# Proxmox Backup Server on a Hetzner arm64 debian 12 VPS

Tags: proxmox debian homelab linux selfhosting hetzner

Reading time: 3 minutes

Description: Installing Proxmox Backup Server on an arm64 VPS from Hetzner using a storage box as datastore and connecting it with a site-to-site VPN.

Thanks to:
https://github.com/wofferl/proxmox-backup-arm64

# Wireguard setup

sudo apt install wireguard

wg genkey | sudo tee /etc/wireguard/privatekey | wg pubkey | sudo tee /etc/wireguard/publickey

in /etc/wireguard/network.conf

 1
 2
 3
 4
 5
 6
 7
 8
 9
10

[Interface]
PrivateKey = <private key of the VPS>
Address = <address of the VPS in the VPN network>

[Peer]
PublicKey = <public key of the VPN server>
PreSharedKey = <optional - pre shared key>
Endpoint = <VPN server endpoint ip:port>
AllowedIPs = 10.0.0.0/8
PersistentKeepalive = 25

• AllowedIPs = 10.0.0.0/8 - route all traffic from 10.x.x.x addresses trough the VPN

• PersistentKeepalive = 25 - send a keepalive signal every 25 seconds

• systemctl enable --now wg-quick@network - connect the VPN after the system starts

# Proxmox Backup Server

• sudo apt install dpkg-dev curl
• wget https://github.com/wofferl/proxmox-backup-arm64/raw/main/build.sh
• chmod +x build.sh
• cd packages
• sudo apt install ./libjs-extjs_*_all.deb ./libjs-qrcodejs_*_all.deb ./libproxmox-acme-plugins_*_all.deb ./pbs-i18n_*_all.deb ./proxmox-backup-docs_*_all.deb ./proxmox-backup-server_*_arm64.deb ./proxmox-mini-journalreader_*_arm64.deb ./proxmox-widget-toolkit_*_all.deb ./proxmox-termproxy_*_arm64.deb ./pve-xtermjs_*_all.deb

# Storage box setup

## SSH Key setup

• create an SSH key with ssh-keygen -t ed25519
  • leave the password empty
• add the key to the storage box with ssh-copy-id -i <path to your key> -p 23 -s uXXXXX@uXXXXX.your-storagebox.de
  • make sure you can connect to your storage box with ssh uXXXXX@uXXXXX.your-storagebox.de -p 23 -i <path to your key>

## Connecting the storage box

• create mount point for the storage box
  • for example mkdir -p /mnt/storagebox
• in /etc/fstab add uXXXXX@uXXXXX.your-storagebox.de:/home /mnt/storagebox fuse.sshfs port=23,uid=34,gid=34,umask=007,nosuid,nodev,_netdev,rw,reconnect,allow_other,IdentityFile=<path to your ssh key>,sync_readdir,dir_cache=no,no_readahead,sshfs_sync,max_conns=1 0 0

Note that uid and gid are set to 34. This is a hard requirement since PBS accesses the datastore with the backup user (having uid and gid 34).

• mount the storage box with mount -a
• test read and write permissions

# Configuring the remote sync

## Creating the datastore (with some trickery to get around sshfs restrictions…)

• create a temporary datastore on the VPS itself (not on the mounted storage box!)
  • for example in /mnt/datastore
• stop PBS with systemctl stop proxmox-backup proxmox-backup-proxy
• move the datastore on the filesystem to the storage box using mv /mnt/datastore /mnt/storagebox/
  • ignore the “preserver ownership .. permission denied” error
• wait a bit this takes some time even with an empty datastore
• change the path to the new destination (/mnt/storagebox/datastore) in the datastore entry (/etc/proxmox-backup/datastore.cfg)
• after moving and changing the config, restart the PBS using systemctl start proxmox-backup proxmox-backup-proxy
• check if the datastore appears in the web ui

## User setup

• create a new user for your PBS you want to sync FROM (reffered to as A in the following text)
• create a new user for your PBS you want to sync TO (reffered to as B in the following text)

## Permission setup

• on the server your want to sync FROM:

  • create a new user permission for user B with:
    • Path: /datastore/<datastore to sync>
    • User: B
    • Role: DatastoreBackup
  • and another one with:
    • Path: /remote
    • User: B
    • Role: RemoteSyncOperator

• on the server you want to sync TO:

  • create a new user permission for user A with:
    • Path: /datastore/
    • User: A
    • Role: DatastoreBackup

## Remote setup

• add a new remote on the server you want to sync TO with:
  • Remote ID: <arbitrary ID>
  • Host: <ip or domain of the server to sync FROM>
  • Fingerprint: <fingerprint of the server to sync FROM>
  • Auth ID: A
  • Password: <password from user A>

## Sync Job setup

• [optional]: create a namespace on the datastore you want to sync TO
• in the datastore on the server you want to sync TO:
  • add a new Sync Job with:
    • Local Namespace: <either Root to sync directly into the datastore or any existing namespace>
    • Local Owner: A
    • Source Remote: <remote created above>
    • Source Datastore: <datastore to sync FROM (dropdown should list available ones from the server you want to sync FROM)>
    • Source Namespace: <namespace to sync FROM>
• test with the button Run now