QNAP, SFTP, QuFTP, SSL Certs, and Everything Else

OK, I need a little bit of help here. I’ve been using Duplicacy (paid user) to update critical files from my Unraid server to a OneDrive account. Now, I purchased a QNAP NAS which is going to be deployed at a remote location (it is currently on my home network just to get things up and running).

I cannot for the life of me figure out what Duplicacy wants for keys and credentials when setting up an SFTP share. I tried watching this video: https://www.youtube.com/watch?v=KkjvfTxmYUM&t=16s and still can’t get things to work.

The QNAP QuFTP service works fine when I connect to it via FileZilla, but when I follow this guy’s instructions to the T I still get the error “Failed to create the sftp client: ssh: handshake failed: EOF”. Any help would be huge! Thanks.

What version of duplicacy GUI? What version of the Duplicacy CLI?

Can you connect to that storage with Duplicacy CLI using sftp backend? Do you get the same error? Does it work with sftpc backend?

Actually, to save time, just try the sftpc in the gui first. Maybe it will be sufficient.

I’m using version 3.1.0.

CLI…command line interface? I have not tried anything from the Command Line, I’ve only been trying in the GUI.

Actually…when I switch the port from the SFTP service to the SSH service I can see the public directory in the QNAP NAS using my username and password, but I cannot access the share I specifically created for backups.

Hmmm. SFTP works over SSH, unless it’s explicitly configured to use a different port. Ssh port shall work, in fact, you shall not need to specify port at all, default shall do.

That could be a quirk of ssh server on the NAS. Since you can access that folder and write data there with FileZilla, permissions must be ok; try using absolute path with duplicacy (this is in fact a necessity with Synology; perhaps qnap now needs similar trickery)

Instead of

sftp://user@host/path/to/folder

use (note //)

sftp://user@host//path/to/folder

And specify the absolute path on the NAS, e.g. /mnt/pool1/dataset; I don’t know where qnap mounts the storage.

When you’re adding a new storage, under “Storage configuration/SFTP” it asks for 5 things.
Server: I’ve been using the local IP address and port ‘192.168.39.114:21’ (I realize that when it gets deployed I’m going to have to use the DDNS address and that may open up a new can of worms, but one problem at a time)
Username: my default username is admin privileges
Password: my password for that username (this password seems to work when I change the port to the ssh port of 22 which allows me to see but not really use the default public share. The YouTube tutorial I linked to earlier says the password will need to change to the encrypt private key???)
Key File: I have no idea what Duplicacy is looking for here. I can easily download the Qnap private SSH key, and directed the key file to the SSLprivatekey.key file that is created, but it doesn’t seem to like what I’m giving it.
Directory: If everything works…I should be able to see the directory that I want to use for my Duplicacy storage, and yet can’t.

With ssh you can either use key based authentication (preferred over the internet) or password based authentication, among other things. You should not download qnap’s keys. Instead, you shall generate a key pair (with ssh-keygen), keep the private key secure on your duplicacy machine, and send the public key to the qnap with the ssh-copy-id command (this will write it to the authorized_keys file and configure correct permissions — if your .ssh folder permissions on the NAS are misconfigured ssh/sftp won’t work).
Or use password based authentication. Leave key text box empty.

This is the wrong port. Port 21 is ftp. You want port 22 (ssh/sftp). Or omit it altogether, to use the default 22.

I would not trust random YouTube tutorials, but I did not watch it.

Elaborate here. If you see the share, that means authentication works. Why can’t you use the share?

If you can see one share but not the other, it’s a qnap server problem, but you can work around it by configuring any share, then stop duplicacy and edit ~/.duplicacy_web/duplicacy.json to replace what you have configured in the ui with the sftp with correct absolute path, as described in the previous message.
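The reply above notes that misconfigured .ssh permissions on the NAS make key logins fail. As an added example (not from the thread, QNAP or Duplicacy), this Python check applies the ownership and write-bit tests that OpenSSH's StrictModes performs on the home directory, .ssh and authorized_keys; it assumes the NAS runs OpenSSH with StrictModes enabled, and the function name `audit_ssh_paths` is hypothetical.

```python
import os
import stat


def audit_ssh_paths(home, uid):
    """Return the problems that would make sshd ignore authorized_keys.

    Mirrors the StrictModes rule: each of home, home/.ssh and
    home/.ssh/authorized_keys must be owned by the user or root and
    must not be writable by group or others.
    """
    ssh_dir = os.path.join(home, ".ssh")
    key_file = os.path.join(ssh_dir, "authorized_keys")
    problems = []
    for path in (home, ssh_dir, key_file):
        try:
            st = os.stat(path)
        except FileNotFoundError:
            problems.append(f"{path}: missing")
            continue
        if st.st_uid not in (0, uid):
            problems.append(f"{path}: owned by uid {st.st_uid}, expected {uid} or root")
        if st.st_mode & 0o022:
            mode = stat.S_IMODE(st.st_mode)
            problems.append(f"{path}: mode {mode:04o} is group/world-writable")
    # authorized_keys itself must be a regular file, not a directory or device.
    if os.path.exists(key_file) and not stat.S_ISREG(os.stat(key_file).st_mode):
        problems.append(f"{key_file}: not a regular file")
    return problems


if __name__ == "__main__":
    # Run as the account Duplicacy logs in with, on the machine hosting sshd.
    found = audit_ssh_paths(os.path.expanduser("~"), os.getuid())
    for line in found:
        print("FAIL", line)
    if not found:
        print("OK: home, .ssh and authorized_keys pass the StrictModes checks")
```

This matters most when authorized_keys is uploaded with an SFTP client instead of ssh-copy-id, because the client's default file modes may be wider than sshd accepts.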

This is where I’m getting port 21 from. When I use port 22, I can access, but I can’t see any of my shares (except for @recycle). I’ve tried it with both SSL/TLS on and off…still no difference.

Again, ftp is not the same as sftp. It’s an entirely different service. Duplicacy does not support ftp, so that first part of the page is irrelevant.

You probably need to enable sftp:


Is this standard qnap configuration page or is it a third party app?

I would assume qnap already has built-in ssh server running (because this is off and yet you were able to connect on port 22), so nothing else is needed, except perhaps the workaround with absolute paths described in the previous message.

If this is indeed a third party app, and not a qnap built in one — you can either not enable sftp in it, and use qnap built in server, or enable it on a different (other than 22) port and use that with duplicacy. Perhaps this server will work better.

@saspus Yep! You’re right! I thought the QuFTP service was Qnap’s branding on their SFTP interface but apparently it isn’t. I used port 22 and my login credentials and was able to access the storage, but the share and the path I needed didn’t show up in the Duplicacy interface. I copied and pasted the path I wanted from Filezilla though and whammo…Everything worked as it should and I was able to make a backup to my Qnap.

Now, I haven’t set up a certificate yet or tried connecting to the NAS via DDNS, which I’m sure will be another headache, but for now I’m viewing this as a big first step.


So, a little update, I got SFTP working now with an encrypted SSH key. I used Putty Keygen to generate an ECDSA key and FileZilla to make an authorized_keys file inside of the .ssh directory (the qnap terminal didn’t seem to have nano installed). Pointed Duplicacy to an exported private key and BOOM! Success 🙌🙌🙌

Now my last hurdle is going to be accessing everything once I deploy it off-site. I’m guessing I could use the public IP and forward port 22? But I know the remote site doesn’t have a static IP so what would you recommend? I use some cloudflare tunnels to point to some containers in my UnRaid server using a domain I own…could that be an option here with Qnap? Qnap has their own cloud service that allows for easy remote access, but I can’t get it to work with Duplicacy.
Also, when you create a storage in Duplicacy, is there a way to edit it after the fact, or do I need to delete it and re-create it? Will Duplicacy automatically find my backups and re-integrate them?

Great!

DDNS. Since you already use cloudflare, you can use inadyn to keep A record on your cloudflare domain updated.

It’s probably not a good idea to push a lot of data through the cloudflare tunnels, unless you are on paid plan.

Another option is Zerotier. Install on all machines that need to connect and use mDNS names instead of IP addresses. This could be even better as you don’t have to expose your server, forward ports, manage DDNS, etc. This is especially great if there is one or few users: ddns and port forwarding is more suitable for hosting public services, which this isn’t.

I’ve been using Zerotier for a very long time, very successfully.

Yes, delete and recreate with the same name, so that schedules continue working.

Or you can edit ~/.duplicacy_web/duplicacy.json.

I would recreate in the UI — otherwise what’s the point of using ui if you’re still going to be messing with files.

@saspus your intellect is really something of a wonder to me! Thank you so much.

So, the Qnap has a DDNS service built in. It uses the address of <device_name>.myqnapcloud.com
I forwarded port 22 in my router, and can access SSH via Putty and SFTP via FileZilla no problem. However when I put that address into the “server” section of Duplicacy I get the following error:
“Failed to create the sftp client: ssh: handshake failed: The host key for ‘xxx.xxx.xxx.xxx:22’ has changed”

It’s pointing in fact to my IP address, and I’m thinking it should in theory work, right? I’ve tried both using my password and my certificate with passphrase.

No problem, I just happened to have dealt with a handful of services folks are using…

You would need to delete the known_hosts file, or nuke entire .duplicacy_web/repositories folder.

That file contains ssh host signatures, and if that changes ssh refuses to connect as a security measure.
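A narrower way to clear a "host key has changed" error than removing the whole file, as an added example that is not part of the thread or of Duplicacy's code: list the stored fingerprints, then drop only the entry whose key no longer matches a fingerprint read on the NAS itself. It assumes the known_hosts file holds one `host key-type base64-key` entry per line; the key blobs and the 203.0.113.10 address are constructed sample values.

```python
import base64
import hashlib


def fingerprint(b64_key):
    """OpenSSH-style SHA256 fingerprint of a base64 public-key blob."""
    digest = hashlib.sha256(base64.b64decode(b64_key, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def entries(text):
    """Yield (line_no, host, key_type, fingerprint) for each valid entry."""
    for n, line in enumerate(text.splitlines(), 1):
        fields = line.split()
        if len(fields) < 3 or fields[0].startswith("#"):
            continue
        try:
            yield n, fields[0], fields[1], fingerprint(fields[2])
        except ValueError:  # malformed base64: skip instead of trusting it
            continue


def prune(text, host, trusted_fp):
    """Drop only the entries for `host` whose key differs from trusted_fp."""
    stale = {n for n, h, _, fp in entries(text) if h == host and fp != trusted_fp}
    kept = [l for n, l in enumerate(text.splitlines(), 1) if n not in stale]
    return "\n".join(kept) + ("\n" if kept else ""), sorted(stale)


# Constructed sample: placeholder blobs, not real host keys.
OLD = base64.b64encode(b"constructed old host key").decode()
NEW = base64.b64encode(b"constructed new host key").decode()
SAMPLE = (f"203.0.113.10:22 ecdsa-sha2-nistp256 {OLD}\n"
          f"192.168.39.114 ecdsa-sha2-nistp256 {NEW}\n")

if __name__ == "__main__":
    trusted = fingerprint(NEW)  # in practice: read on the NAS, not over the network
    for n, host, ktype, fp in entries(SAMPLE):
        print(n, host, ktype, fp)
    new_text, removed = prune(SAMPLE, "203.0.113.10:22", trusted)
    print("removed lines:", removed)
```

The trusted fingerprint can be read on the NAS over the LAN or its console, for instance by running `ssh-keygen -lf` on its host public key file.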

FOUND IT!!!

In an UnRaid docker it’s located at “/cache/localhost/all/.duplicacy/known_hosts”

I deleted that file, re-created the storage item using Qnap’s DDNS address, and I am in business!! Using an encrypted SSL key, and so far seemingly without errors. We should collaborate to make a YouTube tutorial 🤣😂🤣😂
