is that after post #15 I manually renewed the certificates on the NAS and the ABB client got a glorious red exclamation mark saying the SSL certificate has been changed. So probably it does always check the certificates on the NAS....
 
You basically want to create a NAT loopback entry in your DNS. In your local network DNS you want an entry where mydomain.com connects to 192.168.1.x (or your local NAS IP). This way you can use the FQDN (fully qualified domain name).
 
Thanks so much for pointing me in the right direction.

I think I managed to do it as follows:
1. Re-installed all certificates and closed the 5510 port so that the router blocks the connection
2. The fact that I use Pi-hole as DNS made it easier, as it allows entering Local DNS Records, so I just added my domain and the local IP
3. Set up the client again using the domain instead of the local IP. It connected to the server with no requests about certificates or any other thing

Tomorrow I'll try to renew the certificates manually once again and see if it works as expected.

Thanks both Rusty and Gerard for your help!
 
I have the same problem.
Users in home office should not try the backup from home office.
But they need the connection to the NAS, because there is other important data for them.
Could it be a solution to start the Synology service only when the PC has an IP of a certain subnet (192.168.4.XXX)?
How could that be done?
Thank you, ThoBa
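
One way to implement the subnet check asked about above, as an added example that is not part of the original thread or any Synology tooling: instead of looking for any 192.168.4.x address on the PC, it asks the OS which local address it would use to reach the NAS, so a routed VPN tunnel or a home network yields "stop". The NAS address and the service start/stop commands are placeholders to replace for your own setup.

```python
"""Added example: let the backup agent run only on the office LAN."""
import ipaddress
import socket
import subprocess
import sys

OFFICE_NET = ipaddress.ip_network("192.168.4.0/24")  # subnet named in the post
NAS_ADDR = "192.168.4.10"   # assumption: placeholder NAS address
ABB_PORT = 5510             # agent port mentioned in the thread
# Assumption: placeholders; substitute the service-control commands for your OS.
START_CMD = ["<start-backup-agent-service>"]
STOP_CMD = ["<stop-backup-agent-service>"]


def route_source_address(target, port=ABB_PORT):
    """Return the local address the OS would use to reach `target`.

    connect() on a UDP socket only selects a route; no packet is sent.
    Returns None when there is no route at all (e.g. offline).
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        try:
            s.connect((target, port))
        except OSError:
            return None
        return s.getsockname()[0]


def decide(source_ip, office_net=OFFICE_NET):
    """'start' only if traffic to the NAS leaves from an office-LAN address."""
    if source_ip is None:
        return "stop"
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return "stop"       # fail closed on anything unparsable
    return "start" if addr in office_net else "stop"


def main():
    action = decide(route_source_address(NAS_ADDR))
    cmd = START_CMD if action == "start" else STOP_CMD
    print(f"{action}: {' '.join(cmd)}")
    if "--apply" in sys.argv:   # dry run unless explicitly asked to act
        subprocess.run(cmd, check=True)


if __name__ == "__main__":
    main()
```

Run it at logon or on a schedule; without `--apply` it only prints the decision. A bridged VPN that hands out office-subnet addresses, or a home network that happens to use the same subnet, would still be treated as the office LAN.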
 