“Putting a camera directly on the Internet is not a good idea. I don’t care whose camera it is.”

Radnoaz

n3wb
Joined
Mar 9, 2015
Messages
11
Reaction score
0
Hey Radnoaz. Per below:

1. Essentially your router becomes the VPN server, the thing you authenticate to when you want to connect to your home network.
2. It's secure because with a VPN server it only allows users who have the Certificate (security file) to connect.
3. That's why you have to generate the CERT at the router and IMPORT it at the devices you want to be able to connect.
4. Hackers that don't have this CERT theoretically will not be able to connect to your VPN from their devices. Only devices with the CERT can connect.
5. In addition there is also the VPN server user and password that is encrypted (no one can see it) when you authenticate with the VPN server.
6. When you connect to the VPN server successfully it's like you are at home on your wifi. You can connect from the VPN on your router to your home devices, all encrypted communication that no one on the internet can see.
7. One more thing: make sure you use a cipher/encryption algorithm (I forget which) but something strong like AES256.
OpenVPN for me defaulted to something less secure in bit length.
Thanks! When a family member visits, we've always let them into our LAN with the router access password. I've never looked into "guest" access. But I think I would want to set up guest access after switching to OpenVPN, yes? That way I wouldn't have to import the cert. to guest devices that normally don't reside here, but could still let them have internet access. They just couldn't access the internal LAN, correct?
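
Added example (not part of any post in this thread): a small Python check of an OpenVPN server config against the points in the list above, namely that a client certificate is required, a username/password check is configured, and the cipher is AES-256 rather than a build default. The directive names are OpenVPN's own; the sample configs, file names and script path are constructed for illustration.

```python
import re

WEAK_64BIT = ("BF-", "DES-", "CAST5-", "RC2-")  # 64-bit block ciphers

def parse(text):
    """Map each directive to its argument list (last occurrence wins)."""
    # Collapse inline <ca>...</ca> style blocks into one "ca [inline]" line.
    text = re.sub(r"<([\w-]+)>.*?</\1>", r"\1 [inline]", text, flags=re.S)
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line and not line.startswith(";"):
            name, *args = line.split()
            opts[name] = args
    return opts

def audit(text):
    """Return findings; an empty list means every check passed."""
    o, out = parse(text), []
    out += [f"missing '{d}'" for d in ("ca", "cert", "key") if d not in o]
    if "client-cert-not-required" in o or o.get("verify-client-cert") in (["none"], ["optional"]):
        out.append("client certificate not enforced")
    # Heuristic: a verify script or an auth plugin means passwords are checked.
    if "auth-user-pass-verify" not in o and "plugin" not in o:
        out.append("no username/password check")
    ciphers = [c.upper() for d in ("cipher", "data-ciphers", "ncp-ciphers")
               if o.get(d) for c in o[d][0].split(":")]
    if not ciphers:
        out.append("no cipher set: build default applies (BF-CBC on older OpenVPN)")
    for c in dict.fromkeys(ciphers):  # de-duplicate, keep order
        if c.startswith(WEAK_64BIT):
            out.append(f"weak cipher {c} (64-bit block)")
        elif not c.startswith("AES-256-"):
            out.append(f"cipher {c} is not AES-256")
    return out

# Constructed sample configs (file names and script path are placeholders).
WEAK = """ca ca.crt
cert server.crt
key server.key
verify-client-cert none
auth-user-pass-verify /etc/openvpn/check-user.sh via-env
cipher BF-CBC
"""
HARDENED = (WEAK.replace("verify-client-cert none", "verify-client-cert require")
                .replace("cipher BF-CBC", "data-ciphers AES-256-GCM\ncipher AES-256-GCM"))

if __name__ == "__main__":
    print(audit(WEAK), audit(HARDENED))
```

An empty list from `audit` means the config requires the certificate, checks a password, and pins AES-256.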
 

Mr_D

Getting comfortable
Joined
Nov 17, 2017
Messages
596
Reaction score
527
Location
Southern California
Setting up the VPN doesn't affect your wifi and how users connect to it. They're two separate functions in the router. What he meant was that once you connect to your home network over the VPN, it is as if you are sitting at home on your wifi (or wired network). You then have access to things on your home network that are not visible to anyone outside of your home's network (cameras, printers, NAS). Imagine running a really long Ethernet cable from wherever you are back to your home network. That's what a VPN does.
 

tradertim

Getting the hang of it
Joined
Jul 1, 2015
Messages
260
Reaction score
22
Yeah. I can see how that wasn't clear.

The VPN access is only from outside your home network.

Maybe you are using 4G mobile, or you are at work, or on holiday, hardware store, and you want to check your cameras/security (remember we're trying to get away from port forwarding).

But you would need to have the Certificate imported onto the devices you want to connect with.

Everything at home, wifi, LAN stays the same; you don't put a VPN client on the devices in the home.

In the home you have good wifi authentication, you could do MAC address filtering but I don't think it's needed. But you give guests a guest wifi password.
 

Radnoaz

Oh, OK. Thank you for clarifying that! It answered some questions that began forming in my mind, because I had mistakenly thought that every device INSIDE our WiFi would need the certificate. So I was beginning to wonder how one would import a certificate on, for example, a garage door opener. :D Glad I was mistaken. This doesn't appear to be too terribly hard to implement then.

Having never done this, I am wondering, on an Asus router, if turning on OpenVPN and setting it up automatically precludes previous port forwarding for things like Blue Iris, or is stopping the existing internet access to Blue Iris something I would have to do myself. I'll have to also remember I have one camera I got before Blue Iris that uses the camera maker's proprietary online access. It is also sending to my Blue Iris setup, so after reading this info above I reckon the first thing I should do is disable that initial link to the web, right? I had let it continue because I initially had some problems to work out with Blue Iris, so that had given me a secondary means of accessing that camera. It is inside a storage building which is closed most of the time, so I hadn't considered the imagery a security risk. But that was before I learned hackers can do far more than just view the video feed.
 

tradertim

You want to turn off UPnP and port forwarding on your router.

These applications are the vulnerabilities and are exposing your cameras to the web.

At any moment in time your modem is being scanned for open ports (port forwarding) 1000s of times a day.

Take it in little steps. Read my first post.

Get the VPN working first, transfer a camera over, validate it works, and then change the config on TinyCam, iVMS to have the local IP addresses of your home network, and then turn everything off on your router: UPnP and port forwarding.

Remember, with a VPN and when you "VPN in", it's effectively like you are at home on your wifi or local network.

You've got a secure tunnel from wherever you are into your home network.
 