diff --git a/docs/deployment/pull-backup.rst b/docs/deployment/pull-backup.rst index ce593cdb7..bceb37ba8 100644 --- a/docs/deployment/pull-backup.rst +++ b/docs/deployment/pull-backup.rst 
@@ -422,3 +422,61 @@ Parentheses are not needed when using a dedicated bash process. ``kill "${SSH_AGENT_PID}"`` Kill ssh-agent with loaded keys when it is not needed anymore. + +Remote forwarding +================= + +The ssh client allows to create tunnels to forward local ports to a remote server and also to allow remote ports to +be forwarded to local ports.borg + +This remote forwarding can be used to allow remote backup clients to access the backup server even if the backup server +usually cannot be reached by the backup client. + +This can even be used in cases where neither the backup server can reach the backup client and the backup client cannot +reach the backup server, but some intermediate host can access both. + +A schematic approach is as follows + +:: + + Backup Server (backup@mybackup) Intermediate Machine (john@myinter) Backup Client (bob@myclient) + + 1. Establish SSH remote forwarding -----------> SSH listen on local port + + 2. Starting borg create establishes + 3. SSH forwards to intermediate machine <------- SSH connection to the local port + 4. Receives backup connection <------- and further on to backup server + via SSH + +So for the backup client the backup is done via SSH to a local port and for the backup server there is a normal backup +performed via ssh. + +In order to achieve this, the following commands can be used to create the remote port forwarding: + +1. On machine `myinter` + +``ssh bob@myclient -v -C -R 8022:myclient:22 -N`` + +This will listen for ssh-connections on port `8022` on `myclient`. + +2. On machine `myclient` + +``borg create -v --progress --stats ssh://backup@localhost:8022/home/backup/repos/dogado /`` + +Make sure to use port `8022` and `localhost` for the repository as this instructs borg on `myclient` to use the +remote forwarded ssh connection. + +SSH Keys +~~~~~~~~ + +If you want to automate backups when using this method, the ssh `known_hosts` and `authorized_keys` need to be set up +to allow connections. 
+ +Security Considerations +~~~~~~~~~~~~~~~~~~~~~~~ + +Opening up SSH access this way can pose a security risk as it effectively opens remote access to your +backup server on the client even if it is located outside of your company network. + +All the additional security considerations for borg should be applied, see :ref:`central-backup-server` for some additional +hints.
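Review bot: The forwarding target in step 1 looks wrong. With ``-R 8022:myclient:22`` run on `myinter`, port 8022 on `myclient` is tunneled to `myinter` and from there connected to `myclient` port 22, so the ``borg create`` in step 2 against ``ssh://backup@localhost:8022`` lands on the client's own sshd and never reaches the backup server. To match the diagram the destination should be the backup server, for example ``-R 8022:mybackup:22``. The diagram also shows the forwarding being established from the backup server, while step 1 says to run the command on `myinter`; the two should agree. Smaller points in the same hunk: the first paragraph ends with a stray "borg" after "local ports.", the repository path ends in "dogado", which reads like a leftover from a local setup, and the "SSH Keys" section does not say on which host and for which user `known_hosts` and `authorized_keys` have to be set up.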