From charlesreid1

Revision as of 08:32, 1 April 2017

Server

  • Server:
    • Adding secure rsync protocol
    • Setting up rsync server config (which dir to rsync to)
    • Running rsync service
    • Setting up stunnel config
    • Running stunnel service

Rsync

Configure Rsync Server

On the server, we want to run an rsync daemon that will listen for incoming requests to synchronize files. The daemon will compare incoming files to the current copies of files, and update any changes it does not have.

To run an rsync daemon, edit the rsync config file at /etc/rsyncd.conf.

In the config file you will set the name of your module, which has a specific data directory on the server. You can potentially have multiple clients syncing to multiple locations on the server by using multiple modules, but we are just using one.

See rsyncd.conf in https://charlesreid1.com:3000/rpi/pi-transmission

Running Rsync Server

Once you have set the rsync configuration file, the rsync daemon will run like any standard system service.

$ sudo service rsync start

Adding TCP Wrappers for Secure Rsync Protocol

The next thing we need to do is give the system a bit more information about the protocol we are using. Rsync is just TCP traffic, so we can define a new service and tell the system what port and protocol it uses. We do this using /etc/services.

Add the following line to the server's /etc/services (match it exactly):

ssyncd 273/tcp # secure rsync over stunnel

(Optional: may need to add this to /etc/hosts.allow but this messed things up for me:

ssyncd : A.B.C.D

where A.B.C.D is the server's IP address.)

See https://charlesreid1.com:3000/docker/d-stunnel/src/master/stunnel.server.rsync_over_273.conf for details

Stunnel Server for Rsync

Configure Stunnel Server for Rsync

The rsync daemon will run on port 873. The stunnel connection we will set up will be over port 273. The stunnel configuration file will accept connections on 273 and connect them to port 873.

Note these require the rsync service to be defined following the above steps.

Server stunnel.conf file for rsync over port 273:

output	= /var/log/stunnel4/stunnel.log
cert	= /etc/stunnel/stunnel.fullchain.pem
key		= /etc/stunnel/stunnel.key.pem
pid		= /var/run/stunnel4/stunnel.pid
client	= no

debug = 7
foreground = yes

[rsync]
accept = 273
connect = 873

See https://charlesreid1.com:3000/docker/d-stunnel/src/master/stunnel.server.rsync_over_273.conf

Running Stunnel Server for Rsync

Just start it up with the stunnel command.

To see what's happening and troubleshoot, you can also add debug = 7 and foreground = yes to the config file.

Opening Server Firewall to Stunnel

Open the firewall to incoming connections on the stunnel rsync port (273):

[server] $ iptables -A INPUT -p tcp --dport 273 -j ACCEPT
[server] $ iptables -A FORWARD -p tcp -j ACCEPT --dport 273 -m state --state NEW
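
The server steps above only work if /etc/services, the stunnel config and the rsync port agree with each other. The following check is an added example, not part of the original page: the function names and the "global" pseudo-section are hypothetical, and the private-key permission test is an extra check that the page does not describe.

```shell
#!/bin/sh
# Added example, not from the original page. Names are hypothetical.

# Print KEY from [SECTION] of a stunnel config; SECTION "global" means the
# options that appear before the first section header.
stunnel_get() {  # usage: stunnel_get FILE SECTION KEY
    awk -v sec="[$2]" -v key="$3" '
        BEGIN         { cur = "[global]" }
        /^[ \t]*[;#]/ { next }
        /^[ \t]*\[/   { gsub(/[ \t]/, ""); cur = $0; next }
        cur == sec {
            split($0, kv, "=")
            k = kv[1]; gsub(/[ \t]/, "", k)
            if (k == key) { v = kv[2]; gsub(/[ \t]/, "", v); print v; exit }
        }' "$1"
}

# Print the TCP port registered for service NAME in a services file.
services_port() {  # usage: services_port FILE NAME
    awk -v name="$2" '$1 == name && $2 ~ /\/tcp$/ {
        sub(/\/tcp$/, "", $2); print $2; exit }' "$1"
}

# Check the server setup: returns 0 if consistent, 1 (with messages) if not.
check_server() {  # usage: check_server STUNNEL_CONF SERVICES_FILE
    rc=0
    accept=$(stunnel_get "$1" rsync accept);   accept=${accept##*:}
    connect=$(stunnel_get "$1" rsync connect); connect=${connect##*:}
    mode=$(stunnel_get "$1" global client)
    key=$(stunnel_get "$1" global key)
    svc=$(services_port "$2" ssyncd)
    [ "${mode:-no}" = "no" ] ||
        { echo "FAIL: server needs client = no, found '$mode'"; rc=1; }
    [ -n "$accept" ] && [ "$accept" = "$svc" ] ||
        { echo "FAIL: accept='$accept' but ssyncd is '$svc' in services"; rc=1; }
    [ "$connect" = "873" ] ||
        { echo "FAIL: connect='$connect', rsync daemon listens on 873"; rc=1; }
    # Addition beyond the page: the private key must not be world-readable.
    [ -z "$(find "$key" -perm -004 2>/dev/null)" ] ||
        { echo "FAIL: $key is world-readable"; rc=1; }
    return "$rc"
}
```

After sourcing the file, run check_server with the path of the stunnel config and /etc/services; it prints one FAIL line per mismatch and returns non-zero if any were found.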

Client

  • Client:
    • Adding secure rsync protocol
    • No rsync setup needed
    • Setting up stunnel config
    • Running stunnel service
    • Running rsync over stunnel

Rsync

Configuring Rsync

No rsync setup is needed for the client. Woo hoo!

Running Rsync

No rsync background service runs on the client, so when you want to run rsync, you just call the rsync command directly.

See https://git.charlesreid1.com/rpi/pi-transmission

The rsync script in that repo contains the actual rsync commands.

Adding TCP Wrappers for Secure Rsync Protocol

Edit the /etc files again, as on the server. See the repo.

Stunnel

Configuring Stunnel Client for Rsync

Client stunnel over rsync configuration file goes here.

Running Stunnel Client for Rsync

The usual - run stunnel using the stunnel command.

To monitor what is happening use debug = 7 and foreground = yes.


Debugging

Debugging problems with the two interacting stunnel-rsync layers can get tricky. Here's a good workflow.

Debugging stunnel

First, if you want to see what stunnel is actually doing, add the following to the stunnel configuration file:

debug = 7
foreground = yes

These will run stunnel in the foreground and print out lots of information. You can run this in a terminal window, then open another window and run rsync commands. You should see activity in the stunnel window, indicating it is initiating a connection with the server and passing traffic.

You can do the same thing on the server to monitor the server instance of stunnel, so if you need to troubleshoot a problem on the server side, edit the server stunnel configuration file and add the debug and foreground options.

Debugging rsync

If you are confident stunnel is working properly and that the problem is with rsync, you can monitor rsync using the system log. rsync does not log to its own log file.

By running tail -f /var/log/syslog on the server in a window, then running rsync over stunnel commands in another, you should see messages about rsync activity showing up in the syslog. This should also give you more helpful and descriptive information when things go wrong, and help you diagnose the error.
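
The workflow above amounts to deciding which layer failed before digging into it. The sketch below is an added example, not part of the original page: it classifies a saved stunnel debug log. The function names are hypothetical, the sample log lines are constructed, and the message wording it matches is assumed from stunnel 5.x output and may differ in other versions.

```shell
#!/bin/sh
# Added example, not from the original page. Matched message wording is an
# assumption (stunnel 5.x style) and may need adjusting for other versions.

# Classify a stunnel debug log for one service (default: rsync).
triage_stunnel_log() {  # usage: triage_stunnel_log LOGFILE [SERVICE]
    log=$1; svc=${2:-rsync}
    if ! grep -q "Service \[$svc] accepted connection" "$log"; then
        echo "no-connection"    # nothing reached stunnel: firewall, port, client config
    elif grep -q "LOG3.*SSL_accept:" "$log"; then
        echo "tls-handshake"    # TLS failed: certificate, key or client mode
    elif grep -q "s_connect: connect .*Connection refused" "$log"; then
        echo "backend-refused"  # stunnel is fine; rsync daemon is not listening
    else
        echo "tunnel-ok"        # traffic was passed on; look at rsync in syslog
    fi
}

# List peer addresses seen by stunnel. The rsync daemon behind the tunnel
# sees every connection as coming from 127.0.0.1, so the real client
# address is only available here.
tunnel_clients() {  # usage: tunnel_clients LOGFILE [SERVICE]
    log=$1; svc=${2:-rsync}
    sed -n "s/.*Service \[$svc] accepted connection from \(.*\):[0-9]*\$/\1/p" \
        "$log" | sort -u
}

# Constructed sample (not captured from a real server): the TLS side worked,
# but nothing is listening on port 873.
sample=$(mktemp)
cat > "$sample" <<'EOF'
2017.04.01 08:32:10 LOG5[0]: Service [rsync] accepted connection from 192.0.2.10:51234
2017.04.01 08:32:10 LOG3[0]: s_connect: connect 127.0.0.1:873: Connection refused (111)
EOF
triage_stunnel_log "$sample"    # prints backend-refused
tunnel_clients "$sample"        # prints 192.0.2.10
rm -f "$sample"
```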



  • Debugging:
    • How to debug stunnel
    • How to debug rsync
    • Workflow for checking connections while running commands


