VPN Primer for Noobs

What VPN Solution are you using?


  • Total voters
    836

llarsx

Getting the hang of it
Joined
May 7, 2018
Messages
215
Reaction score
17
I have gone wild in all the various alternative google result and am very happy to get help here. Thank you again catcamstar.

I had already installed the one from you link in my Android mobil, but look for a Windows 10 - solution (app). I of course only need a simple home-made vpn.

Where can I find it?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I have gone wild in all the various alternative google result and am very happy to get help here. Thank you again catcamstar.

I had already installed the one from you link in my Android mobil, but look for a Windows 10 - solution (app). I of course only need a simple home-made vpn.

Where can I find it?
Here you are: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.6-I602.exe (from Community Downloads | OpenVPN which is thé official OpenVPN website btw). You can't configure lots of things in it, it can autostart with windows, you load your .ovpn file created on your router/openvpn server and off you go!
Good luck!
CC
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
I've got the Open VPN app to work fine on several android devices, setting up the VPN on my home router, and I can access my Blue Iris server using the Blue Iris app via the VPN from anywhere that way.

I can also use UI3 on various PCs while on my LAN at home.

Now I want to be able to use UI3 from a remote PC, via the VPN. To that end, I installed Open VPN on one remote PC, and it successfully connects to my VPN. Or says it does.

However, I do not know how to actually access devices (cameras, my Blue Iris server PC, etc.) through this tunnel. I have my home network on a different subnet than the remote PC's LAN to avoid having any conflict. Yet I guess I either have something configured wrong on my home VPN side, or I just don't know how to enter an IP address on the (theoretically connected) remote PC so I can have remote access to my home LAN.

Is there a specific place in the documentation where this type of setup, and the methods to use it are described?

I used Randy's guide to set up the VPN at home.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
How do you access the blue Iris PC when you on the local home network remotely. Like from an Android tablet, another pc, what IP address.
Is the blue Iris PC on your main network and your subnet both ?

Remotely After you connect via VPN, on a web browser enter the blue Iris PC IP address and UI3 port number.
 

Eric W.

n3wb
Joined
Sep 27, 2018
Messages
6
Reaction score
2
Location
USA
Take a look at my instructions
NetGear R7800 - OpenVPN

Sounds like you need the smart_phone.ovpn file, which you have to download from the router.
Thanks randytsuch!
I found where to download the config file from my router. I'm trying to setup the VPN on my computer before my phone, just so I get more familiar with it.

- I imported the file to OpenVPN
- When I try to connect I get an error message...

"Connecting to management interface failed.
View log file for mail details"

- I viewed the log file and got this...

"Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Options error: --cert fails with 'client.crt': No such file or directory (errno=2)
Fri Oct 26 19:13:56 2018 us=635796 WARNING: cannot stat file 'client.key': No such file or directory (errno=2)
Options error: --key fails with 'client.key'
Options error: Please correct these errors.
Use --help for more information."

- I read the 'OpenVPN client setup instruction' provided by my router and did everything in there, but I'm still getting the same error message.

Please let me know if there is anything I'm doing wrong.
I can post screen shots if that would make it easier.
Thank you
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
How do you access the blue Iris PC when you on the local home network remotely. Like from an Android tablet, another pc, what IP address.
Is the blue Iris PC on your main network and your subnet both ?

Remotely After you connect via VPN, on a web browser enter the blue Iris PC IP address and UI3 port number.
This wasn't working for me. In a browser, on the remotely connected machine, when I entered an IP address for a camera or the Blue Iris server on my home network, I just got the typical error message that one gets for an unreachable IP address:

"The connection has timed out

The server at 192.168.XXX.XXX:81 is taking too long to respond."


So last night, I altered some settings in my Asus router's Open VPN setup. I switched to 2048 bit encryption (which, I doubt had anything to do with this at all). And I enabled access to both the LAN and The Internet where before I was only enabling access to the LAN. I thought this would just affect surfing through the VPN, but I now think changing that setting fixed the problem. Because now I can see my Blue Iris UI3 by simply typing its IP address and port into a browser at work when that PC is logged into my VPN. I'm not sure why that setting would affect me using this on a PC remotely, but not when using the Blue Iris app on my phone, but that's all I changed.

