Client will use VPN to access (VPN server Open VPN)

Discussion in 'Networking' started by llarsx, Apr 8, 2019.

Share This Page

  1. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    I am a little unsure for what I should use here, look at the Picture

    Lan only, internet only or Both. The case is a webcamera which I need to reach from remote. The VPN-server is 300 km from home where the camera is. When I am on the camera location I reach the camera without using vpn (through lokal ip). Internet should be my choice, I think. Will Both prevent me from using only local ip when I am where the camera is?

    Will the Choice I make be in the client1.ovpn file?

    both.jpg
     
  2. GCoco

    GCoco Pulling my weight

    Joined:
    Jun 29, 2015
    Messages:
    336
    Likes Received:
    115
    Location:
    Louisiana
    I’m not a VPN expert but from my experience this setting is not in the ovpn file. If you have VPN off and are local to the router you will have access to everything (LAN and internet). If you are local with VPN on you will only have access to whatever the setting is. I leave VPN on all the time and access the internet and my cameras without worrying about security. Set to BOTH.
     
  3. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    Yes, that option will be in the .ovpn file (redirect-gateway is the parameter).

    However, your use case does confuse me: This ASUS router is NOT on-site next to the camera? If that is the case, you want to have this ASUS router "dial in" into the VPN server on-site next to the camera? If yes, you are actually looking at a vpn site-to-site setup. But my guess is that you want the ASUS router next to the camera? If yes, this the aforementionned toggle is meant as follows: "LAN-ONLY": if you connect to the VPN Server, you can only access 192.168.x.y addresses, all other communication leaves your mobile's device 4g/wifi (thus default gateway). If you put "internet only", you are "masking" your mobile's device 4g/wifi by your ISP's WAN ip address. Both means "both". Keep in mind, that with the last two options, you'll consume twice the ISPs bandwidth (as your communication goes up- and downstream towards your mobile device).

    Hope this helps!
    CC
     
    llarsx likes this.
  4. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Sorry for not been accurate. The asus is after the wireless Broadband router and the asus has the lan where my camera is. The asus is also config as vpn-server.

    But I an not sure what you try to tell me catcamstar. Before I had no problem with only local ip connection when I in the same lan as the camera and I like to have it also in the future. But as I struggled a lot with the ovpn-file I must review my settings all over.

    I don't want to use more wifi than necessary. And spite I have an asus router at home also, I don't use it as an vpn-server too. My only need is to see the camera remote and local when I am local.
     
  5. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    It seems to work ok in my laptop, but not in my ipad og adroid mobil.
     
  6. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    OK, now I am starting to see the complete picture (a drawing would have helped in the first place) :)

    So you have:
    -----> ISP -----> (wifi) broadband router ------(wired) ---- ASUS (wifi) router -------- (wired/wifi) ----- pc/mobile

    If the broadband router is not in bridged mode, then I suspect you have port forwarded 1194 (or other VPN port) from your broadband router to your ASUS router. In that case, the openVPN server on your asus is not aware of the WAN IP address of your ISP, which makes that your openvpn.ovpn file does not contain the WAN IP address. Connecting from your LAN might work, as they do see that "internal" WAN IP address on your ASUS router.

    If the broadband router is in bridged mode, your ASUS router is exposed to the internet (and port 1194 is opened when running the OpenVPN server instance). If you are in this case, the .ovpn file should contain all the required information to connect to.

    Can you share your content of your .ovpn file (do mask IP addresses and certainly security keys).

    Thank you!
    CC
     
    llarsx likes this.
  7. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Thank you again, catcamstar.
    You are the best guru.

    I have changed the wireless broadband router to bridge and now it seems to work fine, but as I am at the local place with the asus vpn server/router and the camera it is a little difficult to test everything from Remote before I return home in the end of the week.

    The client1.ovpn work on the laptop and on my Huawei mobil and on the last one I found that I must disable the wifi and use mobildata instead to get the Openvpn to work. Login in from the mobil to asus router and camera also work fine. On the laptop I can open Openvpn, but am of course not able to test the camera-connection as it overrides by the direct local ip-connection. The laptop has only wifi.

    The question is still if the "Both" is wrong and it had be better to use "Internet" in the VPN-server (and client1.ovpn). The fact that my mobil openvpn don't work when I am on the same wifi can be caused by this setting "Both", or am I wrong?

    Her is the client1.ovpn:

    ovp.jpg

    But I like to use my ipad too, but it don't work with the client1.ovpn file.
    Going to the settings in Openvpn in the ipad there is more information I haven't seen before:

    VPN Protokol, set the protocol used for Connection, adaptive, tcp eller udp. Used UDP.
    IPv6, NO preference, combined ipv4/ipv6 tunnel, Ipv4-only tunnel. Used Ipv4-only tunnel.
    Connection timeout. 30 sec.
    Allow compression. NO.
    AES-CBC ciper algorithm. Checked
    Minimum TLS Version: Disabled, profile default, Tls 1.0, Tls 1.1, Tls 1,2. Used Profile Default.
    DNS Falllback. Checked
    Connect via, Any network, Wifi only, Cellular only. Used Wifi only.
    Layer 2 reachability. Checked.

