BI-OpenVPN questions

Dauv

Young grasshopper
Joined
Mar 9, 2017
Messages
37
Reaction score
22
So I have OpenVPN set up on a router and have that all squared away with no issues connecting from outside my LAN. I can navigate my main LAN while connected through OpenVPN.

As a test, I removed the WAN address from the Android app on my phone, opened the VPN connection on my phone and then launched the BI App and connected no problem, so I know that part is working.

What I would like to know, is now that I have VPN set up and running, what is the next step in removing the BI server from facing the internet? Do I disable the WAN IP address from the web server tab and just leave that blank and then unforward the port in my router that the BI machine uses to get out to the web?

I am striving for more robust security here and would love to know what the best way to lock down BI as much as possible.

Any help would be greatly appreciated.

Thanks!

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
702
Reaction score
460
The job of securing your network is up to the firewall in your router. You should not forward ANY ports and turn off upnp.

I'd recommend a scan to see any open ports from a service like Shields Up (GRC | ShieldsUP! — Internet Vulnerability Profiling).

It doesn't matter what the BI machine WAN IP says as long as the firewall is stopping ALL inbound traffic. You need to learn more about the configuration of your router/firewall.

What are you using?

Dauv

The job of securing your network is up to the firewall in your router. You should not forward ANY ports and turn off upnp.

I'd recommend a scan to see any open ports from a service like Shields Up (GRC | ShieldsUP! — Internet Vulnerability Profiling).

It doesn't matter what the BI machine WAN IP says as long as the firewall is stopping ALL inbound traffic. You need to learn more about the configuration of your router/firewall.

What are you using?
My internet-facing router is stealth according to ShieldsUP, which I have used for over a decade now. The only ports that are forwarded are 8081, so that the BI webserver can access the web, and a port for VPN.

I am using OpenVPN server on a DD-WRT (flashed) router.

ALL cameras are blocked from web services.

Whoaru99

Pulling my weight
Joined
Dec 22, 2018
Messages
422
Reaction score
159
Location
Here
I'm using a dual NIC setup. Off the top of my head, for the BI webserver IP, I used the IP of the NIC that is allowed Internet access. Not the WAN IP; the internal/LAN IP.

After I start the VPN I use that internal/LAN IP to get the UI3 webpage. No ports forwarded for that.

Dauv

I'm using a dual NIC setup. Off the top of my head, for the BI webserver IP, I used the IP of the NIC that is allowed Internet access. Not the WAN IP; the internal/LAN IP.

After I start the VPN I use that internal/LAN IP to get the UI3 webpage. No ports forwarded for that.
That would be the same thing as just using the static LAN IP for the WAN IP section in BI, no?

I am probably being overly paranoid here, because for all intents and purposes my whole WAN router is invisible to the internet according to Shields Up, but if I can exclusively use the VPN for all access to BI outside of my LAN, then at least I know the BI traffic is encrypted... That is my primary desire here: that no matter what, my BI traffic is invisible outside my LAN. If you don't have access to my VPN and you are not on my LAN, you are not going to see my BI cams... That is the panacea...

Whoaru99

Just checked, and I misspoke.

What I did was to turn off the automatic refresh of the WAN IP, then set it to 0.0.0.0. Whether that really matters if there aren't any forwarded ports is another matter. It probably doesn't.

But, the part about using VPN is basically correct. I connect by VPN then hit the LAN IP of the NIC you picked in the BI webserver tab to pull up the UI3.

NoloC

Your test did not scan 8081 and you say that is forwarded.

No ports should be forwarded!

The WAN IP in the BI server is not the issue. You need to stop port forwarding. OpenVPN does not need port forwarding.

Dauv

The WAN IP in the BI server is not the issue. You need to stop port forwarding. OpenVPN does not need port forwarding.
I solved the 8081 port forwarding issue. I am no longer forwarding that port.

Can you please share your wisdom on how to get OpenVPN working without port forwarding? I have read the VPN primer for dummies that loony2ns linked below several times now, but am stuck on that issue.
Whenever I delete the port forwarding rule for 1194 I cannot make OpenVPN connections.

Just so I am clear on how I have it set up, port 1194 is forwarded (from the primary router) to the second router which is running OpenVPN in server mode. My intention is to have a VPN client on my laptop and mobile devices so I can access the (local) LAN and internet of the house from anywhere else I may happen to be... A coffee shop, work, my relatives etc.

Thanks

Thanks, read that a few times..

NoloC

Actually I have no wisdom on that but hope someone here will see this and answer.

I run OpenVPN on an ASUS router and have not forwarded 1194. Also the Shields Up test sees no open ports. I do wonder how that can work but it does.
It would seem the client would need an open port to establish a connection. I want to know that answer as well. Maybe take a visit to an OpenVPN forum or hope someone here answers!

NoloC

So I looked around a bit using Google and think the answer may be related to the protocol. Looks like if 1194 is open only to UDP, OpenVPN will work. Port checkers such as Shields Up are looking for the TCP handshake.
Still reading but perhaps you can only open UDP on 1194?

Dauv

So I looked around a bit using Google and think the answer may be related to the protocol. Looks like if 1194 is open only to UDP, OpenVPN will work. Port checkers such as Shields Up are looking for the TCP handshake.
Still reading but perhaps you can only open UDP on 1194?

That is exactly what I did... port 1194 on UDP only. My router has a choice between UDP, TCP or both. Mine is set to 1194 on UDP only.

NoloC

I think that is OK. I didn't have to do that on the ASUS, probably because the OpenVPN server is integral and it does it when the server is turned on.
Since UDP doesn't handshake, the vulnerability is lowered.

Let's see if we get additional responses here!
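Why a UDP-only OpenVPN port can look "stealth" to ShieldsUP while a TCP service would not, as NoloC works out in this post and the one before it: an added Python illustration, not code from the thread, from OpenVPN or from GRC. It stands a constructed, silent UDP listener on localhost in for the OpenVPN server and probes it the way a TCP checker and a UDP checker would; it assumes Linux-style reporting of ICMP port-unreachable on connected UDP sockets.

```python
import socket
import threading

def start_silent_udp_listener():
    """Constructed stand-in for an OpenVPN 'proto udp' server: reads datagrams, never
    answers (like a real server with --tls-auth/--tls-crypt dropping bad packets)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("127.0.0.1", 0))
    def serve():
        while True:
            sock.recvfrom(2048)  # read and drop; no reply is ever sent
    threading.Thread(target=serve, daemon=True).start()
    return sock.getsockname()[1]

def free_udp_port():
    """A port with nothing listening on it, for comparison (bind, note number, release)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

def tcp_probe(port, timeout=0.5):
    """What a TCP port checker does: attempt the three-way handshake."""
    try:
        socket.create_connection(("127.0.0.1", port), timeout=timeout).close()
        return "open"
    except ConnectionRefusedError:
        return "closed"   # RST came back; a firewall REJECT looks like this
    except socket.timeout:
        return "stealth"  # no SYN/ACK and no RST; a firewall DROP looks like this

def udp_probe(port, timeout=0.5):
    """A UDP probe can only send a datagram and wait to see whether anything answers."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.connect(("127.0.0.1", port))  # connected so ICMP errors are reported to us
        s.send(b"not-a-valid-openvpn-packet")
        try:
            s.recv(2048)
            return "responded"
        except socket.timeout:
            return "no-reply"  # a silent listener and a DROP rule look identical
        except ConnectionRefusedError:
            return "closed"    # ICMP port unreachable: nothing is bound there

def demo():
    port = start_silent_udp_listener()
    return {"tcp_to_listener": tcp_probe(port), "udp_to_listener": udp_probe(port),
            "udp_to_empty_port": udp_probe(free_udp_port())}

if __name__ == "__main__":
    print(demo())
```

The "no-reply" result is the one to keep in mind when checking your own router: a UDP port that answers nothing is not necessarily closed, only silent, so what is exposed on 1194/udp is governed by what the OpenVPN server accepts (its certificates and the tls-auth/tls-crypt HMAC), not by the port being invisible to a scan.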

Dauv

I think that is OK. I didn't have to do that on the ASUS, probably because the OpenVPN server is integral and it does it when the server is turned on.
Since UDP doesn't handshake, the vulnerability is lowered.

Let's see if we get additional responses here!
OpenVPN is integral to the Linksys AC1900ACS as well and I am using a version of DD-WRT on it. It is actually integral on the stock firmware of the router, but I like the security and extended features of DD-WRT so that is what I am running, however, the Linksys is NOT my primary router. It is one of 3 that I have running in WAP mode that are peripheral to my main router/modem to extend wireless coverage on my property.

Is your ASUS your primary router? That may explain why you do not require 1194 to be forwarded from your ASUS.

NoloC

Yes, primary, behind an AT&T modem/router in pass-through.

NoloC

Pretty decent "How To" on the OpenVPN forum. Here is an excerpt that confirms what you are doing:

  • If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server’s gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
  • Open up the server’s firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).

Dauv

Pretty decent "How To" on the OpenVPN forum. Here is an excerpt that confirms what you are doing:

  • If the OpenVPN server machine is a single-NIC box inside a protected LAN, make sure you are using a correct port forward rule on the server’s gateway firewall. For example, suppose your OpenVPN box is at 192.168.4.4 inside the firewall, listening for client connections on UDP port 1194. The NAT gateway servicing the 192.168.4.x subnet should have a port forward rule that says forward UDP port 1194 from my public IP address to 192.168.4.4.
  • Open up the server’s firewall to allow incoming connections to UDP port 1194 (or whatever TCP/UDP port you have configured in the server config file).
Yeah, that is standard OP for OpenVPN as far as I can tell. The 1194 (or whatever) port definitely needs to be open on the gateway to allow OpenVPN traffic through.

NoloC

Yeah, that is standard OP for OpenVPN as far as I can tell. The 1194 (or whatever) port definitely needs to be open on the gateway to allow OpenVPN traffic through.
Yes, but the secret sauce is UDP.

Let us know how it works out.

cam26

Getting the hang of it
Joined
Jan 21, 2019
Messages
233
Reaction score
97
Location
USA
@NoloC I saw that your Asus is behind an AT&T modem. Did you by chance bridge the NVG589 to an Asus AC1900 (AC68U) and run OpenVPN on the Asus?

I'll be looking to do that same thing here shortly and have been looking for someone who's done that successfully with the same routers in case I run into any issues (total noob here).

NoloC

Hello.

Yes, but a different modem: Arris BGW210.