Regular backup of OPNsense config to a local NAS (via SMB)?

Started by aleco, September 29, 2024, 06:16:28 PM

Hi everyone, I've been using OPNsense for about a month, so I'm still a new user. Apologies if I'm missing something obvious.

I'm looking for the best way to regularly back up the OPNsense configuration (including plugin configs like Zenarmor) to my local NAS, preferably via SMB. I noticed there's an option to back up to Google Drive, and there are plugins for Nextcloud and Git, but I don't have a Git or Nextcloud server. My goal is to back up the OPNsense config to my NAS, which I already back up to the cloud (encrypted).

Does anyone have a script or cron job that achieves this? I'm surprised there's no built-in option in the GUI for local NAS backups, and unfortunately, I'm not familiar with writing shell scripts (especially when it comes to adding error alerts).

Any advice or examples would be greatly appreciated. Thanks in advance!

You could run a cron job on your NAS (if that feature is available) to pull the configuration via SSH. That's the simplest way I can think of. Personally I'm using push to Nextcloud. Has the bonus that I always have a synced copy on my laptop via Nextcloud client, in case I have to replace a unit without Internet access.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thanks for the info! So it looks like the GUI only supports Google Drive, Nextcloud, and Git for backups. There's no built-in rsync option either, as far as I can tell.

Unfortunately, I have zero knowledge of writing Linux shell scripts, so if anyone has a working script (ideally with error alerts), I'd really appreciate it. I imagine I'm not the only one looking to back up to a local server. I'm kind of surprised OPNsense doesn't include such a backup feature out of the box.

I'm a bit worried that one day my OPNsense NVMe drive might crash, and I'd have to set up OPNsense from scratch, which is why I really want to get a proper backup going. As for Google Drive or Nextcloud, I've never really felt the need for either. I use iCloud. I don't have any extra hardware for running a Nextcloud instance, and I prefer not to use additional Google services. Plus, I would like to have my OPNsense backup in the same place I have all other backups too – my NAS, which uses rclone to sync to the cloud.

As for my NAS, I'm using OpenMediaVault, and there doesn't seem to be a GUI for regularly pulling files via SSH either.


What brand of NAS are you using? I'm running a git server on my Synology, and using that as backup. There's an official Synology package for that (I'm using a different one but it shouldn't matter).

Quote from: zz00mm on September 29, 2024, 09:03:25 PM
I haven't used this util in a couple of years and it does work with OPNsense..
https://github.com/KoenZomers/pfSenseBackup
Thanks. I'm a bit unsure if I really want to try that tool. No real documentation, mostly made for Windows, hardly any users, very few commits in the past years, old github issues mentioning that updating OPNsense breaks it and no alerting if the backup fails. But thanks, I will keep it in mind as last resort.

Quote from: troplin on September 29, 2024, 09:55:17 PM
What brand of NAS are you using? I'm running a git server on my Synology, and using that as backup. There's an official Synology package for that (I'm using a different one but it shouldn't matter).

My NAS is running Open Media Vault (plus rclone), currently on a Pi 4. I'm planning to merge multiple Pis running different services (e.g. Home Assistant) into a single Mini-PC with Proxmox. And as my needs for SMB are very, very limited, I'd probably replace Open Media Vault by simply enabling Samba in Proxmox. I just use it for storing backups and syncing these to the cloud.

So there's really not the shell script people are using for local backups? How strange.

You don't even need a script; it's as little as a single command to copy something between Unix-like systems.

scp source destination
https://man.freebsd.org/cgi/man.cgi?query=scp&sektion=1

e.g.

scp root@192.168.1.1:/conf/config.xml .


This one logs in via ssh and copies config.xml to the current directory (.). Just put some datetime variable into there, use ssh keys, and put that line into a cronjob and you are essentially done.

E.g.


scp root@192.168.1.1:/conf/config.xml /opt/backups/opnsense_config_$(date +%Y%m%d_%H%M%S).xml


As cronjob (mind that you need SSH key authentication set up for automation. Your Raspberry Pi needs to log into the OPNsense unattended; also note that % is special in a crontab line and must be escaped as \%)


0 1 * * * scp root@192.168.1.1:/conf/config.xml ~/config_$(date +"\%Y\%m\%d").xml >/dev/null 2>&1
Hardware:
DEC740

Quote from: Monviech on September 30, 2024, 06:58:11 AM
This one logs in via ssh and copies config.xml to the current directory (.). Just put some datetime variable into there, use ssh keys, and put that line into a cronjob and you are essentially done.
Thanks a lot! The only question left is how to get alerted if something goes wrong. I had this exact issue with an automated Home Assistant backup to my NAS a while back—when I changed the NAS's IP address, the scheduled backups from Home Assistant to it stopped working. Since there was no alert in place, I didn't notice for weeks. Luckily, I caught it by accident and fixed it before anything happened.

That's exactly what I'm trying to avoid this time. I was hoping there's a script that includes error notifications so I don't miss any issues in the future.

If your NAS system is configured to send email, then failing cron jobs should generate a mail with the error message.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Patrick M. Hausen on September 30, 2024, 09:47:28 AM
If your NAS system is configured to send email, then failing cron jobs should generate a mail with the error message.
Thanks, I'll look into that. Until now, I thought it was the system's job to push the data to the backup destination and send an alert if something went wrong. That made sense to me, since the system knows what needs to be backed up and can pick the best time when files aren't being modified.

But you're all suggesting it's actually the backup destination's responsibility to pull the data and manage alerts if something fails. This is quite different from what I expected, and the opposite of what I've experienced with OpenMediaVault and Home Assistant, which are the only two services I'm currently running. I'm also surprised, as I assumed backup destinations in general (and especially cloud-based ones) are passive and just store data.

You can decide who has responsibility.

There are many different ways to reach the same goals.

You could even use the OPNsense API to pull a backup, which would be more secure than SCP since you do not need elevated rights.

https://docs.opnsense.org/development/api/plugins/backup.html

In German but just as reference:
https://andersgood.de/kurz-notiert/opnsense-per-api-verschluesseltes-backup-der-konfiguration-anlegen
Hardware:
DEC740
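Putting the two pull approaches from this thread together (scp as root, as in the post above, and the os-api-backup endpoint linked in this one), here is an added example of the NAS-side script that also covers what aleco asked for: it validates what it fetched, keeps a rotated set of copies, and fails loudly so cron mail (or a mail command) carries the error. This is not OPNsense code and not from any poster. The host, backup directory, KEEP=30, the credential-file layout, the alert address and the script name are assumptions; the API path is the download endpoint from the os-api-backup plugin docs linked above, so check it against that page. The API variant needs only an API user with backup rights, the scp variant still logs in as root.

```shell
#!/bin/sh
# opnsense-pull.sh: pull OPNsense config.xml to a NAS, validate, rotate, alert.
# Added example for this thread; all settings below are assumptions for illustration.
set -eu

OPN_HOST="${OPN_HOST:-192.168.1.1}"
BACKUP_DIR="${BACKUP_DIR:-/srv/backups/opnsense}"
KEEP="${KEEP:-30}"                 # dated copies to keep
METHOD="${METHOD:-scp}"            # scp (SSH as root) or api (os-api-backup plugin)
ALERT_MAIL="${ALERT_MAIL:-}"       # empty: only log to stderr and exit non-zero
# METHOD=api: curl netrc file, mode 0600, one line:
#   machine 192.168.1.1 login <api key> password <api secret>
API_CRED_FILE="${API_CRED_FILE:-/root/.opnsense-netrc}"
CA_FILE="${CA_FILE:-}"             # CA that signed the OPNsense web cert (avoid curl -k)

backup_name() {   # $1 = UTC timestamp YYYYmmdd_HHMMSS -> sortable file name
  echo "opnsense_config_$1.xml"
}

alert() {   # $1 = message: always to stderr (cron mails it), optionally by mail
  echo "opnsense-backup: $1" >&2
  logger -t opnsense-backup "$1" 2>/dev/null || true
  if [ -n "$ALERT_MAIL" ] && command -v mail >/dev/null 2>&1; then
    printf '%s\n' "$1" | mail -s "OPNsense config backup FAILED on $(hostname)" "$ALERT_MAIL"
  fi
}

fetch_config() {   # $1 = destination path
  case "$METHOD" in
    scp)
      # Unattended: key auth only, never prompt, refuse a changed host key.
      scp -q -o BatchMode=yes -o StrictHostKeyChecking=yes \
          "root@$OPN_HOST:/conf/config.xml" "$1" ;;
    api)
      # Credentials come from the netrc file, not the command line (ps-visible).
      curl -fsS --max-time 60 --netrc-file "$API_CRED_FILE" \
           ${CA_FILE:+--cacert "$CA_FILE"} \
           -o "$1" "https://$OPN_HOST/api/backup/backup/download" ;;
    *) echo "unknown METHOD: $METHOD" >&2; return 2 ;;
  esac
}

validate_config() {   # $1 = path; 0 only if it looks like a complete config.xml
  [ -s "$1" ] || { echo "empty or missing: $1" >&2; return 1; }
  head -c 5 "$1" | grep -q '^<?xml' || { echo "not XML: $1" >&2; return 1; }
  grep -q '<opnsense>' "$1" || { echo "no <opnsense> root: $1" >&2; return 1; }
  # A transfer that died halfway still starts correctly; check the closing tag too.
  tail -c 200 "$1" | grep -q '</opnsense>' || { echo "truncated: $1" >&2; return 1; }
}

count_backups() {   # $1 = dir
  ls "$1"/opnsense_config_*.xml 2>/dev/null | awk 'END { print NR }'
}

prune_old() {   # $1 = dir, $2 = keep; timestamps in names make lexical order chronological
  ls "$1"/opnsense_config_*.xml 2>/dev/null | sort -r | awk -v keep="$2" 'NR > keep' |
    while read -r f; do rm -f "$f"; done
}

main() {
  umask 077                        # config.xml holds password hashes, PSKs and API keys
  mkdir -p "$BACKUP_DIR"
  tmp="$BACKUP_DIR/.incoming.$$"
  dest="$BACKUP_DIR/$(backup_name "$(date -u +%Y%m%d_%H%M%S)")"
  if ! fetch_config "$tmp"; then
    rm -f "$tmp"; alert "fetch from $OPN_HOST via $METHOD failed"; return 1
  fi
  if ! validate_config "$tmp"; then
    rm -f "$tmp"; alert "file fetched from $OPN_HOST is not a complete config.xml"; return 1
  fi
  mv "$tmp" "$dest"
  prune_old "$BACKUP_DIR" "$KEEP"
  echo "ok: $dest"
}

# Only runs the backup when called as ./opnsense-pull.sh run, so the functions can be sourced.
if [ "${1:-}" = "run" ]; then main; fi
```

Cron entry on the NAS, assumed: `0 1 * * * /usr/local/bin/opnsense-pull.sh run`, with MAILTO set in the crontab so that, as Patrick says, any run that exits non-zero and prints an error gets mailed; do not add `>/dev/null 2>&1` or the alert is lost. The validation step is what catches the silent failure aleco describes: a changed IP, a revoked key or an expired API credential makes fetch_config fail, and a half-written file fails the closing-tag check instead of overwriting a good copy.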

Quote from: aleco on September 30, 2024, 11:29:45 AM
I'm also surprised, as I assumed backup destinations in general (and especially cloud-based ones) are passive and just store data.
You are correct. But then you have to live with the push targets OPNsense offers.

Pulling via SSH gives you a "no additional infrastructure necessary" way to achieve the same. And my impression was that was your primary concern.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Quote from: Monviech on September 30, 2024, 11:48:45 AM
You could even use the OPNsense API to pull a backup, which would be more secure than SCP since you do not need elevated rights. [...] In German but just as reference:
https://andersgood.de/kurz-notiert/opnsense-per-api-verschluesseltes-backup-der-konfiguration-anlegen

Oh yes, that's very helpful, thanks. The page you linked mentions monit, so I will look into that too.

Quote from: Patrick M. Hausen on September 30, 2024, 11:58:20 AM
Pulling via SSH gives you a "no additional infrastructure necessary" way to achieve the same. And my impression was that was your primary concern.

That's right, my main goal is simplicity. But I also have the secondary goal of understanding the common logic behind it, as it affects how I think about setting things up in the future.

IT isn't my profession, and ideally, I won't log into OPNsense frequently. I see network services as "set up and forget." So I can already picture myself scratching my head trying to remember where the backup is configured in a few months (or years). I will try to find the configuration somewhere in OPNsense GUI, then I might google for it and find this thread, to finally remember that the logic is actually on a different server. :)

Quote from: aleco on September 30, 2024, 12:15:42 PM
Quote from: Monviech on September 30, 2024, 11:48:45 AM
You could even use the OPNsense API to pull a backup, which would be more secure than SCP since you do not need elevated rights. [...] In German but just as reference:
https://andersgood.de/kurz-notiert/opnsense-per-api-verschluesseltes-backup-der-konfiguration-anlegen

Oh yes, that's very helpful, thanks. The page you linked mentions monit, so I will look into that too.
But it's also "pull" and needs a script that runs on the server that stores the backup, not on OPNsense.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I've been trying to set up config backups to my nas via ssh, and I'm running into an issue where the public key is being wiped after reboot. Seems the .ssh folder isn't persistent across reboots.