URBackup Server behind LAN via Cloudflare Tunnel

Hey Forum!

Help me a little please, because I don’t know if I’m doing it right or not. Probably not since it is not working…

  • We have several VPS and developer workstations around the world we wish to backup
  • We have one office with a LAN and on this LAN, we have a backup serrver.
  • On this backup server, I’ve hosted a URBackup Server accessable by the internal IP:PORT in the browser
  • Accessing the server from the outside world, I’ve set up a Cloudflare Tunnel to the proper internal IP:PORT and now it is accessaable via backup.mycompany.hu
  • With Cloudflare Tunnel the IP address of the server (both the internal and public) are masked and given a random IP always, but the domain is always reachable.

Now I don’t know if the clients can connect to the server via the domain name if it is “just” a cloudflare tunnel domain. So I was thinking about setting up the clients to connect straight to the public IP of the office. So, on my firewall I’ve forwarded the two ports required by URBackup towards the backup server.

My questions are:

  • How do I set up the clients to be internet servers? In the logs of the client I get: internet server not configured.
  • The client was installed by a bash script created by the server. I think it has the URL for connection instead of the public IP address of the server. Where can I check where does the client want’s to go?

Content of my /etc/default/urbackupsrv is:

# Defaults for urbackupsrv initscript
# sourced by /etc/init.d/urbackupsrv and /lib/systemd/system/urbackup-server.service
# installed at /etc/default/urbackupsrv by the maintainer scripts

# This is parsed as a key=value file

#Port for FastCGI requests

#Enable internal HTTP server
#       Required for serving web interface without FastCGI
#       and for websocket connections from client

#Port for the web interface
#(if internal HTTP server is enabled)

#Bind HTTP server to localhost only

#Bind Internet port to localhost only

#log file name

#Either debug,warn,info or error

#Temporary file directory
# -- this may get very large depending on the advanced settings

#Tmp file directory for sqlite temporary tables.
#You might want to put the databases on another filesystem than the other temporary files.
#Default is the same as DAEMON_TMPDIR

#Interfaces from which to send broadcasts. (Default: all).
#Comma separated -- e.g. "eth0,eth1"

#User the urbackupsrv process runs as

Content of a /etc/default/urbackupclient is:

# Defaults for urbackup_client initscript
# sourced by /etc/init.d/urbackupclientbackend
# installed at /etc/default/urbackupclient by the maintainer scripts

# This is parsed as a key=value file

#logfile name

#Either debug,warn,info or error

#Max size of the log file before rotation
#Disable if you are using logrotate for
#more advanced configurations (e.g. with compression)

#Max number of log files during rotation

#Tmp file directory

# Valid settings:
# "client-confirms": If you have the GUI component the currently active user
#                    will need to confirm restores from the web interface.
#                    If you have no GUI component this will cause restores
#                    from the server web interface to not work
# "server-confirms": The server will ask the user starting the restore on
#                    the web interface for confirmation
# "disabled":        Restores via web interface are disabled.
#                    Restores via urbackupclientctl still work

#If true client will not bind to any external network ports (either true or false)

Thanks for the help in advance !

I don’t run backups over internet, but since no answers, let me be your wall to bounce your ball off.

Not sure how that cloudflair service works, if it tunnels into your lan giving it a local ip you probably dont run internet mode, won’t the server detect the clients if you tunnel into your lan?

Have you set up the clients as internet/active clients or local/passive clients in the urbackup gui?

Don’t you have to manage each client in the server settings if you are running both active and passive clients?

Again, i don’t KNOW this, this is just to maybe give you ideas on how to solve it.

Thanks for the reply. I was just coming back to post the answer, I’ve figured out (do not laugh, but ChatGPT helped).

Cloudflare Tunnel does not work like that. It is similar to VPN, but instead of creating a virtual network interface to connect the server to the LAN, it is working more like TeamViewer, setting up a direct connection between two services. I had to install and run via docker a service with a proper token and then, Cloudflare forwards the connection directly to the device, I’ve set up. It is a neat thing. In private, I’m using it to access my NAS from anywhere.

So after reading and trying, I decided to ask ChatGPT. It pointed out a config file for me, that I had to edit. After that it was all clear. The file I was unaware of was /usr/local/var/urbackup/data/settings.cfg. This contained the information how to access the backup server as an internet server. Setting it up was a piece of cake. After it, I sadly realized, Cloudflare Tunnel does not allow to forward communication without a token, so I had to set my offices public IP as the internet server IP address, and create firewall rules to forward all communication on the URBackop ports towards the backup server in the LAN.

After I’ve done all this, the backup process began as it should be. Funny how I’ve been working on bash scripts for weeks, trying to achieve an extremely similar result to URBackups sollution and I even almost got it. Then I’ve found URBackup and I was like… eh… there goes a few weeks of work out the window :sweat_smile:

So Cloudflare Tunnel is only good to reach the WebUI without messing with the firewall settings. URBackup needs to point directly towards the server (could be via a proxy according to the settings, but Cloudflare is changing the IP behind the domain always and as I’ve said, it does not allow communication without the token. That is strictly set for HTTP and HTTPS by their side)

1 Like