Month: November 2025

Offsite backup with Unraid, Tailscale, Backrest/Restic and Tailvault

nguyenquyhy Leave a comment

Restic and its companion UI Backrest already allow you to back up to many different locations. However, getting it setup to back up from one Unraid NAS to another might not be straight forward. Here I will go into details on the steps I have used to to make it work.

The goals of this setup are:

  1. Sender will use Backrest while receiver will use Tailvault app in Unraid.
  2. Both apps will have Tailscale integration enabled, and connectivity will be via Tailscale.

Tailvault is a very simple Alpine container that enables SFTP. However, Restic doesn’t support SFTP with password, hence the need for additional setup for key pairs between the 2 containers.

  1. Generate a keypair with PuTTYgen, choose EdDSA and Ed25519
    • After the pair is generated, click Conversions >Export OpenSSH Key and named it id_ed25519
    • The public key can be copied from the box “Public key for pasting into OpenSSH authorized_keys file:”
  2. Install TailVault app in the Community Store with the following modifications:
    • Repository: nguyenquyhy/tailvault:latest
    • Remove SFTP_PASS
    • Add SFTP_PUB_KEY. Use the public key in step 1 as value.
  3. Open TailVault container log and login to Tailscale using the link in log
  4. Open appdata/TailVault and download ssh_host_ed25519_key.pub
  5. Install Backrest app in the Community Store with Tailscale enabled
  6. Open Backrest container log and login to Tailscale using the link in log
  7. Create known_hosts file on your computer with the following content:
    • <tailvault domain from Tailscale> <content from ssh_host_ed25519_key.pub in step 3>
    • e.g. tailvault.abc.ts.net ssh-ed25519 AAAAAAAAAAAAAAAAAAAAAAAAAAAAAA root@aaaaaaaaa
  8. Upload id_ed25519 from step 1 and known_hosts from step 5 to appdata/backrest
  9. Select id_ed25519, click Permissions, change Group and Other to No Access
  10. Edit backrest app in Unraid’s Docker and add the following:
    • Path:
      • Name: Private Key
      • Container Path: /root/.ssh/id_ed25519
      • Host Path: /mnt/user/appdata/backrest/id_ed25519
    • Path:
      • Name: Known Host
      • Container Path: /root/.ssh/known_hosts
      • Host Path: /mnt/user/appdata/backrest/known_hosts
  11. Open backrest URL
  12. Add repo. For Repository URL, use sftp:<username set in step 2>@<tailvault domain from Tailscale>:/backups