Running Duplicati from destination machine

Ken · February 5, 2022, 10:06am

Hi,

A family member is firmly committed to Duplicati, and we’d like to use do a back up to my Windows PC (DESTINATION) I’m highly unsure about how to secure Windows appropriately (even with WSL) and my IP address also changes much more frequently than the host linux machine where the data is.

I was wondering if it was possible in Duplicati to log in from the DESTINATION PC to the HOST machine. This would solve a lot of my issues. With WSL I can use the linux version of the software as well if that helps.

Many thanks,
Ken

xblitz · February 5, 2022, 11:01pm

No, but yes.
Duplicati is designed as client side backup program: it should be installed in the source pc and configured to log in to destination (PC, cloud…). But a dirty trick is use the network share folders: you must share dorectory wich you will back up and guarantee the access by the destination PC. Finaly, in the destination PC you must set up duplicati to backup the directory shared above.

JimboJones · February 6, 2022, 2:10pm

Hi Ken, welcome to the forums.

There are a few ways to get this working, here’s my suggestion. First off, as stated here, providing you’re on the same LAN (or VPNed into the same LAN) you can access the Web GUI from another machine but I’m not sure you’ll need it once setup. This all presumes that both machines are in the same LAN (or VPN).

“The service includes a full user interface that can be accessed with a browser on http://localhost:8200/. As the server does not use TLS (aka SSL), the server will only respond to requests from the local machine. If you wish to use the server from another machine, make sure that you add the commandline option --webservice-interface=any when starting the server, such that it listens for requests from any machine. If you enable this option, make sure you take precautions to ensure that the machine cannot be access from the internet, as the service is not security hardened, and should NEVER be exposed directly to the internet.”

Just to clarify so long as you don’t DMZ the host or port forward 8200 from the WAN to the hosts LAN IP, the exposure should only exist internally on your LAN and so long as you trust the rest of your LAN to not mess with it there is very little risk in doing so. You could also just use VNC or the like to remote directly into the source machine.

As with anything offering a service, life is much simpler and much more reliable when they are assigned a static IP address. If you need help deriving a usable static IP for your network let me know.

So long as your computer (destination) has a static IP, doesn’t go to sleep and has a shared folder that’s accessible to the other computer (Everyone with Write perms) it should be fine for it to act as the destination. Using the Everyone group for security is not at all secure but exposure should be limited to your LAN. “Better security” can certainly be had but it will require a bit more setup and IMO is only worth it if you don’t trust the users on your LAN.

The big down fall to using the Everyone group is that anyone connected to the LAN can access the folder and delete the backups. Providing the backups are encrypted, the contents will be protected from peeking eyes. They can delete the files but can’t see what’s in them. Like anything security related, it’s all about balance.

On the other end (source) mount that shared folder and tell Duplicati to use that mount location as the destination. A static IP on this machine is not required but helpful if you do want to access the Web GUI.

Once setup as above there should be very little to do in the future other than check the backup logs. I can’t see any benefit to involving WSL at this point but I may have missed a detail. Hope this helps and if you have any questions fire away.

ts678 · February 6, 2022, 5:46pm

@xblitz and @JimboJones are doing a terrific job with this, so I’ll just add a couple of extra comments.

I wasn’t sure if anyone had done this, but a forum search suggests that some people have it up that way…

Consider your restore plan. Duplicati prefers to restore to a system like it backed up from, in terms of drive letters, slash direction, metadata, and so on. One can sometimes mix operating systems, but it’s not ideal.

SMB is sometimes unreliable. It’s unknown why, and I’m not sure if Windows or Linux clients get hit worse.

For protecting Duplicati’s web server, one option is a user interface password, but it’s not strong protection because by default traffic isn’t encrypted, or an Internet attacker might attack the server in some other way.

Ken · February 8, 2022, 9:37pm

Thanks everyone for all your suggestions and advice. I see some things here which may be doable.

I should clarify that I’m not on the same LAN (not even the same country), but that a VPN was something we were going to look into for other things anyway.

With respect to the static IP, my ISP is quite firm on only giving them to business customers, but reports suggest that it’s approximately static.

We have experience in mounting shared folders so that may be a very viable plan.

I’ll talk this over with the fam and see what he says.

Thanks again!

Ken · March 21, 2022, 8:08pm

Hi all;

The solution we’re going with at the moment is for me to mount the server PC on my PC, and then run duplicati on my PC.

I’m unconvinced of the real benefits of this, but the fam doesn’t want a straight rsync.

Just thought I’d update on where we ended up.

Thanks again
Ken

Xavron · March 22, 2022, 11:18am

Can’t you just install Duplicati onto the remote machine and have it run from itself?

There’s a point here where security is completely broken. I think you may have reached it. If when mounting it, if its directly accessible then you have zero security on the backups. It relies on the computer you’re mounting it on to have perfect security and never be compromised.