Using a storage VPS as a Time Machine (Mac OS) backup volume

Buried deep in the HostHatch thread there was a little interest in setting up a storage VPS as a Time Machine backup destination. So I took some notes on how I did it. My solution uses SMB running in a Docker container via a Wireguard VPN tunnel. It's working for me on a 2014 iMac running Big Sur, Debian 10 on the server.

Install Wireguard on server, here using @Nyr's installer. As root:

wget https://git.io/wireguard -O wireguard-install.sh
bash wireguard-install.sh

Enter your desired port. This example uses 54321; you can use anything you want.
Enter a VPN user name. This user name is just used to name the generated Wireguard config file.

Install failed for me on a clean Debian 10 KVM VPS at first - the kernel module failed to build. Had to install linux-image-amd64 package, reboot, apt-get upgrade again. No idea if any extra shenanigans would be required for OpenVZ.

Open WireGuard port on your server firewall if you're using one.

ufw allow 54321

Install WireGuard on Mac from App Store
New Empty Tunnel...
Enter server name, tick On-Demand - Ethernet / Wi-Fi as appropriate. You'll probably want to select at least one of these to auto-connect on login / boot.
In the config section, replace the entire existing configuration with the contents of <VPN user name>.conf generated on the server by wireguard-install. It should be found in the directory from which you ran the script.
Comment out (#) or delete the DNS line from the [Interface] section.
Change AllowedIPs in the [Peer] section to be the same as the Address in the [Interface] section. This should prevent anything but traffic to/from the VPN subnet from using the tunnel.

Set up SMB server on VPS

(as root)
This assumes you have a non-root user to run the Docker container.

apt install docker docker-compose
usermod -aG docker <docker user>

Technically you might not need docker-compose for this simple setup. But you'll use it for lots of Docker tasks eventually so might as well install it.
If you have an existing shell you'll need to log out and log in again to pick up the group change.

(as docker user)
Pick a directory to store your backups (/host/path/to/backupdir in the example below). If this directory doesn't exist, docker will create it for you when you first run the container. This assumes you want to store the backups as a bind mount owned by your docker user on the host. You could instead use a Docker volume with different -v syntax, and the TM_UID / TM_GID wouldn't have to match your Unix user.

The container creates an SMB user "timemachine". You could change this with the TM_USERNAME environment variable. See https://github.com/mbentley/docker-timemachine for lots more details on configuration options. There is a fair bit of voodoo involved in getting Time Machine to play nice with Samba so I didn't mess with much. These settings worked for me at the time of posting.

docker run -d --restart unless-stopped \
  --name timemachine \
  --hostname timemachine \
  -p 10.7.0.1:445:445 \
  -e CUSTOM_SMB_CONF="false" \
  -e CUSTOM_USER="false" \
  -e DEBUG_LEVEL="1" \
  -e HIDE_SHARES="no" \
  -e EXTERNAL_CONF="" \
  -e MIMIC_MODEL="TimeCapsule8,119" \
  -e TM_USERNAME="timemachine" \
  -e TM_GROUPNAME="timemachine" \
  -e TM_UID=$(id -u) \
  -e TM_GID=$(id -g) \
  -e PASSWORD="yoursupersecretpassword" \
  -e SET_PERMISSIONS="false" \
  -e SHARE_NAME="TimeMachine" \
  -e SMB_INHERIT_PERMISSIONS="no" \
  -e SMB_NFS_ACES="yes" \
  -e SMB_PORT="445" \
  -e SMB_VFS_OBJECTS="fruit streams_xattr" \
  -e VOLUME_SIZE_LIMIT="1 T" \
  -e WORKGROUP="WORKGROUP" \
  -v /host/path/to/backupdir:/opt/timemachine \
  -v timemachine-var-lib-samba:/var/lib/samba \
  -v timemachine-var-cache-samba:/var/cache/samba \
  -v timemachine-run-samba:/run/samba \
  mbentley/timemachine:smb

Note the 10.7.0.1. Docker bypasses existing firewall rules e.g. ufw. Without that, port 445 would be exposed to the Internet no matter what ufw says. In my case I only want to expose it through the tunnel, so we have to tell Docker to only listen on that one address. This address should be the server's address on the VPN subnet, i.e. the address that appears under "[Interface] Address" in /etc/wireguard/wg0.conf.
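An added example, not from the original post: a small POSIX shell script that automates the two client config edits (comment out DNS, set AllowedIPs to the [Interface] Address) and pulls the server's VPN address out of a wg0.conf for the Docker -p bind, so port 445 never lands on the public IP by accident. The conf contents are a constructed sample in the shape wireguard-install produces; the key placeholders and vps.example.com endpoint are not real, and the conf paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the original post). Derives the Mac-side tunnel config
# from the client .conf and the Docker bind address from a WireGuard conf.

# Print the Address value from the [Interface] section, e.g. "10.7.0.2/24".
wg_interface_address() {
    awk '
        /^\[/ { in_iface = ($0 ~ /^\[Interface\]/) }
        in_iface && /^[ \t]*Address[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); print; exit }
    ' "$1"
}

# Rewrite a client conf for the Mac: comment out DNS and set AllowedIPs to the
# [Interface] Address, so only VPN-subnet traffic is routed through the tunnel.
mac_tunnel_conf() {
    addr=$(wg_interface_address "$1")
    awk -v addr="$addr" '
        /^[ \t]*DNS[ \t]*=/        { print "#" $0; next }
        /^[ \t]*AllowedIPs[ \t]*=/ { print "AllowedIPs = " addr; next }
        { print }
    ' "$1"
}

# First IPv4 address in [Interface] with the prefix stripped: run this against the
# server's /etc/wireguard/wg0.conf to get the address for "-p <ip>:445:445".
docker_bind_ip() {
    wg_interface_address "$1" | sed 's/ *,.*//; s|/.*||'
}

# Constructed sample client conf (placeholders, not real keys or endpoint).
SAMPLE_CONF=$(mktemp)
trap 'rm -f "$SAMPLE_CONF"' EXIT
cat > "$SAMPLE_CONF" <<'EOF'
[Interface]
Address = 10.7.0.2/24, fddd:2c4:2c4:2c4::2/64
DNS = 8.8.8.8
PrivateKey = <client private key placeholder>

[Peer]
PublicKey = <server public key placeholder>
PresharedKey = <preshared key placeholder>
AllowedIPs = 0.0.0.0/0, ::/0
Endpoint = vps.example.com:54321
PersistentKeepalive = 25
EOF

mac_tunnel_conf "$SAMPLE_CONF"   # paste this output into the Mac WireGuard app
# On the VPS: docker_bind_ip /etc/wireguard/wg0.conf  ->  10.7.0.1 (assumed subnet)
```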

Back on the Mac, in Finder, Cmd-K to connect to server.
Enter server address of smb://10.7.0.1
Enter username = timemachine, password = yoursupersecretpassword from above.
You should now be able to go to System Preferences / Time Machine and see your server (e.g. "TimeMachine on 10.7.0.1") as a backup destination. You probably want to set encrypted backups since this is the Internet after all.

To have this all work automatically after a reboot, you'll have to enable the VPN On Demand checkboxes for Ethernet and/or Wi-Fi in the Wireguard tunnel config, so the tunnel is always available.

That covers the backing up part. Restoring is a different ball game. Simple restores of individual files or folders using the Time Machine interface should "just work" (TM) if everything is operational. Restoring from a complete failure or to a new computer is more tricky since we used the VPN tunnel. I can think of a few options.

1) Clean install macOS with a temporary user account, install Wireguard and set up tunnel, mount SMB share via tunnel, then run Migration Assistant to copy apps and user data from the existing backup. This has the advantage of not needing additional hardware, but doesn't restore the OS portion of the backup, only the apps and user data. And I believe you'd lose the ability to go back into the old backup to retrieve specific versions of files if you need that.

2) Change the docker config to listen on the public IP address and connect to the SMB share without the tunnel. This should be OK for short term use - SMB security isn't that bad nowadays. You should be able to connect to the network share (using the timemachine / yoursupersecretpassword from earlier) directly from the restore step where you pick the backup disk. Advantage - no extra hardware required. Disadvantage - exposing your SMB server to the Internet.

3) On a separate computer, or on the clean install as in #1, mount the SMB share via the tunnel, or copy the backup directory from the server some other way (e.g. scp). Copy the Backups.backupdb from within the .sparsebundle to the root level of a local external hard disk formatted HFS+. Plug that disk into the Mac and restore from that.

4) If you have a separate computer on your LAN that is already set up as a Time Machine backup destination, you could do something there that sets up the tunnel, mounts the server via NFS or SMB and re-shares it to the Mac using whatever protocol you already had in place (AFP or SMB). This might actually be a "cleaner" long term solution from the Mac's point of view - no Wireguard involved at all. Disadvantage - if it's a portable Mac, you couldn't back up or restore from outside your LAN.

I think #3 would be easiest for a bare metal restore, although personally I like clean installs every now and then anyway so I'd go with #1 if possible.

Also note that I am not an expert on any of this, so there may be better ways to do some or all of it. In particular, maybe the Samba configuration could be improved - it took many days to complete the initial 400 GB backup from my iMac. Suggestions are welcome.
