How to get back ui3 w/OpenVPN on Android?

tibimakai

Known around here
Joined
May 8, 2017
Messages
1,025
Reaction score
514
Location
Los Angeles
Messed with the PC (did some maintenance) and addresses have changed, and now I can't get back ui3 on my phone.
I'm using an Asus router that has OpenVPN built in.
The VPN part seems like it is working: if I disable Wi-Fi on the phone and enable OpenVPN on my phone, the Asus router GUI shows that it is connected.
At home, I can view the cameras on the phone via Wi-Fi.
I'm also updating the OpenVPN file from the router to the phone's app.
It seems like I don't have an open port, but on my phone OpenVPN shows that it is connected. So, it seems like I have an open port after all.
When I use the wizard, the last step fails.
In the past I have always managed to fix it, but this time I'm out of ideas.
Any help would be appreciated.

I have tried at troubleshooting, but nobody answers there.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,643
Reaction score
22,905
Location
Evansville, In. USA
If the VPN is configured and working properly, all you need to do is to use the IP address of the BI computer in a web browser.
Look at the log in the phone app to see if it offers any clues.
 

tibimakai

That is what I'm trying, but it won't come in. In the past it worked. Should I use tunnel as well?
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,413
Reaction score
2,813
Location
USA
Generally speaking, you need one port on your firewall/router forwarded to the VPN service for it to work. Whether or not this is handled automatically when you set the VPN service up on the router is unknown. The default port used by OpenVPN is 1194 (UDP). So you should see some indication that port 1194 is being forwarded to the VPN service. I suspect that you are not doing this, so while you can connect to the VPN service while on the local network, you lose access to it while remote.

What makes this safer than forwarding a port directly to the cameras/NVR is that this port is forwarded to the OpenVPN service which requires a valid certificate and user name/password before traffic is passed to the rest of the network. Without those items, traffic is dropped vs letting any/all traffic onto the network through an unsecure forwarded port.
 

The Automation Guy

OK.

So in the BI Network Settings, you should leave the "Remote, external (WAN, internet) access" area blank. (This isn't the problem, but since you are using a VPN service, there is no need to have anything listed in this section).

Also in the BI Network Settings -> Advanced section: do you have anything in the "limit access by IP address" box? It may be that you have your normal local network address range listed here, but not the VPN tunnel network address range. If this is the case, you won't be able to connect over the VPN. I'd say you are safe to leave this blank, especially as a test to ensure this isn't part of the problem.

If these are set up correctly, the same address you use to access the BI system locally (i.e. 192.168.1.100:81) should also work on the VPN. Be sure that you are using the exact address - don't drop the ":81" for example in the address.
 

tibimakai

Web server tab (I have X'ed out my address). I don't know if I should use Stunnel or not.
My second card is for the internal - no internet - camera network, which is on 192.168.10.1 address.
 


The Automation Guy

Those BI Advanced Webserver settings look fine. Obviously you are using a non-standard port for Ui3 access, but if it is working on the local network, it should work over the VPN assuming you are using the exact same local address to access it. Again, if you are using a VPN, you don't need to set anything in the "remote access" area of the regular Webserver settings. I would uncheck and clear out all of those entries (including your public IP address) for security purposes. The whole point of the VPN connection is to make your remote connections function as if they were on the local network. When the VPN is working correctly, there will never be a "remote" connection as far as BI is concerned.

Can you access anything else on your local network over the VPN remotely? It's quite possible that a mistake in your VPN settings or routing will allow you to "connect" with the VPN, but not actually have access to your local network over the VPN connection. I think this is the most likely issue you are facing right now.
 

tibimakai

I have never tried accessing anything else on my network, I don't even know how I would do that.
I will try the "new settings" and I will let you know about the change that it makes.
 

The Automation Guy

> I have never tried accessing anything else on my network, I don't even know how I would do that.
> I will try the "new settings" and I will let you know about the change that it makes.

Clearing out the "remote access" setting isn't going to change the functionality of your VPN. However, if you don't need the remote access functionality (and you don't when you are using a VPN), then it's better to leave that section empty in my opinion. It's really just an extra security measure.

As far as testing to see if you have access to other parts of your network over the VPN, you can pull up a web interface of another device/service on your network or connect to a computer on the local network via RDP while connected via the VPN. At the very least you should be able to pull up your router/firewall GUI while connected this way. You should also be able to "ping" other devices over the connection even if they don't have a web GUI.
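
An added example, not part of the original posts: a small TCP probe that turns the test described above into a diagnosis, run from a laptop connected through the same OpenVPN profile. The router address `192.168.1.1:80` is an assumption; the BI address `192.168.1.16:811` is the one given later in the thread.

```python
import socket

def probe(host, port, timeout=3.0):
    """Classify one TCP connect attempt as 'open', 'refused' or 'filtered'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"      # host answered, nothing listening on this port
    except OSError:
        return "filtered"     # timeout / no route: packets are not getting through

def diagnose(router_state, bi_state):
    """Map the two probe results onto the causes raised in the thread."""
    if bi_state == "open":
        return "BI web server reachable over the tunnel; recheck the exact address and port in the browser"
    if router_state == "filtered":
        return "VPN connects but the LAN is unreachable; check the VPN server's routing / LAN access setting"
    if bi_state == "refused":
        return "BI host answers but the port is closed; check the port (81 vs 811) and the interface BI is bound to"
    return "LAN is reachable but BI traffic is dropped; check the host firewall and BI 'limit access by IP address'"

if __name__ == "__main__":
    ROUTER = ("192.168.1.1", 80)    # assumption: router GUI address, adjust to your LAN
    BI = ("192.168.1.16", 811)      # BI address and port as given in the thread
    router_state, bi_state = probe(*ROUTER), probe(*BI)
    print("router:", router_state, "| BI:", bi_state)
    print(diagnose(router_state, bi_state))
```

A "refused" result means the host is reachable and only the port is wrong or closed, while "filtered" points at routing, a firewall, or an IP restriction silently dropping the traffic.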
 

tibimakai

I have just tried accessing my router and it popped in, on my phone (no Wi-Fi, just data).
 

The Automation Guy

> If I remove the WAN address, the wizard shows a red X on some pages. The first steps are in green.

Red is good in that case. Those settings are specifically for setting up remote access to the BI computer via port forwarding. This is NEVER recommended, and completely unnecessary with a VPN. Red means it isn't working which is good. You should also triple check to make sure your router doesn't have any ports forwarded other than the port the VPN is using. There may be "old" port forwarding settings that need to be removed now that you are using VPN.
 

tibimakai

I don't have any port forwarding enabled in the router's settings.
OpenVPN server port is 1194, that shouldn't be the same as in BI, 811?
 

The Automation Guy

Your VPN server configuration needs to have a port selected (as noted the default port for OpenVPN is 1194). When you set up the VPN configuration at the client end, you need to use this same port in the setup. (The port would already be included in a "setup" file if you export this type of configuration file from your VPN server). However, once that is set up, you don't need to manually enter that VPN port anywhere. If your BI server is located at 192.168.1.100, your IP address to access the BI feeds should be 192.168.1.100:81 (assuming you are using the default web server port in BI) whether you are on the local network or connected remotely via the VPN connection.
 

tibimakai

I have two networks, one for Windows (has internet access) and the server does not have access. The Windows part has 192.168.1.16:811, and the server address is 192.168.10.1. I have 811 instead of 81.
At the router, that 1194 was there all the time, I haven't changed it.
 