VPN considerations

Ainsophaur (n3wb, Los Angeles, CA, joined Mar 16, 2017)
I'm in the process of choosing my equipment for my home surveillance system. I'm leaning toward Dahua products. I will obviously want to see my cameras from my smart phone or computer when I'm away from home. So I'm curious what I will need to implement to make sure that is possible.

My home network is as follows:

INTERNET--->CABLE MODEM/ROUTER--->Ubiquiti EdgeRouter X--->Ubiquiti POE EdgeSwitch--->Ubiquiti UniFi

I currently use the VPN service PRIVATE INTERNET ACCESS (PIA)

It's set up on my computers and smart phone currently.

  1. Is there a way to integrate PIA into my LAN so that all devices on the LAN route their traffic through the VPN?
  2. Is there a way to utilize PIA as a tunnel back to my home network in order to access my surveillance cameras?
  3. I've read that port forwarding is a big security no-no, right?
  4. I've watched tutorials that explain how to set up L2TP VPN on the EdgeRouter to allow tunneling into a range of device IPs on the network. Is that all I need to do to make it possible to access my NVR?
Thanks in advance for your help. This is an amazing forum and I've learned so much already.
 

cybermech (Getting the hang of it, joined Jan 24, 2017)
Paid vpn services exist to allow someone to anonymously surf the internet. The vpn client on your router provides a secure tunnel through the internet between you (when you're not at home) and your home router. These are 2 separate and very different things.
Easier to quote myself on this one. =)

Paid vpn service like PIA = anonymous web surfing. You vpn to them for this.

Separately, a vpn client running on your router provides you the ability to "phone home" to your router and access your home network securely while away from home. This is the vpn you need to set up, not PIA. Keep PIA if you want to anonymize your web surfing, but you still need to set up the vpn client on your router to access your cameras.
 

ShawnB (n3wb, joined Mar 26, 2017)
As cybermech said, you basically will need to set up two VPN systems to accomplish what you want.

The EdgeRouterX can be configured to create an outgoing (OpenVPN) connection to one of the PIA servers, and then route all (or certain) LAN traffic that is destined for the internet through that "tun" (tunnel) interface instead of directly to the "eth" interface that your cable modem is connected to.

The EdgeRouter X can also be configured to act as an OpenVPN (or L2TP) server, so your phone/computer can establish a VPN connection back to your home LAN just like it does to PIA. You will need to make sure your cable modem/router is in "bridge" mode so that the public IP is passed directly to the EdgeRouterX, and if you have a dynamic IP address, use a Dynamic DNS service that the EdgeRouterX can keep updated.

Generally, there isn't a reasonable way to use the PIA connection to tunnel back to your LAN (for the typical PIA user, this "feature" would be considered a security risk).

Also, it's probably unlikely that you could use your phone to connect to PIA VPN first (to "anonymize"), and then establish a second VPN connection through PIA back to your LAN. You probably would want to leave your phone connected to PIA, and then disconnect and connect to your home VPN instead when you want to view your cameras. Theoretically, you should be able to set your phone to route all traffic to your home VPN when connected, and then configure the EdgeRouterX to route all "internet"-destined traffic that comes IN through the VPN server tunnel back out through the PIA VPN tunnel. Your needs may vary, but that would be secure enough for me.

I wouldn't recommend port forwarding to any device other than a VPN server. It's still possible that someone could exploit a security hole on your router or the VPN server, but it's better than having a dozen different random devices that anyone on the internet can probe and try to compromise as a way into your home LAN.

FWIW, you can do a lot with the EdgeRouterX but prepare to spend hours/days/weeks searching the Ubiquiti forums for general direction and then trial-and-error at the CLI until you get it working for your particular setup. There are also broader considerations that you have to think through (e.g. if you're trying to force all outgoing traffic through PIA: where are the DNS requests going? what happens if the PIA connection fails and you don't know it, did you add a black hole route or is it just defaulting back direct to your cable modem? etc). It may be more straightforward to look into a router with Tomato or DD-WRT firmware that has web GUI configuration for some of these more advanced but somewhat "typical" uses and PIA provides instructions/support for configuring.
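One way to automate the "what happens if the PIA connection fails and you don't know it?" and "where are the DNS requests going?" checks ShawnB raises, as an added example that is not from the thread or from Ubiquiti: it runs in the EdgeRouter's own Linux shell and assumes vtun1 is the OpenVPN client tunnel to PIA and eth0 is the WAN port (both names are assumptions).

```shell
#!/bin/sh
# Added example, not from the thread. Classifies the routing state ShawnB asks
# about: is LAN traffic leaving through the PIA tunnel, being dropped by a
# blackhole route, or quietly falling back to the cable modem?
# Run on the EdgeRouter as:  classify_routes "$(ip route show)"
# Assumed interface names: vtun1 = OpenVPN client tunnel to PIA, eth0 = WAN.
PIA_IF="vtun1"
WAN_IF="eth0"

# classify_routes "<output of ip route show>" prints exactly one word:
#   TUNNELED    a default route (or OpenVPN's 0.0.0.0/1 "def1" half-route)
#               points at the PIA tunnel: the expected steady state
#   LEAKING     no tunnel route, but a live default route via the WAN port:
#               traffic is silently going straight out the cable modem
#   FAILCLOSED  no tunnel route and only a blackhole default remains:
#               traffic is dropped until the tunnel comes back
#   NOROUTE     no default route at all
classify_routes() {
    routes="$1"
    if printf '%s\n' "$routes" | grep -Eq "^(default|0\.0\.0\.0/1) .*dev $PIA_IF( |$)"; then
        echo TUNNELED
    elif printf '%s\n' "$routes" | grep -Eq "^default .*dev $WAN_IF( |$)"; then
        echo LEAKING
    elif printf '%s\n' "$routes" | grep -Eq "^blackhole default( |$)"; then
        echo FAILCLOSED
    else
        echo NOROUTE
    fi
}

# dns_leak_check "<contents of /etc/resolv.conf>" "<space-separated resolvers
# the VPN provider pushed>" prints OK when every nameserver is one of the
# pushed resolvers, else LEAK (queries would go to the ISP/modem resolver).
dns_leak_check() {
    resolv="$1"; allowed="$2"; status=OK
    for ns in $(printf '%s\n' "$resolv" | awk '/^nameserver/ {print $2}'); do
        case " $allowed " in
            *" $ns "*) ;;          # resolver came from the VPN: fine
            *) status=LEAK ;;      # anything else bypasses the tunnel
        esac
    done
    echo "$status"
}
```

This inspects the main kernel table only; if you steer LAN traffic with EdgeOS policy-based routing into a separate table, feed it `ip route show table <N>` instead.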
 

fenderman (Staff member, joined Mar 9, 2014)
[quoting ShawnB's reply above]
There is no reason to use PIA to remotely access your cameras... no reason to over-complicate it for the poor guy. All he needs to do is run a VPN server on his router, connect to it on his cell, done.
 

ShawnB (n3wb, joined Mar 26, 2017)
[quoting fenderman's reply above]
OP asked, I answered. The only other response the "poor guy" got couldn't differentiate correctly between a VPN server and a client. OP wants both a VPN client and server on his router; if you think my response was over-complicated, you should try walking him through the setup for that on an EdgeRouterX.
 

fenderman (Staff member, joined Mar 9, 2014)
[quoting ShawnB's reply above]
Your response was pointless and silly... why mislead someone when they are obviously confused?
 

Camit (Pulling my weight, joined Feb 7, 2017)
It's simple: as most have said already, there are 2 types of VPN you can have. One is paid to hide your WAN IP and location, etc.; the other is to remote into your LAN. It's confusing, but you DON'T need PIA for what you wanna do. Look at VPNs like Hamachi, Freelan, etc.
 