    Can one ore more of these settings cause my problem with openvpn on the ipad?
     
  8. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    Hi @llarsx, no worries. the setting "Both" or "LAN only" are the ones you need, otherwise you will not be able to reach to your camera's. If you don't want to "waste" bandwidth on your cam location's internet, you should set "LAN-only" (so when you "surf" to eg google.com on your mobile, that traffic will not go through the OpenVPN server onto the internet towards google.com). But both options will do what you want them to do.

    I do however suggest you verify one thing: if you have (for example) 192.168.0.x subnet configured behind your asus router, you have to make sure you don't use that same subnet at your home ASUS. This to avoid the aforementionned routing issue. My advice: change every location you "own" to something unique (eg 192.168.200.x at home and 192.168.201.x at remote location). So you won't run into any issues further down the road. Do not forget to change the ip's too on the cams etc.

    Regarding your iPad: only strange thing I see is the "allow compression: NO". For bandwidth reasons, I would say "allow".

    Hope this helps!
    CC
     
    llarsx likes this.
  9. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Thanks again catcamstar.

    I have not the same subnet home and on the camera location. This is something I have been advised before, may be by you. I shall also change the "allow" on the ipad.

    Using the "Both" should not cause wasting bandwith/use data on the camera location, I think, because I will not use Openvpn to reach the camera when I am in the cameras local lan. I only need Openvpn when I am remote and wish contact with my camera or the asus in the same lan.

    Or am I wrong and use data on the camera lan when I google etc. from remote when the Openvpn connection to the camera lan is open? I thought this is the case when I have Openvpn on both lan.

    By the way, is there as simple method to setup a second vpn server? Copy?
     
    Last edited: Apr 9, 2019
  10. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    With "Both" you'll indeed consume bandwidth of your ISP were the cams are located, but only when the VPN tunnel is active AND when not being on the local lan.

    Do not "copy over" vpn server configurations, because when your certificates get compromised, your two setups are vulnerable. In your ASUS router, setting up the VPN is not that complicated.

    Hope this helps!
    CC
     
    llarsx likes this.
  11. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Very good, catcamstar.

    Thank you again. Regarding the ipad I have read this:
    FAQ regarding OpenVPN Connect iOS | OpenVPN
    I must dig deeper in this when I am back home and hopely I'll find a solution for the openvpn on ipad.
     
  12. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    If your pc and android are already working, you can already watch the camera feeds. What did annoy me most on iOS, was the certificates. In the end, I included them all in the .ovpn file (which renders that file into a security flaw: everyone with that file can login) and that works like a charm.

    Good luck!
    CC
     
    llarsx likes this.
  13. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Thanks, catcamstar.
    Now, back home I easily changed the client1.ovpn file there and got Connection. I also doing some test with broadband comsumption and that was a big surprise. I used my asus at the camera locations Qos to Qos configuration and had set the camera to 5 Mb/s both down- and upwards. A big failure as one hour watching give the result 2.09 GB. A "little" to high for a monthly limit on 50 GB.

    I of course changed the cameras bandwidth to 0.2 Mb/s both ways, but it seems not to have any effect as the Qos bandwidth monitor in the asus router at the camera shows higher comsumption - from 0.8 MB to 1.4 MB with quite low settings in the camera (framerate 12 and bitrate 1024). Best video (framerate 25 and bitrate 8192) both 1920*1080p resolution, use about 9 MB/s. My favourite setting is framerate 12 and bitrate 2048.

    The traffic Analyzer now (Qos 0.2 MB) shows about 150 kb/s for the low settings and about 1100 kb/s for the high. Strange, because I thought 0.2 was the limit. ("Traffic Analyzer is to analyze the network traffic").

    I am quite unsure if this give me control over the data compsumption on my wireless broadband at my camera. There seems to be a big difference between the bandwidth monitor and the traffic (internet) analyzer.

    There is also another problem with data use. The one hour test last evening give 2.09 GB in the traffic analyzer on the asus router, but the wireless broadband provider had 2.7 GB up and 0.6 GB down for the same hour. The difference is very hard to understand - at least for me. Can analyzing it self cost me money?

    Today I did a test with low settings and the 0.2 Mb/s configuration for one hour (with nothting else and no analyzing loaded) and expect it to give me less numbers in the internet traffic. The result was really good, - only about 452 MB for one hour (from the traffic Analyzer in asus), but the wireless broadband has 199+525(down+up) total 734 MB. Next a test with 6 frames x 2048 bitrate (better video): Asus 1048 MB, wireless 213+1299 = 1512 MB.

