Secure Data Backup with OpenVPN and TrueCrypt

Note: This article mentions TrueCrypt, which has since been discontinued. The content of this article might still be interesting conceptually, but please use alternative storage options to securely store your files.


Backing up data securely, mainly for private persons, is always a hassle. Having an external disk still does not prevent data loss in case of a burglary, or when the disk and the laptop leave the house at the same time… the usual paranoia.

However, fast internet connections allow backups to internet services (there are tons of online backup solutions available) or to other private persons. Taking the second option, the issues are usually (1) how do I securely get my data to the other person’s computer and (2) how do I make sure my data are stored securely there.

Secure Backup – Tools

My solution uses quite a simple, but very effective approach: OpenVPN provides the secure connection over the internet, robocopy (or a similar sync tool) synchronizes the files, and the backup files are stored in a TrueCrypt container.

OpenVPN – Setup over a broadband connection

Generally, the installation guidelines can be found in the HowTo section of the OpenVPN website. However, sometimes it’s easier to have shorter guidelines, as in the following procedure:

  1. Download OpenVPN (Community Edition) from the OpenVPN Website.
  2. Install the OpenVPN software on both computers.
  3. Decide one computer to be the server, the other the client to connect to the server.
  4. Now we need to create the keys. OpenVPN provides an easy-rsa directory in the installation folder. To do so, call the following .bat files:
    • init-config.bat
    • Now edit vars.bat and create a sub-directory called keys (also make sure KEY_DIR in vars.bat is set to keys as well).
    • clean-all.bat
    • build-ca.bat (creates the CA certificate)
    • build-dh.bat
    • build-key-server.bat <MachineName> (builds the private key/certificate for the server)
    • build-key <MachineName> (builds the key files for the client, run this for every client you wish to connect to the server)
    • Finally copy the following files to each of the clients (over a secure channel!): ca.crt plus that client’s own <MachineName>.crt and <MachineName>.key
  5. In the installation folder there’s a directory called sample-config with sample configurations for server and client respectively. Copy client.ovpn for the client computer and server.ovpn for the server computer to the config directory of the installation folder.
  6. Open the .ovpn file in a text editor and adjust it. Mainly the values for ca, cert and key need to be adjusted in both the server and the client configs.
    Example for ca.crt would be:
    ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
  7. The server config additionally has the settings dh (adjust this to point to the dh*.pem file created before) and server. server specifies the VPN’s private network. Make sure you use a network different from the one the server or any of the clients are in (usually 192.168.0.x or 192.168.1.x), e.g. 192.168.123.0 with a subnet mask of 255.255.255.0. The correct value for the server parameter would then be:
    server 192.168.123.0 255.255.255.0
  8. Now access the broadband router of the server’s computer. You need to configure the forwarding from the external public port to the computer/port where the OpenVPN server is running; in the router settings it is usually called “virtual server”, “port forwarding” or “DMZ”. There add the public port 1194 (the default) and set the internal computer/port to your server and port 1194. Forward the protocol your config uses: the sample configs use UDP unless you changed proto to tcp.
  9. The client additionally has the setting remote. Set it to the public IP and port of the server. The easiest way to find the IP is to visit www.whatismyip.com from the server’s computer. With dynamic IP addresses, this setting would need to be adjusted before every connection, or a service like dyndns.org can be used.
  10. Now start the server (either the Windows service if you’ve installed it as a service; otherwise openvpn-gui.exe is a handy tool).
  11. Now start the client. It should connect, and you’re in the same network as the server (which you should be able to ping). If not, try the command “telnet <remote-ip-address> <remote-port>” (this test only works when the server is configured with proto tcp; the sample config default is UDP, which telnet cannot test). If it connects, the server is running correctly and the error is in the client config. If it does not connect, the server is not yet running correctly.
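As an added example (not part of the original article), here are the two configuration files that steps 5 to 9 produce, with the values used above. The certificate names myserver and laptop stand for the <MachineName> values given to build-key-server.bat and build-key, the dh file name follows KEY_SIZE in vars.bat, and vpn.example.com is a placeholder for the server’s public IP or dyndns name; all of these are assumptions to be replaced with your own.

```conf
# server.ovpn (added example based on the sample-config layout, not the article's own file)
port 1194
# the sample config default; change to tcp if you want the telnet test in step 11 to work
proto udp
dev tun
ca   "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
# myserver = <MachineName> given to build-key-server.bat (assumption)
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\myserver.crt"
key  "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\myserver.key"
# file name depends on KEY_SIZE in vars.bat (dh1024.pem for KEY_SIZE=1024)
dh   "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh1024.pem"
# VPN network from step 7; the server itself becomes 192.168.123.1
server 192.168.123.0 255.255.255.0
keepalive 10 120
persist-key
persist-tun
verb 3

# client.ovpn (added example)
client
dev tun
proto udp
# public IP or dyndns name of the server from step 9 (placeholder)
remote vpn.example.com 1194
resolv-retry infinite
nobind
ca   "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
# laptop = <MachineName> given to build-key for this client (assumption)
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\laptop.crt"
key  "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\laptop.key"
persist-key
persist-tun
verb 3
```

Both files must agree on proto and on the port the router forwards; a mismatch there is the usual reason the client does not connect even though the server runs fine. The client only ever needs ca.crt and its own certificate and key, never the server’s key or the CA’s private key.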

TrueCrypt and Robocopy – simple but efficient backup

As mentioned before, the data are “out of the house”, so storing them securely is highly recommended. There are tons of disk-encryption tools on the market. Due to its ease of use and its high reputation I’m recommending TrueCrypt (open source software and therefore free to use).

The same goes for copying. Robocopy, a tool from Microsoft’s Windows Server 2003 tools, is easy and free to use as well.

  1. Download TrueCrypt and Robocopy.
  2. Create a TrueCrypt container using the GUI wizard on the disk where you’ll store your backup files. Keep the password or keyfiles you used to yourself.
  3. Connect to the OpenVPN server as described above and make sure the VPN connection is correctly working.
  4. Mount the network share on the OpenVPN server (or actually any computer in the same VPN) where the TrueCrypt container is located.
  5. Mount the TrueCrypt container. Note that it is only mounted locally on your computer; nobody on the other computer is able to view your data, only the encrypted (and therefore useless) TrueCrypt container.
  6. Synchronize your local files to the mounted TrueCrypt container.
    The options I usually use are /E and /PURGE. This synchronizes the two file systems, so it also deletes files on the target that no longer exist locally.
    robocopy.exe C:\MyFiles X:\backup\ * /E /PURGE /R:3 /W:3 /NP /LOG:backup.txt
  7. When done, unmount the TrueCrypt Container.
  8. Disconnect from the VPN connection.
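Steps 3 to 8 collected in one PowerShell script, as an added example rather than the article’s own procedure. It assumes the VPN server is 192.168.123.1 (the first address of the network from the OpenVPN section), that it exports a share called backup containing the container file backup.tc, that TrueCrypt is installed in its default folder, that the local data live in C:\MyFiles, and that the VPN itself has already been started with the OpenVPN GUI; the TrueCrypt command-line switches /v, /l, /d and /q are the ones documented for TrueCrypt, everything else is an assumption to adjust.

```powershell
# Added example: run the TrueCrypt/robocopy backup over an existing OpenVPN connection.
# Assumptions (adjust to your setup): VPN server = 192.168.123.1, share name = backup,
# container file = backup.tc, TrueCrypt in its default install folder, local data in C:\MyFiles.
$VpnServer  = '192.168.123.1'
$Share      = "\\$VpnServer\backup"
$ShareDrive = 'Y:'
$Container  = "$ShareDrive\backup.tc"
$VolDrive   = 'X'                          # letter TrueCrypt will mount the container on
$Source     = 'C:\MyFiles'
$Target     = "${VolDrive}:\backup"
$TrueCrypt  = 'C:\Program Files\TrueCrypt\TrueCrypt.exe'
$LogFile    = Join-Path $env:USERPROFILE 'backup.txt'

# Wait until a path appears or disappears (TrueCrypt returns before the user has typed
# the password into its dialog, so we poll instead of trusting the process exit).
function Wait-ForPath([string]$Path, [bool]$ShouldExist, [int]$TimeoutSec = 120) {
    $deadline = (Get-Date).AddSeconds($TimeoutSec)
    while (((Test-Path $Path) -ne $ShouldExist) -and ((Get-Date) -lt $deadline)) {
        Start-Sleep -Seconds 2
    }
    return ((Test-Path $Path) -eq $ShouldExist)
}

# Step 3: make sure the VPN is actually up before touching anything
# (the server's firewall must allow ICMP echo for this check).
if (-not (Test-Connection -ComputerName $VpnServer -Count 2 -Quiet)) {
    throw "VPN peer $VpnServer not reachable; connect with the OpenVPN GUI first."
}

# Step 4: map the share that holds the container (non-persistent, so nothing is remembered).
net use $ShareDrive $Share /persistent:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "Could not map $Share" }

try {
    # Step 5: mount the container locally. The password is typed into TrueCrypt's own dialog;
    # deliberately no /p on the command line, where it would be visible in the process list
    # and in the PowerShell history. /q performs the action without showing the main window.
    Start-Process -FilePath $TrueCrypt -ArgumentList "/v `"$Container`" /l $VolDrive /q"
    if (-not (Wait-ForPath "${VolDrive}:\" $true)) { throw "TrueCrypt volume was not mounted" }

    try {
        # Step 6: the article's robocopy line. /E /PURGE (the same as /MIR) mirrors the tree,
        # so a file deleted locally is also deleted in the backup on the next run.
        robocopy $Source $Target /E /PURGE /R:3 /W:3 /NP "/LOG:$LogFile" | Out-Null
        # robocopy exit codes are bit flags: 8 = some files failed, 16 = fatal error;
        # values 0-7 only report what was copied, extra or mismatched.
        if ($LASTEXITCODE -ge 8) {
            throw "robocopy reported failures (exit code $LASTEXITCODE), see $LogFile"
        }
        Write-Host "Backup finished, robocopy exit code $LASTEXITCODE, log in $LogFile"
    }
    finally {
        # Step 7: always dismount, even when robocopy failed, so the plaintext view disappears.
        Start-Process -FilePath $TrueCrypt -ArgumentList "/d $VolDrive /q"
        if (-not (Wait-ForPath "${VolDrive}:\" $false)) {
            Write-Warning "Volume ${VolDrive}: is still mounted; dismount it in TrueCrypt"
        }
    }
}
finally {
    # Step 8 (first half): drop the share mapping. Disconnecting the VPN itself is done in the
    # OpenVPN GUI, as in the article.
    net use $ShareDrive /delete /y | Out-Null
}
```

Because /PURGE mirrors deletions, an accidental local deletion (or a ransomware-encrypted source tree) is copied into the backup on the next run; keeping an older container or running without /PURGE now and then gives a way back. Checking the robocopy exit code is what turns a silent partial copy into a visible failure, which is the point of logging to backup.txt in the first place.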