On Thursday 30 July 2009 00:47:10, Keith Lofstrom wrote:
> On Wed, Jul 29, 2009 at 11:18:16PM +0200, Xavier Brochard wrote:
> > Hello
> >
> > I need to back up a client without a fixed IP (it changes randomly 2 or 3
> > times per week). The backup server is on the internet.
> >
> > I was wondering what is the best solution (regarding security, network
> > load and dirvish run):
> > - a push backup but mounting the backup disk with sshfs, dirvish on the
> >   client
> > - a pull backup, dirvish on the backup server, using dyndns.com or
> >   no-ip.com
> > - something else?
>
> Your remote clients should probably be talking to "home base" with
> an encrypted vpn tunnel to your firewall. Then you pull backups
> through the tunnel. Yes, it means more computation to do the tunnel
> encryption at both ends (and I run dirvish/rsync with ssh, so I am
> encrypting twice!). I have dynamic IP addresses on both ends, but
> my firewall establishes its external URL with dyndns (using one of
> the free subdomains), and remote clients talk to that. I have five
> remote clients, one is 3000km away.
>
> I use a small ALIX computer (from PC Engines) for my firewall, see
> http://wiki.keithl.com/index.cgi?SL5Alix
> Cheap, fast, low power, X86, runs my favorite distro, and has three
> 100Mbit ethernet ports, WAN/DMZ/LAN. It has built-in encryption
> hardware which works with SSL/OpenVPN, but my main site has only
> a 4Mbps connection. The ALIX CPU is fast enough for that, so I
> haven't made the kernel patch.
>
> Security is easy. When I detect something going wrong, I pull out
> the WAN connector.
>
> The one remaining issue is that user laptops move between the
> inside network and outside vpns. It is possible to tweak internal
> DNS so the backup server can always find them, but I haven't taken
> the time to implement that. If your remote clients are always on
> the same side of the firewall, this is not a problem.

I thought about a VPN at first and... forgot it when I discovered sshfs. Looks like I was wrong... what are the advantages compared to sshfs (in this case)?

Thank you for your help anyway.

Xavier