    Difference about 50 % and of course I must accept the wireless and pay for their numbers. But I thought both frames and bitrate should count almost the same, meaning double or reduse bitrate or frames to the half should give the same result?

    The most acceptable remote view for me seems to be 6 frames x 2048 bitrate which give me 1 hour per day = 1.5 GB.

    The other question is really why the Qos limitation on 0.2 Mb/s don't give me lower / simular result as both test may reach the limit. Can resending of packages when the limit has been reached be the problem?
     
  14. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    Hello @llarsx,
    couple of things I noticed whilst reading your post:
    - you are good with numbers, but pay close attention to Mb/s, MB, kB and kb/s. A factor 8 in your calculations gives already a world of difference
    - internet traffic is a "crazy" business: few protocols use "fire & forget" packet transmission, which means that for X-100 packets, there is always a (less offcourse) amount of Y packets which go retour (at least to stipulate if packets got trunkated, corrupted, need a resend etc). Multicast is for example one which is highly sender-friendly (eg comparable with TV broadcasting: the TV antenna is not making peer-to-peer connections with 1.000s of individual TVs, no, they are "broadcasting" (in TCPIP terminology: multicasting) all the packets for any willingly to listen and pick it up. Your TV will never send stuff back to "acknowledge" the reception. That's the reason why "internet tv"/"setop boxes" are so important (as data harvesting/mining) so now all statistics (are you watching BBC/NatGeo, when, for how long, etc etc) and at least being able to feed you annoying ads etc etc. But we're going off-topic, my point: having 2.7GB uploaded and 0.6GB download, is not that bad, as I suspect that due to the manipulations with your cam, and maybe not that good internet connections, some packets had to be "re-ordered".
    - there is a difference between QOS (quality of service) and "bandwidth limiters". Let's give an example: image you have VoIP telephone system for your company. When someone calls you, you want to have a decent video and audio channel (so the other one can hear you crisp and clear). To have this, your VoIP system needs (for example) 4Mbps to work decently. Imagine your ISP provides you 10Mbps up and downlink. Once you open your connection, it might peak to 8Mbps because you twiggled around with resolution, so far so good. But one of your colleagues discovers the world of (illegal) downloads, and starts downloading stuff. 10Mbps is easily filled. QOS does not interact yet. Until the phone rings: the 10Mbps download is squeezed until the "guaranteed limit" of the VoIP stream, so in theory, the 10Mbps goes down to 6Mbps, and the VoIP gets his "promised" 4Mbps. So back to your example: you first set it to 5Mbps, which is a lot. But when nothing else is "using" the internetz on the remote location, you'll never fill that up. Even with the 0.2Mbps, it will still go up to whatever the camera wants to send out. And to my opinion, the key to your success lies there: each cam has different "streams", for example, my main stream is (always) fullHD, which gets picked up by my NVR. But the substream is much lower resolution, lower bandwidth and less fps. When on-the-road, I instruct iDMSS/gDMSS to hook to the substreams (for obvious reason: my iPhone screen is useless with fullHD footage).
    - after some research: asus does have (well hidden) in QoS the feature "bandwidth limit" - this is "new" since 2016 -> do you have Rmerlin running or a version higher than 2016? Source: Bandwidth limiting? According to the FAQ: you have to ENABLE it first (some do reboot in this step) before adding the clients, otherwise it will not work. Source: [Adaptive QoS]How to control transmission speed of client device via Bandwidth Limiter? | Official Support | ASUS Global but it remains "flawky"
    - your QoS will definetly help if you have one cam which needs priority on another cam, so you can "guarantee" enough bandwidth for him.

    Bottom-line:
    - mess around with substream settings (eg use the pre-configured D1 setting)

    Hope this helps!
    CC
     
    himey97 and llarsx like this.
  15. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Fantastic informatic message, catcamstar.

    I may have mentioned earlier that I had adsl earlier and had to mess very much to get something remote. The upload was 1 Mb and I got 138-139 kb/s in the realtime traffic monitor in the asus which should be quite accurate (dividing with 8). As I wished a little better quality now I thought 0.2 Mb/s should be nice, but as written above, that was not what I got. I think you tell me that the bandwidth limit is minimum not maximum and that explains why my test use so much GB.

    I am very familiar with the sub and third stread and use the last one for remote on a computer and the substream on ipad or mobil. The bitrate is the parameter which to very much to the quality. I have also messed a lot with the rest of the parameters, but none of them seems to do much. And I always use Hd 1920*1080.

