Here I am.
Made some other tests on the Core system: every attempt to establish a semi-automatic SSH connection to the Scale main system still fails with the same TLS error; trying the manual way, the SSH connection seems established (both by hostname and by IP), I can retrieve the remote host key, but every attempt to access the datasets while setting up the task fails with an authentication error.
I have already tried to reset all keypairs on both systems, tried generating new ones, tried to upload the txt directly to the admin user, tried to use one generated from the Core on the Scale... but nothing changes there.
With the other Scale system I do practically the same operations. And every attempt to create the task (either manual or semi-automatic) ends with the "Access denied to replication.list_datasets" error.
Found this thread too; I'm not using Tailscale... but I'm using WireGuard... even though I was using it before the upgrade too, I tried disabling it and still no change.
The SSH user you're connecting as needs permission to execute zfs commands.
The easiest option is to add "/usr/sbin/zfs" to the Allowed sudo commands with no password field in the user settings:
You need to do this on the machine that you designated as On a Different System in the replication settings. The user that you need to change is the one that you configured in the SSH Connection settings.
Please note that doing this does give the user full access to the entire system. But that is also what the semi-automatic option does.
Then make sure you have activated the Use Sudo For ZFS Commands setting in the replication task.
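The sudo rule the reply describes, in its least-privilege shape, plus two checks to run from a terminal before retrying the replication task. This is an added example, not code from the thread or from TrueNAS: on TrueNAS the user-settings field writes the rule for you, and the sudoers part here is what that field amounts to on a plain Debian-style host. The user name "repl", the host "scale.example", the key path and the zfs location are assumed placeholders.

```shell
#!/bin/sh
# Added example (not from the thread or TrueNAS). Assumptions, all placeholders:
# replication user "repl", zfs at /usr/sbin/zfs, target host "scale.example",
# key file ~/.ssh/repl_ed25519.

ZFS_BIN="${ZFS_BIN:-/usr/sbin/zfs}"

# The rule: one user, root only, no password, exactly one binary. Not "ALL".
sudoers_line() {
  printf '%s ALL=(root) NOPASSWD: %s\n' "$1" "$2"
}

# Write it as a drop-in, but only after visudo accepts the syntax
# (a broken sudoers file can lock every admin out of sudo).
install_sudoers() {
  user="$1" cmd="$2"
  tmp=$(mktemp) || return 1
  sudoers_line "$user" "$cmd" > "$tmp"
  if visudo -c -f "$tmp" >/dev/null 2>&1; then
    install -m 0440 -o root -g root "$tmp" "/etc/sudoers.d/${user}-zfs"
    rc=$?
  else
    echo "sudoers syntax check failed, not installing" >&2
    rc=1
  fi
  rm -f "$tmp"
  return $rc
}

# Read `sudo -l` output on stdin; succeed only if every rule line is
# "(root) NOPASSWD: <zfs>" and nothing grants ALL. The "Allow all sudo commands"
# checkbox shows up here as "(ALL) NOPASSWD: ALL" and is rejected.
sudo_scope_ok() {
  awk -v zfs="$1" '
    /^[[:space:]]*\(/ {
      rules++
      if ($0 !~ ("^[[:space:]]*\\(root\\)[[:space:]]+NOPASSWD:[[:space:]]+" zfs "[[:space:]]*$")) bad++
    }
    END { exit (rules > 0 && bad == 0) ? 0 : 1 }'
}

# From the pulling system: does the key log in, and can the user run zfs via
# sudo non-interactively? BatchMode makes a rejected key or a sudo password
# prompt fail at once with a concrete error instead of hanging.
check_remote_zfs() {
  host="$1" user="$2" key="$3"
  ssh -i "$key" -o BatchMode=yes -o IdentitiesOnly=yes "$user@$host" \
    "sudo -n $ZFS_BIN list -H -o name -d 0 && sudo -l" | sudo_scope_ok "$ZFS_BIN"
}

if [ "${1:-}" = "--check" ]; then
  check_remote_zfs "${2:-scale.example}" "${3:-repl}" "${4:-$HOME/.ssh/repl_ed25519}" \
    && echo "ok: key login works and sudo is limited to $ZFS_BIN"
fi
```

Even restricted to one binary, the user can run any zfs subcommand (destroy, receive onto any dataset, change mountpoints), so treat that key as root-equivalent for the pool: give it its own key, never reuse an admin key for it, and restrict the source with a `from=` option in authorized_keys.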
Allow all sudo commands and Allow all sudo commands with no password are already checked, so I can't add a specific command (should be unnecessary in this case?).
I'm starting to see something changing. At least for the other Scale system.
I enabled the root account (inherited from Core, disabled according to the migration path guide), created the SSH connection with it... and it worked as expected.
So the things are simple:
Importing the Core config deletes the truenas_admin prebuilt user and other prebuilt groups, and this breaks something. If so, I can't understand how I'm the only one impacted and no one else on the forum reports this problem.
Or I have made some mistake setting up the new admin. I'm just giving him everything possible, following the guide; those steps don't seem fancy or hard.
Actually I have recreated the truenas_admin group too, with the same GID; nothing changed.
I'm back in charge.
I have opened a dedicated thread for this account problem; I'm surely missing something obvious, but at least I can pull-replicate with an account.
If I can take advantage of your network experience: as I mentioned in the first post, the goal is to put this small EEL NAS at my parents' home, pull data from my NAS, and have a practically free offsite backup. And why not, do the same in the opposite direction.
Both machines have WG-easy WireGuard, with a simple UDP port forward to the respective NAS, so I can access both locations from outside my LAN.
Is it possible to somehow use the same strategy for a replication task? So the VPN would be used only for this specific task.
Expose SSH to the WAN. SSH is mostly considered safe if configured correctly (disable password auth, key auth only).
Set up a site-to-site VPN on both routers. This is pretty easy if you have the hardware for it.
IN ALL CASES: set up both of your firewalls to /only/ accept connections from the other router. If you have a fixed IP, use that. If you have a dynamic IP, use a DynDNS provider (and hope your firewall supports DNS). Or use IP ranges from your ISP. As a last resort use GeoIP. But in any case, please do restrict IP ranges; it will block so many attacks.
You did mention having WireGuard; I'm not sure how to easily do it via that.
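The two pieces of the advice above, key-only sshd and a firewall that accepts SSH only from the other site, as an added example that is not from the thread: since both sites have dynamic addresses, the allow-list is refreshed from the peer's DDNS name instead of a fixed IP. Assumed placeholders, none of them from the thread: the replication user "repl", the peer name "peer-nas.duckdns.org", the home LAN 192.168.1.0/24, nftables with a table named "inet filter", and sshd on port 22. On an appliance whose UI manages sshd and the firewall, apply the same settings through the UI rather than writing these files by hand.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions (placeholders): replication
# user "repl", peer DDNS name "peer-nas.duckdns.org", home LAN 192.168.1.0/24,
# nftables with a table "inet filter", sshd on port 22.

PEER_NAME="${PEER_NAME:-peer-nas.duckdns.org}"
LAN_CIDR="${LAN_CIDR:-192.168.1.0/24}"
SSH_PORT="${SSH_PORT:-22}"
STATE="${STATE:-/var/lib/repl-peer-ip}"

# sshd drop-in: no passwords, keys only, one allowed user, root never by password.
# Optional second argument: bind only to that address (e.g. the WireGuard tunnel
# IP) so sshd does not listen on the public interface at all.
sshd_hardening_conf() {
  user="$1"; listen="${2:-}"
  cat <<EOF
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin prohibit-password
AllowUsers $user
MaxAuthTries 3
EOF
  [ -n "$listen" ] && printf 'ListenAddress %s\n' "$listen"
  return 0
}

# Strict dotted-quad check: a resolver failure or a bad answer must never become
# "allow from <garbage>" or be spliced into an nft command.
is_ipv4() {
  addr="$1"
  case "$addr" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  printf '%s' "$addr" | awk -F. '{ exit NF == 4 ? 0 : 1 }' || return 1
  old_ifs=$IFS; IFS=.
  set -- $addr
  IFS=$old_ifs
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# One-time ruleset: SSH accepted only from addresses in the set, dropped otherwise.
nft_base_ruleset() {
  cat <<EOF
table inet filter {
  set ssh_peers { type ipv4_addr; flags interval; }
  chain input {
    type filter hook input priority 0; policy accept;
    tcp dport $1 ip saddr @ssh_peers accept
    tcp dport $1 drop
  }
}
EOF
}

# nft script that replaces the set contents with exactly the peer's current
# address plus the LAN (so local admin sessions are never cut off).
nft_allow_ssh_from() {
  printf '%s\n' \
    "flush set inet filter ssh_peers" \
    "add element inet filter ssh_peers { $1, $2 }"
}

# Resolve the peer's DDNS name to one IPv4 address via the system resolver.
resolve_peer() {
  ip=$(getent ahostsv4 "$1" 2>/dev/null | awk 'NR == 1 { print $1 }')
  is_ipv4 "$ip" && printf '%s\n' "$ip"
}

# Periodic refresh (cron or a systemd timer): touch the firewall only when the
# address changed, and keep the last good rule if resolution fails.
refresh_allow_rule() {
  ip=$(resolve_peer "$PEER_NAME") || { echo "cannot resolve $PEER_NAME, keeping previous rule" >&2; return 1; }
  if [ -f "$STATE" ] && [ "$(cat "$STATE")" = "$ip" ]; then
    return 0
  fi
  nft_allow_ssh_from "$ip" "$LAN_CIDR" | nft -f - && printf '%s\n' "$ip" > "$STATE"
}

case "${1:-}" in
  --init)    nft_base_ruleset "$SSH_PORT" | nft -f - ;;
  --refresh) refresh_allow_rule ;;
  --sshd)    sshd_hardening_conf repl "${2:-}" ;;
esac
```

Run `--init` once on each NAS, then `--refresh` every few minutes from cron; DDNS records carry a short TTL, so a change of the peer's address is picked up quickly, and until it resolves again the previous address stays allowed rather than the port opening up. The same firewall set can carry a WireGuard tunnel address instead of the public one if replication is routed through the tunnel, in which case the `ListenAddress` option keeps sshd off the WAN entirely.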
Exposing SSH scares me, honestly, but I agree that it will for sure be the easiest way to achieve that. I'm out of my comfort zone and more concerned about making some error... I will keep that option as the very last one.
Site-to-site VPN will probably do the job well too, but as you pointed out, both routers are very basic, both Zyxel; mine is a VMG8823-B50B. I don't think it is capable of that, but I will look into it.
And of course I have a dynamic IP on both, and the IP ranges are very variable (sometimes 151.x.x.x, other times 31.x.x.x). But I already use DuckDNS for this; with their API I can update my IP easily.