How to do peer-to-peer backups with ZeroTier VPN


This is not yet a guide - juts my experiences so far.

Warning 1: This is something I’m still testing, but I thought I’d share in case others might be playing with it as well. It is NOT a suggestion for how you should set up your system (yet). :slight_smile:

Warning 2: This is SUPER overkill for a backup destination. Doing this will essentially put all devices attached to your ZeroTier network literally on the same network. So if you and a friend both have your own home networks AND connect over ZeroTier, you are at best giving your friend access to your computer as if they were on your home network and at worst (depending on your configuration) giving them access to your entire home network! (Consider this - are you constantly having to clean your friends computer of viruses? Then maybe this isn’t the solution for you-and-them…)

As with any VPN solution, you should be aware of what you are allowing to access your network and consider setting up a firewall to limit access across the ZeroTier IP range to only the ports needed for backups, only in the directions, and/or only for appropriate apps (like Duplicati.server).

ZeroTier DOES have “flow rules” that can be configured to work like a firewall. For example, if you know you are only using your ZeroTier VPN for Duplicati backups using an SFTP connection you could set up a flow rule that says something like “drop the ethernet frames if they are not over port 22” (assuming you are using 22 as your SFTP port).

Of course, using their “flow rules” means you’re trusting them to be your firewall. If you do trust them, then great! If not, it couldn’t hurt to ALSO set up your local firewall with similar rules. :slight_smile:

One feature that people (including myself) seem to really like about CrashPlan is (was) the ability to back up directly between two computers even if they weren’t on the same network (ignoring “the cloud” completely).

While Duplicati does not (as of canary) have that functionality built in, it can be approximated with third-party VPN tools such as OpenVPN or the ZeroTier VPN,

I’ve played with ZeroTier a bit and found it exceedingly easy to work with (especially compared to OpenVPN). Basically, it will create a virtual network of your own that runs on top of your regular network. Since it’s virtual, any devices can join as long as they can get to the internet.

Note that currently ZeroTier is open source and it is free for up to 100 devices using ZeroTier Central as the service to get all your virtual devices talking to each other. If you don’t want to be “at the mercy” of a third party controller, you can even run your own DIY ZeroTier Controller.

Before you ask, no - this is NOT a VPN like one could use to mask your location and all traffic is NOT routed through it (unless you do more configuring). This will make it look like your machine is on two DIFFERENT networks - your regular one and the virtual ZeroTier one. And they should ABSOLUTELY HAVE DIFFERENT IP ADDRESS RANGES.

As a reminder, this is a rough draft work-in-progress so I’m starting with what I did - which was to:

  • install the ZeroTier Docker container on my unRAID box
  • create a free ZeroTier account on their web site @
  • create a network (which automatically assigned me a 16 character hex Network ID that looked something like 3f72959a04d7c77)
  • choose an IP address range (such as 10.147.17.* or 192.168.193.* - as long as it’s DIFFERENT from your current IP ranges). For now lets say I chose 192.168.2.*
  • that’s it - the network as been created!

Adding my Windows PC to the network was simple:

  • I downloaded the msi install file from ZeroTier | Download ZeroTier One (they also have Mac, iOS, Android, Linux DEB/RPM, QNAP, Synology, libzt, MyCloud, FreeBSD, and OpenWRT links!)
  • installed the app and told it to run which brought up a window which allowed me to create or join a network
  • I joined my existing network by entering the 3f72959a04d7c77 address assigned earlier
  • I logged back into and clicked on my network
  • I scrolled down to the “Members” section and click the “Auth?” box next to the new machine (and gave it a useful name while I was at it)
  • that’s it - my Windows PC could now connect to my unRAID by via the ZeroTier IP address!

Running Duplicati over this connection was as simple as:

  • setting up my backup job with a Destination storage type of “Local folder or drive”
  • selecting “Manually type path” and entering “\<share name><backup path>”. For example: \\\Backups\Duplicati\MyPC. Remember, I’m working on Windows so have built in SMB capabilities and use back-slashes - I suspect you could also use FTP, SFTP, etc. for whatever server happens to be running at your ZeroTier destination box
  • finish the job setup as normal

That’s pretty much it! The job runs as normal thinking it’s working over a standard SMB connection.