What is the best method for setting up an off-site backup NAS?

Currently reading
What is the best method for setting up an off-site backup NAS?

484
97
NAS
DS220+, DS918+, RS1219+
Operating system
  1. Windows
Mobile operating system
  1. Android
I've mentioned the system I'm working on building in this thread: Solved - Confused about converting/expanding from my DS819+ to rack-mount options. Most of the hardware just came in and I'm going to start getting it set up.

In order to make the initial setup and backup transfer go faster, I plan on having all 3 NAS connected locally. This will keep all the transfers on my LAN and I'll then move the remote NAS offsite and set them up for true remote access. I will have an RS1219+ at my house, and a DS918+ & DS220+ at dad's house. The DS220+ will be my remote backup NAS.

That being said, I'm not sure what is the best package for running the off-site backup and also how to manage the NAS itself. From what I've read, I can use Central Management System for administration of the remote backup NAS, and then HyperBackup to actually manage the backup to the remote NAS? Is this probably my best practice for now, or are there other options to consider?

I have not yet setup any VPN on my current NAS. I understand what it does, but I don't yet understand how to actually use it. Is it possible to setup a VPN between the 2 NAS and then bury the hyperbackup connection in the VPN tunnel? I assume I'd then be able to lock down the remote NAS pretty tight to remote access as it is only for backups.
 
Solution
That being said, I'm not sure what is the best package for running the off-site backup and also how to manage the NAS itself. From what I've read, I can use Central Management System for administration of the remote backup NAS, and then HyperBackup to actually manage the backup to the remote NAS? Is this probably my best practice for now, or are there other options to consider?
Correct. CMS for general remote administration will do just fine. If you need to access the NAS and tweak some things that you will need "hands-on" with that NAS. You can VPN to it, you can access it via HTTPS/DDNS way or QuickConnect.

HyperBackup is the tool for your NAS backup.

Is it possible to setup a VPN between the 2 NAS and then bury the...
That being said, I'm not sure what is the best package for running the off-site backup and also how to manage the NAS itself. From what I've read, I can use Central Management System for administration of the remote backup NAS, and then HyperBackup to actually manage the backup to the remote NAS? Is this probably my best practice for now, or are there other options to consider?
Correct. CMS for general remote administration will do just fine. If you need to access the NAS and tweak some things that you will need "hands-on" with that NAS. You can VPN to it, you can access it via HTTPS/DDNS way or QuickConnect.

HyperBackup is the tool for your NAS backup.

Is it possible to setup a VPN between the 2 NAS and then bury the hyperbackup connection in the VPN tunnel?
There is a VPN server/client scenario and there are VPN site-to-site options (this is for routers only, DSM does not support this).

So if you mean if you can use VPN to connect to your father's location and then back up via HB, yes you can. That VPN will allow you to have access to a remote LAN and any tasks done can be treated as "local LAN traffic operations". You can set up a VPN server on the 220+ model and then use your RS model as a client to initiate a connection to it. Those 2 NAS will talk in LAN and still use the Internet to initiate a backup.

As much as this can work, you can do your self a favor and just use HB with encryption while doing your backup. This way you don't need to set up a VPN on 220 or use your RS as a VPN client. The result will be the same regarding security and overall configuration will be a bit "easier" and less complex.

Still saying that you could have a VPN server on your 220 setups just in case you need hands-on for both your 918 and 220 NAS in case you need to configure them and maintain them outside CMS operations.
 
Upvote 0
Solution
@silverj

You can bookmark post:

Or Watch it to get notifications when new posts are added:
Screenshot 2020-12-08 at 10.55.52.png
 
Upvote 0
Just so I know, what settings cannot be done via csm?
Anything that requires interaction inside DSM settings. Some that be applied via CMS policies but some can't and you have to log into your NAS. Far too many options to go over.
 
Upvote 0
I had assumed that csm was basically multi-nas dsm and could configure everything the same way you could with a single NAS and dsm. Good to know that's not the case.
There are a lot of things, but for example, you can't create users or manage them. This is just of the top of my head.
 
Upvote 0
Correct. CMS for general remote administration will do just fine. If you need to access the NAS and tweak some things that you will need "hands-on" with that NAS. You can VPN to it, you can access it via HTTPS/DDNS way or QuickConnect.

HyperBackup is the tool for your NAS backup.


There is a VPN server/client scenario and there are VPN site-to-site options (this is for routers only, DSM does not support this).

