Dahua Remote Access

mosesman831

Dec 15, 2022
United Kingdom
I have just installed a new OPNsense firewall at home and I have put the NVR and all the cameras behind a VLAN that blocks all access to the outside world. I would like to access the NVR on the DMSS app without manually going to Tailscale or WireGuard and enabling the VPN. Are there any other methods that can achieve this except port forwarding?
I was using P2P before, which was so simple and fast.
 
If you're blocking All access to the Interwebs, VPN is your only choice.

If it's a PoE NVR, a VLAN is a waste and unnecessary as the PoE switch in the NVR acts like a VLAN. Then you could use P2P.

You could try P2P the way you have it (use the NVR serial number in Manual Add mode on DMSS), I don't know if it will poke a hole or not?
 
I have seen posts here before that mention vulnerabilities of P2P, and port forwarding is too dangerous, and VPN is too annoying to start every time…

I have a PoE NVR but I use a PoE switch as I can access the cameras directly.
 
I need notifications, it wouldn’t work then right?

As mentioned, WireGuard works well. I use it sometimes to log in to a camera behind the NVR PoE switch.

Nothing wrong with current Dahua P2P. Just as secure. Video does not stream over a 3rd party server. It’s your phone directly connected to your NVR.

Remotely, with the VPN enabled, notifications would work the same as at home.
 
I thought Dahua P2P was always frowned upon and unsafe?

Has something changed?
 
I think so, for 2 things. One, that Dahua has trended to be more security conscious, and the other is the realization that P2P in itself isn't inherently insecure, but instead dependent on the implementation.
 
They had a security issue with their discovery/P2P servers as well as how SmartPSS and some NVR FW sent unsecure data back and forth to them.

That was resolved in Aug '24 by AWS demanding they use AWS infrastructure and killing off SmartPSS and updating NVR FW.

I watch it pretty darn close via a firewall and the only data that leaves is to ping the AWS P2P server to find out where the remote access device is.
Pretty much exactly how WireGuard/Tailscale works.
 
This is great to hear.

Appreciate it.
 
Thanks for your detailed reply. Could you tell me how to find the AWS P2P server? I understand the IPs might be different due to different locations, but a port number could help a lot. I have tried to check my firewall logs; it is around 3-4 requests from the cameras and NVR every second.
 
Firewall blocked mainly these 2 addresses from my VLAN:
47.91.73.128:10000
8.214.15.85:15301

They are both Alibaba Cloud services, one based in Singapore and one based in Germany.

When I turned P2P off, 47.91.73.128:10000 disappears from my firewall, which should be the P2P server. Then what could the 8.214.15.85:15301 be?


Location is United Kingdom.
 
Restarted the NVR after adding firewall rules; the address and port seemed to have changed again. I can't find one static IP that is used.

Also it uses Alibaba for me, not AWS.
 
I took the liberty to take this from our documentation. Hope this helps :)

But as jarrow has said before me: if you can, use the VPN method. It's a bit more finicky to set up but safer in the long run.



1. Device that integrates only the P2P function.

To use UDP hole punch technology for remote access, the firewall output of the device must allow the following ports:

● UDP ports: 0-65535
● TCP ports: 9116, 9118, 12366, 12367
● Dahua servers use dynamic IP addresses; their domain names and functions are:

| Domain Name | Function |
| --- | --- |
| easy4ipcloud.com | Device login and registration |
| easy4ip.com | Device login and registration |

2. Device supporting P2P and Cloud Business

To use UDP hole punch technology for remote access and normal operation of video surveillance services, the firewall output of the device must allow the following ports:

● UDP ports: 0-65535
● TCP ports: 443, 9112, 9113, 9116, 9118, 10000, 12367, 15100, 15101, 15301, 15600, 15900, 16759
● Dahua servers use dynamic IP addresses; their domain names and functions are:

| Domain Name | Function |
| --- | --- |
| easy4ipcloud.com | Device login and registration |
| easy4ip.com | Device login and registration |
| dms.easy4ipcloud.com | Device login and registration |
| paas-dms-edge-fk.easy4ipcloud.com | Device login and registration |
| smartdeviceproxy-edge-fk.easy4ipcloud.com | Device login and registration |
| devaccess.easyipcloud.com | Device login and registration |
| dus.easy4ipcloud.com | Cloud upgrade of device firmware |
| aktualisieren.easy4ip.com | Cloud upgrade of device firmware |
| update.easyviewercloud.com | Cloud upgrade of device firmware |
| vrs.easy4ipcloud.com | Upload device images and videos |
| pps.easy4ipcloud.com | Upload device messages |
| das.easy4ipcloud.com | Upload device messages |
| das-fk.easy4ipcloud.com | Upload device messages |
| devicelogserver-fk.easy4ipcloud.com | Uploading device log |

I have just found this message. May I know which domain I will have to place in my firewall rule?
Also, do I put the rules in WAN or LAN?
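
Added example (not part of the thread or of Dahua's documentation): a Python script that groups blocked outbound flows from the camera VLAN by which of the two TCP port lists quoted above the destination port appears in. The log format, source addresses, protocol column and the 203.0.113.7 destination are constructed assumptions; the port lists and the two Alibaba Cloud destinations are taken from the posts.

```python
import re
from collections import Counter

# TCP port lists copied from the documentation quoted in the thread.
P2P_ONLY_TCP = {9116, 9118, 12366, 12367}
P2P_CLOUD_TCP = {443, 9112, 9113, 9116, 9118, 10000, 12367,
                 15100, 15101, 15301, 15600, 15900, 16759}

# Constructed sample in a simplified, hypothetical log format (not OPNsense's
# native filterlog). Source addresses and the protocol column are assumptions;
# 203.0.113.7 is a documentation-range placeholder.
SAMPLE_LOG = """\
21:00:01 block tcp 192.168.50.10:41822 -> 47.91.73.128:10000
21:00:01 block tcp 192.168.50.11:50310 -> 8.214.15.85:15301
21:00:02 block tcp 192.168.50.10:41823 -> 47.91.73.128:10000
21:00:02 block udp 192.168.50.10:37001 -> 203.0.113.7:8800
21:00:03 block tcp 192.168.50.12:40112 -> 203.0.113.7:8443
malformed line that should be skipped
"""

LINE_RE = re.compile(
    r"^\S+ block (?P<proto>tcp|udp) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<port>\d+)$"
)

def classify(proto, port):
    """Say which documented port list, if any, a destination port is on."""
    if proto == "udp":
        return "udp: documentation asks for all UDP ports"
    in_p2p, in_cloud = port in P2P_ONLY_TCP, port in P2P_CLOUD_TCP
    if in_p2p and in_cloud:
        return "tcp: both lists"
    if in_p2p:
        return "tcp: P2P-only list"
    if in_cloud:
        return "tcp: P2P + cloud list"
    return "tcp: not in either list"

def summarize(log_text):
    """Count blocked flows per (destination, port, label); skip bad lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        port = int(m["port"])
        counts[(m["dst"], port, classify(m["proto"], port))] += 1
    return counts

if __name__ == "__main__":
    for (dst, port, label), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:3d}  {dst}:{port:<6} {label}")
```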
 
I’m not a network engineer, but

- there is no need or benefit to having P2P turned on on the cameras if you have it enabled at the NVR.

- With P2P off (NVR and cameras), after a few hours the pings will give up and die

- easy4ipcloud.com

- 3.97.89.x are AWS servers for me. Each region will have different ones.

- it also pings a 165.154.178.x IP which shows to be Oracle. Not sure of the routing, I’m guessing the AWS server directs it to a Dahua controlled server, again different depending on your location

A typical hour
IMG_9159.png
 
I shut off P2P at 9:10pm

Zero activity since as expected

I’ve yet to see P2P do anything other than contact the relay servers providing the route to handshake. This is exactly the way VPNs such as WireGuard work.

IMG_9160.png
 