How to Secure Amcrest HD IP Cams?

[eyal8r]

I just got a couple cams hooked up in my kids' rooms, and want to make sure no creepers can spy on my cams. My wife just logged into the app away from home and could see the cameras just fine. What do I need to do to make sure all outside traffic is blocked, while allowing my wife & I to log in and see the cams when we want when away from home?

Thanks guys!

 

[nayr]

Run a VPN Server on your Router and dont forward ports to IPCameras; your putting them on the internet for anyone who has the skill.

 

[eyal8r]

Not sure how to run a VPN Server on my router. Any pointers on doing that?

 

[nayr]

depends on your router.. RTFM is a good start; if it has it built in good chance someone made a youtube video showing you how to set it up..

if your router does not support it you have 2 options, install an OpenSource firmware on it like DD-WRT or Tomato.. or replace your router w/one that has a VPN Server out of the box.

 

[Mr-Gizmo]

I would also change the default passwords in your Amcrest IP cameras for any user accounts in System -> Manage Users.

 

[eyal8r]

passwords changed... I wanted to change the default login, but don't see where to do that.

I have a Netgear WNDR3700. I'm RTFM now and seeing how this all works- I'll post with more questions as they come up.

Thanks for the help!

 

[eyal8r]

ok, it appears as if my Netgear WNDR3700 only supports 3rd party VPN services. Is it BEST to just get a new Router that has its own VPN already built in? I want to avoid as many future potential problems and issues as possible...

Can you recommend any?

Thanks!

 

[nayr]

http://www.dd-wrt.com/wiki/index.php/Netgear_WNDR3700

 

[eyal8r]

Thanks for the reply. I guess my question is this: is running a router flashed with DD-WRT sub-par to a router that has its own VPN functionality native? Or, is flashing DD-WRT just as good?

Thanks guys!

 

[nayr]

IMHO, Flashing DD-WRT is better than any of the default shit you'll get on every consumer grade device.. You have to pony up for Enterprise/Carrier grade equipment to find comparable feature-sets.

 

[eyal8r]

Awesome. I'm reading up on it all now. Just so I'm clear- all I need is to install DD-WRT, don't need a 2nd PC specifically for this network, or a 3rd party service, correct?

Thanks a lot for all your help!

 

[nayr]

Yep just figure out what revision you have, follow upgrade instructions.. usually its as simple as logging into it, finding the firmware upgrade screen and giving it the DD-WRT file..

You'll have to set it up again for your network as it'll be all defaults, so RTFM and get all that done up but dont do any port forwarding this time around.. then use one of the many tutorials online for setting up OpenVPN on DDWRT and configuring your client devices.. I suggest you create a VPN user for each device, like eyal8r-phone, eyal8r-laptop, etc.. this way if one gets lost you dont have to change all the credentials since you have more devices than end users.

No 3rd party services or anything is required, Your phones/laptops/tablets will get an OpenVPN app installed and when you want to access something on your home network while your away, just enable the VPN Tunnel and its like your on your home wifi.

 

[eyal8r]

DAMN. That is soo cool! So, I have V1, and I'm reading that it's pretty common to have very weak signal due to faulty hardware. That explains A LOT of my issues! I've had to piggyback a 2nd router off this one just to have merely 1-bar of signal in this house! So, I think I'm just going to pick up a new router now... I'll either ebay this one, or, use it as an access point at the other end of my house, garage, etc.

Any router you recommend?

 

[nayr]

I did a bit of research for someone else, and the ASUS RT-AC56U looks like a good router for putting DD-WRT on.. Its capable of VPN Speeds of ~20Mbps which is more than most residental upload speeds.

 

[eyal8r]

OK. I actually just installed a Netgear Nighthawk R7000 ac1900. It's working fine, and *I THINK* I got a VPN setup on it. I need to setup individual users like you suggested- but am a little confused on the overall purpose, especially when it comes to IP Cams?

So, when I'm home, on my network, or my kids on their devices- I just connect to my standard wifi, correct? No need for the VPN? My IP Cams are all connected to the network, and running BI (demo for now) to view them.

BUT- when I'm away from the home network - I can use OpenVPN to connect, correct? ie- music files, documents, etc- I can connect directly to the network or home PC- much like my own personal Google Drive or Dropbox, correct?

So, in regards to the IP Cameras and what started this entire discussion- how do I use the VPN to make sure they're secure, and creepers aren't spying on my kiddos?

Thanks for all the help! I really appreciate it!

 

[nayr]

when you are away, the VPN is a secure tunnel back to your home network.. when its enabled, your private LAN (192.168.X.X) will be fully accessible.

for additional security configure your firewall to prevent traffic both too and from any of your IP Cameras; with something like DD-WRT I believe you can setup a group of your camera's IP addresses, then a firewall rule that default blocks all external traffic for that group..

with the VPN Server running, and firewall configured correctly to prevent the cameras from accessing the internet.. your cameras will be safe and secure.

 

[eyal8r]

Awesome- great explanation, definitely gives me good direction. THANK YOU!!!!!

 

[eyal8r]

OK- question...

Let's say I do that- setup a VPN, put all IP Cams into a group and block all external traffic to/from. If I use BI on my cell phone, I assume I need to use the VPN so that I have the tunnel through the firewall. Is the OpenVPN like a wifi connection at that point, where I have to connect to it FIRST before starting the BI App? Or, how exactly does that work?

Also- Since my other IP Cams are running directly to the NVR, how do I go about finding their specific IP Addresses so that I can include them into a firewall group?

Thanks again- this is such cool stuff!

 

[nayr]

when you are on a remote network, you will have to connect the VPN Client first, or else you wont get a connection..

IP's should be in your NVR configs

 

[richms]

I have generally found that most routers that can take openwrt have performance issues and you end up having to dig about finding how to re-enable things like the hardware nat acceleration.

Unless you are on a really slow connection, check what thruput people are achieving on any router that you plan to get. Many are quick enough with the manufacturers firmware but were super slow on openwrt.

The other option is to get a device like a synology nas that can do VPN on it, and foward the protocols thru to the nas. That will then take the incoming VPN and terminate it and your router is still on its stock firmware so performance shouldnt change.

People also use raspberry pi's and other single board computers as a target for VPN, just watch the performance tho as the pi has a 100 megabit lan interface and it cannot even achieve that with VPN when I last tried.