“Back up your data before you continue!” Almost every tutorial where you mess with your data starts with it. And the question is always: how? For all the OS X users out there, there is Time Machine. It is an incremental backup mechanism that is neatly integrated into the OS. Backing up is done hourly and restoring data is easy (from a very fancy GUI). OS X supports the Time Capsule, external hard drives and some NAS devices as backup locations. These NAS devices are typically Linux-based and run some sort of netatalk, the open-source implementation of the AppleTalk protocol suite. I have a Netgear NAS running netatalk at home but had the problem that when I’m on the road, I can’t access the data (since I don’t want to drill a hole into my router’s firewall).
A virtual server was my solution to that. It is online 24/7, accessible from nearly everywhere and has a 100 Mbit/s connection. In this post I will describe how you set up a VPN to do backups via Time Machine on an AFP share. I’m using Debian Squeeze here, but the instructions should work on other distributions as well. First, we will configure a VPN to transfer the data securely and then create the AFP service within the new network.
Packages that you need (without dependencies):
OpenVPN creates network “tunnels” between groups of computers by encrypting all traffic between them. It is very useful for our purpose, since we don’t want the backup services to be publicly accessible. A virtual private network can become very complex, which is why we will focus on a simple scenario.
First, we have to install the packages.
OpenVPN comes with a set of tools called easy-rsa to create the necessary key infrastructure and configuration. We simply copy them to /etc/openvpn.
The next step is to alter the relevant values in /etc/openvpn/easy-rsa/2.0/vars. This is an example:
With the following commands we will then build the public key infrastructure.
All scripts will prompt you for additional information regarding the vars you set beforehand. The last command will generate the private key; the challenge password and company names are optional and can be left blank.
The server is now ready, let’s create the certificates for the client.
Last but not least, we have to generate the Diffie-Hellman parameters. They are used for the key exchange that securely agrees on the keys protecting each session.
Now we have all generated keys in /etc/openvpn/easy-rsa/2.0/keys/. The client needs the following files to authenticate to the server. Just copy them over to the client:
ca.crt
client1.crt
client1.key
On the server, the following files have to be copied to the /etc/openvpn directory.
The last step is to create the configuration for the OpenVPN server. We will use the sample configs provided with the package.
Great, restart OpenVPN.
The VPN server is now ready. For the client configuration I’d like to refer to the Linode tutorial.
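The following is an added example, not the sample config shipped with the package or the post’s own file: a small script that writes a server.conf equivalent to the trimmed-down sample and then checks that every certificate, key and DH file it references is actually present in the OpenVPN directory before you restart the daemon. The 10.8.0.0/24 subnet and the file names (ca.crt, server.crt, server.key, dh1024.pem, the default for easy-rsa 2.0’s KEY_SIZE=1024) are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own config): write a minimal OpenVPN server
# config and verify that the PKI files it points at exist.
# Assumed: subnet 10.8.0.0/24, easy-rsa 2.0 default file names.
set -eu

# write_server_conf <openvpn_dir> <subnet> <netmask>
write_server_conf() {
    dir=$1; subnet=$2; mask=$3
    cat > "$dir/server.conf" <<EOF
# Standard OpenVPN port, UDP, routed (tun) tunnel
port 1194
proto udp
dev tun
# PKI material copied from easy-rsa/2.0/keys (relative to this directory)
ca ca.crt
cert server.crt
key server.key
dh dh1024.pem
# Address pool for clients; the server takes the first address (10.8.0.1)
server $subnet $mask
keepalive 10 120
# Drop root privileges once the tunnel is up
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn-status.log
verb 3
EOF
}

# check_server_conf <openvpn_dir>: return 1 if any referenced file is missing
check_server_conf() {
    dir=$1
    missing=0
    # Pull the file names from the ca/cert/key/dh directives
    for f in $(awk '$1=="ca"||$1=="cert"||$1=="key"||$1=="dh" {print $2}' "$dir/server.conf"); do
        if [ ! -f "$dir/$f" ]; then
            echo "missing: $dir/$f" >&2
            missing=1
        fi
    done
    return $missing
}

# Usage on the server (as root):
#   write_server_conf /etc/openvpn 10.8.0.0 255.255.255.0
#   check_server_conf /etc/openvpn && /etc/init.d/openvpn restart
```

Running the check before the restart catches the classic mistake of forgetting to copy one of the files out of easy-rsa/2.0/keys; OpenVPN would otherwise refuse to start and the AFP daemon, which is bound to the VPN address later on, would have nothing to listen on.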
Netatalk is the open-source implementation of Apple’s AFP protocol. Since most distributions don’t build netatalk with encryption enabled, which OS X requires, we have to configure and build the package ourselves.
This is how you do it:
Another approach would be to install netatalk beta from an unofficial repository which is described here.
Now we have installed all dependencies and downloaded the source package to our home directory. From there we can build netatalk with encryption enabled; this may take a while. Encryption is needed since FileVault was introduced to OS X.
When the process is finished without errors (simply ignore the warnings), we can install the new package as follows:
As our new netatalk will have the same version number, Debian will overwrite it when an update is available. To prevent that, we will set the package state to hold.
Netatalk has lots of features which are enabled by default, but we only need a few of them. All daemons can be configured in /etc/default/netatalk. For AFP shares, set AFPD and CNID_META to yes; if you want to use a printer, enable PAPD.
Next, we configure the AFP daemon in /etc/netatalk/afpd.conf. Add the following at the bottom of the file or replace the existing line:
This setting makes the AFP daemon listen for TCP connections only on our private network, not on the public interface.
The last step is to tell the AFP daemon which volumes it should offer. This is described in the /etc/netatalk/AppleVolumes.default configuration file. Because we want Time Machine to work, add the following line:
This will create a share that can only be accessed by username and stores the data in /home/username/timemachine (you have to create this folder manually).
And finally, restart netatalk:
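As an added example of the three netatalk settings above (not the post’s own configuration lines), the script below switches the daemons in /etc/default/netatalk, binds afpd to the VPN address with only the encrypted DHX login methods, and declares the Time Machine volume. The variable names AFPD_RUN, CNID_METAD_RUN, PAPD_RUN and ATALKD_RUN are the ones Debian’s netatalk 2.x defaults file uses; the VPN address 10.8.0.1, the user name and the volume path are placeholders you replace with your own. It takes a root directory argument so you can try it in a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example (not the post's own config): apply the netatalk settings to
# files under <root> (use / on the real server, a temp dir to test).
# Assumed: VPN address, user name and volume path are placeholders.
set -eu

# set_daemon <defaults_file> <VAR> <yes|no>: rewrite one *_RUN line in place,
# appending it if the file does not have it yet (portable: no sed -i)
set_daemon() {
    file=$1; var=$2; val=$3
    if grep -q "^$var=" "$file"; then
        sed "s/^$var=.*/$var=$val/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        echo "$var=$val" >> "$file"
    fi
}

# configure_netatalk <root> <vpn_ip> <user> <volume_dir>
configure_netatalk() {
    root=$1; ip=$2; user=$3; vol=$4
    mkdir -p "$root/etc/default" "$root/etc/netatalk"
    defaults="$root/etc/default/netatalk"
    touch "$defaults"
    set_daemon "$defaults" AFPD_RUN yes        # the AFP file server itself
    set_daemon "$defaults" CNID_METAD_RUN yes  # CNID database daemon afpd needs
    set_daemon "$defaults" PAPD_RUN no         # printer sharing: not needed here
    set_daemon "$defaults" ATALKD_RUN no       # legacy AppleTalk/DDP transport

    # afpd.conf: TCP only, no DDP, bound to the VPN address, and only the
    # encrypted DHX/DHX2 user authentication modules (no cleartext login)
    cat >> "$root/etc/netatalk/afpd.conf" <<EOF
- -tcp -noddp -ipaddr $ip -uamlist uams_dhx.so,uams_dhx2.so
EOF

    # AppleVolumes.default: one volume, restricted to <user>,
    # dbd CNID backend and options:tm so Time Machine accepts it
    cat >> "$root/etc/netatalk/AppleVolumes.default" <<EOF
$vol "TimeMachine" allow:$user cnidscheme:dbd options:usedots,upriv,tm
EOF
}

# Usage on the server (as root), then restart netatalk:
#   configure_netatalk / 10.8.0.1 username /home/username/timemachine
```

Binding to the VPN address and restricting the UAM list are the two settings worth double-checking after the restart: `netstat -tlnp | grep 548` should show afpd listening on 10.8.0.1 only, never on the public address.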
Avahi is a free, open-source implementation of the Zeroconf methodology and will advertise all the services we have configured before. Apple’s implementation is Bonjour, which we will imitate using Avahi.
The installation is as simple as:
In /etc/nsswitch.conf we have to add mdns at the end of the line that starts with hosts:. It should then look like this:
The next step is to specify the shares we want to publish on the network. We therefore create the file /etc/avahi/services/afpd.service and put the following XML data into it.
It describes three services: the share itself, the device info and the information needed for the Time Machine mechanism to work properly. The string model=Xserve specifies how the device will look in Finder.
Now restart Avahi.
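The two Avahi steps above, as an added example rather than the post’s own files: one function appends mdns to the hosts: line of nsswitch.conf (and leaves the file alone if it is already there, so it is safe to re-run), the other writes afpd.service with the three services described. The _afpovertcp and _device-info entries follow the post; the _adisk TXT values (sys=waMa=0,adVF=0x100 and dk0=adVN=…,adVF=0x82) are the ones commonly used to advertise a Time Machine volume and are an assumption here, as are the volume name and the root directory argument.

```shell
#!/bin/sh
# Added example (not the post's own files): nsswitch.conf edit and the
# Avahi service file. Assumed: _adisk TXT record values, volume name.
set -eu

# enable_mdns <nsswitch_file>: append "mdns" to the hosts: line, once
enable_mdns() {
    file=$1
    if grep -q '^hosts:.*mdns' "$file"; then
        return 0   # already configured, keep the file unchanged
    fi
    sed 's/^\(hosts:.*\)$/\1 mdns/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# write_afpd_service <root> <volume_name>
write_afpd_service() {
    root=$1; volname=$2
    mkdir -p "$root/etc/avahi/services"
    cat > "$root/etc/avahi/services/afpd.service" <<EOF
<?xml version="1.0" standalone='no'?>
<!DOCTYPE service-group SYSTEM "avahi-service.dtd">
<service-group>
  <!-- %h is replaced by the host name -->
  <name replace-wildcards="yes">%h</name>
  <!-- 1: the AFP share itself -->
  <service>
    <type>_afpovertcp._tcp</type>
    <port>548</port>
  </service>
  <!-- 2: device info, decides which icon Finder shows -->
  <service>
    <type>_device-info._tcp</type>
    <port>0</port>
    <txt-record>model=Xserve</txt-record>
  </service>
  <!-- 3: disk record Time Machine looks for (assumed TXT values) -->
  <service>
    <type>_adisk._tcp</type>
    <port>9</port>
    <txt-record>sys=waMa=0,adVF=0x100</txt-record>
    <txt-record>dk0=adVN=$volname,adVF=0x82</txt-record>
  </service>
</service-group>
EOF
}

# Usage on the server (as root), then restart avahi-daemon:
#   enable_mdns /etc/nsswitch.conf
#   write_afpd_service / TimeMachine
```

The adVN value in the dk0 record must match the volume name you gave in AppleVolumes.default, otherwise the Mac sees the server but does not offer the volume as a backup target.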
Before you can use Time Machine, you have to enable unsupported network volumes in OS X; this is a hidden option. If you use a firewall, you also have to allow traffic on ports 548 (AFP) and 5353 (mDNS).
After that you are ready to go. Fire up the Time Machine system preferences and you should be able to choose the TimeMachine volume. Time Machine will then create a disk image on that volume (a sparsebundle) to cope with the different filesystem formats.
If you ever need to do a full system restore, run the following to mount the complete disk image. Hopefully you’ll never have to…