Bypass port forwarding

kmax1940

Young grasshopper
Joined
Sep 27, 2016
Messages
42
Reaction score
3
Hello, anyone have any suggestions on how to bypass port forwarding?

Right now we ship a single camera to our clients and we have to remote into their system and get into their router and open ports.

Anyone have a solution for bypassing port forwarding?

Maybe some type of ssh tunnel appliance?

Thanks
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,678
Reaction score
14,031
Location
USA
Without knowing more about your operation, it is hard to give a recommendation. A VPN is a much more secure method of remote access. Many routers include a built-in VPN server. Or you could run your own VPN server on your premises and ship clients a raspberry pi that is preconfigured to connect to your VPN server to provide remote access. Or you could ship them a raspberry pi that is configured to be a VPN server, and you log in [somehow] to forward a port in their router to that VPN server.
 

kmax1940

If I use a VPN on my clients' sites... the vpn device will be behind the client's router / nat.

In that case I would still have to do port forwarding on the client's router to the vpn device.

Anyone know of a good way to vpn without having to set up port forwarding on the client router?
 

kmax1940

BP2008 - thanks

Yes, that's what I am thinking about now...

Here's the problem I am running into.

At the client locations where I put the raspberry pi with the vpn client... that raspberry pi would need to connect directly to the camera.
Otherwise the camera would be over on the client's network and not be accessible from my raspberry pi.

The vpn connection would be between the PI and my VPN server which is located offsite... so then my wifi camera would not be accessible...

Am I missing something?
 

alastairstevenson

Staff member
Joined
Oct 28, 2014
Messages
15,963
Reaction score
6,794
Location
Scotland
> At the client locations where I put the raspberry pi with the vpn client...

Wouldn't that be a VPN server? Assuming that you need to access the remote site to connect to the camera, using a VPN client.

> that raspberry pi would need to connect directly to the camera.

The camera is using a WiFi connection, which is provisioned by an AP which presumably is on a LAN?
So the raspberry pi would connect to the LAN.

The VPN tunnel, once active, behaves simply as a remote direct connection to the LAN that the VPN server is connected to.
 

bp2008

Once you have a raspberry pi on the client's network connected to your VPN, you can remote into that pi and use it to proxy whatever network traffic you want.
 

bp2008

@alastairstevenson I was suggesting that he run the VPN client on the pi and connect it to a server that he controls, therefore avoiding the need to reconfigure the client's firewall. This solution also works if the client has a non-routable IP address (e.g. behind most cellular modems)
 

bp2008

I should point out that if a traditional VPN like OpenVPN is too complex, there are services out there like Hamachi and NeoRouter which simplify the task of connecting multiple sites. There are drawbacks of course, as with anything.

Hamachi isn't free, but it is probably the easiest to work with, and the easiest to control access on, so you aren't accidentally allowing all your clients to access each other's LANs.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
The unasked question is: would any of your customers object to having an "unmanaged" device on their private LAN, which might (or not) be sniffing internet packets, logging browsing histories etc - what would your answer be? You don't want to have a bus of advocates ringing your bell because your PI got infected with malware and a 10TB NAS with family pictures got cryptolocked.

My opinion: make sure your setup is safe and secure. I would preconfigure the devices with P2P (but that's not secure either) and work that way up. Or you have to provide something vlan ready and secure bottom-up.

Good luck!
CC
 

kmax1940

Thanks so much.

The problem with running the vpn client on the PI is that the client's router/modem is going to block it.

I need a device that I can put behind my client's router/modem which:
* does wifi - for the camera
* is a vpn client
* does nat traversal

OpenVPN does not do nat traversal.

I looked at SoftEther which is like OpenVPN but it does nat traversal...
But I don't see a way to run that on a wifi router.

I can install dd-wrt on a router... but I only find directions for using that with OpenVPN.

Thanks for your time!

I will keep thinking and working and hopefully come up with a workable solution.

We are launching a "single camera" for home users type of package...
The idea is that we can just ship it to them and have an easy set up...
No port forwarding etc...

Then we just have to manually set their camera up in our cloud software... which is easy to do...

Thanks again
 

bp2008

@kmax1940 You are mistaken. There is no reason for an OpenVPN client to be blocked by anyone's router/modem/firewall. You can even configure your VPN server to listen on port 443 and use the TCP protocol only, so as far as anyone's firewall is concerned, the VPN traffic looks exactly like normal web activity done over HTTPS.
 

kmax1940

I agree, that is one reason we are working towards a solution that gets us away from port forwarding.
 

kmax1940

> @kmax1940 You are mistaken. There is no reason for an OpenVPN client to be blocked by anyone's router/modem/firewall. You can even configure your VPN server to listen on port 443 and use the TCP protocol only, so as far as anyone's firewall is concerned, the VPN traffic looks exactly like normal web activity done over HTTPS.

Hummmm ok thanks... multiple video tutorials have shown that you still have to open ports if your vpn client is behind nat

Here is what I am thinking our setup will look like:

Customer's home router / modem -->
Our VPN device -->
Our wifi camera

If I connect a PI /VPN Client to the customer's modem... won't that put the customer's entire LAN on our VPN?

I was trying to have only the camera on the vpn.

Thanks again!
 

alastairstevenson

> I was suggesting that he run the VPN client on the pi and connect it to a server that he controls, therefore avoiding the need to reconfigure the client's firewall. This solution also works if the client has a non-routable IP address (e.g. behind most cellular modems)

OK, understood, and makes sense.
 

bp2008

> If I connect a PI /VPN Client to the customer's modem... won't that put the customer's entire LAN on our VPN?

No, only if you were to bridge the networks.

I'm sure you could even figure out a way to use the pi's wifi interface to run a separate network just for the camera, so that literally all the client would need to do is plug in the camera to power, and plug in the pi to power and ethernet, within wifi range of the camera. Keeping in mind of course that the wifi antenna on a pi isn't likely to be spectacular.
 

kmax1940

> No, only if you were to bridge the networks.
>
> I'm sure you could even figure out a way to use the pi's wifi interface to run a separate network just for the camera, so that literally all the client would need to do is plug in the camera to power, and plug in the pi to power and ethernet, within wifi range of the camera. Keeping in mind of course that the wifi antenna on a pi isn't likely to be spectacular.

Yes! That is exactly what I am trying to do!

The camera would have to connect to the PI though.
Either through ethernet or wifi.

How would the camera get an ip address because the PI does not do DHCP does it?
If the PI was a mini wifi router that would be perfect. :)
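
The layout bp2008 describes (the Pi as an outbound VPN client on TCP 443, with its Wi-Fi as a separate camera-only network that gets DHCP from the Pi) sketched as configuration; this is an added example, not part of any post in this thread. Assumed and not from the thread: the server name `vpn.example.com`, the interface names, the 192.168.50.0/24 camera subnet, the certificate file names, dnsmasq as the DHCP server, and an access point (for example hostapd) already running on `wlan0` at 192.168.50.1; `check_isolation` is a hypothetical helper that fails if any forwarding rule would expose the customer's LAN.

```shell
#!/bin/sh
# Added example; every name and address here is an assumption, not from the thread.
VPN_SERVER="vpn.example.com"   # placeholder for the installer's own OpenVPN server
LAN_IF="eth0"                  # Pi's port on the customer's LAN (uplink only)
CAM_IF="wlan0"                 # Pi's Wi-Fi: private network for the camera
VPN_IF="tun0"                  # routed OpenVPN tunnel (dev tun, not a tap bridge)
CAM_NET="192.168.50"           # constructed /24 for the camera network

# OpenVPN client: outbound TCP 443 only, so the customer's router needs no port forward.
openvpn_client_conf() {
cat <<EOF
client
dev tun
proto tcp
remote $VPN_SERVER 443
nobind
remote-cert-tls server
ca ca.crt
cert pi.crt
key pi.key
EOF
}
# dnsmasq: the Pi hands out DHCP leases on the camera network only.
dnsmasq_conf() {
cat <<EOF
interface=$CAM_IF
bind-interfaces
dhcp-range=$CAM_NET.10,$CAM_NET.20,255.255.255.0,12h
EOF
}
# iptables-restore input: forward only VPN <-> camera; nothing to or from the LAN.
firewall_rules() {
cat <<EOF
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -i $VPN_IF -o $CAM_IF -d $CAM_NET.0/24 -j ACCEPT
-A FORWARD -i $CAM_IF -o $VPN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}
# Reads a ruleset on stdin; succeeds only if the customer's LAN is never forwarded.
check_isolation() {
  rules=$(cat)
  printf '%s\n' "$rules" | grep -q '^:FORWARD DROP' || return 1
  ! printf '%s\n' "$rules" | grep -E "^-A FORWARD .*-[io] $LAN_IF( |\$)" | grep -q -- '-j ACCEPT'
}
```

On the Pi these outputs would feed the OpenVPN client config, the dnsmasq config and `iptables-restore`, with `net.ipv4.ip_forward=1` set. The VPN server also needs a route to the camera subnet through this client.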
 