IP Cam <-> Web server direct connection and integration

victorfsan

n3wb
Joined
Mar 15, 2024
Messages
4
Reaction score
0
Location
Earth
I've been doing a lot of research lately, including this forum, into the possibility of implementing a direct interface between IP cameras (possibly Dahua, but I'm open to others) and a web server as part of a commercial solution.

My goal is to be able to have several cameras monitoring different geographical locations around the country and connected to the internet via a 4G modem, fiber or cable. Each monitored location would preferably have no NVR or computer managing it, only the camera and the wired internet access to minimize hardware requirements, power consumption and costs. These cameras should connect to my cloud server (with a fixed and public IP) which will receive the image from all the cameras and make it available for viewing to users accessing a website. The users may also control some camera functions, such as PTZ.

So far, I have been searching for ways to accomplish that goal but could not find the right path. Some of the possible solutions I've looked at and the difficulties encountered are as follows:
  1. Use DDNS + port forward + firewall rules on each modem so the server can access the cameras. Problem: Security risks; The IP address may not be public (CG-NAT); Lack of IPv6 support for some providers...
  2. Set up a VPN server on my cloud, the cameras connect to it so the server can access. Problems: May need additional hardware (like a Raspberry Pi with OpenVPN or WireGuard) on each camera site, because AFAIK the cameras don't have embedded VPN support (like some Asus routers)
  3. Tailscale or ZeroTier. Problems: As far as I know, both solutions are not free and would also require additional hardware as the VPN option above.
  4. Modifying or configuring the camera firmware so they initiate the communication with my cloud server, similar to how AliExpress cams that use apps such as ICSee, Yoosee, etc. work. Problems: Closed source?; Huge software development investment? Access to the needed documentation without being a Dahua partner/OEM?
I'd be very grateful if anyone has any ideas on how to proceed in this case
 

victorfsan

According to my research so far, I think maybe the most viable solution would be to have a router/gateway device like the GL.iNet GL MT300N/V2 or NanoPi R2S, running at every site where cameras are installed. Those routers are running OpenWRT firmware, which has support for WireGuard VPN. Those would be configured to connect (as a client) to a VPN server which I will be hosting on the cloud, alongside my webserver.

I would be very grateful if anyone could comment on this possible approach.
 

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
583
Reaction score
1,461
Location
Sammamish, WA
I suspect there won't be much experience here with doing that. The majority of users here are doing nearly the polar opposite of what you are trying to achieve. The majority of us are using NVRs and dual-NIC PCs to isolate our cameras from the outside world.
 

victorfsan

Hi guykuo, thanks for your reply!

I think my security concerns are similar to most of the users here. Maybe only the webserver part is different.
I don't want my cameras to be exposed to the "internet" or reached by unauthorized people, that is why I am looking for opinions on how to establish a secure and reliable connection between the cameras and the server, which are in different locations. My server will also have access control, so the intention is that only users with the right credentials and license key can have access/control to the cameras' stream. I plan on blocking the camera's ability to communicate with external IPs (so it can't phone home).

The ultimate goal would be recreating the DMSS Dahua App, but instead of using the Dahua or other third-party server, using my own. This is similar to what the Dahua OEMs do, all of them share the same Dahua hardware, but have different apps and cloud services. I was thinking if it would be possible to follow that route.
 

guykuo

So.... basically putting the cams on a VLAN. Maybe querying a networking site regarding the cheapest VLAN solution would be the route to take.
 

alekk

Pulling my weight
Joined
Aug 13, 2018
Messages
114
Reaction score
127
Location
Republic of Boulder
WRT #4, instead of a "push" from the camera to the web server/cloud, you might consider a "pull"- ffmpeg is your Swiss Army knife here.

It sounds like you are well aware of security issues ... so yea, make sure you have 'em locked down well.

BTW, I have some IPC-T54IR-ZE-S3's running version 5 of the web interface, and in the configuration under Security->Attack Defense->Firewall, you can set up an AllowList ... and (BONUS!) you can use a Range. So an additional layer of defense you can add - obviously should be more ... plus be careful you don't lock yourself out!
 

Molbo

n3wb
Joined
Oct 13, 2019
Messages
26
Reaction score
12
Location
Vancouver, Canada
> According to my research so far, I think maybe the most viable solution would be to have a router/gateway device like the GL.iNet GL MT300N/V2 or NanoPi R2S, running at every site where cameras are installed. Those routers are running OpenWRT firmware, which has support for WireGuard VPN. Those would be configured to connect (as a client) to a VPN server which I will be hosting on the cloud, alongside my webserver.
>
> I would be very grateful if anyone could comment on this possible approach.

That should work, just make sure you are using different subnets in every location and cameras are using static IPs.

WireGuard is really nice software and easy to use, especially if you are not afraid to use CLI and edit config files manually :)
 

victorfsan

> WRT #4, instead of a "push" from the camera to the web server/cloud, you might consider a "pull"- ffmpeg is your Swiss Army knife here.

FFMPEG is great! However, I think I would still need another path for remotely configuring the camera, such as PTZ or zoom anyway.

> the configuration under Security->Attack Defense->Firewall, you can setup an AllowList

I didn't know that. Nice bonus

> That should work, just make sure you are using different subnets in every location and cameras are using static ips.

The different subnets for each location are to isolate one camera from the other? So only the VPN server (and consequently, my webserver) can access all the cameras and the cameras can only see the server and the cameras located at the same location?
Would it be something like this?

Location 1:
Cam1 = 192.168.1.5/24 , Cam2 = 192.168.1.6/24

Location 2:
Cam3 - 192.168.2.5/24

Thanks for your kind replies.
 

Molbo

> The different subnets for each location is to isolate one camera from the other? So only the VPN server (and consequently, my webserver) can access all the cameras and the cameras can only see the server and the cameras located at the same location?
> Would it be something like this?
>
> Location 1:
> Cam1 = 192.168.1.5/24 , Cam2 = 192.168.1.6/24
>
> Location 2:
> Cam3 - 192.168.2.5/24

You need to configure different subnets to allow WireGuard to route network traffic to every location. The subnets are going to be isolated anyway.
Your IP allocation example is correct.
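
An added example, not part of Molbo's posts or of any project's code: a check that a site plan uses a distinct camera subnet per location, as both of Molbo's replies advise, followed by the matching [Peer] sections for the cloud server's WireGuard config. The site names, the 10.8.0.x tunnel addresses and the public-key placeholders are assumptions; the LAN subnets follow the allocation in the thread.

```python
import ipaddress

# Constructed site plan. LAN subnets follow the thread's example; tunnel
# addresses and public keys are placeholders, not real values.
SITES = [
    {"name": "location1", "lan": "192.168.1.0/24", "tunnel": "10.8.0.2", "pubkey": "<SITE1_PUBLIC_KEY>"},
    {"name": "location2", "lan": "192.168.2.0/24", "tunnel": "10.8.0.3", "pubkey": "<SITE2_PUBLIC_KEY>"},
]

def find_conflicts(sites):
    """Return (site_a, site_b, reason) for each pair the hub could not route unambiguously."""
    conflicts = []
    for i, a in enumerate(sites):
        for b in sites[i + 1:]:
            net_a = ipaddress.ip_network(a["lan"])
            net_b = ipaddress.ip_network(b["lan"])
            if net_a.overlaps(net_b):
                conflicts.append((a["name"], b["name"], "overlapping LAN subnets"))
            if a["tunnel"] == b["tunnel"]:
                conflicts.append((a["name"], b["name"], "duplicate tunnel address"))
    return conflicts

def render_hub_peers(sites):
    """Render the [Peer] sections of the cloud server's WireGuard config."""
    conflicts = find_conflicts(sites)
    if conflicts:
        raise ValueError(f"unroutable plan: {conflicts}")
    blocks = []
    for s in sites:
        blocks.append(
            f"# {s['name']}\n"
            "[Peer]\n"
            f"PublicKey = {s['pubkey']}\n"
            # Only this site's tunnel address and camera LAN are accepted
            # from, and routed to, this peer.
            f"AllowedIPs = {s['tunnel']}/32, {s['lan']}\n"
        )
    return "\n".join(blocks)

def site_for_camera(sites, camera_ip):
    """Mimic the hub's route lookup: which site receives traffic for this camera?"""
    addr = ipaddress.ip_address(camera_ip)
    matches = [s["name"] for s in sites if addr in ipaddress.ip_network(s["lan"])]
    return matches[0] if len(matches) == 1 else None

if __name__ == "__main__":
    print(render_hub_peers(SITES))
    print(site_for_camera(SITES, "192.168.2.5"))
```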
 

TRLcam

Getting comfortable
Joined
Apr 16, 2014
Messages
295
Reaction score
1,084
Location
Nebraska!
I have 20+ cameras connected by cellular and for some of the live cameras I use the Inhand Networks IR302 modem. It has a built-in utility for OpenVPN and a nice configuration utility with alarms and reporting.
 