Dahua gDMSS Plus and OpenVPN

M

Mike77.

n3wb
May 29, 2019
5
3
Havana, fl
I am new to the networking/cyber security and I've exhausted my google searches. I have 4 Dahua cameras installed at my house and when I installed them, I did not set up any network security. They are connected to a POE switch on my LAN, which connects directly to my router. I have been viewing the cameras remotely on my cell phone using the Dahua gDMSS Plus app.

I recently wanted to add some security to prevent the cameras from being hacked, so I decided to turn on OpenVPN on my TP-Link AC1750 router. I got OpenVPN set up and I thought I would be able to still use the Dahua gDMSS Plus app to access my cameras. It turns out that I can still access the cameras through the gDMSS app even when I don't have the OpenVPN turned on on my phone (I can access the cameras when not using the VLAN). Is this app able to bypass the VLAN? Will I have to delete the app and login directly to each camera if I want to use a VLAN to secure my cameras?

Thanks in advance for any feedback.

Mike
 
Turning on the VPN doesn't automatically turn off anything else that you may have set up. If you have P2P set up and whatever ports open, that all remains and the gDMSS app can still use those.

To stop that you'd turn off P2P in the camera(s) and turn off P2P on your router. Also check and shut down whatever port forwarding may be set up (assuming that you don't have some specific reason for intentionally opening any). Then you'd connect to your network using OpenVPN and use whatever application to access your cams as you would as a client on your local network. I don't know gDMSS to know whether it also supports that or not.
 
gDMSS can either connect to your infrastructure by IP address (if you put your local ip address of your cams/nvr, you HAVE TO open the VPN tunnel before it even can work) or, you connect by P2P, bypassing any security you may (or may not) have put in place on your home network. The latter does not need any VPN connection. But, P2P and Upnp, port forwards, these are concepts from 1980 when script kiddies were not born. Today, one should indeed know better than that.

So my advice to you:
- go into your cams: disable all P2P
- go into your cams: disable all Upnp
- go into your router: delete ALL port forwardings, Upnp config etc. If unsure how to do it: best way to factory reset your device.
- install and configure openvpn server on your router
- deploy the profiles (and certificates) on your mobile device
- configure gDMSS on your LAN with the internal fixed ips of your cams
- connect your mobile to 4g
- open VPN client
- open gDMSS
- voilà!

If you want to make it more secure: disable all outbound internet connectivity from your cams/nvr to the internets. BUT then push notifications won't work, for that you'll need to open outbound 2195TCP.

Hooray!
Good luck :)
CC
 
  • Like
Reactions: GaryOkie, dudemaar, civic17 and 2 others
catcamstar said:
gDMSS can either connect to your infrastructure by IP address (if you put your local ip address of your cams/nvr, you HAVE TO open the VPN tunnel before it even can work) or, you connect by P2P, bypassing any security you may (or may not) have put in place on your home network. The latter does not need any VPN connection. But, P2P and Upnp, port forwards, these are concepts from 1980 when script kiddies were not born. Today, one should indeed know better than that.

So my advice to you:
- go into your cams: disable all P2P
- go into your cams: disable all Upnp
- go into your router: delete ALL port forwardings, Upnp config etc. If unsure how to do it: best way to factory reset your device.
- install and configure openvpn server on your router
- deploy the profiles (and certificates) on your mobile device
- configure gDMSS on your LAN with the internal fixed ips of your cams
- connect your mobile to 4g
- open VPN client
- open gDMSS
- voilà!

If you want to make it more secure: disable all outbound internet connectivity from your cams/nvr to the internets. BUT then push notifications won't work, for that you'll need to open outbound 2195TCP.

Hooray!
Good luck :)
CC
Click to expand...


Very nice. And with this setup you can only use your gDMSS when your openvpn client is being used so you know it is only going through the VPN.
 
  • Like
Reactions: catcamstar
You must log in or register to reply here.
Top Bottom