Dahua NVR W/ VPN Setup - Push Notifications

HereBull

Getting the hang of it
Joined
Jun 6, 2017
Messages
53
Reaction score
80
Hello all,

I got an awesome 32 channel NVR from EmpireTecAndy awhile back and it's been pretty good thus far. Recently I set up a VPN so that I could view it remotely without port forwarding and that has been going pretty good as well.

My question comes around the push notifications - Can anyone confirm if these only work if you use the app with P2P / adding the NVR via the QR code scan? I've tried both the old gDMSS and the new DMSS apps and am unable to get notifications to occur at all - Turning to YouTube, I noticed in all the videos I came across the NVRs were added via P2P.

Just hoping to get some feedback before I start to dig even deeper as I'd like to get notifications working but don't want to deal with the P2P aspect in order to get them. Right now I've obviously added the NVR as an IP device and have confirmed that locally on the NVR it is picking up on the tripwire/AI events, just can't seem to get any notifications to occur on mobile devices.

Thanks!
 

Flintstone61

Known around here
Joined
Feb 4, 2020
Messages
6,587
Reaction score
10,894
Location
Minnesota USA
I wonder if you'd consider "push" email notifications?
I think there is a menu area to input email server data to go outbound to your email on your phone. I've seen it on both Amcrest (Dahua OEM) and Hik DVR/NVRs.
That's what I've got going on with my Blue Iris recorder.
I get at least a hundred images a day via notifications, and I don't want that popping up on my phone, so I have them going to a separate Gmail account.
 

HereBull

> I wonder if you'd consider "push" email notifications?
> I think there is a menu area to input email server data to go outbound to your email on your phone. I've seen it on both Amcrest (Dahua OEM) and Hik DVR/NVRs.
> That's what I've got going on with my Blue Iris recorder.
> I get hundreds of notifications a day and I don't want that popping up on my phone, so I have them going to a separate Gmail account.

That is actually a good viable option versus the push, I'll definitely have to check into that since it actually would be a more reliable notification method I think.
 

HereBull

Just updating this for anyone else that follows:

It appears push notifications still require internet access for the NVR and device. Became clear as day when I noticed a flurry of traffic in the packet captures and firewall logs anytime motion was triggered on the devices in question.

IE even if you have everything fully connected but it is all in a closed environment, nothing occurs.

I found that the NVR was making calls to 216.239.36.55

Once this IP was allowed in the firewall rules, the notifications started flowing. This also answers a curious question I had when I saw countless threads about people reporting that push notifications would randomly stop working, which would make no sense if it was device to device. It makes more sense now, knowing that the flow is:
NVR -> cloud server -> App

Even though the camera data can easily flow through a VPN setup. I'm guessing this was a decision that since they expected the majority of their users to use P2P, they didn't bother working in the logic for if it was entirely disabled/firewalled and in a private/air-gapped network.


So in the end, if your NVR is completely black-holed except for VPN use - You're gonna have to open it up for that IP address. Of course that is a major flaw in my opinion from a reliability standpoint and security, the better option would have been to allow these notifications to ride over the same path as the initial connection through the app to the NVR.
 
Joined
Sep 21, 2017
Messages
8
Reaction score
4
Location
Australia
For push notifications to work the NVR needs to know what the IP address of your phone is, or more specifically how to reach your phone. On a normal LAN or VPN your IP address will change constantly so that's why P2P is the only real option. Both Apple and Google (to a lesser extent) restrict app background activity so even if a connection was established in the app when open, it will close and become unreliable soon enough. Likewise if you use a fixed IP address eventually iOS or Android would reject the background connection.

P2P gets unfairly demonized on this forum. If P2P is good enough to use on your phone, gaming console, laptop, PC and tv then it's good enough for your cctv system
 

Iemand91

Pulling my weight
Joined
Aug 12, 2016
Messages
251
Reaction score
196
Location
Netherlands
@HereBull Could you not setup a Wireguard server (on a NAS, router, Raspberry Pi etc.) and run a VPN connection on your phone 24/7?
On top of that; you could run a split tunnel VPN so that only the Dahua data goes through your Wireguard VPN tunnel and all other data traffic (on your phone, like email, browsing etc.) does not.

That way your Dahua system can be completely fenced from the internet, yet you can receive the push notifications everywhere on earth.
 

HereBull

> @HereBull Could you not setup a Wireguard server (on a NAS, router, Raspberry Pi etc.) and run a VPN connection on your phone 24/7?
> On top of that; you could run a split tunnel VPN so that only the Dahua data goes through your Wireguard VPN tunnel and all other data traffic (on your phone, like email, browsing etc.) does not.
>
> That way your Dahua system can be completely fenced from the internet, yet you can receive the push notifications everywhere on earth.

So due to my carrier's double NAT of their network, I had to get creative (instead of just running OpenVPN on my pfSense router) -

So my setup involves a hosted VPS server in the cloud that is running OpenVPN, firewall rules and configuration allows client to client communications and I've got the routes setup to allow my PFsense router (Client A) to talk with my phone (Client B).

Originally, I had rules preventing my Dahua NVR from talking with anything outside internal networks and this worked flawlessly for viewing the cameras over the phone anywhere since traffic passed between the two.

What my results yielded though was that in order for the push notifications to work, even though DMSS was already communicating with the NVR - That I had to allow the NVR to talk to that public IP address "216.239.36.55".


If you don't need push notifications, then the system works just fine without allowing the NVR to communicate to public address space - But it would seem that notifications require it to communicate to that address.

My theory is that since Dahua expects most people to setup with P2P, they probably hard coded the notification system to rely on that 3rd party hosted server to relay notifications - not expecting most people to setup their own tunnels and networks.

This also explains why in many posts, people mention that notifications sometimes took longer than expected or sometimes stopped working entirely - Due to the reliance on this central server to relay the messages.

In the end, I have it working - Granted I would have preferred that all features worked in a totally segmented environment but I can live with allowing access to that one IP address since it seems to only relay the message - As far as I can tell, no other data seems to be flowing to/from that server.
 

Iemand91

> What my results yielded though was that in order for the push notifications to work, even though DMSS was already communicating with the NVR - That I had to allow the NVR to talk to that public IP address "216.239.36.55".
>
> If you don't need push notifications, then the system works just fine without allowing the NVR to communicate to public address space - But it would seem that notifications require it to communicate to that address.
>
> My theory is that since Dahua expects most people to setup with P2P, they probably hard coded the notification system to rely on that 3rd party hosted server to relay notifications - not expecting most people to setup their own tunnels and networks.
>
> This also explains why in many posts, people mention that notifications sometimes took longer than expected or sometimes stopped working entirely - Due to the reliance on this central server to relay the messages.

That's odd. I've blocked my camera and NVR from internet access (parental control in TP-Link router) and DMSS notifications work fine.
When I'm home and (via OpenVPN on the same router) when I'm away.
 

Andy112

n3wb
Joined
Oct 13, 2021
Messages
10
Reaction score
1
Location
Australia
OP this is exactly the situation I've found myself in!
I'm not wanting my NVR to have internet access in any way and so have setup a Wireguard VPN on my OPNsense router which works beautifully for playback & recording on mobile devices when out and about... However I am not getting any IVS tripwire notifications via DMSS.

> That's odd. I've blocked my camera and NVR from internet access (parental control in TP-Link router) and DMSS notifications work fine.
> When I'm home and (via OpenVPN on the same router) when I'm away.

Iemand91, please can you explain how you've configured your setup to allow for notifications via the DMSS app?

Thanks.
 

awonson

Pulling my weight
Joined
Feb 7, 2020
Messages
146
Reaction score
147
Location
Australia
@Andy112, I have blocked my cameras and NVR from the Internet. I am not using P2P - it is disabled in the NVR and Cameras and I am not using port forwarding. I have a Unifi USG Pro 4 router and created a group in the Unifi Controller with my NVR and camera IP addresses in the group. I allow traffic for the Camera/NVR group OUT through only ports 2195, 2197, 8888, 587 and 443 - all other traffic IN and OUT is dropped. I also allow the NVR and Camera group to have access to 17.0.0.0/8, which is assigned to Apple. In my syslog server, when a notification is sent from my NVR and comes to my phone, I see traffic on only ports 2195 and 8888 going OUT from my NVR and going to an AWS server (122.248.231.110). When the email is sent from either my cameras or NVR, traffic is sent OUT from the NVR or cameras via port 587 to my email provider.

I have OpenVPN and WireGuard running on two Raspberry Pi. I receive notifications when I am connected via my LAN or via cellular. When I am on cellular and I receive a notification on my iPhone, I connect via OpenVPN (or WireGuard) and can view the cameras via the DMSS app. If I leave OpenVPN running on my phone, I still receive the notification and emails on the phone.

In the DMSS app, I enable the Alarm Subscription in the NVR and then choose the cameras for each alarm - eg Motion Detection, Intrusion Alarm, Tripwire Alarm etc. An example image is provided below. Also, on the Dahua NVR, enable the "Mobile Push Notification" which is located under "System Service" under the Security tab. On your cameras, enable "Mobile Push" under the System | Safety tab.

1.png

Here's an article from Apple about their push notifications: If your Apple devices aren't receiving Apple push notifications
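
Added example (not part of awonson's post and not Dahua or Unifi code): a small Python audit that replays firewall log lines against the egress policy described in the post above, so you can see which NVR destinations pass and which are dropped. The log format, the 192.168.1.70 group member and all sample lines are constructed for illustration; only the port list, 17.0.0.0/8 and 122.248.231.110 come from the post.

```python
import ipaddress
import re
from collections import Counter

# Egress policy as described in the post: allowed destination ports, plus
# Apple's 17.0.0.0/8 on any port. Everything else is dropped.
ALLOWED_PORTS = {2195, 2197, 8888, 587, 443}
ALLOWED_NETS = [ipaddress.ip_network("17.0.0.0/8")]
# Assumption: members of the camera/NVR group (constructed address).
CAMERA_GROUP = {ipaddress.ip_address("192.168.1.70")}

# Constructed sample lines in an iptables-like key=value style.
SAMPLE_LOG = """\
OUT SRC=192.168.1.70 DST=122.248.231.110 PROTO=TCP DPT=2195
OUT SRC=192.168.1.70 DST=122.248.231.110 PROTO=TCP DPT=2195
OUT SRC=192.168.1.70 DST=122.248.231.110 PROTO=TCP DPT=8888
OUT SRC=192.168.1.70 DST=17.0.0.10 PROTO=TCP DPT=5223
OUT SRC=192.168.1.70 DST=203.0.113.25 PROTO=UDP DPT=8800
OUT SRC=192.168.1.50 DST=203.0.113.25 PROTO=TCP DPT=80
OUT SRC=192.168.1.70 DST=198.51.100.7 PROTO=TCP DPT=587
"""

FLOW_RE = re.compile(r"SRC=(\S+) DST=(\S+).*?DPT=(\d+)")


def is_allowed(dst, dport):
    """True if the policy would pass a flow to dst:dport."""
    return dport in ALLOWED_PORTS or any(dst in net for net in ALLOWED_NETS)


def audit(log_text):
    """Count camera-group flows per (destination, port), split by verdict."""
    allowed, dropped = Counter(), Counter()
    for line in log_text.splitlines():
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst = (ipaddress.ip_address(m.group(i)) for i in (1, 2))
        if src not in CAMERA_GROUP:
            continue  # not a camera/NVR flow
        dport = int(m.group(3))
        verdict = allowed if is_allowed(dst, dport) else dropped
        verdict[(str(dst), dport)] += 1
    return allowed, dropped


if __name__ == "__main__":
    allowed, dropped = audit(SAMPLE_LOG)
    for label, flows in (("ALLOW", allowed), ("DROP", dropped)):
        for (dst, port), count in sorted(flows.items()):
            print(f"{label} {dst}:{port} x{count}")
```

Because the rule is port-based, any destination on those five ports passes (the constructed 198.51.100.7:587 flow here), so the ALLOW list is the place to check which hosts the NVR actually contacts.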
 

Andy112

That is awesome, thank you so much for the detailed reply!!! I'll sink me teeth into this later tonight when I've got some time. I'll also do some research into Android (Samsung Galaxy) notification service to see whether I need to modify ports etc. I have no issue receiving any other notification so I don't expect for that to be an issue, but will report back when I know more.

Thanks again.
 

Iemand91

> Iemand91, please can you explain how you've configured your setup to allow for notifications via the DMSS app?
>
> Thanks.

Pretty much what @awonson said above.
I have a TP-Link C7 router with an OpenVPN server running on it. When I'm not home and I have OpenVPN open on my Android, notifications get through.
DMSS app is configured with the camera's/NVR IP address, not P2P.

Nowadays, I would probably run Wireguard (with split tunneling so only the Dahua app uses the VPN connection) or something like Tailscale.
But I can't be bothered to set that up, since I rarely use DMSS notifications.
 

Andy112

> @Andy112 ,

> Pretty what @awonson said above.

Thanks guys I'm making progress and making changes I previously hadn't made! For now I've disabled the firewall blocks for my NVR until I can get notifications working in a default state however no success just yet. NVR has internet access as confirmed by successfully checking for updates, however none of my cameras are able to.
I've realised though that my NVR has an IP of 192.168.1.70 set by me, yet all the PoE cameras connected to it have the default set 10.1.1.x which could be causing problems... Manually setting an IP of 192.168.1.7x for the cameras doesn't seem to work at all and I lose access completely to the camera when trying to register it with the new IP...
UPnP is disabled for security.

I guess what I'm asking here is, is internet access for the individual cameras required for notifications to work, or is only the NVR required? Do you guys use the default IP's for cameras or set your own?

Thanks again,
Andy.
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,544
Location
USA
> Thanks guys I'm making progress and making changes I previously hadn't made! For now I've disabled the firewall blocks for my NVR until I can get notifications working in a default state however no success just yet. NVR has internet access as confirmed by successfully checking for updates, however none of my cameras are able to.
> I've realised though that my NVR has an IP of 192.168.1.70 set by me, yet all the PoE cameras connected to it have the default set 10.1.1.x which could be causing problems... Manually setting an IP of 192.168.1.7x for the cameras doesn't seem to work at all and I lose access completely to the camera when trying to register it with the new IP...
>
> I guess what I'm asking here is, is internet access for the individual cameras required for notifications to work, or is only the NVR required? Do you guys use the default IP's for cameras or set your own?
>
> Thanks again,
> Andy.

The NVR sets the IP address for the cameras on a separate IP Address subnet on purpose to prevent the cameras from talking to the internet. Except for special cases, it is best to let the NVR assign them.

Making them the same IP address as your LAN is not best practice and you have to change other things in the NVR to allow it to pass thru because the NVR is essentially acting as a VLAN to isolate the cameras.

All notifications come from the NVR.
 

TechBill

Known around here
Joined
Nov 1, 2014
Messages
1,770
Reaction score
1,175
P2P is not needed for push notification or even to view the devices using DMSS or other apps. I don't use (disabled) P2P and my DMSS receives push notifications instantly and also has full access to my NVR and cameras with no issue. I only use port forward 37777 with local setup. No cloud service or Dahua account.

My understanding is that some features and functions will not be available on DMSS unless you create an account, but so far everything I needed works fine in DMSS as a local connection only (without using Dahua cloud). You will get a warning on Dahua that alert or alarm messages will not be saved if the app is closed. I am fine with just notifications only and being able to click on the notification to view the screenshot or play back the video of what triggered the alert.
 

paul@austins.tv

Getting comfortable
Joined
Dec 4, 2015
Messages
286
Reaction score
267
I, as many I understand, have had issues with anything apart from standard motion detection push notifications to the Dahua DMSS application. IVS and any AI notifications would not forward. This has been the case on firmwares above 7.1 for the NVR 5216.

Messing around on a rainy UK afternoon, I have discovered that if the P2P function is enabled, all notifications for IVS and AI are being received!
I don't want to use P2P as I have OpenVPN set up.

I presume P2P opens additional ports for IVS notifications.
 