another process that is more complicated than initial investigation would indicate.
there are 2 ways you can do it, a push or a pull, i am going to do a push. pros/cons revolve around security, more details later.
steps:
- on source:
  - create manual snapshot
- on target:
  - create user
  - set it as no password
  - make sure to create home directory
  - create target dataset
  - add simple settings
- on source:
  - create manual snapshot
  - create replication task
  - set up ssh connection
  - options
on source: create manual snapshot
go to Data Protection –> periodic snapshot tasks
then choose the Snapshots button

then choose “add” at the top

choose your dataset, and if you have any child datasets you also want to include in this snapshot, then you can select recursive. i have none below this, so the button would have no effect anyway. there aren’t any other settings here, the default name is fine.

This will create a new, one-time manual snapshot. The “Hold” button on a snapshot prevents it from being deleted. When a snapshot is “held,” TrueNAS will not allow you to delete it, even if you attempt to do so through batch operations or other means. This feature is useful for protecting snapshots that are important for backups, restoring data, or other critical purposes.
on target: create new user
go to credentials –> users –> add


make sure to
- actually create/set a home directory for this user, and
- uncheck “smb user” since we won’t be using it for that.
- select “disable password”
on target: set up datasets
if you would like to encrypt the backup, the target dataset cannot be encrypted, so you’ll need to encrypt a parent dataset and add the actual target dataset as a child with “inherit” encryption.

on source: create replication task
start by selecting the source, as “on this system”, and check the box for your dataset.
then select destination as “on a different system” and then select “create new” under SSH connections.

this is where it gets tricky,
- for authentication, select the ip address of your target, including the “HTTPS” part, so it would look like “https://192.168.1.3”
- for the “admin username”, type in the admin user from your target machine, by default it’s the “truenas_admin” user, with the password of that user on the target machine.
- in the “username” field, type in the passwordless/non-admin user you just created on the target machine. example names are usually like, “push_repl” but i am using a unique name so i can keep track later.

in the “private key” field, select generate new:

i got an error about my ssh key being self-signed:
middlewared.service_exception.CallError: [ESSLCERTVERIFICATIONERROR] [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: self-signed certificate (_ssl.c:1006)


but it seems to allow me to continue, albeit “insecurely”. we can work out how to create trusted self-signed certs later.
troubleshooting
- https://www.truenas.com/docs/core/13.0/coretutorials/systemconfiguration/configuringsshconnections/
- https://forum.level1techs.com/t/setting-up-an-replication-task-on-truenas-scale/200838
- https://forums.truenas.com/t/zfs-replication-setup-issue/34409
- https://www.truenas.com/docs/scale/scaletutorials/dataprotection/replication/localreplicationscale/
- https://www.reddit.com/r/truenas/comments/x6p1pe/cant_configure_a_replication_task_to_remote_server/
- https://www.reddit.com/r/truenas/comments/1e0epnd/truenas_scale_replication_help/
- https://www.youtube.com/watch?v=XIj0iHtZvOg
- https://www.youtube.com/watch?v=bV7Y9jQrVPg
- https://www.youtube.com/watch?v=Qc1gVE-3uwE
- https://www.youtube.com/watch?v=htnUVRr6Jmg
- https://www.youtube.com/watch?v=t4IQ2lyJ6FU
- https://www.reddit.com/r/truenas/comments/1cg6z55/cannot_connect_over_ssh_with_key/
- https://forums.truenas.com/t/problem-creating-ssh-connection-to-replicate-from-truenas-to-truenas/11552
- https://www.truenas.com/docs/scale/25.04/scaletutorials/dataprotection/replication/remotereplicationscale/
error i was getting is this, such a generic error!
[EACCES] AuthenticationException('Authentication failed.')
Possible solutions:
- Incorrect private key — the key used in the SSH connection doesn’t match the public key on the remote server.
- Wrong user — the SSH connection is trying to log in as one user, but the key is in another user’s authorized_keys.
- Wrong permissions — either on the private key (locally) or on the .ssh directory / authorized_keys file (on the remote system).
- Missing private key — the TrueNAS GUI can’t find or use the key if it wasn’t pasted correctly.
- Wrong hostname or unreachable host — maybe getaddrinfo issues with hostnames.
also make sure to run these commands on the .ssh folder and authorized keys file:
chown user:userPrimaryGroup /home/user
chmod 700 /home/user/.ssh
chmod 600 /home/user/.ssh/authorized_keys
chmod 600 /path/to/your/private_key
sudo chown -R replicator:replicator ~replicator/.ssh
sudo chmod 700 ~replicator/.ssh
sudo chmod 600 ~replicator/.ssh/authorized_keys
-rw------- 1 replicator replicator 1234 May 12 15:30 authorized_keys
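the checks behind the “wrong permissions”, “wrong user” and “incorrect private key” causes above can be scripted. this is an added example, not part of the original notes or of TrueNAS; the function names are made up for it, and `replicator` and the key path are placeholders.

```shell
#!/usr/bin/env bash
# Added example, not from the original page. Uses GNU stat (Linux / TrueNAS SCALE).

# check_path PATH UID: report whether sshd's StrictModes would accept PATH.
# sshd refuses authorized_keys if the file, ~/.ssh or the home directory is
# owned by anyone other than the user (or root), or is group/other writable.
check_path() {
    local path=$1 uid=$2 owner mode
    [ -e "$path" ] || { echo "MISSING $path"; return 1; }
    owner=$(stat -c '%u' "$path")
    mode=$(stat -c '%a' "$path")
    if [ "$owner" != "$uid" ] && [ "$owner" != 0 ]; then
        echo "OWNER   $path: uid $owner, expected $uid"; return 1
    fi
    if [ $(( 0$mode & 022 )) -ne 0 ]; then
        echo "MODE    $path: $mode is group/other writable"; return 1
    fi
    echo "ok      $path ($mode)"
}

# audit_ssh_dir HOME UID: check the three paths the chown/chmod lines above fix.
audit_ssh_dir() {
    local home=$1 uid=$2 rc=0 p
    for p in "$home" "$home/.ssh" "$home/.ssh/authorized_keys"; do
        check_path "$p" "$uid" || rc=1
    done
    return $rc
}

# key_is_authorized "TYPE BLOB [comment]" FILE: succeed if that key is listed.
# Only key type + base64 blob are compared, so options and comments are ignored.
key_is_authorized() {
    local want
    want=$(printf '%s\n' "$1" | awk '{ print $1, $2 }')
    awk -v want="$want" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        { for (i = 1; i < NF; i++) if (($i " " $(i + 1)) == want) found = 1 }
        END { exit !found }' "$2"
}

# Typical use (user name and key path are placeholders):
#   on the source:  ssh-keygen -y -f /path/to/your/private_key   # prints the public key
#   on the target:  audit_ssh_dir ~replicator "$(id -u replicator)"
#                   key_is_authorized "<line printed on the source>" \
#                       ~replicator/.ssh/authorized_keys
```

source the file and call the functions as root on the target; a non-zero return from either one points at the permissions or the key pairing rather than the network.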
create new setup:
ssh-keygen -t ed25519 -f /root/.ssh/my-repl-key
ssh-copy-id -i /root/.ssh/my-repl-key.pub replicatorUser@remote-host
try to test it with terminal ssh:
ssh -vvv replicatorUser@targetIPaddress
add all the v’s
check the target server ssh service is running right:
check sshd_config: on the target system:
open /etc/ssh/sshd_config
check for the following lines:
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
make sure to restart the ssh service after change:
sudo systemctl restart sshd
agent forwarding:
ssh-add -l
no idea what this is, but it is to check if the correct key is loaded into your SSH agent. do this on both source and target?
terminal ssh, telling it the key to use:
this doesnt work, tells me the same public key error:
ssh -v -i /path/to/your/private_key replicator@remote_host
check ssh host keys (both machines?)
host may have 3 key files, one for each key type. the ssh client and server should auto-negotiate one they both can work with.
does truenas only support one of these key types?
system checks this with:
ssh-keyscan
Key File | Type | Algorithm | Purpose |
---|---|---|---|
/etc/ssh/ssh_host_rsa_key.pub | RSA | ssh-rsa | Older, widely supported |
/etc/ssh/ssh_host_ecdsa_key.pub | ECDSA | ecdsa-sha2-nistp256 | Modern EC-based key (faster than RSA) |
/etc/ssh/ssh_host_ed25519_key.pub | Ed25519 | ssh-ed25519 | Newest and most secure/efficient |
where does truenas store this keypair when generated through the GUI?
i can’t find it
i believe it is not using the private key that i am telling the (target) of the matching public key.