Part 5 - Relocating Offsite#

If you haven’t already, complete Part 4 - Hyper Backup Configuration and Local Seeding before continuing. With a full backup on the rsyncd server, this part covers moving the server offsite and routing Hyper Backup through a proxy VM.

What We Are Doing#

There are four pieces of work in this part:

  1. Build a proxy VM on the home network. Enable BBR. Install Tailscale. Configure HAProxy.
  2. Install Tailscale on the rsyncd server.
  3. Physically move the rsyncd server to its offsite location.
  4. Update the Hyper Backup task to point at the proxy VM instead of the rsyncd server directly.

The order matters. Set up Tailscale before you move any hardware. Confirm end-to-end connectivity while everything is still on the LAN. That way if something is wrong you can fix it without driving anywhere.

This guide uses Tailscale MagicDNS so HAProxy can refer to the rsyncd server by hostname instead of IP. Make sure MagicDNS is enabled in your Tailscale admin console under DNS before continuing.

Step 1 - Proxy VM Setup#

The proxy server can live anywhere on your LAN, physical or virtual. Out of convenience, I run mine as a VM on Synology’s Virtual Machine Manager. Install Ubuntu Server, then continue below.

Enable BBR#

SSH into the proxy VM and run:

echo "net.core.default_qdisc=fq" | sudo tee -a /etc/sysctl.conf
echo "net.ipv4.tcp_congestion_control=bbr" | sudo tee -a /etc/sysctl.conf
sudo sysctl -p

Verify it is active:

sysctl net.ipv4.tcp_congestion_control
# Expected output: net.ipv4.tcp_congestion_control = bbr

Install Tailscale#

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Tailscale will print an authentication link. Open it in any browser and log in.

Configure HAProxy#

Install HAProxy:

sudo apt install haproxy -y
sudo nano /etc/haproxy/haproxy.cfg

Add the following. Replace rsync-server with the hostname of your rsyncd server as it appears in your Tailscale admin console:

frontend rsyncd_gate
    bind *:873
    mode tcp
    timeout client 1h
    default_backend rsyncd_offsite

backend rsyncd_offsite
    mode tcp
    timeout server 1h
    server offsite rsync-server:873 check

Enable and restart HAProxy:

sudo systemctl restart haproxy
sudo systemctl enable haproxy

Confirm it is running:

sudo systemctl status haproxy

How This Works#

The NAS sends its Hyper Backup job to the proxy VM’s LAN IP on port 873. HAProxy accepts that connection and opens a new one outbound to the offsite rsyncd over Tailscale. Two separate TCP sessions stitched at layer 4. The long-haul leg to the offsite server originates from the proxy VM, not from DSM, so it benefits from BBR.

The NAS never touches the internet directly. From Hyper Backup’s perspective, it is just talking to a local rsyncd server.

Step 2 - Install Tailscale on the rsyncd Server#

SSH into the rsyncd server and run:

curl -fsSL https://tailscale.com/install.sh | sh
sudo tailscale up

Authenticate when prompted.

Confirm the machine registered under the expected hostname:

tailscale status

The hostname shown here is what HAProxy will use to reach this server. It defaults to the system’s hostname. If it does not match what you put in haproxy.cfg, either rename the node in the Tailscale admin console or update the HAProxy config and restart the service:

sudo systemctl restart haproxy

Verify End-to-End Connectivity#

From the proxy VM, test that HAProxy is correctly forwarding to the rsyncd server over Tailscale. Replace <proxy-vm-lan-ip> with the proxy VM’s own LAN IP:

rsync rsync://synology@<proxy-vm-lan-ip>/backup

Enter the password when prompted. You should see a listing of the files already seeded in Part 4. If you do, HAProxy is correctly forwarding to the rsyncd server through Tailscale.

Do this test while the rsyncd server is still on the LAN. It confirms the proxy path works before you physically move anything.

Step 3 - Move the rsyncd Server Offsite#

Shut down the rsyncd server cleanly:

sudo shutdown -h now

Unplug it and move it to its offsite location along with the USB hard drive. Plug it in, connect it to the network, and power it on.

When it boots, a few things should happen automatically:

  • The USB hard drive mounts via the fstab entry from Part 2.
  • rsyncd starts automatically because it was enabled in Part 3.
  • Tailscale reconnects using the credentials from Step 2.

Verify each of these from the proxy VM:

# Tailscale sees it
tailscale status

# rsyncd is reachable through HAProxy
rsync rsync://synology@<proxy-vm-lan-ip>/backup

If the listing comes back the same as when the server was on the LAN, the move was successful.

Step 4 - Update Hyper Backup#

Open Hyper Backup on the NAS. Find your existing backup task (the one from Part 4) and edit its settings.

Change the Server name or IP field from the rsyncd server’s LAN IP to the proxy VM’s LAN IP. Leave everything else alone.

Save the task. Run it manually to confirm it works end-to-end.

Upload Speed Cap Now that the backup is running over your residential internet connection, consider setting an upload speed limit in Hyper Backup’s settings to prevent it from saturating your uplink.

Verify the First Incremental Backup#

The first run after relocation will be a normal incremental, not a full backup. It should be small and quick, transferring only changes since the seed.

Test a restore from the offsite destination. Before trusting this setup long term, confirm you can restore at least one file now that the server is offsite.

Local Restore Tip: If you need to restore a large amount of data, bring the rsync server back onto your local network and update your Hyper Backup job to point to its local IP address. This avoids the bandwidth and time constraints of restoring over the internet.

Backward Part 4 - Hyper Backup Configuration and Local Seeding