Synology Active Backup & VPNs

The problem: I want to use Synology Active Backup for Business (ABB) to back up all of my company's computers, but I have a lot of laptops and I don't want the backups to run if someone is on a mobile hotspot. The solution? PowerShell and a scheduled task.

Quick Link to Solution

Here's a scheduled task and the script that it runs📁.  Read on for more info on how it works, plus an alternative implementation.  I take no responsibility if this messes up your computer; you should never run anything you download from random blogs.

Background

Synology ABB is a program that runs on a computer and coordinates with a Synology NAS to perform incremental, bare metal backups.  It works well and even allows restoring to different hardware.  For example, I can take a backup of a laptop and restore it to a virtual machine.

I've been trialing Synology's Active Backup for Business on a few computers, and wanted to do a wider roll out.  However, we travel for work, and use a VPN to connect back to the office.  The issue is that if you're traveling, you may be connected to a mobile hotspot.  Having ABB start a backup could easily burn through the monthly hotspot data allowance.

Solution

I discovered that you can make a scheduled task that runs on certain events, not just at certain times of the day.  Common events are things like "computer turned on" or "user logged out".  But you can also have a scheduled task trigger whenever a particular entry is logged by the system.  The log entry that I found worked the best is Network State Change, which is event #4004.

Note about events: I was initially going to use events 10000 and 10001 (connected and disconnected, respectively), which seemed elegant, but I found them unreliable.  When I started a VPN connection the 10000 event was logged (disabling ABB), but I'd never get a 10001 event when the VPN was disconnected, so the rule would never get disabled.  Using #4004 was more reliable.

I created a scheduled task that runs a script whenever the Network State Change event is fired. The script:

  1. Checks if a particular network adapter, in my case one called OpenVPN, is up.
  2. If the connection is up, it enables a firewall rule to block the ABB service.
  3. If the connection is down, it disables the firewall rule.
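The three steps above can be sketched as follows. This is an added example, not the script from the ZIP: the adapter name and port 5510 come from the post, while the rule name and the choice of an outbound TCP block on remote port 5510 are assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example (not the author's script). Changing firewall rules needs an
# elevated session, which is why the check above is enforced.

$adapter_name = 'OpenVPN'                      # VPN adapter name used in the post
$rule_name    = 'Block Synology ABB over VPN'  # hypothetical rule name
$abb_port     = 5510                           # ABB port mentioned in the post

function Test-VpnUp {
    param([string]$Name)
    # Get-NetAdapter raises an error when the adapter does not exist;
    # suppress it and treat a missing adapter the same as "down".
    $adapter = Get-NetAdapter -Name $Name -ErrorAction SilentlyContinue
    return [bool]($adapter -and $adapter.Status -eq 'Up')
}

function Set-AbbBlock {
    param([bool]$Block)
    $rule = Get-NetFirewallRule -DisplayName $rule_name -ErrorAction SilentlyContinue
    if (-not $rule) {
        # First run: create the rule disabled, then toggle it below.
        # Assumption: the agent reaches the NAS over outbound TCP to port 5510.
        $rule = New-NetFirewallRule -DisplayName $rule_name -Direction Outbound `
            -Action Block -Protocol TCP -RemotePort $abb_port -Enabled False
    }
    if ($Block) {
        $rule | Enable-NetFirewallRule    # step 2: VPN up, block ABB
    } else {
        $rule | Disable-NetFirewallRule   # step 3: VPN down, allow ABB
    }
}

$vpn_up = Test-VpnUp -Name $adapter_name
Set-AbbBlock -Block $vpn_up
Write-Output "VPN adapter '$adapter_name' up: $vpn_up; ABB block enabled: $vpn_up"
```

Because the rule is created once and only toggled afterwards, running the script on every Network State Change event is idempotent.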

To test that the script works, I connected to the VPN over a WiFi hotspot, and manually ran the script.  Here's a screenshot of it cutting off ABB's access to port 5510:

Screenshot showing network traffic dropping because the script blocked the port.

Note about PowerShell: I don't know much PowerShell, and I don't much care for it (too verbose, weird defaults, pretends to be wget and curl), but it's the only practical way to control Windows' subsystems.  I rewrote the script a couple times, but finally settled on one that does what I need it to do.  It's probably not idiomatic PowerShell.  Sorry that I used python_naming_conventions for my variables, iJustDon'tLikeCamelCase like PowerShell people do.

How To Install & Use

  1. Download this ZIP file that contains the script and the scheduled task.
  2. Extract it and move the folder named SynologyBackupControl to C:\Program Files.
  3. Edit the script file's $adapter_name variable to match the name of your VPN adapter.
  4. Open Windows Task Scheduler and import the Synology Backup - Toggle Firewall Rule (scheduled task).xml file.
  5. Done!

If you choose to put the files somewhere else, you will have to update the scheduled task to point to the new path.

A Second Option

In the course of writing my script, I experimented with disabling the ABB service on the laptop instead of using firewall rules.  This works, but it makes the ABB interface throw up a scary looking message:

Screenshot of ABB telling user to reboot
Telling the user to reboot, yikes!

In contrast, blocking the ABB port doesn't pop up a dialog box, or recommend rebooting:

Screenshot of ABB telling the user there's a network error.
Slightly less scary, and no dialog box.

I decided to post the "disable the service" version too, because:

  1. I put in the work.
  2. It may help someone control a different service.

Here's the version that disables the Synology ABB service📁.

This article was updated on May 7, 2025