Anyhow, it's working the way I expected now, for whatever that's worth.
 

llarsx

Getting the hang of it
Joined
May 7, 2018
Messages
215
Reaction score
17

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
So last night, I altered some settings in my Asus router's Open VPN setup. I switched to 2048 bit encryption (which, I doubt had anything to do with this at all). And I enabled access to both the LAN and The Internet where before I was only enabling access to the LAN. I thought this would just affect surfing through the VPN, but I now think changing that setting fixed the problem. Because now I can see my Blue Iris UI3 by simply typing its IP address and port into a browser at work when that PC is logged into my VPN. I'm not sure why that setting would affect me using this on a PC remotely, but not when using the Blue Iris app on my phone, but that's all I changed.
That setting you switched is called "redirect-gateway" setting in OpenVPN terminology, which means that ALL traffic from your vpn client endpoint WILL go through the vpn tunnel, regardingless of local instituted routers/gateways. Downside is that all your network traffic goes straight into the tunnel, and you'll surf with the IP address from your home ISP WAN. Which means, you "pay" twice the bandwidth (inbound plus outbound = times 2). However, what you have encountered here, is that the VPN server is thén in charge of all routing, hence you have 100% probability in reaching your BI server, because that one is residing on your home LAN.

Hope this explains!
CC
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Thanks randytsuch!
I found where to download the config file from my router. I'm trying to setup the VPN on my computer before my phone, just so I get more familiar with it.

- I imported the file to OpenVPN
- When I try to connect I get an error message...

"Connecting to management interface failed.
View log file for mail details"

- I viewed the log file and got this...

"Options error: --ca fails with 'ca.crt': No such file or directory (errno=2)
Options error: --cert fails with 'client.crt': No such file or directory (errno=2)
Fri Oct 26 19:13:56 2018 us=635796 WARNING: cannot stat file 'client.key': No such file or directory (errno=2)
Options error: --key fails with 'client.key'
Options error: Please correct these errors.
Use --help for more information."

- I read the 'OpenVPN client setup instruction' provided by my router and did everything in there, but I'm still getting the same error message.

Please let me know if there is anything I'm doing wrong.
I can post screen shots if that would make it easier.
Thank you
I'm pretty sure you missed some (important) steps in these instructions ;-) "No such file or directory" means that the ca.crt and client.crt files are NOT found on the device you are playing with. On a PC, you can simply copy these files over (in the right directories that is), but my personal advice is to create a "self containing" .ovpn including all certificates. Why? Because then you can import these properly on iOS/Android and you don't have to mess with file transfers etc.

If you want to go that way, have a look at this example (random google result, there are tons of tutorials on this too): Embedding Certificates into OpenVPN Config

Good luck!
CC
 

llarsx

Getting the hang of it
Joined
May 7, 2018
Messages
215
Reaction score
17
Security hole in mail from my camera.

I just discovered that the extern ip from the router where the camera is can be seen in "properties" in the received mail. This may be the reason why my camera has been hacked. Everyone knowing my extern ip can reach the router and try the most common ports.

Is there any way I can avoid this? Using routervpn seems not the solution, but I may be wrong.

I have of course tried several mailservers and mailprogram, but all have the extern ip in the mail I receive.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
Security hole in mail from my camera.

I just discovered that the extern ip from the router where the camera is can be seen in "properties" in the received mail. This may be the reason why my camera has been hacked. Everyone knowing my extern ip can reach the router and try the most common ports.

Is there any way I can avoid this? Using routervpn seems not the solution, but I may be wrong.

