Can someone simplify utilizing a VPN with Hikvision's NVR and my home network?

flaudia402

n3wb
Joined
Jan 6, 2015
Messages
9
Reaction score
1
I'm purchasing a Hikvision NVR DS7616 for a current 8-channel setup for my home.

We have two wireless networks in the home. One is a Ubiquiti UniFi with 6 access points spread throughout the house covering wifi. The second wireless network is my Linksys E4200, which is acting as a source for my Ubiquiti PoE network switch to plug into. This second wifi network never gets used, since its coverage is quite small and really just extends to that small area of the house. The entire house is pre-run with Cat5 home-run to a network panel box in the same room as all of this equipment.

I've read and searched the forum and other how-to's quite extensively and just need some clarification on using a VPN with my setup.

After reading Hikvision's iVMS software quick-start guide, it gives information about port forwarding for the ability to live view. This is obviously quite important to us, so I want to make sure I do this properly and safely.

We're a predominantly Apple/Mac OS X household, but do have a few Windows machines for access to work. I much prefer the OS X interface.

Now, based on what I've read - I'm getting conflicting information.

To make sure that "door" isn't open for intruders from the public into my cameras, do I only need to install a VPN on the devices I'll be using to connect and use the iVMS software (iPhones/iPads/laptops) when I'm out of the house? This seems simple enough, just using a VPN to connect to my network, thereby encrypting my information and keeping that "door" closed from intruders.

However, do I also need to install a VPN on my home network? Does this mean that the information from my NVR and cameras will thus be encrypted outward?

If so, would it be best to install this VPN on the Linksys E4200 router (not sure how, but if it means purchasing another router I will), since this is the router the NVR will connect to? I really was trying to lean towards the Mac OS X OpenVPN on our iDevices, but I'm not sure how I can utilize this on the router.

Or, do I install one VPN on our home network, and then use another VPN application on our iDevices to access the VPN home network?

This last sentence is what needs the most clarification.

Thank you so much in advance.
 
Joined
Aug 3, 2016
Messages
9
Reaction score
0
So here's the thing.

If you want to access the NVR remotely, you can do one of two things (or both, technically).

First option: forward the ports on your router to the NVR. This is a door, but as long as you put a strong password on it, then at least it's a very secure (strong) door. This will be the simplest method.
You would then use a DDNS service to keep track of your dynamic IP address, so you would have a domain name such as myhome.dyndns.org, and you would enter that into your iVMS viewing client along with the port and credentials.

Second option: a VPN server on the edge of your network.

This would create a virtual private network between you and your home network when you are away from your home. As long as you are connected to your home through the VPN, you just put the local address of the NVR in your iVMS client (something like 192.168.1.100 or 10.0.1.150, etc.).

Makes sense?

Just to clarify as well: yes, you will need some sort of client on your iDevice, depending on what VPN server you are using at home. OpenVPN is very easy and can be found on off-the-shelf routers (Asus has some). You go through the wizard on the Asus router to install the VPN server, very easy. Then generate the OpenVPN file to put on your clients. Just run through the wizard, it's very simple.
 

flaudia402

n3wb
Joined
Jan 6, 2015
Messages
9
Reaction score
1
So here's the thing.

If you want to access the NVR remotely, you can do one of two things (or both, technically).

First option: forward the ports on your router to the NVR. This is a door, but as long as you put a strong password on it, then at least it's a very secure (strong) door. This will be the simplest method.
You would then use a DDNS service to keep track of your dynamic IP address, so you would have a domain name such as myhome.dyndns.org, and you would enter that into your iVMS viewing client along with the port and credentials.

Second option: a VPN server on the edge of your network.

This would create a virtual private network between you and your home network when you are away from your home. As long as you are connected to your home through the VPN, you just put the local address of the NVR in your iVMS client (something like 192.168.1.100 or 10.0.1.150, etc.).

Makes sense?

Makes perfect sense.

So going with the second option - do I have to create the VPN through my router? As in, on my Linksys E4200 install Tomato firmware and go through all that?

Could I create the VPN on my Mac as seen in these two tutorials?

http://computers.tutsplus.com/tutorials/how-to-use-vpn-on-your-mac--mac-46053

In this tutorial - it states that to set up a VPN connection, I need a "VPN Server Address - This is the IP address that we need of the VPN server. It can also be a fully qualified domain name (FQDN) such as vpn.mycompany.com, depending on how it’s been configured."

So - in this case, would the IP address simply be the IP address of the router/wireless network that my NVR is connected to?

https://www.expressvpn.com/support/vpn-setup/app-for-mac-os-x/
 
Joined
Aug 3, 2016
Messages
9
Reaction score
0
I actually edited the post and clarified it. :)
(Home LAN <->Router/VPN server<->)----internet------<->VPNclient(software installed on any hardware)


Just to clarify as well: yes, you will need some sort of client on your iDevice, depending on what VPN server you are using at home. OpenVPN is very easy and can be found on off-the-shelf routers (Asus has some). You go through the wizard on the Asus router to install the VPN server, very easy. Then generate the OpenVPN file to put on your clients. Just run through the wizard, it's very simple.
 
Joined
Aug 3, 2016
Messages
9
Reaction score
0
It wouldn't exactly be like those tutorials for OpenVPN. I would honestly just use OpenVPN. BTW, I made a mistake: you will still need a DDNS service for your home IP address for the OpenVPN server.
 

flaudia402

n3wb
Joined
Jan 6, 2015
Messages
9
Reaction score
1
I actually edited the post and clarified it. :)
(Home LAN <->Router/VPN server<->)----internet------<->VPNclient(software installed on any hardware)


Just to clarify as well: yes, you will need some sort of client on your iDevice, depending on what VPN server you are using at home. OpenVPN is very easy and can be found on off-the-shelf routers (Asus has some). You go through the wizard on the Asus router to install the VPN server, very easy. Then generate the OpenVPN file to put on your clients. Just run through the wizard, it's very simple.

So essentially - the easiest thing for me to do is purchase a new router such as the Netgear Nighthawk that has a built in VPN server access?

http://kb.netgear.com/app/answers/detail/a_id/23854/~/how-do-i-use-the-vpn-service-on-my-nighthawk-router-with-my-windows-client??cid=wmt_netgear_organic
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
Your VPN server is hosted on the internet with the public IP address of your router; your VPN clients/mobile devices are configured to connect to that IP address or a DDNS hostname for your router.

Your IP camera software will connect to the local IP addresses of your NVR/cameras, the same ones you connect to when you're at home on your wifi. When you are on a remote network, you open the VPN client, press connect, and then you're connected to the home network and all the devices on your home network are accessible.

Once you have that VPN client connected, you're basically at home on your own network. File shares, remote desktops, IP cameras, everything you have at home will be SAFELY accessible from wherever you find internet.

If your router already has a VPN server built in, just set it up. If your router does not have a VPN server in it, you can:
  • Upgrade your router to an off the shelf solution w/VPN Server (Asus, Netgear, Linksys, Ubiquiti, etc)
  • Upgrade your router's firmware to a 3rd party open source firmware w/a VPN Server (DD-WRT, Tomato, etc)
  • Run a VPN Server on an always on Computer/Server that you operate (BlueIris Server?)
 

PSPCommOp

Getting the hang of it
Joined
Jun 17, 2016
Messages
694
Reaction score
92
Location
Northeastern PA
Exactly.
Asus also has one that i used before.
https://www.asus.com/support/faq/1008713
I love my Asus. I'm not network inclined and it was pretty easy to do with OpenVPN. Lots of tutorials online. I'm an OS X/iOS user as well. Simply start the OpenVPN app, connect, open BI and boom, I'm in. I also use the RD Client app on my iPhone to remote into my BI PC and adjust things that you can't adjust via the BI iOS app once the VPN is connected.
 

wideLoad

n3wb
Joined
Jul 4, 2016
Messages
17
Reaction score
1
First option: forward the ports on your router to the NVR. This is a door, but as long as you put a strong password on it, then at least it's a very secure (strong) door. This will be the simplest method.

How safe is this with, for example, a Hik NVR whose firmware you are actively updating via Nelly's?

EDIT: Assuming it's not all that safe, are there any wife-friendly methods of auto-connecting iPhones/iPads/Androids to an OpenVPN server?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
Your wife won't ever care to open the app to look at cameras once. Even if you set it all up so a newborn could do it, don't worry about it :p

If she does care, she will likely understand the need to open one app before the other when she is away.

And the strongest front door in the world (password) is pointless when the back door is left wide open.
 

wideLoad

n3wb
Joined
Jul 4, 2016
Messages
17
Reaction score
1
Thanks Nayr.


So there's no way to auto-connect to OpenVPN on phones/tablets?


If there's no way to auto-connect, then any alert you get is a PITA, because it might be a cam in the backyard that rarely gets false positives... but now you've got to log in to OpenVPN first and the whole "ease of use" goes down the drain (I'm fine with it, but less technical people are going to struggle).


Is there any hard evidence on how bad it is to open a Hik NVR port up (i.e. port-forward the one port I believe is needed)? Again, assuming you keep firmware up to date, have a good password, and if possible use a random port in the upper ranges? I mean, are we hearing horror stories every other day here... or is it more like there are a few articles on the web that show an exploit for someone who used the default port, had a lame password, and didn't have up-to-date firmware?
 
Joined
Aug 3, 2016
Messages
9
Reaction score
0
Thanks Nayr.


So there's no way to auto-connect to OpenVPN on phones/tablets?


If there's no way to auto-connect, then any alert you get is a PITA, because it might be a cam in the backyard that rarely gets false positives... but now you've got to log in to OpenVPN first and the whole "ease of use" goes down the drain (I'm fine with it, but less technical people are going to struggle).


Is there any hard evidence on how bad it is to open a Hik NVR port up (i.e. port-forward the one port I believe is needed)? Again, assuming you keep firmware up to date, have a good password, and if possible use a random port in the upper ranges? I mean, are we hearing horror stories every other day here... or is it more like there are a few articles on the web that show an exploit for someone who used the default port, had a lame password, and didn't have up-to-date firmware?

There is nothing to worry about. If you were an enterprise sitting on customer data, then I would say think twice, but you have nothing to worry about. There is nothing wrong with port forwarding. Now if you want to get crazy, you can set up a pfSense box as your router and block incoming connections from all IP address ranges except the US. That way, technically no one can try to connect directly to your home from other countries. Real hackers do usually use proxy servers, but at least you have a small safeguard against lazy hackers, which is most likely the type of hacker who will be trying to hack into NVRs.

Another thing you can do is set up notifications for illegal logins, which means if someone tries to log in and fails, you get an email notification. Also, checking logs from time to time will tell you if someone fishy is trying to connect.
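As an added example of the "watch the logs for failed logins" advice above (my code, not anything from the thread or from Hikvision), here is a small detector that reads login events, flags a source address that fails repeatedly inside a short window, and, more importantly, flags a later successful login from a source that was already flagged, which is the case where a password guess actually worked. The log line format and the sample lines are constructed for the demo; adapt LINE_RE to whatever your NVR or router emits.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The format is an assumption for the demo, not a real
# Hikvision log format. 203.0.113.7 hammers the login, then gets in.
SAMPLE_LOG = """\
2016-08-05 02:14:01 login failed user=admin src=203.0.113.7
2016-08-05 02:14:03 login failed user=admin src=203.0.113.7
2016-08-05 02:14:04 login failed user=root src=203.0.113.7
2016-08-05 02:14:06 login failed user=admin src=203.0.113.7
2016-08-05 02:14:09 login failed user=admin src=203.0.113.7
2016-08-05 02:14:12 login ok user=admin src=203.0.113.7
2016-08-05 07:30:00 login failed user=admin src=192.168.1.20
2016-08-05 07:30:05 login ok user=admin src=192.168.1.20
2016-08-05 09:00:00 login failed user=admin src=198.51.100.4
2016-08-05 09:45:00 login failed user=admin src=198.51.100.4
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) login (?P<result>failed|ok) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text):
    """Yield one dict per line that matches LINE_RE; skip anything else."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "result": m["result"],
                "user": m["user"],
                "src": m["src"],
            }


def detect(events, threshold=5, window=timedelta(minutes=5)):
    """Sliding-window brute-force detection over time-ordered events.

    Returns {"bruteforce": {src: time threshold crossed},
             "success_after_bruteforce": {src: time of first success after flagging}}.
    """
    recent = defaultdict(deque)   # src -> timestamps of failures inside the window
    bruteforce = {}
    success_after = {}
    for ev in events:
        src = ev["src"]
        if ev["result"] == "failed":
            q = recent[src]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:   # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in bruteforce:
                bruteforce[src] = ev["ts"]
        elif src in bruteforce and src not in success_after:
            success_after[src] = ev["ts"]           # the guessing worked: treat as compromise
    return {"bruteforce": bruteforce, "success_after_bruteforce": success_after}


def report(text, **kwargs):
    """Parse then detect, so callers can hand over raw log text."""
    return detect(parse(text), **kwargs)


if __name__ == "__main__":
    for kind, hits in report(SAMPLE_LOG).items():
        for src, ts in hits.items():
            print(f"{kind}: {src} at {ts}")
```

The single typo from 192.168.1.20 and the two slow failures from 198.51.100.4 are left alone; only the burst that crosses the threshold is reported, and the successful login right after it is the line that should actually page you.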
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
There is nothing to worry about. If you were an enterprise sitting on customer data, then I would say think twice, but you have nothing to worry about. There is nothing wrong with port forwarding.
I respectfully disagree with this statement; port forwarding should be avoided at all costs: https://blog.sucuri.net/2016/06/large-cctv-botnet-leveraged-ddos-attacks.html

@wideLoad, that's complete nonsense. VPN is used by some of the most stupid people in the world; it's a requirement for EVERYONE at my work to check email, and we have some pretty dim people working here. If C-level executives can figure out how to click a button, I think your users can manage it too.

The problem with auto-connect is mobile OSes won't let third-party apps hook into the OS like that. The L2TP/IPsec that's built into most operating systems usually has options to make the VPN auto-connect.
 

wideLoad

n3wb
Joined
Jul 4, 2016
Messages
17
Reaction score
1
Nayr, you're totally right yet totally wrong.


(1) The link you provided... what is that proving? That some Hiks get rooted? To what extent?


(2) Can the potential to get hacked be mitigated by using a secure password, a random port, and staying up to date on firmware?


(3) You're asking Joe Schmoe Public to install OpenVPN on their router, and a client on their phone/tablet, and to know what this all means and to do it correctly. Is it ideal? Yes. Will it happen? No!


Ugh, I know you are right in terms of "best practices", but these requirements are not for average home users. This is almost a case study for why Dropcam actually has market share.


I got off the phone with Nelly's today and they are not getting calls night and day about their hacked NVRs/cams. Are they dumb and/or in denial? Probably to some extent... but to WHAT extent is my entire point. If requiring a VPN is needed for home use then man, these damn cams have a long way to go.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
A secure password sent in plain text is not a secure password, and a random port does absolutely nothing to secure you; I can scan all 65k ports on your computer in a few seconds, fingerprint any open ports, and identify that it's a camera regardless of what port you put it on. You get scanned and each open port probed pretty much non-stop by attackers in China and Russia; everyone does.

The video streams are rarely secured with passwords. The ones that do actually require a password ALWAYS transmit it in plain text.

Nelly's is not getting calls day and night because even if your cameras are hacked you won't ever notice it; they are targeted because they are always on, there are always multiple devices configured the same way, and there are never any local users logged in looking at processes and activities, so all your cameras could be owned right now and you'd never have a clue. They run full-blown operating systems with no automatic security updates from upstream sources; where is the CERT response team that issues fixes when vulnerabilities are found? Without these in place a device should not be exposed to the internet.

Many if not most cameras have known backdoors in them; I discovered a backdoor into Hikvision cameras entirely by accident, poking around in the API.

I am not asking Joe Schmoe Public to install a VPN server on their router, I am demanding it. If you're installing a security system and then putting it on the internet and think your stupid password is enough despite the advice of professionals, then you're a fool and deserve to get owned. I've convinced most of the Joe Schmoes here that setting up a VPN server is no more difficult than installing IP cameras, and with some consumer off-the-shelf routers like Asus it's actually easier than opening ports. Millions of trained corporate monkeys use a VPN solution every day; I'm sure our audience here is more than intelligent enough to figure it out.

You are right, these cameras have a HUGE way to go. Any device that was designed to be put on the internet would come shipped secure by default; I've yet to see a single IP camera that was secure out of the box. Therefore they are designed to be on closed networks and protected from external connections. This industry evolved from CCTV, where the CC means Closed Circuit, and that's how this industry proceeds to think about security: you keep the network isolated if you want any security.

There are more active members on these forums running a VPN server now than port forwarding; if it's too hard for you, just ask for help.
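The "random port does nothing" point above is easy to demonstrate. Here is an added example (my code, not from the thread or from Hikvision) that starts a constructed stand-in for a port-forwarded NVR web interface on a random high port, sweeps a port range with a small thread pool, grabs whatever each open port answers to a minimal HTTP probe, and labels it by banner. The banner strings in SIGNATURES are assumptions for the demo; compare against what your own device actually returns (for example with `curl -sI http://<nvr-ip>/`) before relying on them.

```python
import socket
import threading
from concurrent.futures import ThreadPoolExecutor

# Banner fragments to match. Assumed for the demo; check your own device's reply.
SIGNATURES = {
    "App-webs/": "Hikvision-style embedded web server",
    "DVRDVS-Webs": "Hikvision-style DVR/NVR web server",
}
PROBE = b"HEAD / HTTP/1.0\r\n\r\n"


def grab_banner(host, port, timeout=0.5):
    """Connect, send a minimal HTTP probe, return (port, reply) or None if closed."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                s.sendall(PROBE)
                data = s.recv(1024)
            except OSError:            # includes timeouts: open port, silent service
                data = b""
            return port, data.decode("latin-1", "replace")
    except OSError:                    # refused / unreachable: port is closed
        return None


def fingerprint(banner):
    """Map a banner to a device label by substring match; unknown if nothing matches."""
    for needle, label in SIGNATURES.items():
        if needle in banner:
            return label
    return "unknown service"


def scan(host, ports, workers=128):
    """Return {open_port: label} for every port in `ports` that accepts a connection."""
    found = {}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for hit in pool.map(lambda p: grab_banner(host, p), ports):
            if hit:
                port, banner = hit
                found[port] = fingerprint(banner)
    return found


def start_fake_nvr(host="127.0.0.1", port=0):
    """Constructed stand-in for an NVR web UI (demo only). port=0 lets the OS pick.
    Returns (listening socket, chosen port); close the socket to stop it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, port))
    srv.listen(64)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:            # listener closed
                return
            with conn:
                try:
                    conn.recv(1024)
                    conn.sendall(b"HTTP/1.1 200 OK\r\nServer: App-webs/\r\nContent-Length: 0\r\n\r\n")
                except OSError:
                    pass

    threading.Thread(target=serve, daemon=True).start()
    return srv, srv.getsockname()[1]


def demo(span=500):
    """Hide the fake NVR on a random high port, then find and label it anyway."""
    srv, hidden = start_fake_nvr()
    try:
        lo, hi = max(1024, hidden - span), min(65535, hidden + span)
        return hidden, scan("127.0.0.1", range(lo, hi + 1))
    finally:
        srv.close()


if __name__ == "__main__":
    hidden, found = demo()
    print(f"fake NVR listening on {hidden}/tcp")
    for port, label in sorted(found.items()):
        print(f"  {port}/tcp open  {label}")
```

The sweep here covers a thousand ports around the hidden one so it finishes in a moment on localhost; widening `range()` to 1..65535 is the whole difference between this demo and the scan an attacker runs against your public address.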
 

mark4470

Young grasshopper
Joined
Jul 29, 2016
Messages
69
Reaction score
10
nayr,

I'm not too proud to ask for help; I have no clue how to set up a VPN. I have a Linksys EA8500 router, two iPhones, two iPads, and two Dell laptops with Windows 10. Thanks for your time...
Mark
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
It appears as if your Linksys does not include a VPN server out of the box, at least not that I can find in the spec sheet.

Your best option would be installing DD-WRT on your Linksys EA8500. It looks like the firmware image you need is this one: ftp://ftp.dd-wrt.com/betas/2016/08-04-2016-r30356/linksys-ea8500/factory-to-ddwrt.img

Beware, you will be required to re-set up your network after you re-flash your router to DD-WRT; it'll be all defaults.

Then go check this walk-through out: http://www.howtogeek.com/64433/how-to-install-and-configure-openvpn-on-your-dd-wrt-router/

Most of the meat you want is in: Configuring DD-WRT’s OpenVPN Daemon

For your iPhones/iPads you need to get the OpenVPN app from the App Store.
 

mark4470

Young grasshopper
Joined
Jul 29, 2016
Messages
69
Reaction score
10
nayr
Thanks for the reply. Just looked at your post; looks like for me, being a blue-collar type of guy,
a new router may be a better idea? Can you recommend an Asus router that has great range and speed?
Thanks,
Mark
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
Don't let the DD-WRT thing scare you off; it looks harder than it is.

Download factory-to-ddwrt.img above and save it.
Plug into the wired network; you probably don't want to proceed on WiFi.
Log in to the router and reset it to factory defaults.
There are two (2) ways of resetting the Linksys EA8500 to factory defaults:
  • Press and hold the Reset button located at the back panel of your router for 10 seconds.
  • Log in to your router’s web-based setup page, then go to Troubleshooting > Diagnostics and click Reset under Factory reset.
Connect and log back into the router after it's all on default values.
Go to Advanced -> Firmware -> Upgrade (or something like that), choose the factory-to-ddwrt.img file and upgrade it.
Let it do its thing. DO NOT UNPLUG OR INTERFERE WITH IT.
It should come back online with the default DD-WRT firmware when it's all done. The default login for DD-WRT is: root/admin @ 192.168.1.1

Then you can start setting up the router again for your network (WiFi, DHCP, etc.). When you're happy that everything is working again, start setting up OpenVPN with the doc above.

If you still have trouble or can't figure this out, then you can consider an Asus router with OpenVPN built in. I can't recommend one specifically, maybe someone else can chime in, but it does appear to me that Asus has the easiest VPN server to set up on most all modern routers.
 