I’m not sure if that would work but I’m not totally comfortable allowing the backup server to connect to the off-site storage; I’d much prefer that the connection run the other way. Allowing inbound connections to the off-site storage increases the attack surface of that system.
My current solution is to have a cronjob that runs regularly chmod’ing everything in the repository to 750.