IPcam VPN & network setup

Newbuser

n3wb
Joined
Mar 25, 2018
Messages
18
Reaction score
0
Hi all,

So thanks to this site I've done my research and now have decided upon a Hikvision turret cam to start me off.

I'm starting to research networking so I can securely access cameras via VPN remotely. I have a TP-Link router with an OpenVPN server option. I'm wondering how to set this up and isolate the camera, or is this not required? I believe I'll also need to use dynamic DNS. It seems straightforward in the router setup, but I'd like to understand a little more about what I'm doing rather than just going with it.

I'd also like the option of my connection back to my VPN to allow Internet access for use when I am at local WiFi spots. I assume this won't expose my cameras/network in any way and will still be secure?

Any good sites of research/interesting reads greatly received, thanks
 

Newbuser

Hi Tony, it certainly does. I had already found that link relevant to my VR600. However, I'd like a bit of understanding around it. For example, I now need to obtain a fixed IP to enable the VPN or use a service such as NOIP. TP-LINK also offer remote access to the router, but I'm not sure how secure. The article I have found also states that if my ISP supplies a private WAN IP such as 192.168.1.x to my router then using Dynamic DNS is not an option? I'd just like to get a bit of a better understanding of these things.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,755
Reaction score
39,011
Location
Alabama
> Hi Tony, it certainly does. I had already found that link relevant to my VR600. However, I'd like a bit of understanding around it. For example, I now need to obtain a fixed IP to enable the VPN or use a service such as NOIP. TP-LINK also offer remote access to the router, but I'm not sure how secure. The article I have found also states that if my ISP supplies a private WAN IP such as 192.168.1.x to my router then using Dynamic DNS is not an option? I'd just like to get a bit of a better understanding of these things.

With the VPN on your router when accessing remotely your remote device won't be using anything relevant to WAN, including a hostname from a DDNS, as the VPN provides a secure tunnel from your remote device (where OpenVPN has also been set up) directly to your LAN. Therefore, where the remote device asks for WAN IP or hostname, you put in your router's LAN IP. No DDNS needed.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I disagree with TonyR, my guess is that when the TP-LINK router creates your OpenVPN file it will put your then-current WAN IP in the config, but unless you have static IP or DDNS, if your service provider ever changes your WAN IP your OpenVPN will cease to function. I'm not saying it won't work the first day, but it might abruptly stop working is all.

Full Disclosure: I could definitely be wrong as I don't have a TP-LINK router, but I bet you will need to either:
  1. get a static IP from your internet provider (usually this involves a charge)
  2. set up DDNS on your TP-LINK (instructions here)
Let us know once you get it working!
 

Newbuser

Sorry, just realised that's my local IP for the router, isn't it! Still unsure of the comment regarding the DDNS not working with that router IP though.
 

copex

Getting the hang of it
Joined
Feb 15, 2015
Messages
225
Reaction score
79
Location
Cumbria,England
OK, google "what is my ip". This will return your public IP address. Turn the router off for 5 mins, turn the router back on and again google "what is my ip". If the number is different then your ISP provides a dynamic public address. If the address is the same then you may have a sticky dynamic address; these normally need a disconnection of 24/48 hrs to change, or the router's MAC address changing.

With both sticky dynamic and dynamic public addresses you should use a DDNS service to update the public address if it changes, and thus you will always be able to connect the VPN to your router.

Now disconnect the WiFi on your phone and again google "what is my ip", then connect the VPN and again google "what is my ip". If the address changes then OpenVPN is routing all traffic across the VPN. If the address stays the same then OpenVPN is only routing local traffic (i.e. only requests to 192.168.x.x); then google "openvpn only route local traffic". Adding the device type will refine the results.

As for the "when you use the VPN, are the cameras exposed?" question: the answer is complicated, but the basic answer is no. But if the device that created the VPN was compromised then the cameras would be exposed, but only when the VPN was established.

Your router uses something called NAT to translate requests from the public IP address to the local IP address (e.g. public IP is 208.1.xx.77, IP of computer is 192.168.1.10). So when you request a web page the following happens, with a few bits missing to keep it simple:

192.168.xx.xx asks router for www.mywebpage.com, router asks www.mywebpage.com for the web page, www.mywebpage.com returns the web page to 208.1.xx.77, and the router then passes the web page to 192.168.1.10 and your computer displays the web page.

When using a DDNS server the request would be: 192.168.1.10 asks router for www.mywebpage.com, router asks www.mywebpage.com for the web page, www.mywebpage.com returns the web page to MYDDNSNAME.COM, and the router then passes the web page to 192.168.x.x.

Hope it makes some kinda sense...
 

TonyR

The need for DDNS is for your WAN (Public) IP. If you don't know whether it's dynamic (can change) or static (does not change) and your ISP can't tell you, maybe you can try this:

  • Open a browser, go to What Is My IP?
  • Write down your Public IP, also known as your 'WAN' IP (Wide Area Network).
  • Turn off power to your router and keep it unplugged for 5 minutes.
  • Plug your router back in; wait 2-3 minutes.
  • Open up What is My IP? again.
  • If your IP is the same as it was, it's likely static; if it's different, it's dynamic. This is not an absolute test, but if it DOES change, then it's definitely dynamic.
  • If it's dynamic, you will need to set up DDNS.
  • The simplest way is to have your router perform the updates to DDNS.
  • If it has no place for DDNS or no pull-down for your desired DDNS provider and no way to insert a custom DDNS, then check your NVR or camera. Most will service DDNS.
  • If none of those are available, you can have a client program running on your PC, provided free by your DDNS provider, that will update the DDNS provider with your latest WAN IP every few minutes or when it changes.
  • You choose a DDNS provider, create an account, sign in and create an available hostname, such as 'newuser.noip.us'.
  • From outside your LAN, whenever you access that hostname, the DDNS provider will look up your latest WAN (Public) IP and use that to find your router.
  • If you have a port forwarded in your router to a specific LAN IP, the URL of the hostname would have the port number preceded by a colon at the end of the hostname, such as 'http://newuser.noip.us:8080' or the like.
DISCLAIMER: This is not an advisory to recommend port forwarding.
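
The manual checks in copex's and TonyR's posts above (router WAN IP versus "what is my ip", the power-cycle test, and the phone test with the VPN off and on), written out as an added Python example that is not from any poster in this thread. The function names are illustrative and every address is a constructed documentation-range value.

```python
import ipaddress

# WAN-side ranges that are not reachable from the internet: RFC 1918 private
# space and RFC 6598 carrier-grade NAT space.
NON_PUBLIC = [ipaddress.ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "100.64.0.0/10")]


def wan_reachability(router_wan_ip, observed_public_ip):
    """Compare the router's WAN IP with the 'what is my ip' result."""
    wan = ipaddress.ip_address(router_wan_ip)
    seen = ipaddress.ip_address(observed_public_ip)
    if any(wan in net for net in NON_PUBLIC):
        return "behind-upstream-nat"  # a DDNS name would not lead to this router
    if wan != seen:
        return "address-mismatch"     # some other NAT or proxy is in the path
    return "directly-reachable"       # a static IP or DDNS name can reach the VPN port


def address_stability(ip_before, ip_after):
    """Power-cycle test: a change proves dynamic, no change proves nothing."""
    if ipaddress.ip_address(ip_before) != ipaddress.ip_address(ip_after):
        return "dynamic"
    return "static-or-sticky"


def tunnel_mode(ip_vpn_off, ip_vpn_on, home_public_ip):
    """Phone on mobile data: public IP with the VPN off versus on."""
    off, on, home = (ipaddress.ip_address(a)
                     for a in (ip_vpn_off, ip_vpn_on, home_public_ip))
    if on == home:
        return "full-tunnel"          # all traffic leaves through the home line
    if on == off:
        return "split-tunnel"         # only LAN-bound traffic uses the VPN
    return "unknown"


if __name__ == "__main__":
    # Constructed readings (documentation-range addresses, not real hosts).
    print(wan_reachability("192.168.1.2", "203.0.113.7"))
    print(wan_reachability("203.0.113.7", "203.0.113.7"))
    print(address_stability("203.0.113.7", "203.0.113.90"))
    print(tunnel_mode("198.51.100.20", "203.0.113.7", "203.0.113.7"))
```
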
 

TonyR

Man, @copex ...you beat me by 4 minutes! Good stuff...:D

P.S. - @Newbuser , I use No-IP, have 24 hostnames for $25/year, have had ZERO issues; have handed out a few to clients that access their Blue Iris servers remotely with the BI app on their phone. Other forum members report good results from other DDNS providers.
 

Newbuser

@TonyR @copex .

Brilliant! Such detailed answers which have really helped me understand what I wanted! It makes sense now. And after your advice I am up and running, albeit with some issues!

So I signed up to NOIP - I can use my router for the login so it will update the IP should it change, correct? I set up my hostname, all good. Checked my IP provided by my phone carrier, then turned off my WiFi and used mobile data, connected to the OPENVPN app on Android, asked for my IP and voila, the same as my ISP IP! It's routing all traffic through my (home) ISP.

The only issue I have is that when I go to my browser and type 192.188.1.x for the router on the WiFi, it works and opens the router; when I go through the VPN all I get is 403 Forbidden. Therefore I can't access my local network? So admittedly I currently have limited (OK, nothing but router and TV etc.) connected to my home network, but when I add the IP cam I assume this will also be forbidden. What am I doing wrong!!

Thanks again for all your help really great.
 

TonyR

403 has to do with permissions.
When going thru VPN are you putting in ":forwarded port#" at the end of the URL?
 

Newbuser

Have I missed a step?

I set up OpenVPN on the router, UDP, picked the service port which is where my client connects, but this isn't port forwarding as such, is it?

I've not forwarded ports as all I've seen on here is about not forwarding ports and the security issues with doing so! So are you saying the only way to access my network is to forward a port?

I assumed with my VPN server set up, I can remotely tunnel into my home network on any device with a certificate set up and it would be exactly like I was connected to the LAN.

Thanks
 

TonyR

> I've not forwarded ports as all I've seen on here is about not forwarding ports and the security issues with doing so! So are you saying the only way to access my network is to forward a port?

No, I'm not suggesting, only asking if you did forward a port, as that procedure was 'normal' when NOT using a VPN.

Instead, try this:
Go back to step #5 in the TP-LINK setup and instead as shown, check the radio button marked "internet and Home Network", save and re-boot router.
___________________________________________

tplink_VPN-step52.jpg
 