Double NAT - working but secure ?

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
Hi

So I went about trying to enable VPN on my router today. First issue detected was that my WAN IP was private. My router connects to an antenna which the ISP controls, so I guessed they are doing NAT on their side and giving me back a private address.

Rang them up and they said their standard practice for this, for the package I'm on, is to forward all traffic that hits the 195.x.x.x address to a 192.168.x.x address they tell me to set on the WAN of my router.

So I set up OpenVPN on my router and edited the config file for the remote entry to the 195.x.x.x address. VPN connects and I can RDP into one of my Linux servers.

Had two questions on this though:

1./ Is what they have done not insecure? If their router were in my control I would have just opened a port for incoming OpenVPN connections. I'm guessing that in the past they were blocking connection attempts, but now it's wide open and traffic other than my own VPN attempts could hit my router.
2./ Connection is terribly slow when I try to use the VPN in testing; my upload is approx 3.5 Mb/s but I couldn't even move the mouse on the Linux box through OpenVPN. Need to investigate why, but any pointers are helpful.

Thanks.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
1. All kinds of traffic would be hitting your router if you were directly connected to the Internet anyway. As long as you don't open up ports other than the VPN and your router isn't otherwise compromised in some way then you should be OK.

2. Can't really help much with that but generally speaking you shouldn't be dragging ass just because you're using a VPN. There is some overhead but it shouldn't kill things. What type of connection, what speed is your link, what type of router, etc.? Is it just RDP that's slow, or does something like accessing a cam directly over the link also appear slow?
 

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
Thanks

Ya, I was thinking it's the same as having a public IP on the WAN side anyway.

I'll run some speed tests; traceroutes were hopping quite slowly.

Didn't try it with a camera, I couldn't access the cameras at all for some reason. Couldn't even ping them.

I turned off a bunch of stuff on the HiK cubes when I set them up to try to secure them, not sure what I killed on them. I can ping the Linux machine and the Windows machine through the VPN, but not the cameras once the VPN is active.

Need to check out what's going on with the cameras and why I can't ping them but can ping other devices.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
If you blocked Internet access for the cams at your router then that would stop you from accessing them. At least that's the way it works on the Asus routers and most others. The VPN doesn't really provide a local IP address. It provides a 10.10.10.x (by default, or whatever other range is used) address which is then routed by the VPN from outside to your internal net. So for purposes of the access blocking it's seen as an outside address and blocked. If you need to access the cam directly when blocked then you can access the router first, toggle the block off temporarily, do what you need to, and then toggle it back on.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Couple of things to take into consideration when using VPN and experiencing slowness:
- did you enable encryption & compression, and if the latter, which level of compression? You didn't state which router you are running the OpenVPN server on, but if it's a low-range one, you can't expect lightning fast speeds with the router CPU at 100% because it tries to squeeze all the VPN packets. E.g. 128-bit encryption is faster than 256-bit.
- on which line are you testing the VPN connection from (as in: where is your OpenVPN client running)? As you are doing your tests with RDP, I'm "assuming" you have your smartphone on 4G and are creating a local hotspot which your PC is connecting through? In that case, you have quite some "pitfalls" on these different "jump" points.
- are you running VPN on TCP or UDP? UDP is slightly faster.

All questions for you, and more stuff to "try out" :)

Hope it helps!
CC
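As an added illustration of the three settings catcamstar lists (not a config from the thread or from any poster), here are two OpenVPN server fragments side by side: a slower, heavier variant and a leaner one. The directive names are real OpenVPN 2.5+ directives; the subnet, port, file layout and interface assumptions are placeholders.

```conf
# Added example, not from the thread. Directive names are real OpenVPN 2.5+
# directives; the addresses below are placeholders.

# --- Heavier variant (what a copy-pasted config often ends up as) ---
proto tcp                  # TCP inside TCP: retransmits stack up on a lossy 4G/hotspot path
cipher AES-256-CBC         # CBC needs a separate HMAC pass per packet...
auth SHA512                # ...and SHA512 makes that pass expensive on a small router CPU
comp-lzo yes               # compression burns CPU, gains nothing on already-compressed video,
                           # and re-opens compression-oracle attacks on the tunnel (VORACLE)

# --- Leaner variant ---
proto udp                  # UDP: no second reliability layer under the tunnel
port 1194
dev tun                    # routed mode, as in the thread (clients get a 10.x address)
server 10.8.0.0 255.255.255.0            # placeholder VPN client subnet
push "route 192.168.1.0 255.255.255.0"   # placeholder LAN so clients can reach the cams
data-ciphers AES-128-GCM:AES-256-GCM     # AEAD: encryption and integrity in one pass, 128-bit preferred
cipher AES-128-GCM                       # fallback for clients that do not negotiate ciphers
# no comp-lzo / compress line at all: compression stays off
```

The point of the comparison is that on a low-end router the per-packet cost is dominated by the cipher, the separate HMAC and compression, while the TCP-vs-UDP choice mainly affects behaviour on a lossy link; changing all three at once and re-measuring with a plain file copy (not RDP) separates CPU-bound slowness from link-bound slowness.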
 

skjom

Young grasshopper
Joined
Jul 3, 2015
Messages
88
Reaction score
4
> If you blocked Internet access for the cams at your router then that would stop you from accessing them. At least that's the way it works on the Asus routers and most others. The VPN doesn't really provide a local IP address. It provides a 10.10.10.x (by default, or whatever other range is used) address which is then routed by the VPN from outside to your internal net. So for purposes of the access blocking it's seen as an outside address and blocked. If you need to access the cam directly when blocked then you can access the router first, toggle the block off temporarily, do what you need to, and then toggle it back on.

Thanks, I have a blank gateway on the HiK cameras' NICs.

The 10.x address is coming, I guess, as the VPN is in TUN mode and is routing between the VPN LAN and the local LAN.
How do you block the cams in the firewall from having internet access, yet not have to go toggle the access rule off each time? That wouldn't be an option for the wife.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
> Thanks, I have a blank gateway on the HiK cameras' NICs.
>
> The 10.x address is coming, I guess, as the VPN is in TUN mode and is routing between the VPN LAN and the local LAN.
> How do you block the cams in the firewall from having internet access, yet not have to go toggle the access rule off each time? That wouldn't be an option for the wife.

Right. It's routing across the TUN interface set up by the VPN and the router's inside LAN interface. So even though a client coming through the VPN functions effectively as a local address, it isn't really one when it comes down to the internal firewalling of the interface.

The blank gateway on the cam works to block/fail out-going traffic originating from the cam but shouldn't affect in-coming traffic to its known address.

You probably can't on most consumer routers using the built-in interface, since they don't provide for exceptions or the granularity required. I'm not much of a Linux guy and it's been forever since I've done it, but if you can get lower-level access via some other firmware (like Merlin) or by using terminal mode to access the router, then you can set up your own blocking and exceptions using iptables. Search around some along these lines and you should find info:

https://www.google.com/search?q=iptables+asus+router+vpn+tun+block

Alternately, which is what most do, you can use some server like BI to aggregate the cameras and then access it. Cameras remain isolated, only the BI or whatever other server has outside access. You may still need to do the toggle to access the cameras directly now and then for some specific reason but not on a day-to-day basis just to view/control.
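The iptables approach Mike describes, written out as an added example (not code from the thread or from any router firmware): the router UI's "block Internet access" toggle typically matches only on the camera's source address, which is why it also eats the camera's replies to a 10.x VPN client. Matching on the outgoing interface instead drops camera traffic only when it would leave via the WAN link, and leaves the tunnel path alone. Interface names (`eth0` WAN, `tun21` for the OpenVPN server, which is what Asus firmware uses) and the camera addresses are assumptions; by default the script only prints the commands, and `IPT=iptables` applies them.

```sh
#!/bin/sh
# Added example, not from the thread: isolate IP cameras from the Internet while
# still letting OpenVPN clients reach them. Meant for a Linux-based router with a
# root shell (e.g. Merlin). Interface names and camera addresses are assumptions.
#
# Why interface-based rules: a VPN client arrives from 10.x, so a rule that simply
# drops everything "from camera IP" also drops the camera's replies to that client.
# Keying the DROP on the WAN *output interface* blocks only Internet-bound traffic;
# a reply back over the tunnel leaves via tun21 and never matches.

IPT="${IPT:-echo iptables}"      # dry-run by default: prints commands. IPT=iptables applies them.
WAN_IF="${WAN_IF:-eth0}"         # assumed WAN interface
VPN_IF="${VPN_IF:-tun21}"        # assumed OpenVPN server tun (Asus firmware default)
CAM_IPS="${CAM_IPS:-192.168.1.64 192.168.1.65}"   # constructed camera addresses

# Build (or rebuild) a CAM_ISOLATE chain and hook it at the top of FORWARD.
cam_rules() {
    $IPT -N CAM_ISOLATE 2>/dev/null    # harmless if the chain already exists
    $IPT -F CAM_ISOLATE                # start from an empty chain each run
    for ip in $CAM_IPS; do
        # New connections from VPN clients to a camera are explicitly allowed.
        $IPT -A CAM_ISOLATE -i "$VPN_IF" -d "$ip" -j ACCEPT
        # Camera-originated traffic that would leave via the WAN link is dropped.
        $IPT -A CAM_ISOLATE -s "$ip" -o "$WAN_IF" -j DROP
        # A camera's reply to a VPN client goes out $VPN_IF, not $WAN_IF, so it is
        # not matched here and falls through to the normal FORWARD rules.
    done
    $IPT -A CAM_ISOLATE -j RETURN      # everything else: continue with FORWARD as before
    # Remove any previous hook so repeated runs do not stack duplicates, then re-hook first.
    $IPT -D FORWARD -j CAM_ISOLATE 2>/dev/null
    $IPT -I FORWARD 1 -j CAM_ISOLATE
}

cam_rules
```

Because the cameras also have no default gateway, this is belt-and-braces: the blank gateway stops the camera from sending to the Internet at all, the iptables rule stops the router from forwarding it even if someone sets a gateway later, and neither touches the tunnel path, so no toggling is needed for day-to-day viewing.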
 