I have of course tried several mailservers and mailprogram, but all have the extern ip in the mail I receive.
first of all why are you sending your camera images to people who would hack your camera.
Second, if you use gmail, it does not provide your ip.
Third, if you use vpn, who cares, they wont be able to break it.
 

llarsx

Getting the hang of it
Joined
May 7, 2018
Messages
215
Reaction score
17
first of all why are you sending your camera images to people who would hack your camera.
Second, if you use gmail, it does not provide your ip.
Third, if you use vpn, who cares, they wont be able to break it.
OK, I only send to my self, but somebody can "sniff" mails and you have right about gmail. I had not checked them as I try to avoid google and everything connected to them. May be I have to reconsider.
I agree in "who cares".
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
OK, I only send to my self, but somebody can "sniff" mails and you have right about gmail. I had not checked them as I try to avoid google and everything connected to them. May be I have to reconsider.
I agree in "who cares".
lol, if someone is sniffing your emails you are fucked anyway...as I tell folks who ask me about this "Who the hell do you think you are that someone will go through all that trouble to target YOU"
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
lol, if someone is sniffing your emails you are fucked anyway...as I tell folks who ask me about this "Who the hell do you think you are that someone will go through all that trouble to target YOU"
It does not have to be that personal to be felt targetted, I've read a couple of cases where people are "ignorant" on fake Wifi hotspot, and not one but all mobile traffic got sniffed away (and peoples Instagrams were reverse engineered). Also is it possible to sniff email content inside network? talks on how tricks with security certificates can be played on corporate networks. Indeed you are right, if someone plays this trick on you, you are definitely on someones death list :)
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
It does not have to be that personal to be felt targetted, I've read a couple of cases where people are "ignorant" on fake Wifi hotspot, and not one but all mobile traffic got sniffed away (and peoples Instagrams were reverse engineered). Also is it possible to sniff email content inside network? talks on how tricks with security certificates can be played on corporate networks. Indeed you are right, if someone plays this trick on you, you are definitely on someones death list :)
You have to be really paranoid to think someone would target you in this way....your link would simply not work when using gmail..more likely the admin has a screen capture application installed on the pc.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
OK, I only send to my self, but somebody can "sniff" mails and you have right about gmail. I had not checked them as I try to avoid google and everything connected to them. May be I have to reconsider.
I agree in "who cares".
Nobody needs to "sniff" an email itself to see your PUBLIC IP address. The destination address/origin IP is part of the header/routing info for the email. It's visible to every routing/relay point along the way, logged in multiple locations, etc. Using Gmail would keep that particular stream of mail away from your net but makes no difference since your outside IP still will be scanned whether you're getting email or not. Virtually every single public IP address on the net is scanned for vulnerabilities on a continual basis these days. Nobody needs to be targeting you/your IP in particular. That's the far more likely case for any intrusion of your cams and the primary reason to use a VPN coming into your own network to block any other in-coming access and exposed ports/devices.
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
That setting you switched is called "redirect-gateway" setting in OpenVPN terminology, which means that ALL traffic from your vpn client endpoint WILL go through the vpn tunnel, regardingless of local instituted routers/gateways. Downside is that all your network traffic goes straight into the tunnel, and you'll surf with the IP address from your home ISP WAN. Which means, you "pay" twice the bandwidth (inbound plus outbound = times 2). However, what you have encountered here, is that the VPN server is thén in charge of all routing, hence you have 100% probability in reaching your BI server, because that one is residing on your home LAN.

Hope this explains!
CC
In my router, the "switch" I changed is called:
"Client will use VPN to access"
and the two choices are:
"Local network only" and "Internet and local network".



My interpretation of that switch's function was to select whether or not VPN clients, when connected, would have access only to the Local Area Network of the VPN server, OR have access to that, as well as to the internet connection used by the router (VPN server).

So my understanding seems to match what you've described.

The home network that is served by this Asus router and thus, it's VPN, gets its internet connection via a cable modem, and we've got unlimited data, with 100Mbps speed down, and 10Mbps speed up. So what I was thinking was that when we're out and about, and perhaps on a non-secure public WiFi system (hotel, airport, etc.) we could switch on the VPN client in our phone, tablet, etc., connect to our home VPN, and be able to surf or conduct business securely via the VPN encryption (and using our home network's internet access).

