Switching from VPN to Port Forwarding.

nuraman00
Aug 6, 2017
I had a VPN set up for my cameras since 2018. However, recently OpenVPN has complained that the HMAC authentication wasn't secure enough. I tried changing it from SHA1 to SHA256, but got the same error after exporting the new .ovpn file.

Next, I tried configuring port forwarding.

I did it for ports 80 and 37777.

However when I go to my gdmss app and switch to mobile data on my phone, it won't connect.



Any suggestions?

How can I remotely view my cameras again, either via a correct VPN configuration, or port forwarding?

My router is an Asus RT-AC86U.
 
Not that you should be using port forwarding, but... you know that when using port forwarding from outside your home network (mobile data, no Wi-Fi) you will need to use the external WAN IP address of your home to reach the NVR, NOT 192.168.50.X, which you can't reach from outside your Wi-Fi...
 
I'd suggest using WireGuard instead of OpenVPN then. Asus routers support it basically the same way, though you may need to update the router's firmware.

Since you are using a hardware NVR appliance, port forwarding to it is very risky.
 
I can't update my router's firmware. If I tell it to check for updates, it says it can't connect to the Asus server.

If I manually download the firmware and try uploading it from the manual firmware upgrade screen, it says the update is unsuccessful.



Do I need to change any VPN settings on my router from what I already have? Or can I install WireGuard and upload the .ovpn file?

These are the settings I have:



I was also able to remotely connect in gdmss using P2P setup. I turned off port forwarding after that worked.
 
I really don't know what settings change it would take to get rid of the warning you have now.

Funny that the firmware update won't work. Maybe you got a firmware file for a different hardware revision.

This thread may have a solution to make openvpn work again: Asus OpenVPN Insecure Hash.

I'd also probably want to use 2048-bit encryption and change the encryption cipher to something with "256" in the name, but then you'd need to generate new certificates and basically set up from scratch, and I doubt it would help your current issue. Just something I'd change if it was me.
 
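Two points in the replies above are easy to check mechanically in an exported profile: the weak HMAC/cipher settings that trigger the "insecure" warning, and (from the earlier reply) a `remote` line that points at a 192.168.x.x LAN address, which can never work from mobile data. The script below is an added example, not an Asus or OpenVPN tool; it parses the top-level directives of a `.ovpn` file, skips inline `<ca>`/`<cert>`/`<tls-crypt>` blocks, and reports the settings a practitioner would want changed. The two sample profiles at the bottom are constructed for the example, not taken from the thread.

```python
"""Audit an OpenVPN client profile (.ovpn) for the weak settings discussed
above.  Added example; not part of the thread, Asus firmware, or OpenVPN."""
import ipaddress

WEAK_AUTH = {"MD5", "SHA1", "NONE"}          # HMAC digests the thread calls insecure
STRONG_CIPHERS = {"AES-256-GCM", "AES-256-CBC", "CHACHA20-POLY1305"}


def parse_directives(profile: str) -> dict:
    """Return {directive: [[arg, ...], ...]} for top-level lines.

    Inline blocks such as <ca>...</ca> are recorded by name (so their presence
    can be checked) but their PEM contents are skipped."""
    directives: dict = {}
    in_block = False
    for raw in profile.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        if line.startswith("</"):
            in_block = False
            continue
        if line.startswith("<"):
            in_block = True
            directives.setdefault(line[1:].rstrip(">").lower(), []).append(["<inline>"])
            continue
        if in_block:
            continue
        parts = line.split()
        directives.setdefault(parts[0].lower(), []).append(parts[1:])
    return directives


def audit_profile(profile: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    d = parse_directives(profile)
    findings = []

    # HMAC: OpenVPN falls back to SHA1 when 'auth' is absent.
    auth = d.get("auth", [["SHA1"]])[0][0].upper()
    if auth in WEAK_AUTH:
        findings.append(f"auth {auth}: weak HMAC, use SHA256 or better")

    # Data-channel cipher(s): 'cipher' plus any negotiation list.
    ciphers = []
    for key in ("cipher", "data-ciphers", "ncp-ciphers"):
        for args in d.get(key, []):
            ciphers.extend(c.upper() for c in ":".join(args).split(":"))
    if not ciphers:
        findings.append("no cipher directive: OpenVPN 2.4 and older default to BF-CBC")
    for c in ciphers:
        if c not in STRONG_CIPHERS:
            findings.append(f"cipher {c}: not a 256-bit/AEAD cipher")

    # Control channel: without tls-auth/tls-crypt the port answers any probe.
    if "tls-auth" not in d and "tls-crypt" not in d:
        findings.append("no tls-auth/tls-crypt: control channel is unauthenticated")

    # Reachability: a private 'remote' is the mistake the first reply describes.
    for args in d.get("remote", []):
        try:
            ip = ipaddress.ip_address(args[0])
        except ValueError:
            continue                      # hostname (e.g. DDNS), cannot judge here
        if ip.is_private:
            findings.append(f"remote {args[0]}: LAN address, unreachable from mobile data")
    return findings


# Constructed sample profiles (not from the thread); certificate bodies omitted.
WEAK_PROFILE = """client
dev tun
proto udp
remote 192.168.50.1 1194
auth SHA1
cipher AES-128-CBC
<ca>
(certificate body omitted in this constructed sample)
</ca>
"""

FIXED_PROFILE = """client
dev tun
proto udp
remote home.example.com 1194
auth SHA256
cipher AES-256-GCM
data-ciphers AES-256-GCM:CHACHA20-POLY1305
<ca>
(certificate body omitted in this constructed sample)
</ca>
<tls-crypt>
(key body omitted in this constructed sample)
</tls-crypt>
"""

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("fixed", FIXED_PROFILE)):
        print(name, audit_profile(prof) or "clean")
```

The audit only reads directives, so it cannot tell you the RSA key size of the embedded certificate; that needs `openssl x509 -text` on the `<cert>` block. It also deliberately does not "fix" anything: the cipher and HMAC are negotiated with the server, so changing the client profile alone (as the original poster tried) does not help until the router side is regenerated.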
How do I generate a new certificate? I don't remember how I did it in 2018.

I also saw this on how to update to new firmware. I might try it if it looks like it's not going to need a factory reset of the router.


But I'm not sure updating the firmware will help, if the problem is that I need to generate a new certificate.

Also, does it look like my router currently supports Wireguard? Could I use the settings I showed you?
 
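The thread never spells out how the certificates get regenerated (the updated Asus firmware turns out to do it with a button later on). For anyone whose router or OpenVPN server lets them paste their own PEM files, the script below is an added example, not from the thread or from Asus, of building a fresh PKI the way the earlier reply suggests: 2048-bit RSA keys, SHA-256 signatures, a CA, a server certificate, one client certificate, and (if the `openvpn` binary is present) a `tls-crypt` key. It assumes `openssl` 1.1.1 or newer is installed; the output directory name is whatever you pass in.

```sh
#!/bin/sh
# Added example (not from the thread or Asus): regenerate an OpenVPN PKI with
# openssl using 2048-bit RSA and SHA-256, then inspect what was produced.
# Assumes: openssl >= 1.1.1 on PATH; openvpn on PATH is optional.
set -eu

# gen_pki OUTDIR [DAYS]  - writes ca.crt/ca.key, server.crt/.key, client1.crt/.key
gen_pki() {
    out="$1"; days="${2:-3650}"
    mkdir -p "$out"

    # Self-signed CA. 'req -x509' marks it CA:TRUE (default config on 1.1.1,
    # built-in default on 3.x), so no extension file is needed here.
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
        -subj "/CN=Home OpenVPN CA" \
        -keyout "$out/ca.key" -out "$out/ca.crt" 2>/dev/null

    # Leaf certificates: server gets serverAuth, clients get clientAuth, so a
    # stolen client cert cannot be used to impersonate the server.
    for name in server client1; do
        if [ "$name" = server ]; then eku=serverAuth; else eku=clientAuth; fi
        openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
            -keyout "$out/$name.key" -out "$out/$name.csr" 2>/dev/null
        printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
            "$eku" > "$out/$name.ext"
        openssl x509 -req -in "$out/$name.csr" -CA "$out/ca.crt" -CAkey "$out/ca.key" \
            -CAcreateserial -days "$days" -sha256 -extfile "$out/$name.ext" \
            -out "$out/$name.crt" 2>/dev/null
        rm -f "$out/$name.csr" "$out/$name.ext"
    done

    # tls-crypt key (OpenVPN 2.5+ syntax; older builds use --genkey --secret).
    if command -v openvpn >/dev/null 2>&1; then
        openvpn --genkey secret "$out/tc.key"
    fi
}

# cert_key_bits CERT  - RSA modulus size, e.g. to check a 2018-era profile.
cert_key_bits() {
    openssl x509 -in "$1" -noout -text | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p'
}

# cert_sig_alg CERT   - signature algorithm (expect sha256WithRSAEncryption).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | sed -n 's/ *Signature Algorithm: //p' | head -n 1
}

# Usage: sh thisfile.sh ./pki
if [ "${1:-}" ]; then
    gen_pki "$1"
    echo "client1 key bits: $(cert_key_bits "$1/client1.crt")"
    echo "client1 signed with: $(cert_sig_alg "$1/client1.crt")"
fi
```

The server keeps `ca.crt`, `server.crt`, `server.key` and `tc.key`; the client profile embeds `ca.crt`, `client1.crt`, `client1.key` and `tc.key` in its inline blocks. Every client profile exported before the regeneration stops working, which is the "set up from scratch" cost the earlier reply mentions; the old `ca.key` should be deleted once the new one is in place.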
It is unclear to me if updating firmware will help. Asus's website says:
WireGuard® is only supported on the firmware version later than 3.0.0.4.388.xxxxx

That is higher than anything available for the RT-AC86U, so you can't use WireGuard on it even if you update.

Whether an update would help with the OpenVPN situation or not, I have no idea. Maybe it would give you a new HMAC Authentication option, maybe it wouldn't. You can probably just turn off the warning as mentioned in that thread I linked, undo your port forwarding and P2P access, and call it a day.
 
Upon checking again, you are correct about the latest firmware version for the RT-AC86U.

I re-checked which firmware I had downloaded yesterday. It was the RT-AX86 Series_3.0.0.4_388_24231.

Just now, I went here:


This page has RT-AC86U_3.0.0.4_386_51915 as the latest. I must have downloaded the firmware for the wrong model yesterday.

I tried this one now.

I was able to update the firmware.

As soon as I did, and I logged back into the admin console for the router, it said my certificate was renewed.

This firmware even has a button to renew the certificate! (But it already did it when I logged back into the router after the firmware upgrade.)

Ok, I was able to import this profile into OpenVPN and connect on my tablet. I will try on my phone later today, need to leave soon.

I turned off port forwarding.

Question: What is more preferable, OpenVPN using "legacy" security (which is medium level), or P2P?

What about using OpenVPN with the lowest security, or P2P (in case I had to make a choice between these two)?
 
Good question. Nothing is perfect, but I'd still trust OpenVPN with weak configuration far more than I'd trust the P2P option.

With the P2P route, you are letting your NVR connect to someone else's servers and you can't know what kind of risks that opens you up to. There could be vulnerabilities in the P2P service that a hacker can exploit with little effort to access your system (along with those of many other people). Or the manufacturer could access your system through backdoors they put into it.
 
Why is it called P2P if there's another server involved? What is the other server involved? Would it be a Dahua server in my case, if I had used it, since Dahua is my camera manufacturer?

Just asking so I understand what exactly P2P does, even if I'm not using it.
 
Don't think some have a good understanding of how normal P2P works... Please note this info is for a normal DVR/NVR or IP camera connection using P2P, and not some cloud-based system, which isn't the same as a normal P2P setup..

A normal CCTV IP camera or DVR/NVR uses a P2P (peer-to-peer) connection from a cell phone app, or even a desktop management app, by establishing a direct connection between the camera/DVR/NVR and the remote device without needing a central server. This allows for remote access to the camera or recorder feeds without complicated network configurations. The app facilitates the connection by coordinating between the devices using a unique ID or QR codes to establish a secure link...

Cloud-based P2P differs from traditional P2P in that it leverages cloud infrastructure to facilitate connections between devices, which communicate through a centralized cloud server that manages the P2P connections. This approach may have limited benefits. However, it also introduces potential privacy and security concerns due to reliance on 3rd-party cloud services, where your footage is being stored, sometimes even longer than you expect it to be. Even though you are only able to access footage for 2 weeks, that server might store a month or even more.

Any VPN or software-based tunnel system has some risk of data mining, where it has the ability to grab your plain-text input for user and password and store that data. Any time there is something 3rd-party between your camera or DVR/NVR and your phone app, you are adding another layer of risk..

Normal P2P between your camera and the app for that company is the most secure option.
 
"Normal CCTV IP camera or DVR/NVR using P2P Peer-to-Peer connection from a cell phone app or even Desk Top Management app by establishing a direct connection between the Camera/DVR/NVR and the remote device without needing a central server."
So you're saying that an IP cam on your LAN at home connects DIRECTLY to your cell phone, which could be 30 miles away on a cellular network, with no managing server in between the two? :wtf:

I'm not talking about a "normal" P2P (your term), I'm talking about what happens when Bubba buys a cam on Amazon, takes it home and scans a QR code with his smartphone.

You better tell Reolink they're doing it wrong:

Reolink-P2P.jpg
 
Buy a new ASUS router, as they only give newer firmware that supports WireGuard to AX routers.
WireGuard is much better! Fewer settings, much faster to connect, and also more stable for mobile use.
If I connect my phone, it's still connected after a week... through changes of network, Wi-Fi/4G/5G/Wi-Fi again.
 
Awesome, Reolink adds in text to freak people out lol.. Tell you what, look at the image you uploaded.. Your camera in that picture is the P2P server. While they then show 3 computers in the middle as a P2P server, that is a server that is set up to detect 2 things: your P2P server read state from your camera or DVR/NVR, and the second thing it is designed for is listening for the ping from your software. Once it gets the PING, look at the bottom of your image now.. NETWORK Connection... What does it show? Your computer and/or app from your phone connected to the computer.. In a normal P2P there is no middleman while the stream is connected, only your phone and IP camera or DVR/NVR..

Here is what I know.. Testing P2P on normal IP cameras from Amcrest, Dahua, and Annke-style P2P with normal IP cameras, NOT SMART HOME cameras... Serial number is plain text. Insecure... Password transmitted encrypted. So if you are at Starbucks or some internet cafe, make sure your connection isn't being monitored by a camera over you so it can see your screen and keyboard while you type in your password... Why? Because with the SN of the device and the password, anyone can make a connection to your device from anywhere... However, with the SN, the only thing that you would be able to pull using Wireshark is only part of the puzzle... They would also need info from a camera capturing your password being entered on the keyboard, because that info is passed encrypted, which for my passwords anyway fails to get converted using an MD5 hash translator..

Why did I put in names of companies? Well, because using old-style Hikvision and even using today's Alibi cameras, I am not 100% happy about that P2P. Why? Well, because old Hik and current Alibi P2P required you to sign up on a server for P2P access.. Now I am giving faith to Alibi that it isn't really as bad as it feels, seeing the type of connection one has to make to gain access. Once set up, the OP would have to share the device for another to even access it. However, I don't like the fact that I have/had to make an account on a server for P2P to function...
 
^^^
"So if you are at Starbucks or some internet Cafe make sure your connection isn't being monitored by a camera over you so it can see your screen and keyboard while you type in your password... Why because with the SN of the device and the password anyone can make a connection to your device from anywhere... However with the SN only thing that you would be able to pull using wireshark is only part of the puzzle... They would also need info from a camera locating your Password being entered into the keyboard because that info is passed Encrypted that for my passwords anyway fail to get converted using a MD5 hash translator.."
WTF does THAT have to do with P2P? :idk::lmao:
 
LOL,, Back door.. Yeah, I have, thanks.. Also, use products that get firmware updates, and things are patched when found.. Dahua says there is an intermediary server. DUH, I said that... Plus the link you posted really kind of backs up what I was saying lol..
Server goes down? LOL. I know how it works.. As I said, ping and send. However, with no server there is no way to confirm there was a device to receive said push lol.. Not rocket science.

About my mom's basement, kiss off, POS. My mom passed away in 06. At least my mother educated me and taught me how to read and comprehend. Reality is, POS like you are still nothing more than internet bullies and trolls...

WTF does that have to do with P2P? Really, dude, read it.. Let's see: DMSS, or some other desktop management app on your laptop or tablet, and you connect. It is called shoulder surfing, FFS. You hang with your troll friends. I'll leave you all to giving people BS..

By the way, I still have devices that are able to be hacked, seeing they have not had any updates since 2014 or before. I have tested many devices... I also only put my devices on the internet with open ports for research.. Even using a password that I have openly posted, and while I have had in some cases many attempts at entry, no one has gotten in.. Because the people that were trolling my devices are not versed in social engineering.. Now I will say something that would put my risk higher: using things like the names of pets, children, spouse, addresses, birthdays, hobbies and friends are most valuable. Problem is, I don't just use something when I want to remember a password; I use a method, and don't use full context, and I don't change letters for numbers and such..

Every camera I own, I personally test all the hardware before I ever put it on the internet. Burp, B*W** and other testing methods using Linux. Sure, there are some things that I don't have access to that others do, seeing they program firmware and other things with way more info than I have. But I have enough info to know that buying a new camera from Dahua or Amcrest is safe to use with P2P..

Love it when trolls only prove the point lol.. By the way, do some research about what P2P is. It isn't something NEW.
 
I guess he has never heard of backdoor vulnerabilities...

Or that Dahua themselves say there is an intermediary server... and thus why people don't get push notifications when the Dahua server goes down... but the same process applies regardless of manufacturer...

Most NVR’s have a mobile app that can connect via Peer-to-Peer (P2P). This setup uses an intermediary server to query the NVR, and request a port to be opened. Once that occurs, the Mobile app connects to the NVR.
 
Um, you said: "Normal CCTV Ip camera or DVR/NVR using P2P Peer-to-Peer connection from a cell phone app or even Desk Top Management app by establishing a direct connection between the Camera/DVR/NVR and the remote device without needing a central server."

Now several of us have pointed out that a middle server is needed, and now you say that what we posted "really kind of backs up what I was saying lol.."

WTF - No it doesn't

You claim someone connects to their NVR directly with their phone without a "middle-man"... What part of intermediary server is not a central server????

And explain again why a push doesn't get received when the P2P server is down....

We here have done our research on P2P and know that you are trusting some unknown server with your data, as it is "purposefully designed to punch through safety/control measures". You need to do some more research on what P2P is as it relates to these devices...
 