Yeah. I can see how that wasn't clear.
The VPN access is only from outside your home network.
Maybe you are using 4G mobile, or you are at work, or on holiday, or at the hardware store, and you want to check your cameras/security (remember, we are trying to get away from port forwarding).
But you would need to have the Certificate imported onto the devices you want to connect with.
Everything at home, WiFi and LAN, stays the same; you don't put a VPN client on the devices in the home.
In the home you have good wifi authentication, you could do MAC address filtering but I don't think it's needed. But you give guests a guest wifi password.
Oh, OK. Thank you for clarifying that! It answered some questions that began forming in my mind, because I had mistakenly thought that every device INSIDE our WiFi would need the certificate. So I was beginning to wonder how one would import a certificate on, for example, a garage door opener.
Glad I was mistaken. This doesn't appear to be too terribly hard to implement then.
Having never done this, I am wondering, on an Asus router, if turning on OpenVPN and setting it up automatically precludes previous port forwarding for things like Blue Iris, or is stopping the existing internet access to Blue Iris something I would have to do myself? I'll have to also remember I have one camera I got before Blue Iris that uses the camera maker's proprietary online access. It is also sending to my Blue Iris setup, so after reading this info above I reckon the first thing I should do is disable that initial link to the web, right? I had let it continue because I initially had some problems to work out with Blue Iris, so that had given me a secondary means of accessing that camera. It is inside a storage building which is closed most of the time, so I hadn't considered the imagery a security risk. But that was before I learned hackers can do far more than just view the video feed.