VPN Primer for Noobs


Kitsap

Getting the hang of it
Joined
Jun 24, 2016
Messages
137
Reaction score
84
Location
Pacific Northwest
Hi, I would like to buy a router which works on DSL and has a built-in VPN server (no need for Wi-Fi).
I wonder how I can be sure that this router has a VPN?
There is less and less DSL equipment on the market. Once you pick a model, download the manual from the manufacturer's web site and read it.

Netgear still makes one I know of. Amazon link here:
Not really a "basic" model. Read the section about key features. Be sure and check with your ISP for compatibility.
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
70
Reaction score
15
Location
Israel
There is less and less DSL equipment on the market. Once you pick a model, download the manual from the manufacturer's web site and read it.

Netgear still makes one I know of. Amazon link here:
Not really a "basic" model. Read the section about key features. Be sure and check with your ISP for compatibility.
Thanks.
Do you refer to the AC1900 Nighthawk or to the AC1600? Do both have a built-in VPN server?
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
70
Reaction score
15
Location
Israel
What about this: TP-Link TL-R605?
I believe it can be used as a VPN server?
If so, I believe it should be connected after my DSL router/modem?
ISP-> DSL modem/router -> vpn server -> nvr
Is this the correct setup?
 

Kitsap

Getting the hang of it
Joined
Jun 24, 2016
Messages
137
Reaction score
84
Location
Pacific Northwest
What about this: TP-Link TL-R605?
I believe it can be used as a VPN server?
If so, I believe it should be connected after my DSL router/modem?
ISP-> DSL modem/router -> vpn server -> nvr
Is this the correct setup?
Basically yes, BUT. The TP-Link TL-R605 is a router with a VPN server that can be enabled and configured. The TP-Link TL-R605 is connected downstream from your DSL modem/router. Not good to have two routers on the same LAN without some special configuration tweaks. You would need to be certain the DSL router/modem can be configured to disable the router and Wi-Fi function. That does not mean to just turn off the Wi-Fi, it means to disable the router function. Often this configuration is referred to as bridge mode with the combination device functioning as a modem only. There may be a configuration combination that would work with the DSL router/modem still functioning, but that is beyond the scope of this conversation.

Good luck!
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
70
Reaction score
15
Location
Israel
Basically yes, BUT. The TP-Link TL-R605 is a router with a VPN server that can be enabled and configured. The TP-Link TL-R605 is connected downstream from your DSL modem/router. Not good to have two routers on the same LAN without some special configuration tweaks. You would need to be certain the DSL router/modem can be configured to disable the router and Wi-Fi function. That does not mean to just turn off the Wi-Fi, it means to disable the router function. Often this configuration is referred to as bridge mode with the combination device functioning as a modem only. There may be a configuration combination that would work with the DSL router/modem still functioning, but that is beyond the scope of this conversation.

Good luck!
Thanks!
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
70
Reaction score
15
Location
Israel
Another question:
Is a camera or an NVR which is placed remotely, but connected via a private VPN, considered a local network element?
(E.g. a home VPN client is connected to the office VPN server where the camera/NVR are located.)
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Another question:
Is a camera or an NVR which is placed remotely, but connected via a private VPN, considered a local network element?
(E.g. a home VPN client is connected to the office VPN server where the camera/NVR are located.)
Yes and no. Generally, you can connect to it using a local IP address and otherwise access it as if it were on your local network. But it's not actually on your local network.

A little into the weeds, but the VPN routes traffic from the remote network internally through its own IP address space (e.g., 10.0.0.0) which it then assigns a local IP address. The VPN manages routing and address translation across the three networks. You won't notice the distinction in most typical practical use but it does make a difference in some cases. E.g., the firewall at the router typically sits ahead of the VPN and still considers that traffic external to your network. So whatever rules and other limitations may apply will affect that traffic.

As a practical example, if at your router/firewall you block external Internet access for a camera on your network, then by default, as most work, you then won't be able to access that camera over the VPN even if connected. The blocking rule at the router/firewall sits ahead of the VPN and still sees that traffic as external so it doesn't let it get through. In that case, you'd need to create an exception or otherwise change how routing of that traffic works in order to access it directly over the VPN, or, leaving the block in place, access the camera's stream indirectly through some other system like BI or another VMS that isn't blocked.
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
70
Reaction score
15
Location
Israel
Yes and no. Generally, you can connect to it using a local IP address and otherwise access it as if it were on your local network. But it's not actually on your local network.

A little into the weeds, but the VPN routes traffic from the remote network internally through its own IP address space (e.g., 10.0.0.0) which it then assigns a local IP address. The VPN manages routing and address translation across the three networks. You won't notice the distinction in most typical practical use but it does make a difference in some cases. E.g., the firewall at the router typically sits ahead of the VPN and still considers that traffic external to your network. So whatever rules and other limitations may apply will affect that traffic.

As a practical example, if at your router/firewall you block external Internet access for a camera on your network, then by default, as most work, you then won't be able to access that camera over the VPN even if connected. The blocking rule at the router/firewall sits ahead of the VPN and still sees that traffic as external so it doesn't let it get through. In that case, you'd need to create an exception or otherwise change how routing of that traffic works in order to access it directly over the VPN, or, leaving the block in place, access the camera's stream indirectly through some other system like BI or another VMS that isn't blocked.
Thank you very much for the detailed answer.
I just wonder how come the camera (assuming its port is blocked by the firewall) is still available for the VMS? If it is too complicated, I'll pass. Thanks.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Because in that case the traffic is internal to the same network and not passing through the router/firewall/VPN. So it's not blocked by a rule prohibiting traffic originating from the cam destined to an external address outside of the same address space. In the same way, you still can access the cam internally when on your own network even when it's blocked from Internet access at the router/firewall since your traffic to/from it is local. When you move to the VPN, as above, it then has to pass through the router/firewall and is subject to the block.
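The behaviour Mike A. describes in the two answers above (LAN-to-LAN traffic never reaching the router, VPN-client traffic being caught by the camera's egress block, and an unblocked VMS host still able to relay the stream) as a small constructed model. This is an added example, not code from any poster or vendor; every address is made up, and the firewall is modelled as a stateless per-direction rule, which is an assumption.

```python
from ipaddress import ip_address, ip_network

# Constructed addresses for the scenario discussed in the thread.
LAN = ip_network("192.168.1.0/24")      # home/office LAN behind the router
VPN_POOL = ip_network("10.8.0.0/24")    # address pool the VPN hands to remote clients
CAM = ip_address("192.168.1.50")        # camera that is blocked from the Internet
VMS = ip_address("192.168.1.10")        # BI / VMS host on the same LAN, not blocked
VPN_CLIENT = ip_address("10.8.0.2")     # phone or laptop connected through the VPN


def crosses_router(src, dst):
    """Two hosts on the same LAN subnet talk through the switch; only traffic
    that leaves the subnet is routed, and therefore seen by the firewall."""
    return not (src in LAN and dst in LAN)


def router_allows(src, dst, block_cam_egress=True, vpn_exception=False):
    """Edge rule: 'drop packets from the camera to any address outside the LAN'.
    Assumed stateless: each direction is judged on its own, as the thread
    describes (replies to a VPN client are 'external' and get dropped)."""
    if not crosses_router(src, dst):
        return True                      # never reaches the router at all
    if block_cam_egress and src == CAM and dst not in LAN:
        # Optional exception: let the camera answer the VPN client pool only.
        return vpn_exception and dst in VPN_POOL
    return True


def can_reach(client, server, **rule):
    """A viewing session needs the request AND the camera's reply to pass."""
    return router_allows(client, server, **rule) and router_allows(server, client, **rule)


if __name__ == "__main__":
    print("VMS -> camera (local):        ", can_reach(VMS, CAM))
    print("VPN client -> camera:         ", can_reach(VPN_CLIENT, CAM))
    print("VPN client -> camera, except.:", can_reach(VPN_CLIENT, CAM, vpn_exception=True))
    print("VPN client -> VMS (relay):    ", can_reach(VPN_CLIENT, VMS))
```

The last line is the indirect path from the answer: the VPN client reaches the VMS, and the VMS reaches the camera locally, so the block on the camera never comes into play.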
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
70
Reaction score
15
Location
Israel
Hi, I have several questions...

- If implementing a VPN in my network, by using a new/fresh router - is additional firewall configuration needed on this router?

- If my VPN server router has different LAN segments (different subnetworks) - will all be accessible to the VPN client?

- Can an OpenVPN app (on Android) allow specific apps to use the VPN? - if so, can the VPN tunnel live alongside the public traffic at the same time without disconnecting?

- Can I use No-IP account instead of a static IP - will it harm my network security?

- On the remote site - where the VPN server is located - can I set an external (public) NTP server's address, or might it create a security flaw in my VPN router? - do I need to do it, or will PC sync for each device do?
Will using an external NTP server require doing the same on each of my clients, in order that they will be synchronized with the VPN server?

- On a Windows PC, while using a VPN client - is it possible to restrict the VPN to a VMS app only? - I don't want to use the low speed of the VPN server for my other web browsing.

- Currently, I'm using the DMSS app (Android) + P2P. Any other suggested application?

Thanks.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Hi, I have several many questions...
^ FIFY ; )

- If implementing a VPN in my network, by using a new/fresh router - is additional firewall configuration needed on this router?
Depends on what else you want to do as far as incoming/outgoing traffic. As above, by default most all will block all unsolicited traffic destined to your edge/public IP address. If the router/firewall doesn't automatically open a port for the VPN as part of its configuration, then you'd need to do that. If you want to block outgoing traffic from your cams by MAC address, you'd need to do that. If you want to open up traffic for some other purpose, you'd need to do that. Etc., etc.

- If my VPN server router has different LAN segments (different subnetworks) - will all be accessible to the VPN client?
By default in most all cases, no. You'd need to set up some routing within your network to do that, or scope the address so that it's supernetted, or maybe could do with different VPN profiles assigning different client IPs to different subnets.

- Can an OpenVPN app (on Android) allow specific apps to use the VPN? - if so, can the VPN tunnel live alongside the public traffic at the same time without disconnecting?
I don't use Android for that purpose much but believe that can be done in various ways. Will depend some on the VPN/client used. Yes, as above, you can split the traffic routing based on destination.

- Can I use No-IP account instead of a static IP - will it harm my network security?
Yes - No. The DNS just serves as a lookup table for your public IP address. No-IP and other DDNS services just update DNS dynamically with your current IP address. What happens from there is on you. Kind of like a name listing in a phone/telephone book. The name is associated with a number which is returned to be used to make whatever connection.

- On the remote site - where the VPN server is located - can I set an external (public) NTP server's address, or might it create a security flaw in my VPN router? - do I need to do it, or will PC sync for each device do?
Will using an external NTP server require doing the same on each of my clients, in order that they will be synchronized with the VPN server?
By default in most cases, traffic from your server to an external NTP server originates from within your network and is outgoing solicited traffic so will be passed through to whatever device requests it. Technically, there have been some potential vulnerabilities with NTP but practically nothing that you need to be concerned with. Better to use NTP vs PC sync. The former is updated on a periodic basis, the latter is not and will drift over time. Generally, what's best to do is to run a local NTP server which then permits you to isolate your cameras from getting outside and/or however you may have them restricted within. As explained above in the case of BI/VMS, the NTP server will have permission to contact an outside NTP server to get time. The cameras then will connect to the local NTP server (vs an outside source) to periodically pull the correct time. Since that traffic is internal, the cams can remain blocked from any connections outside of whatever other scope.

- On a Windows PC, while using a VPN client - is it possible to restrict the VPN to a VMS app only? - I don't want to use the low speed of the VPN server for my other web browsing.
I've not tried to do that but possibly so using the Windows firewall and permitting/restricting traffic by program along with defining how the tunneling is split for the VPN as explained earlier.

- Currently, I'm using the DMSS app (Android) + P2P. Any other suggested application?
I and lots of others here use BI and its app/UI3 but that's a whole 'nuther thing that you'll have a million questions about. ; )
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
70
Reaction score
15
Location
Israel
Hi,
I didn't get the idea of configuring my OpenVPN server to listen on port 443.
I believe that choosing a different port (other than 443) doesn't make my network (on the VPN server) more vulnerable.
How can setting the VPN with port 443 help?
Is any additional configuration needed on other devices in this network (changing their port to 443 as well)?
Thanks.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Not sure where you saw that but generally you don't need to do it. By default the OpenVPN server will run on port 1194. Using port 443 typically would be when you need to hit the VPN from another network that might not allow traffic out other than that destined to a few standard ports (80, 443, etc.). Some other cases where you might, but not common. Just leave it set to 1194 UDP in most cases. If you wanted to change it to some other higher port number it would help a little to save you from some wide-scale automated attack, but pretty much every port gets scanned these days 24x7 so that doesn't really help all that much.
 

Barboots

Pulling my weight
Joined
Mar 15, 2018
Messages
408
Reaction score
241
Location
Perth, Western Australia
- Can an OpenVPN app (on Android) allow specific apps to use the VPN? - if so, can the VPN tunnel live alongside the public traffic at the same time without disconnecting?
Yes, I have seen that setting while poking around. The two effective connections run concurrently.
 

flynreelow

Known around here
Joined
Dec 12, 2016
Messages
1,198
Reaction score
1,086
Setting up a new PiVPN with WireGuard.

I'll let you know how it turns out.
 

spile

Young grasshopper
Joined
Jun 11, 2020
Messages
53
Reaction score
18
Location
MIdlands UK
Setting up a new PiVPN with WireGuard.

I'll let you know how it turns out.
I've been running WireGuard on a Raspberry Pi 4 for a few years. Very reliable and easy to use. I now access my cameras and NAS through the VPN server.
 

flynreelow

Known around here
Joined
Dec 12, 2016
Messages
1,198
Reaction score
1,086
I've been running WireGuard on a Raspberry Pi 4 for a few years. Very reliable and easy to use. I now access my cameras and NAS through the VPN server.
Thank you.

Brand new to the Pi world. Just bought a Pi 400 (with the 4 GB and keyboard).

Can't wait to get this up and running.
 

Barboots

Pulling my weight
Joined
Mar 15, 2018
Messages
408
Reaction score
241
Location
Perth, Western Australia
If I have an OpenVPN server running at home on an Asus router and a remote client connected, is it possible (within the VPN framework) to view the client device from the home network, or would this require the server/client roles to be reversed?

I have set up a remote site with a few cams and was hoping to be able to tunnel into the site. I can access my home network from the remote site, but can't seem to "look the other way". Is my realisation that this is due to the server/client relationship correct?

The current network devices at the remote site do not have OpenVPN server capabilities.
The 5G modem is Android based, and apparently Android requires Root to perform as server. The POE switch is dumb. I'm curious if anyone has any alternative (secure) solutions for me to consider.
 