Adding VPN Router

Bill_GT3

On the Asus line, look at the 68P (1900P), Best Buy exclusive. Same as the U but has 1.4GHz chip.

I had one as a primary and it was awesome. Ended up scoring an 88U which is now my primary and use the 1900P as an access point in the garage.

Both are fantastic routers, super simple user interface and way more capable than most people need. Can't go wrong with either one.
 

Ubiware

> Thanks for the info.. I'll have to get my nephew to help me with this!
>
> Joe

Hello Joe, I recently installed my Lechange NVR and configured a VPN for remote viewing from my phone. It is not terribly difficult, but just remember to set up a rule to deny all inbound/outbound traffic to the NVR from the WAN interface.

Let me know if you run into any issues. I'd be happy to help!
 

catcamstar

> ubiware... I'm sure I'll have questions... Thanks

Within ASUS you have "parental controls" which is one way to "block" the NVR/cams from phoning home. Or you work directly in the iptables and block (all) access (except NTP for example).

Good Luck!
CC
 

c hris527

You can actually block any client from the main screen on the Asus GUI. Click your device or client list and a list of connected clients will come up. Click the world looking icon next to the client and a window will pop up and a sliding switch will appear, it will give you the option to turn it on or off.

 

catcamstar

> You can actually block any client from the main screen on the Asus GUI. Click your device or client list and a list of connected clients will come up. Click the world looking icon next to the client and a window will pop up and a sliding switch will appear, it will give you the option to turn it on or off.

Affirmative, but keep in mind that all other requests (e.g. NTP) are blocked too (all-or-nothing). With the parental controls, you are able to "filter" all services (except NTP) so at least timing-wise your NVRs/IPCs are synced.
 

c hris527

> Affirmative, but keep in mind that all other requests (e.g. NTP) are blocked too (all-or-nothing). With the parental controls, you are able to "filter" all services (except NTP) so at least timing-wise your NVRs/IPCs are synced.

You are right, if you have a VPN to your NVR or other device it will block it. I use it to block cams on my network from calling home. And one more thing it's handy for: when my 8 year old pisses me off I can easily block her iPad, and that goes for the wife also.
 

Mike Oz

So how do you guys recommend locking down an NVR connected to a router? I have an Asus RT-AC68U, and if I block all WAN traffic for the NVR's IP it won't be able to get the network time.. is this a problem? Does the NVR need to make requests to fetch the time or anything else? I figure when I need to upgrade firmware on the router I'll need to temporarily disable this rule. In parental controls I don't see the option to only allow NTP requests. Anyone who has any advice on setting this up please let me know. I've been running the VPN software and using OpenVPN on my phone to remotely access the NVR which is great, but I'm not sure how to lock down the NVR.

Edit: So I am blocking the traffic via the firewall->networkservicesfilter option and blacklisting the IP of the router and port range (1:65535). I didn't even realize you could do it right from the device list..? I'm not sure what the preferred/better option is. TIA!
 

Mr_D

> So how do you guys recommend locking down an NVR connected to a router? I have an Asus RT-AC68U, and if I block all WAN traffic for the NVR's IP it won't be able to get the network time.. is this a problem? Does the NVR need to make requests to fetch the time or anything else? I figure when I need to upgrade firmware on the router I'll need to temporarily disable this rule. In parental controls I don't see the option to only allow NTP requests. Anyone who has any advice on setting this up please let me know. I've been running the VPN software and using OpenVPN on my phone to remotely access the NVR which is great, but I'm not sure how to lock down the NVR.
>
> Edit: So I am blocking the traffic via the firewall->networkservicesfilter option and blacklisting the IP of the router and port range (1:65535). I didn't even realize you could do it right from the device list..? I'm not sure what the preferred/better option is. TIA!

If your router supports actual firewall rules, you can put a rule allowing NTP access above a rule denying all access. This is what I do with my cameras.
 

Mike Oz

> If your router supports actual firewall rules, you can put a rule allowing NTP access above a rule denying all access. This is what I do with my cameras.

Thanks.. the issue is it looks like I can only have a blacklist OR whitelist. So, I can't block the WAN access for one IP address on my LAN (the NVR box) and make an exception for the external NTP server.. If you have any ideas I'm all ears. Thanks!
 

Ubiware

> Thanks.. the issue is it looks like I can only have a blacklist OR whitelist. So, I can't block the WAN access for one IP address on my LAN (the NVR box) and make an exception for the external NTP server.. If you have any ideas I'm all ears. Thanks!

Howdy Mike,
Are you running stock firmware on your RT-AC68U? If so, then you can probably experiment with the blacklist and whitelist. E.g.: have blacklists for UDP port ranges (1:122) and then another blacklist rule for (124:65535) if that is the range you want to block. NTP uses UDP port 123 for two-way communication I believe.

You should be able to do it. It might just take a bit of research and experimentation.

Alternatively, you may want to look into a custom firmware like Asuswrt Merlin (very similar to stock with a couple of added features) or DDWRT. DDWRT will have firewall rules, like Mr_D mentioned. In which case you would just add a permit rule for NTP (UDP 123), then a deny all rule after that rule for your DVR's IP address.
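
The "permit NTP, then deny all" ordering discussed in the posts above, written out as iptables rules. This is an added example, not code from any poster in the thread; it assumes a router with shell access to iptables (for instance a custom-firmware startup script), and the NVR address, WAN interface name and chain name are constructed placeholders.

```shell
#!/bin/sh
# Added example: NTP-only WAN egress for one LAN host (the NVR).
# All three values below are constructed/hypothetical; substitute your own.
NVR_IP="${NVR_IP:-192.168.1.50}"   # constructed sample LAN address of the NVR
WAN_IF="${WAN_IF:-eth0}"           # assumed name of the router's WAN interface
CHAIN="NVR_LOCKDOWN"               # hypothetical chain name

# The generated lines are fed to a shell in --apply mode, so accept only a
# plain dotted IPv4 address and a plain interface name.
valid_inputs() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    printf '%s\n' "$2" | grep -Eq '^[A-Za-z0-9_.-]+$' || return 1
}

# Print the iptables commands in the order they must be evaluated.
nvr_lockdown_rules() {
    ip="$1"; wan="$2"
    valid_inputs "$ip" "$wan" || { echo "invalid input" >&2; return 1; }
    cat <<EOF
iptables -N $CHAIN
iptables -A $CHAIN -p udp --dport 123 -j ACCEPT
iptables -A $CHAIN -j DROP
iptables -I FORWARD -s $ip -o $wan -j $CHAIN
iptables -I FORWARD -i $wan -d $ip -m state --state NEW -j DROP
EOF
}
# Rule notes:
#  - Inside the chain the first match wins: NTP (UDP 123) is accepted, and
#    everything else the NVR sends toward the WAN falls through to DROP.
#  - The jump only matches packets leaving via the WAN interface, so access
#    arriving over a VPN tunnel interface is not affected by it.
#  - The last rule drops new connections from the WAN to the NVR; NTP replies
#    are not NEW, so they pass on to the router's existing rules.

# Dry run by default: print the rules. Pass --apply to execute them as root.
if [ "${1:-}" = "--apply" ]; then
    nvr_lockdown_rules "$NVR_IP" "$WAN_IF" | sh
elif [ "${1:-}" = "--print" ]; then
    nvr_lockdown_rules "$NVR_IP" "$WAN_IF"
fi
```

After applying, `iptables -L NVR_LOCKDOWN -v -n` shows per-rule packet counters, which confirms whether the NVR is attempting anything other than NTP.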
 

J Sigmo

I finally had a day off, AND got my various domestic chores finished, so I followed this guide, and everything worked like a charm on my setup.

I'm running the Blue Iris app on my phone, and it works dandy through the VPN setup. Now I need to set my wife's phone up with the Blue Iris app and the OpenVPN app as well, so she can monitor things from wherever she is, too.

While I was in the router's setup, I also used some of the other security suggestions in that guide.

Thanks for posting that link. I'd seen a reference to that guide in another thread on here, too, and it really was helpful.
 