
Wednesday·11·March·2020

Backup over Tor with BackupPC //at 04:37 //by abe

I have a Raspberry Pi at my parents’ home. They have internet access via some ISP using Carrier Grade NAT (CGN). Hence their home router is not reachable via IPv4 from the outside; they do have IPv6 and the devices can also be made accessible via IPv6 via the local router.

Did that, was able to access my Raspberry Pi over IPv6 and SSH from the outside. So doing backup of that Raspberry Pi with BackupPC from the outside was a walk in the park.

Unfortunately the IPv6 prefix seems to change occasionally and the router only allows configuring explicit IPv6 addresses in firewall rules — so after a prefix change the configured rules no longer match the devices’ IPv6 addresses. Meh.

So there were multiple possibilities to work around these restrictions and access a device behind the router:

  • Using a permanent VPN connection, e.g. OpenVPN.
  • Using a software defined network (SDN), e.g. ZeroTier.
  • Enabling a Tor Hidden Service to access the device via SSH and Tor.

Enabling a Tor Hidden Service for port 22 is a no-brainer and was done most quickly (actually it already was in place as I already suspected that an IPv6 prefix change might happen) and I so far was too lazy to replace it with something more proper.

But my backup was relying on direct SSH access via IPv6. So I needed to get that working over Tor, too.

Here’s what was needed for the host named “sherpa” (named after the Fiberfab Sherpa) to be backed up via Tor:

  • Make sure the following packages are installed on the BackupPC server:
    • netcat-openbsd (netcat-traditional might work, too, but then needs different commandline options)
    • ssh-tools for ssh-ping
    • tor (of course :-)
  • Add these lines to ~backuppc/.ssh/config:
    Host sherpa_via_tor
            Hostname abcdefghijklmnop.onion
            ProxyCommand /bin/nc.openbsd -X 5 -x localhost:9050 %h %p
    
    These lines basically configure an alias hostname for ssh which then connects via SOCKS5 to the Tor daemon instead of doing DNS lookup and connection itself. It also configures the actual hostname (a Tor “.onion” hostname) to connect to.
  • Add the following lines to /etc/backuppc/sherpa.pl:
    $Conf{ClientNameAlias} = 'sherpa_via_tor';
    $Conf{PingCmd} = '/usr/bin/ssh-ping -c 1 $host';
    $Conf{NmbLookupFindHostCmd} = "";
    
    These lines configure a few things in BackupPC:
    • Use the hostname alias declared in .ssh/config.
    • Use ssh-ping instead of standard ping as command to test connectivity. (ICMP neither works over SOCKS5 nor over Tor. And we configured the connection only for SSH anyways.)
    • Don’t try to do any DNS lookups on the given hostnames. (Otherwise you’ll get error messages like “Can’t find host sherpa_via_tor via netbios” in BackupPC’s per-host log files.)

That’s it basically.

Of course you also need to have the SSH public host key in the .ssh/known_hosts file also for the .onion hostname. And the Tor Hidden Service needs to be configured on the target device.

But that’s left as exercise for the reader. There’s a lot of documentation about that on the internet, including slides and video recordings of talks and live demos I gave about this topic in German.
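
A preflight check for the setup above, as an added example that is not part of the original post: it confirms that the ssh alias points at a .onion Hostname through a SOCKS5 ProxyCommand and that known_hosts already holds a key for that name. The function names, the temporary sample files and the dummy key are assumptions; only exact Host names and unhashed known_hosts entries are handled.

```shell
#!/bin/sh
# Added example: preflight check for an ssh alias that reaches a host via Tor.

# ssh_cfg_get ALIAS KEYWORD FILE: value of KEYWORD (lower case) in "Host ALIAS".
# Only exact alias names are matched; Host wildcards and Match blocks are ignored.
ssh_cfg_get() {
    awk -v a="$1" -v k="$2" '
        tolower($1) == "host" { inblk = 0; for (i = 2; i <= NF; i++) if ($i == a) inblk = 1; next }
        inblk && tolower($1) == k { $1 = ""; sub(/^ +/, ""); print; exit }' "$3"
}

# check_tor_alias ALIAS SSH_CONFIG KNOWN_HOSTS: returns 0 only if all checks pass.
check_tor_alias() {
    rc=0
    onion=$(ssh_cfg_get "$1" hostname "$2")
    proxy=$(ssh_cfg_get "$1" proxycommand "$2")
    case $onion in
        *.onion) ;;
        *) echo "FAIL: $1 has no .onion Hostname"; return 1 ;;
    esac
    # Without a SOCKS5 proxy, ssh hands the .onion name to the local resolver:
    # the connection fails and the name may be exposed to the DNS server.
    case $proxy in
        *"-X 5"*"-x "* | *"-x "*"-X 5"*) ;;
        *) echo "FAIL: $1 has no SOCKS5 ProxyCommand (nc -X 5 -x ...)"; rc=1 ;;
    esac
    # BackupPC runs ssh unattended, so the key must already be pinned under
    # the .onion name. Assumes plain (unhashed) known_hosts entries.
    if ! awk -v h="$onion" '
        /^[#@]/ || NF < 3 { next }
        { n = split($1, names, ","); for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit !found }' "$3"; then
        echo "FAIL: no host key for $onion in $3"; rc=1
    fi
    if [ "$rc" -eq 0 ]; then echo "OK: $1 -> $onion via SOCKS5, host key pinned"; fi
    return "$rc"
}

# Constructed sample files; the .onion name is the post's placeholder and the
# key material is a dummy string.
demo=$(mktemp -d)
cat > "$demo/config" <<'EOF'
Host sherpa_via_tor
        Hostname abcdefghijklmnop.onion
        ProxyCommand /bin/nc.openbsd -X 5 -x localhost:9050 %h %p
EOF
echo 'abcdefghijklmnop.onion ssh-ed25519 AAAAconstructedDummyKey' > "$demo/known_hosts"
check_tor_alias sherpa_via_tor "$demo/config" "$demo/known_hosts"
```

On the BackupPC server the same function would be pointed at ~backuppc/.ssh/config and ~backuppc/.ssh/known_hosts.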

Ah, and in case you might think that’s unfair and misuse of the resources of the Tor Project: No, I explicitly asked and they said more or less any additional traffic helps to make it more difficult to analyse Tor traffic or to track Tor users — and is hence welcome.

Addendum: The last direct full backup of that Raspberry Pi (5.5 GB) took around 32 minutes. The first full backup over Tor (8.7 GB) took 341 minutes. Seems much slower, but there might be other factors as well: Most backups which ran last night were running at only 0.85 MB/s to 1 MB/s, probably because too many backups were running in parallel after a recent backup server downtime with file system check — the backup server was probably the bottleneck. The backup of the Raspberry Pi over Tor ran at 0.42 MB/s, so about half the speed of the other backups. (Will probably add some more notes if I have more statistics over time.)

Monday·02·November·2009

Mini-ITX based Home Server: Hardware Review //at 18:23 //by abe

from the the-waiting-has-an-end dept.

Mostly for my backup needs, I planned a Mini-ITX based home server around the Chenbro ES34069 Mini-ITX case which features four hot-swap S-ATA bays. I wanted a low-consumption motherboard and CPU in there (not only because of the default 120W power supply) and since low-consumption mainboards with 4 S-ATA connectors are quite seldom I’ve chosen the not so cheap VIA EPIA SN18000G mainboard with actively cooled 1.8 GHz VIA C7 processor and a maximum power consumption of less than 30W (including CPU).

Waiting for delivery

While the Chenbro ES34069 case I ordered at digitec “only” needed a few weeks to deliver, the VIA EPIA SN18000G mainboard from Brack took over eleven weeks to deliver, it finally has been delivered on Wednesday, 5th of November 2008.

I initially ordered the VIA board for CHF 324, now it’s at CHF 397 (without rebate even at CHF 439) because Brack seems to have had a lot of hassles to get some of them at all. Although they usually sell for the prices at the time they ship the hardware (market price), they sold it to me at their purchase price, so it became only about CHF 15 more expensive than when I ordered. And since the RAM price dropped by one third during those eleven weeks, the whole order became about CHF 25 cheaper, the order was CHF 10 cheaper overall than when ordered. :-) (Still waiting for the according voucher, though.)

So I’ve joined the two main components together, installed Debian Lenny on it, crammed four 400 GB Samsung S-ATA disks (formerly in a TheCus N4100) and the 160 GB 2.5” harddisk from my MicroClient JrSX (I never really used it in there, it always runs from CF card) into it, created a software RAID-5 and now fill it with music, games and backups.

But not everything was as easy as it sounds above. Although Chenbro lists the VIA EPIA SN18000G as officially compatible mainboard for the ES34069, not everything really fitted as expected. So here’s my review of this hardware combination.

Chenbro ES34069

It’s really awesome how much features you can stuff in such a small case. Of course it’s not as small as a thin client case or the mCubed HFX micro case, but it’s smaller than most book-size cases like the ASUS Pundits, just a little bit thicker.

Inside the case (laying on its left side) there are two decks. The lower deck contains the 3.5” hot-swappable S-ATA harddisk bays, the internal part of the power supply and the two fans for cooling the internal power supply components and the disks. The upper deck has space for the mainboard, a 2.5” harddisk, a slim-line optical drive slot and all the front-panel stuff (card reader, LEDs, USB sockets).

Both decks are divided in two sections. The front section belongs to the case itself and the back section containing the mainboard mount points and the two fans can be easily unplugged after removing four screws and keeping an eye on the cables from the lower to the upper deck. That way the mainboard can be mounted very easily. So far a very convincing design.

To mount the 2.5” harddisk in between the mainboard and the front panel, it’s not really necessary, but convenient to remove the slim-line optical drive slot, since you then have better access to the harddisk’s IDE socket. To remove the slot, you need to remove the front cover. That sounded easier than it actually was and I nearly broke off one of its catches. :-/

Although all parts of the case seem to fit very well together, the bays for the hot-swappable drives weren’t perfect: The drive slots did not always connect even if the latch is already closed. This was definitely better with the TheCus N4100. Additionally the bays seem to be made for slightly larger disks, so mine had play and the screws pressed it together and you need to take care that the screws don’t cant.

A big positive point of the case was that there were all necessary screws included and they were fitting. This was a bigger problem with the TheCus N4100, since many harddisks ship with their own screws, but those are seldom the needed flat-head ones.

Even a P-ATA to slim-line optical drive adapter was included, so I don’t need to buy one. (Would have cost CHF 42 at digitec.)

VIA EPIA SN18000G

While it’s surely not the most performant board out there, I’m quite satisfied with its performance. I installed BackupPC 3.1.0 as backup system on it and it works like a charm. It daily backs up up to 14 machines (over ssh tunnels – more to come) and is way more performant than expected. But I probably had very low expectations due to everyone arguing about the bad performance of the VIA C7. ;-)

Not nice, but known is the problem that most (but not all) USB connectors on the SN mainboard have 2.00mm pitch while all the case’s plugs have 2.54mm pitch. Appropriate adaptors are available from Mini-ITX.com. Thanks to Akim for this tip!

Power consumption

I hoped to get more details into this posting, e.g. measured power consumption, etc. But then I recently read in the c’t magazine how inexact my watt meter (from Brennenstuhl) is, so its values would probably bring more confusion than help. Additionally I don’t feel like powering down the server just for measurement.

Feedback

I got quite a few mails with hints to further Mini-ITX boards and TDP but also with questions about the case. I hope that this blog post answers some of the questions also for other readers. Thanks to all who replied to my initial blog post about my Chenbro/VIA based home server, either by mail, or comment, or both. :-)

Further plans

For deploying music to my other computers I tried both, mediatomb and gmediaserver but none really convinced me. Currently I just mount the media directory using the FUSE and ssh based sshfs. Not sure if I’ll add NFS due to its user base syncing hell.

Further plans are an HTTP proxy with ad filtering and caching capabilities, it’ll be Privoxy combined with either Squid or Polipo. Maybe even a Tor SOCKS proxy.


About...

This is the blog or weblog of Axel Stefan Beckert (aka abe or XTaran) who thought, he would never start blogging... (He also once thought, that there is no reason to switch to this new ugly Netscape thing because Mosaïc works fine. That was about 1996.) Well, times change...

He was born 1975 at Villingen-Schwenningen, made his Abitur at Schwäbisch Hall, studied Computer Science with minor Biology at University of Saarland at Saarbrücken (Germany) and now lives in Zürich (Switzerland), working at the Network Security Group (NSG) of the Central IT Services (Informatikdienste) at ETH Zurich.

Links to internal pages are orange, links to related pages are blue, links to external resources are green and links to Wikipedia articles, Internet Movie Database (IMDb) entries or similar resources are bordeaux. Times are CET respective CEST (which means GMT +0100 respective +0200).


This content is licensed under a Creative Commons License (SA 3.0 DE). Some rights reserved.