VPN Primer for Noobs


xtropodx

Getting the hang of it
Joined
Apr 30, 2017
Messages
139
Reaction score
40
Just put it on my Pi and forwarded the port (is there no security risk forwarding the port?)...
I was of the understanding that port forwarding should be avoided, hence the VPN? As you're basically opening up an area of your network via this device, through which anyone can potentially get access. It's even stated in the very first post here to never forward ports; that was about cameras & NVRs, but the concept would be the same. Unless the device is not connected to the internet at all & is isolated somehow?
 

pbc

Getting comfortable
Joined
Jul 11, 2014
Messages
1,024
Reaction score
156
I was of the understanding that port forwarding should be avoided, hence the VPN? As you're basically opening up an area of your network via this device, through which anyone can potentially get access. It's even stated in the very first post here to never forward ports; that was about cameras & NVRs, but the concept would be the same. Unless the device is not connected to the internet at all & is isolated somehow?
I thought so as well... But I don't see how else to have WireGuard work. So I must be missing something. Maybe it's okay if the RPi is only used for that singular purpose? I.e. since it is a dedicated device?
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,539
Reaction score
2,765
Port forwarding is fine if you are forwarding to a secure application/process like a VPN, webserver, etc... Ideally, the device you are forwarding to would also be in a DMZ to further limit exposure.

Port forwarding to a Chinese camera where security isn't even an afterthought is an extremely poor idea. Even port forwarding to Blue Iris should be avoided since we don't know how secure his code is. At least with WireGuard, it's open source, so it's well vetted by the community at large.
 

sebastiantombs

Known around here
Joined
Dec 28, 2019
Messages
11,511
Reaction score
27,690
Location
New Jersey
The port being forwarded to a VPN, like WireGuard, is pretty safe, since the only way to access anything would be for the hacker to break a 64-, 128- or 256-bit encryption key.
 

pmcross

Pulling my weight
Joined
Jan 16, 2017
Messages
371
Reaction score
185
Location
Pennsylvania
For those using WireGuard, do you have any trouble with iPhones connecting automatically when switching from WiFi to cellular? I've attempted to use OpenVPN, but the auto-connect was too unreliable when leaving the house. Just wondering what others' experience is.
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,539
Reaction score
2,765
You won't have any trouble whatsoever with WireGuard and moving between cellular and WiFi. WireGuard doesn't keep an open connection like OpenVPN does. When your phone needs to send data over WireGuard, it just sends it as normal and WireGuard takes over to encrypt it and send it on its way to the WireGuard VPN server. It is not "chatty" at all and never sends anything on its own.
 

CaseyJones

Young grasshopper
Joined
Sep 28, 2020
Messages
40
Reaction score
12
Location
Live Oak, FL
After hours of reading this thread and others on IPCT, YouTube vids, and enough Google searches to trigger Google's "Suspicious Network Activity" captcha, I think (?) I have a slight grasp on things.

Please correct me if I'm wrong: if I want to gain access to my NVR using the native (NVR manufacturer) app, theoretically the connection the app creates would work as long as I have OpenVPN on (connected?) on my iOS device? And the feed (connection) to my NVR would still remain encrypted (secure)?

I think what it sounds like I need to do is go with a physical setup like this: ISP Modem > ASUS Router (with OpenVPN set up) > NVR? And in the ASUS firewall settings, block all inbound and outbound traffic for the cameras' IP addresses. Then install OpenVPN on the iOS devices I want to use to access the NVR. Sounds like I may also have to set up DDNS to get a static IP for the VPN to work?

Do I also block the NVR's IP? Or does this block the VPN? I still need to familiarize myself with actually setting up the VPN, port forwarding etc. I'm just making sure I have the basic principle down (ASUS w/OpenVPN / Block Camera IPs / Set up VPN to NVR / Install OpenVPN on my iOS Device = ability to use the app to access the NVR while securing the NVR & Cameras from the outside world).
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
I'm just making sure I have the basic principle down (ASUS w/OpenVPN / Block Camera IPs / Set up VPN to NVR / Install OpenVPN on my iOS Device = ability to use the app to access the NVR while securing the NVR & Cameras from the outside world).
Basically right with a few clarifications...

You don't really set up the "VPN to NVR." The VPN runs (as you said) on the router and it provides a secured, encrypted connection to your entire local network. Think of it as a secured gateway into your local network. It effectively makes your iOS device a client on your local network over the WAN. So you don't really set up anything to the NVR as far as the VPN is concerned (you may need to for the NVR's app). You set up a connection from your VPN client to your VPN server (running on your router), which routes you into your local network, and you then access things (NVR or others) in the same way that you would if on your local net.

Said more simply, it makes your iPhone work from anywhere over the Internet as it would if it were on your internal WiFi.

So it depends on how the NVR's app works. However it would work on your local network is how you'd set that up. E.g., if there's a place for an IP address, then you'd use the local IP address. Some work using a P2P-type setup, which will be another thing.

Yes, you'd need to set up DDNS, but it doesn't get you a static IP address. It gives you a 'static' host name which will be resolved to a potentially changing (dynamic) IP address. The DDNS service will point that host name to the current IP address for your router; you'll reference the host name, and DNS servers will resolve the host name to your current IP address.

On the Asus you can't access a blocked device over the VPN. When on the VPN you don't truly have a local IP. You have a (usually) 10.10.x.x external address that is routed to a local address. The router sees that as coming from outside and blocks it. So, no, don't block the NVR. You can block the cams. If you need to access one directly for some reason from outside, then you can access the router, unblock it temporarily, do whatever, then block it again. (Technically you can access blocked devices, but it requires some non-trivial command-line changes, so not as normally done using the router's web interface.)
 

CaseyJones

Young grasshopper
Joined
Sep 28, 2020
Messages
40
Reaction score
12
Location
Live Oak, FL
You don't really set up the "VPN to NVR." The VPN runs (as you said) on the router and it provides a secured, encrypted connection to your entire local network. Think of it as a secured gateway into your local network. It effectively makes your iOS device a client on your local network over the WAN. So you don't really set up anything to the NVR as far as the VPN is concerned (you may need to for the NVR's app). You set up a connection from your VPN client to your VPN server (running on your router), which routes you into your local network, and you then access things (NVR or others) in the same way that you would if on your local net.

Said more simply, it makes your iPhone work from anywhere over the Internet as it would if it were on your internal WiFi.
@Mike A. Thanks! As I read some more last night that concept began to dawn on me, and I began to understand the whole premise more.

On the Asus you can't access a blocked device over the VPN. When on the VPN you don't truly have a local IP. You have a (usually) 10.10.x.x external address that is routed to a local address. The router sees that as coming from outside and blocks it. So, no, don't block the NVR. You can block the cams. If you need to access one directly for some reason from outside, then you can access the router, unblock it temporarily, do whatever, then block it again. (Technically you can access blocked devices, but it requires some non-trivial command-line changes, so not as normally done using the router's web interface.)
Is this just specifically with the ASUS? Or OpenVPN? Would it be better to go with a Ubiquiti router? That way I can also block inbound and outbound access to the NVR.

Here's how I plan on setting up my physical network devices:

[attached screenshot: Screen Shot 2020-10-03 at 1.44.39 PM.png]

Any apparent issues here? Would information still be able to circumvent the firewall (and VPN) set up in Router A and get to the NVR and cameras? I don't believe that my ISP Modem/Router combo has VLAN functionality, but my current router (Router B) does. But I think I'm avoiding the need to separate the cameras and NVR on a VLAN by physically separating them, placing them on their own route, correct?

If I understand correctly, if I were to keep Router A disconnected from the internet altogether (never plug it into the ISP Modem/Router), I would still be able to access the NVR from the app on my phone as long as I connected to that WiFi network? And that would physically secure them, but I wouldn't be able to access the NVR when not at home and connected to the Router A WiFi network.

Still reading all the many pages on this thread and learning as I go.

Thanks again!
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Is the ISP modem/router running as a modem and router, or only as a modem? If only a modem, how are you going to combine the signals? Where is the DDNS going to run? As a note, running multiple routers on a home network is just asking for problems.
 

CaseyJones

Young grasshopper
Joined
Sep 28, 2020
Messages
40
Reaction score
12
Location
Live Oak, FL
Is the ISP modem/router running as a modem and router, or only as a modem?

The ISP Modem/Router is currently running as both a modem and WiFi router. It's broadcasting out its own WiFi network; it's extremely slow though. Standing beside it I only get around 30Mbps download. It has a few devices wired directly into it and one or two devices that are nearby that don't require a super high speed connection on its WiFi network. Since the WiFi range of the ISP Modem/Router is horrendous, I have a second WiFi router wired into the ISP Modem. It creates its own WiFi network separate from the ISP Modem/Router, and on this WiFi network I get speeds around 110Mbps download.

If only a modem, how are you going to combine the signals?
Combine signals? Right now I have the two routers running as separate WiFi networks.

Where is the DDNS going to run?
I haven't gotten as far as learning how to set up the DDNS yet, still reading through the pages and pages of posts on this thread. Suggestions?

As a note, running multiple routers on a home network is just asking for problems.
For security reasons or other issues? The modem is ISP provided. I guess I could turn off its own WiFi network; I don't really use it except for a few devices nearby and to clear up my second network of traffic that I need to reach the far ends of my house. But even that isn't cutting it. I attempted to set up a mesh network and no matter what I did, the access point I installed on the floor opposite the main router would run at 100Mbps+ for a few moments and then drop into the teens no matter what I tried. I finally settled with just running the one WiFi 6 router (in addition to the ISP Modem/Router) and settled for 30-40Mbps when not near the router.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Your second router is NOT a router, it is an access point. It is not routing anything, it is providing a WiFi connection into your network. If you are using two WiFi devices to "access" the internet and they are not set correctly, they will interfere with each other. Are you using 2.4 GHz or 5 GHz or both? What are the channel numbers set to for each on all your "router devices"?

Provide the make and model number of
1) ISP modem/router
2) the access point "router A"
3) the access point "router B"
 

CaseyJones

Young grasshopper
Joined
Sep 28, 2020
Messages
40
Reaction score
12
Location
Live Oak, FL
Your second router is NOT a router, it is an access point. It is not routing anything, it is providing a WiFi connection into your network. If you are using two WiFi devices to "access" the internet and they are not set correctly, they will interfere with each other. Are you using 2.4 GHz or 5 GHz or both? What are the channel numbers set to for each on all your "router devices"?

Provide the make and model number of
1) ISP modem/router
2) the access point "router A"
3) the access point "router B"

@SouthernYankee sent you a DM
 

CaseyJones

Young grasshopper
Joined
Sep 28, 2020
Messages
40
Reaction score
12
Location
Live Oak, FL
Any disadvantages to running OpenVPN/WireGuard on a Pi vs on a router like an Edgerouter X? The router I have now has OpenVPN installed (available/capability?) but I'm looking to upgrade to a UniFi system and would like to use the USG over the Edge. Seeing as adding OpenVPN/WireGuard appears to be simpler to do on a Pi using PiVPN Project I'm thinking about going that route.
 

spile

Young grasshopper
Joined
Jun 11, 2020
Messages
53
Reaction score
18
Location
Midlands UK
Any disadvantages to running OpenVPN/WireGuard on a Pi vs on a router like an Edgerouter X? The router I have now has OpenVPN installed (available/capability?) but I'm looking to upgrade to a UniFi system and would like to use the USG over the Edge. Seeing as adding OpenVPN/WireGuard appears to be simpler to do on a Pi using PiVPN Project I'm thinking about going that route.
Cost factor? Additional Ethernet and power?...
As for simplicity, I found the RPi installation straightforward.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Setting up OpenVPN on the router, if you have a supported router, is simple. So there is no additional cost of a Pi device, and there is one less device to maintain.

I use the stock ASUS router, it took about 1 hour to get it set up, and get BI app up and running on my Android phone connected remotely.
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
Setting up OpenVPN on the router, if you have a supported router, is simple. So there is no additional cost of a Pi device, and there is one less device to maintain.

I use the stock ASUS router, it took about 1 hour to get it set up, and get BI app up and running on my Android phone connected remotely.
yes same....

see here:

from above link go here:

Very simple
 

pbc

Getting comfortable
Joined
Jul 11, 2014
Messages
1,024
Reaction score
156
Hmmm... received an email from my ISP about my network apparently being infiltrated by the Mirai virus. I think it was likely when I was upgrading an old router to DD-WRT this past weekend, as the date of the scan which showed the virus happened to be the same day I was upgrading that old router (and I had to open up a telnet port while doing it).

Can't seem to find a Mirai scanner, which is frustrating, since technically it can be on any IoT device that runs Linux.

I ran a scan on my Dahua and Hik cameras (which are all connected to my network via a PoE switch, and I only use WireGuard to access them from outside my network). Is it normal for these ports to be "open"?

Dahua:
Discovered open port 80/tcp on 192.168.1.63
Discovered open port 554/tcp on 192.168.1.63
Discovered open port 8086/tcp on 192.168.1.63
Discovered open port 1935/tcp on 192.168.1.63

Hik
Discovered open port 80/tcp on 192.168.1.62
Discovered open port 443/tcp on 192.168.1.62
Discovered open port 554/tcp on 192.168.1.62
Discovered open port 8443/tcp on 192.168.1.62
Discovered open port 8000/tcp on 192.168.1.62

Probably deserves its own thread... but figured I'd check here first. Probably not my cameras at all, and hopefully now that the router is upgraded and the PW changed it's not an issue anymore.

Hard to believe no scanner exists for it!?
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,539
Reaction score
2,765
80 is the web port and 554 is the RTSP port, so yes on those. 8086 is a non-standard/registered port, so it can be used for anything. Not sure what 1935 is. Probably something Dahua-dependent.
So you don't have any port open on your firewall other than to allow connections to your WireGuard server?
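A small triage helper for scan output like the lines pbc posted, added here as an example and not code from this thread, from nmap or from any vendor: it parses nmap's "Discovered open port" lines, compares each camera against a constructed LAN baseline (80 web and 554 RTSP, which biggen calls expected, plus 443 HTTPS on the Hikvision), and separately checks a constructed list of router port-forward rules so that nothing but the WireGuard UDP port (assumed to be 51820, WireGuard's default) is exposed to the WAN. The baseline and rule format are assumptions for the example.

```python
import re
from collections import defaultdict

# Matches nmap's verbose "Discovered open port 554/tcp on 192.168.1.63" lines.
LINE_RE = re.compile(r"Discovered open port (\d+)/(tcp|udp) on (\d{1,3}(?:\.\d{1,3}){3})")

# Constructed copy of the scan lines posted above.
SAMPLE_SCAN = """
Discovered open port 80/tcp on 192.168.1.63
Discovered open port 554/tcp on 192.168.1.63
Discovered open port 8086/tcp on 192.168.1.63
Discovered open port 1935/tcp on 192.168.1.63
Discovered open port 80/tcp on 192.168.1.62
Discovered open port 443/tcp on 192.168.1.62
Discovered open port 554/tcp on 192.168.1.62
Discovered open port 8443/tcp on 192.168.1.62
Discovered open port 8000/tcp on 192.168.1.62
"""

# Constructed LAN baseline per camera: 80 = web UI, 554 = RTSP, 443 = HTTPS UI.
# Anything outside it means "look it up in the vendor docs", not "infected".
CAMERA_BASELINE = {
    "192.168.1.63": {80, 554},        # Dahua
    "192.168.1.62": {80, 443, 554},   # Hikvision
}

WIREGUARD_UDP_PORT = 51820  # assumed: WireGuard's default listen port

def parse_scan(text):
    """Return {host: {(port, proto), ...}} from nmap 'Discovered open port' output."""
    found = defaultdict(set)
    for m in LINE_RE.finditer(text):
        port, proto, host = int(m.group(1)), m.group(2), m.group(3)
        found[host].add((port, proto))
    return dict(found)

def unexpected_ports(found, baseline):
    """Open TCP ports per host that the baseline does not list (unknown host: all of them)."""
    report = {}
    for host, ports in found.items():
        allowed = baseline.get(host, set())
        extra = sorted(p for p, proto in ports if proto == "tcp" and p not in allowed)
        if extra: report[host] = extra
    return report

def forwards_other_than_vpn(forwards, vpn_port=WIREGUARD_UDP_PORT):
    """Router port-forward rules (constructed dict format) that expose anything but the VPN."""
    return [r for r in forwards if not (r["proto"] == "udp" and r["ext_port"] == vpn_port)]

if __name__ == "__main__": print(unexpected_ports(parse_scan(SAMPLE_SCAN), CAMERA_BASELINE))
```

Open ports seen from inside the LAN are only a problem if a forward rule or UPnP exposes them; the second check is the one to run against the router's actual forwarding table.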
 