All of that "internet traffic" would, as you point out, go both ways through our home internet connection, and I could imagine this, perhaps, slowing things down, but it won't cost us anything extra in our case. So this seems like a reasonable tradeoff, if I'm understanding it correctly.

What I don't understand is this:

When I had (as shown in the screen cap above) this selection set to "Local network only", I could not get my Open VPN client, on a computer at work, to connect to my Blue Iris server (PC). Yet after I switched that setting to "Internet and local network", it worked right away, with me making no changes on the remote (work) PC.

However, our phones have been able to connect to the Blue Iris server, using the Blue Iris app on the phones, when out and about, with the OpenVPN client switched on in the phones, all along.

It makes me wonder if there's something else I need to set correctly on the remote PC (in this case, a PC of mine at work) to assure that it will work the way our phones (using the BI app) do. That way, I can use either setting of the "redirect-gateway" setting.

I think I'll play with this more today. I'll set the home router's VPN to "local network only" again and see if it still works from the work PC this time.

Perhaps there are other configuration "switches" I could set in the client.ovpn file used by the work PC that would help it connect regardless of the home VPN server's "redirect-gateway" setting. Then again, maybe it was just a fluke, or I inadvertently changed something else that made it work. Further careful testing is probably warranted on my part.

Anyhow, thanks for your (and everyone's) time and help. Initially, I just wanted to try this all out. Now I want to understand it more thoroughly. So I appreciate all of the work everyone has put into this thread and the other resources on this site.
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
An update:

With the Router's OpenVPN Server's "Client will use VPN to access" setting switched to "Local network only", I am able to connect from the work PC now. So I'm not sure what changed, if anything to allow it to work "correctly " now. But it is working.

And here's an interesting thing:

I have the router set to block the individual cameras from the internet. When I'm home, connected to our LAN, I can still (of course) access the cameras' setup interfaces directly by entering their IP addresses into a browser. That's as it should be.

But when connected right now, through the VPN, from this remote (work PC) PC, I cannot access the cameras. So I have to think that the router blocks them even though I'm trying to access them via the VPN. I guess this feature is really intended to be used for "parental control", and it's smart enough to disallow that outside access even through the VPN.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
But when connected right now, through the VPN, from this remote (work PC) PC, I cannot access the cameras. So I have to think that the router blocks them even though I'm trying to access them via the VPN. I guess this feature is really intended to be used for "parental control", and it's smart enough to disallow that outside access even through the VPN.
That's how it will work. When on the VPN you don't actually have an internal 192.168.1.x (or whatever) IP. You have a 10.0.0.x address which is assigned on the VPN interface which then is routed over to an internal address on the router's internal network interface. So the router properly blocks that connection when you have that device blocked from the Internet. I'd have to dig for the exact commands but by accessing the router in terminal mode you can set up iptables to permit that traffic (somewhat complicated to do). Easier for most, you can just access the router's usual web interface through the VPN, toggle the setting off, do what you need to do on that cam/device, and then toggle it back on again.
 

J Sigmo

Known around here
Joined
Feb 5, 2018
Messages
997
Reaction score
1,333
That's how it will work. When on the VPN you don't actually have an internal 192.168.1.x (or whatever) IP. You have a 10.0.0.x address which is assigned on the VPN interface which then is routed over to an internal address on the router's internal network interface. So the router properly blocks that connection when you have that device blocked from the Internet. I'd have to dig for the exact commands but by accessing the router in terminal mode you can set up iptables to permit that traffic (somewhat complicated to do). Easier for most, you can just access the router's usual web interface through the VPN, toggle the setting off, do what you need to do on that cam/device, and then toggle it back on again.
That's exactly what I've just been doing. I wanted to try some different adjustments to the camera's Day/Night mode and IR Illuminator, etc., and I just unblocked it temporarily by logging into the router itself, then blocked it again when I was done.

I wish the Asus router would allow me to block more than 16 devices from the internet. At some point, I'll probably have to move the cams to a separate network that has no internet connection, and then I'll lose the ability to play with them remotely altogether, I suppose. Still, this is all pretty sweet!
 
Top