So if you mean if you can use VPN to connect to your father's location and then back up via HB, yes you can. That VPN will allow you to have access to a remote LAN and any tasks done can be treated as "local LAN traffic operations". You can set up a VPN server on the 220+ model and then use your RS model as a client to initiate a connection to it. Those 2 NAS will talk in LAN and still use the Internet to initiate a backup.

As much as this can work, you can do your self a favor and just use HB with encryption while doing your backup. This way you don't need to set up a VPN on 220 or use your RS as a VPN client. The result will be the same regarding security and overall configuration will be a bit "easier" and less complex.

Still saying that you could have a VPN server on your 220 setups just in case you need hands-on for both your 918 and 220 NAS in case you need to configure them and maintain them outside CMS operations.
Hi Rusty,
thanks for all your wisdom on this forum. Just double-checking as I have a similar question but just to check whether I understand your explanation, so hope this is not considered spam: I'm using HyperBackup for remote backup between 2 NAS devices (mine and 1 at my brothers house) and it works fine. I backup my NAS to his NAS and vice versa. I would like it to be as secure as possible (both my data as well as access to my NAS).
We both have static IP addresses so I use port forwarding on my router and configured my Synology router firewall to only allow my brothers IP address access to standard HyperBackup port 6281 on my NAS. Also we use transfer and client side encryption.
Would you say:
- setting up VPN (for example OpenVPN) would be even more secure or save me the trouble and just keep my current set-up?
- I don't use my NAS firewall currently, I rely fully on my router firewall. Would you advise me to also enable/configure my NAS firewall to only allow external access from my brothers IP? I'm not familiar with the set-up of the NAS firewall and don't want to run the risk of blocking local client devices (all inside my LAN) from accessing my NAS.

Many thanks in advance!
 
Upvote 0
We both have static IP addresses so I use port forwarding on my router and configured my Synology router firewall to only allow my brothers IP address access to standard HyperBackup port 6281 on my NAS. Also we use transfer and client side encryption.
Seems fine and by the book.

Would you say:
- setting up VPN (for example OpenVPN) would be even more secure or save me the trouble and just keep my current set-up?
to be used in what scenario exactly?

I don't use my NAS firewall currently, I rely fully on my router firewall. Would you advise me to also enable/configure my NAS firewall to only allow external access from my brothers IP?
In order to get to your NAS it has to pass over your router. So if you have it hardened on that level it might be an overkill.
 
Upvote 0
Seems fine and by the book.


to be used in what scenario exactly?


In order to get to your NAS it has to pass over your router. So if you have it hardened on that level it might be an overkill.
First of all, thanks for all your help.
To your question "in what scenario exactly". I was reviewing your comment in this thread:

"So if you mean if you can use VPN to connect to your father's location and then back up via HB, yes you can. That VPN will allow you to have access to a remote LAN and any tasks done can be treated as "local LAN traffic operations". You can set up a VPN server on the 220+ model and then use your RS model as a client to initiate a connection to it. Those 2 NAS will talk in LAN and still use the Internet to initiate a backup.

As much as this can work, you can do your self a favor and just use HB with encryption while doing your backup. This way you don't need to set up a VPN on 220 or use your RS as a VPN client. The result will be the same regarding security and overall configuration will be a bit "easier" and less complex."


My understanding was: if I am only interested in the scenario of using HyperBackup to an offsite NAS and vice versa (and no other external access to the NAS), I could set-up a VPN tunnel to send the backup information through (wasn't aware of that until you mentioned it), but if I understand you correctly as to your view the security (both external NAS/network access as well as my data being sent across the internet) of just using HyperBackup with transfer encryption and a correctly configured router firewall is just as safe?

The second scenario I can think of: if I also want remote access to my NAS to perform admin tasks. In which case I think VPN is advised.
 
Upvote 0
just using HyperBackup with transfer encryption and a correctly configured router firewall is just as safe?
exactly right.

The second scenario I can think of: if I also want remote access to my NAS to perform admin tasks. In which case I think VPN is advised.
Reason I asked what scenario exactly. If you want an incoming vpn back to your lan then a remote vpn to your other location will not do you any good.

So focus on HB with encryption and an incoming vpn server for your second scenario.
 
Upvote 0

Create an account or login to comment

You must be a member in order to leave a comment

Create account

Create an account on our community. It's easy!

Log in

Already have an account? Log in here.

Similar threads

thanks @Telos @Coop777 and @fredbert . Now I got the device and doing the migration (from my older NAS)...
Replies
10
Views
1,403

Welcome to SynoForum.com!

SynoForum.com is an unofficial Synology forum for NAS owners and enthusiasts.

Registration is free, easy and fast!

Back
Top