BI with private/anonymous VPN

[razorseal]

Hey everyone,

I just subscribed to NordVPN and also Private Internet Access (PIA) and it seems I'm out of luck for port forwarding with these.

I initually got NordVPN, but it doesn't port forwarding at all. I then looked into PIA and that apparently supports dynamic port forwarding...

My problem is, I can't get the port forwarding to work with these VPNs so I can't connect to my cameras when not in my own network.

Any help or ideas to make this work?

ps. I use DUC for constantly updating my DDNS to my VPN IP

 

[SyconsciousAu]

Updating your Dynamic IP to that of the VPN wont help because you need to connect with the computer, and not the VPN Server.

If I'm correct, and I'm assuming these services use a virtual network adaptor, you still have a public IP, just the sites you visit see the IP of the VPN server.

I would consider a second NIC, dedicated to the BI server and just port forward your public IP as normal at the router, but to the second NIC. Not entirely sure that will work, but they only cost about $20 so it couldn't hurt to give it a run.

 

[razorseal]

I sort of understand what you mean. My public IP is not accessible now though. My Local IP is visible for my computer within the house, but not outside the house.

I also don't understand how I would separately forward BI to the router.

I like the anonymity, but if I can't access my cameras, it defeats the purpose of my home cameras...

 

[giomania]

For a BI server with dual LAN, I want to make sure I understand how this works. I saw this thread, and the response, so figured this might be a good place to discuss this. Is the below accurate?

The Blue Iris PC needs to have access to both of the secure and non-secure networks, which need to be on different subnets; i.e. 192.168.1.X secure, and 192.168.0.X non-secure.

The non-secure network would connect to the PoE switch w/all your cameras, which could all be configured with static IP addresses, and no Gateway (internet) access. With this configuration, only the Blue Iris server will be able to access both the (secure) LAN and the (non-secure) camera network. Further, devices on the secure LAN cannot access the cameras, and the non-secure camera network cannot access the secure LAN or the Internet.

The Blue Iris computer acts as the time server for the cameras, and the cameras point to the secure LAN IP address for this computer (i.e. 192.168.1.X secure). To allow the communication from the cameras to the time server IP address, set a rule to allow port 123/UDP to pass through the firewall of the non-secure network, or turn it off completely.

Thanks for any input.

Mark

 

[RoadHazard]

I'm using an anonymizing VPN (PIA, in this case) running on the same Windows 10 box that's running Blue Iris, but as soon as I enable it, the Blue Iris iOS app stops connecting remotely. Local connections from inside the LAN are still fine, but the app no longer connects when I'm on the road, due to PIA and its effect on WAN IP addresses. I'm sure there's an obvious trick to this, but I haven't learned it.

Running VPN on the router is not an option, in part because my bank won't allow access through a VPN. So the VPN client has to run on the PC, not on the router. I've also tried Windows' built-in VPN feature, but with the same result.

All I need is simple BI app access. I'm not trying to set up a VPN server, or get remote access to my cameras or file server or anything else exotic.

What's the trick to getting the BI app and the VPN to coexist?

 

[fenderman]

Why are you running pia on the blue iris box. Makes no sense ... provides no security...

 

[RoadHazard]

It's not for Blue Iris, it's for all the other apps running on the same Windows box. But now that it's running, I need a way to "tunnel" back into Blue Iris when I'm away.

 

[fenderman]

It's not for Blue Iris, it's for all the other apps running on the same Windows box. But now that it's running, I need a way to "tunnel" back into Blue Iris when I'm away.

well its not going to work the pia will route all the traffic via their servers...blue iris should be run on a dedicated pc...

 

[RoadHazard]

So far, that's what I'm seeing, too. The box has two Ethernet cards, so could I use one for the VPN-protected apps and the other (minus VPN) for Blue Iris?

 

[Zanthexter]

So far, that's what I'm seeing, too. The box has two Ethernet cards, so could I use one for the VPN-protected apps and the other (minus VPN) for Blue Iris?

PIA just encrypts between your device and their server. They don't add encryption from their server to the internet. They don't put a remote device inside your home network. They show the internet their server IP instead of yours. They don't hide your computer's "Fingerprint" from advertisers. They forward a single regularly changing port to your server and force you to hand update it regularly. Pretty much useless with BlueIris or any other "access it when not home" server. (that doesn't use a relay server) If you're doing something illegal enough for the authorities to make an effort, PIA will slow them down. If you want to hide your web browsing from your cable company, PIA works. If you're using work or public WiFi and are worried about being spied on it hides you from the IT guy and the hackers. But if you want to protect your server from hackers, that's not what PIA does.

NordVPN doesn't offer port forwarding at all. Simply won't work for BlueIris at all.

A VPN enabled router takes your remote device and lets it pretend to be in your house instead of on the internet with an end-to-end encrypted connection. That means you can block all internet access on your firewall. No port forwards. No exposing BlueIris to potential hackers. Significant security improvement. It also means the entire connection is hidden from internet providers and WiFi hotspot hackers, not just half of it. This is what you should be looking into doing. Encryption is heavy lifting for a router and many can only manage it at lower speeds. It wont slow down the authorities at all.

You might look into Tomoato and DDWRT compatible routers.

 

[randytsuch]

If you are port forwarding, then STOP
read this
VPN Primer for Noobs

 

[RoadHazard]

That's good and useful information. I'm sure I'd be better off running a VPN server locally and VPN-ing into it from outside, rather than the default method of port forwarding that's supported by the iOS app. Either method will work, but one is more secure while the other is easier to configure.

In my particular situation, however, neither method solves my problem -- which may not be solvable, for all I know. I've got a torrent client running on the same machine as Blue Iris, and I want to obscure its outgoing IP address. That's trivially easy to do with PIA or similar apps, but it gets in the way of Blue Iris remote-access functionality. It seems that I can either obscure my own IP address (for incognito browsing, etc.), or I can access Blue Iris remotely, but I haven't figured our how to do both.

Or maybe I'm just overlooking a different solution that's obvious to others?

 

[fenderman]

The solution is not to use your blue iris machine to steal copyrighted media.... Using the same machine for Blue Iris and theft is the ultimate irony....

 

[Zanthexter]

That's good and useful information. I'm sure I'd be better off running a VPN server locally and VPN-ing into it from outside, rather than the default method of port forwarding that's supported by the iOS app. Either method will work, but one is more secure while the other is easier to configure.

In my particular situation, however, neither method solves my problem -- which may not be solvable, for all I know. I've got a torrent client running on the same machine as Blue Iris, and I want to obscure its outgoing IP address. That's trivially easy to do with PIA or similar apps, but it gets in the way of Blue Iris remote-access functionality. It seems that I can either obscure my own IP address (for incognito browsing, etc.), or I can access Blue Iris remotely, but I haven't figured our how to do both.

Or maybe I'm just overlooking a different solution that's obvious to others?

Run your torrents and PIA inside VirtualBox, using a drive mapped to a folder on the local system so that you can isolate it from the rest of your network while still easily accessing your files. Regularly reset the image to it's initial state.

Run your torrents on a separate machine connected to your routers DMZ. BlueIris is demanding enough that you consistently see advice to make it the ONLY thing running on a computer.

Don't torrent. (Best answer.)

Ethics aside, torrenting is risky in a practical sense. It advertises your IP as a valid attackable one, the torrent client has it's own vulnerabilities, and half the stuff you download is already infected. I've made a ton of money over the years repairing self inflicted damage caused by torrenting. If you don't get my answer without some heavy googling, you're going to make someone some money at some point. Either hackers or the local computer guy.