VPN Primer for Noobs

SouthernYankee · Jul 26, 2018

If you are at home you do not need to use OpenVPN. When OpenVPN is in use, all traffic goes to the home network, then out to the internet, you may be being blocked by your home router.

nuraman00 · Jul 27, 2018

m4paws said:
Before connecting to the VPN, the VMS7000 app would said "connection failed" when I would try to access the cameras. Only after connecting to the OpenVPN first was I able to access the cameras. Which OpenVPN app are you using on your phone? I use OpenVPN Connect (I had previously tried OpenVPN for Android but had problems). Today, I started the OpenVPN app on my phone and then typed in my camera's IP address and was able to access the camera's browser page. I don't believe you should be logging directly into your router, but rather use your camera's IP address.

I am also using OpenVPN Connect.

randytsuch · Jul 27, 2018

FWIW, I tried out an android app call RouterCheck last night.
It found I had an open port, the FTP port. I guess either Asus, or me (without realizing) opened the port when I connected a HDD to the router to use as a NAS, and enabled the FTP function.
So Routercheck found the open port, I disabled FTP and no more open ports.

Randy

anon71 · Jul 27, 2018

I have a DDNS question related to VPN. I am in the process of setting up OpenVPN server on a secondary router. it will be a router-behind-a router setup, with the secondary router being only an access point (which it is now) and a VPN server. My primary cable router is an Arris NVG589 (192.168.1.254), which is connected LAN to LAN with the secondary router, a Linksys E1200 flashed with DD-WRT (192.168.1.1). I want to keep both routers on the same subnet if possible. I have not set up OpenVPN yet on the secondary router - I figured I'd start with getting DDNS squared away. I created a No-IP account and entered the relevant login info in the DDNS tab in DD-WRT. "Use external ip check " is set to "No".

The problem: I get the following errors when it tries to update:

Fri Jan 2 21:52:29 1970: W: DYNDNS: Error: device has no WAN Address
Fri Jan 2 21:52:29 1970: W:'RC_ERROR' (0x1) updating the IPs. (it 303)

Any thoughts?

Terk · Jul 27, 2018

DDNS has to be setup on the primary router because the whole point of DDNS is to register the current WAN address which a router behind the primary wouldn't be able to see. Also VPN on that secondary router will be chalanging as well since you would have to open any necessary ports from the WAN through the primary router to the secondary router. It would be a lot easier if you could setup DDNS and VPN on the primary router and just leave the WRT as an AP.

anon71 · Jul 28, 2018

Thanks Terk - that explains it. That probably also means that the NTP client I set up on the secondary router won't work either without port forwarding, right?

It would be a lot easier to set up the VPN/DDNS on the primary router, but the NVG589 is a lousy cable company router, and it won't let you. I just checked, and I see no settings that allow me to set up DDNS on it, either. Is there really not an easy way to get around this with port forwarding? I already know I have to port forward UDP 1194 to the second router for the VPN. which doesn't seem complicated. Is there really nothing similar (or different) that I can do for DDNS, and if I am following all this, NTP?

In case it helps, I have Blue Iris set up on a PC behind the second router.

m4paws · Jul 30, 2018

anon71 said:
Thanks Terk - that explains it. That probably also means that the NTP client I set up on the secondary router won't work either without port forwarding, right?

It would be a lot easier to set up the VPN/DDNS on the primary router, but the NVG589 is a lousy cable company router, and it won't let you.

I actually used to have that NVG589 and if I remember correctly, there weren''t a whole lot of options. Just wondering if there is any way to set it in bridge mode so you're just using the modem part, and then use your other router for routing and putting DDNS on.

Maybe something here will be helpful: nvg589 bridge mode - Google Search

Terk · Jul 30, 2018

Another possible option is a lot of cable companies allow you to buy your own modem to use rather than paying to rent theirs and you can then get one that is just a modem and not a modem/router combo. This will usually save you money in the long run as well.

randytsuch · Jul 30, 2018

Terk said:
Another possible option is a lot of cable companies allow you to buy your own modem to use rather than paying to rent theirs and you can then get one that is just a modem and not a modem/router combo. This will usually save you money in the long run as well.

I've owned my modem for a long time. And you don't have to buy the newest/faster/most expensive one. You just need one that's faster than the rates you get with your plan.
I have a Arris modem, its been reliable and works well.

randytsuch · Aug 1, 2018

I've been playing with new Home Automation software lately, and stumbled on this thread yesterday
Home Assistant security concern

Its relevant to this thread because some HA users were hacked because they had open (forwarded) ports so they could access HA when away from home.

Its a long thread, but if you read the beginning you'll get the point of what happened.

I think they eventually figured out there was a security flaw in HA, which coupled with an open port, and a default samba configuration that allows guests (no password needed), well it was like leaving your front door open.
Guys were able to hack into a network without any passwords.

So another reminder to turn off all port forwarding.
And the tool I linked to a few posts ago works well to check for open ports. I had an open port because of FTP, not because I had forwarded any ports.

Randy

58chev · Aug 1, 2018

randytsuch said:
So another reminder to turn off all port forwarding.
And the tool I linked to a few posts ago works well to check for open ports. I had an open port because of FTP, not because I had forwarded any ports.