    I still hope for a method to set maximum bandwidth. Back in the adsl-world I could see that even better quality videos could be used, but I lost a lot of packages and had many stop in the stream. All up to 138 kb/s. If I set the maximum to 0.2 or 0.3 MB/s I would get about 0.5 GB per hour or less and that would be nice.

    I have also tried another Qos setting "Traditional" with the same 0.2 MB/s but now with dramatic result. After applying I got kicked out of the asus and when I tried to login again it took about 1 minute and everything was very very slow. May be here is the solution, but with a lot higher numbers.

    Pics of bandwith limiter and Traditional limiter below. I have almost the latest Asus Merlin, only a few months old.

    bandwidth.jpg

    Traditional.jpg
     
  16. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    Thanks for the background information. My advice would be to "stick" to something that is acceptable for the moment. I don't know if you already performed a factory reset before having applied the latest rmerlin firmware, although it is not mandatory, there is a trick here: the next time you are onsite (I repeat: do not do this remotely, you'll get locked out!), it might be a good idea to unplug the router from the internets, factory reset (either by the reset button, or through the web interface), and reset the router completely. Enable QOS and reboot again. Select the IPC and see if the settings stick. Configure the WAN block for the IPC so the cams can't dial home. Verify the Openvpn server profile. And then connect ASUS back to the internet. Then you're back to this thread and test the VPN connectivity. Maybe it works better then, but at least you'll have a clean plate with no "old" or "shadow" settings flying around.

    Good luck!
    CC
     
    llarsx likes this.
  17. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Hi catcamstar.
    Thanks for advice and warnings. I shall do as you suggest.

    The router was rebooted 10 days ago (with a mistake as I moved it and accidently shut off the power). Rebooting gave me an unexplained large (2GB) data use both down and up which I have tried to sort out together with asus support, but due to too long answerperiod (missed systemlog) this is a case to investigate when I next time do a reboot. I don't performed a factory reset before installing the merlin software, but has upgraded the merlin a couple of times after that.

    But as the router seems to work fine for all other use, I hope to avoid total reset of every setting. I will follow your advise and keep my working setting until I find a better solution. I have not mentioned that I have this last month to decide if I go back to adsl or permanent move over to the new wireless broadband. It is now 9 days left of this choice/option. Therefore it has been a pleasure and big help to receive your answers in this thread, catcamstar. Thank you very much.

    I have to investigate the "Traditional limit" with googling as it seems not to work as I expected. I put in 0.2 MB/s only for the camera, but after been shut out from the router the connection to the router also was very slow. May be something "old" setting is flying around as you mention. It is very pity that asus support has no knowhow of these limits. I have tried the asus forum also with no answers to my case, but don't give up.

    I travel to the camera location after Easter and do the upgrade then. If I receive more info about the "Traditional limit" and how it should work I can try it a day or two before I leave home. If it crashes I can fix it when I am at the camera location.

    One last question: Where can I "configure the wan block so the cam can't dial home" probably in att. pic.

    View attachment 41396
     

    Attached Files:

    • wan.jpg
      wan.jpg
      File size:
      216.4 KB
      Views:
      3
  18. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    One last answer:
    [​IMG]

    Or more easily: on your network map - click on "connected devices" - click on your IPC and choose: block internet access. Do not misclick on a wrong device, or you lock yourself out :)

    Good luck!
    CC
     
    llarsx likes this.
  19. llarsx

    llarsx Getting the hang of it

    Joined:
    May 7, 2018
    Messages:
    105
    Likes Received:
    7
    Thanks, catcamstar.
    I found it, but am afraid locking me out or do the config to stop what I want to use. My cam has 192.168.xx.52 and I use port xxxxx (changed from 80) to reach it from a computer and 8000 from mobil/ipad. I also need 443. These port has been config in the camera.

    Will blocking 192.168.xx.52 block me from receiving streams from my camera in the set period? Have I right when I must have 80 (xxxxx), 8000 and 443 open to reach my camera through openvpn or even when local. Or make the vpn channel a working around solution?

    Asus manual use Source ip 8.8.8.4 as an example (google?). Why?
     
  20. catcamstar

    catcamstar Getting comfortable

    Joined:
    Jan 28, 2018
    Messages:
    969
    Likes Received:
    588
    "Block internet access" does not mean "block local LAN access". It's meant for kiddo's who aren't allowed to surf the web, but if they are smart, they still can watch movies on the NAS. Being said that: I guess (but never tested myself, as my ASUS does not allow VPN anymore) that when your phone enters the "LAN" through VPN, you can still reach the IPC (as it would see you as you were coming from the LAN).

    Again, to be tested when onsite, in case it doesn't work, you can easily revert the settings.

    You have a lot to test next time you go onsite :)

    And please report back if VPN access still works with "blocked internet access", so I can learn something new too :)

    Good luck!
    CC
     
    llarsx likes this.