Randy,
did you run the app from within your network or while you were out and connected by VPN?

randytsuch · Aug 1, 2018

58chev said:
Randy,
did you run the app from within your network or while you were out and connected by VPN?

From home in my network.

anon71 · Aug 3, 2018

Mpaws - Thanks - I looked into the bridge mode. It's possible with the NVG589, but it's not terribly straightforward, and I was hoping to do this without messing too much with the cable company device.
Randy/Terk - I'd buy my own modem in a heartbeat, but the cable company won't provide one, and apparently there isn't a better one compatible with UVerse anyway.

What if I took the second router out of the loop and ran the VPN server on the Blue Iris computer? Does that solve the problem without having to resort to bridge mode?

Barboots · Aug 9, 2018

Terk said:
DDNS has to be setup on the primary router because the whole point of DDNS is to register the current WAN address which a router behind the primary wouldn't be able to see. Also VPN on that secondary router will be chalanging as well since you would have to open any necessary ports from the WAN through the primary router to the secondary router. It would be a lot easier if you could setup DDNS and VPN on the primary router and just leave the WRT as an AP.

Until yesterday I was using a VPN router behind my ISP modem/router. The VPN router was able to identify the changing WAN address, and no ports were forwarded on the modem/router to allow traffic to reach the VPN router. I've been using it daily for 7 weeks while overseas to both check my cams and also for protection on insecure networks.

I changed equipment yesterday only because I am finally on fibre and none of the above components would have kept up with the network speed available... but it worked fine and passed GRC's tests, plus the port scanner posted recently.

Cheers, Steve

brentkhack · Aug 19, 2018

I had an ASUS router with OpenVPN built in and was able to connect on my Samsung S8 using the app and then the BI app. I have since replaced the ASUS router with a Unifi USG router and that seem very complicated to install any VPN. So as of now I have installed on my computer, which runs BI, open VPN but do not know what my next step is to be able to view outside my network. Would I be able to use the ASUS ovpn profile with my new setup? Thanks.

nuraman00 · Aug 22, 2018

Barboots said:
Heading off topic, but every device will have an IP address. Enter the it into your browser on the home network and you will see the device... same on a mobile device once you have the VPN running and connected.

For mobile viewing a similar NVR and my cameras I use Gdmss... from the Google Play Store. I think iDevices use Dmss.

Cheers, Steve

Is there only a "Gdmss Lite", or is there a non-lite version too?

nuraman00 · Aug 22, 2018

brentkhack said:
I had an ASUS router with OpenVPN built in and was able to connect on my Samsung S8 using the app and then the BI app. I have since replaced the ASUS router with a Unifi USG router and that seem very complicated to install any VPN. So as of now I have installed on my computer, which runs BI, open VPN but do not know what my next step is to be able to view outside my network. Would I be able to use the ASUS ovpn profile with my new setup? Thanks.

I am not sure, but I think if you have a new router, then you'll need a new profile. That's my guess.

Barboots · Aug 22, 2018

nuraman00 said:
Is there only a "Gdmss Lite", or is there a non-lite version too?

GDMSS Plus.

I don't mean to be mean, but I wonder if you even looked before asking?

nuraman00 · Aug 22, 2018

Barboots said:
GDMSS Plus.

I don't mean to be mean, but I wonder if you even looked before asking?

I looked this morning, and all I was seeing was Gdmss Lite. Almost every result through the first 2 pages of searching.

It didn't make sense for me to see a Lite without seeing any other version, and I wasn't finding another version. So after a few minutes of searching and not finding anything else, that's why I asked here.

I then had to leave.

I can now see 2 ways to see of Gdmss Plus's existence.

If I go here:

Mobile/gDMSS Features - Dahua Wiki

Or, if I look at Google's "Searches related to gdmss", then it will tell me a similar search is for "gdmss plus".

But when I do a plain search for "gdmss" like I did this morning, I don't really see a good result for plus. Most results mention Lite.

FlexiPack · Aug 23, 2018

I'd really appreciate some advice on what would be the cheapest and easiest option for me to set up an always on vpn at home for my IP cam?

My router is a BT Home Hub and doesn't support vpn and I wouldn't want all my home Internet routed through a VPN, I only want the VPN for accessing my IP cam when away from home. I don't currently have a NVR. I have a PC but I don't want to leave that on all the time. I know you can use Rasp Pi's but I have no experience with those or Linux.

VPN Primer for Noobs

What VPN Solution are you using?

OpenVPN

IPSec/L2TP

on an OEM Asus Router

on a WRT flashed Router

on a pfSense Router

on my PC NVR (BlueIris, Milestone, etc)

on a dedicated device (Raspbery Pi, VPN Concentrator, etc)

ssh tunnels are the only way to roll

on my NAS (Synology, FreeNAS, etc)

on a OEM Netgear Router

Getting the hang of it

Pulling my weight

Getting comfortable

Pulling my weight

Getting comfortable

n3wb

Pulling my weight

Pulling my weight

Pulling my weight

Pulling my weight

Pulling my weight

Getting comfortable

Pulling my weight

n3wb

Getting the hang of it

Getting the hang of it

Pulling my weight

Getting the hang of it

n3wb