Is a VPN as critical if you only access cameras via Blue Iris Web View?

BlackLantern

Young grasshopper
Joined
Jun 19, 2017
Messages
30
Reaction score
6
Location
Atlanta, GA
I've been reading the VPN n00b guide and I agree that a VPN is absolutely necessary if you are connecting directly to the cameras. But if my cameras are not open directly to the outside and instead can be viewed via Blue Iris server, is a VPN as necessary?
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
DDNS and a forwarded port. I figured Blue Iris would be more secure than a typical cheap IP cam.
I got endless "feedback" from the rest of the family who use BI remotely about how much of a PITA it is to start the VPN first, so I'm also currently using DDNS and port-forwarding.

Looking into stunnel, it looks like I might be able to put a certificate on each of the family members' phones, and have stunnel restrict incoming connections to only allow devices with that certificate. That won't do anything to encrypt the video streams being viewed remotely, but I'm not worried about that.

IMO, the worst-case scenario with a forwarded port to BI is that someone figures out a vulnerability severe enough that they get remote shell access. Then they basically own the whole PC running Blue Iris, which they can then use to try and push further into the house, or set up as a base for doing more bad stuff on the Internet (that gets traced back to the BI PC).
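The client-certificate restriction described in this post, as an added, constructed stunnel configuration (not from the original post or from the stunnel or Blue Iris projects): stunnel runs on the Blue Iris PC, the forwarded port points at stunnel instead of Blue Iris, and only phones holding one of the certificates in clients.pem complete the TLS handshake. The Blue Iris web server port (81), the listening port (8443) and all file paths are assumptions.

```ini
; Constructed example: stunnel in front of the Blue Iris web server.
; Forward the router port to 8443 on this PC; leave 81 reachable only locally.
[blueiris]
accept  = 0.0.0.0:8443
connect = 127.0.0.1:81

; Server certificate and key presented to the phones (placeholder paths).
cert = C:\stunnel\server.crt
key  = C:\stunnel\server.key

; Require a client certificate and accept only those listed in clients.pem,
; a concatenation of each family member's certificate. Any other client is
; rejected during the handshake, before a single request reaches Blue Iris.
verifyPeer = yes
CAfile = C:\stunnel\clients.pem

; Refuse legacy protocol versions.
sslVersionMin = TLSv1.2
```

Because stunnel terminates TLS, the traffic between a phone and the stunnel port is also encrypted in transit; only the hop from stunnel to Blue Iris on 127.0.0.1 stays in the clear. Keep an eye on the stunnel log as well as the Blue Iris log, since rejected handshakes from unknown clients are recorded there.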
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
Hmm. I use OpenVPN on my Android which has a shortcut button on my home screen. One touch and it connects and then closes itself. About as simple as it can get.

But... that was too much for me, so I have Tasker automatically connect to my VPN when I leave the house and disconnect when I get home. Have Tasker automatically connect/disconnect your VPN connection

You could also have Tasker connect to the VPN when you open the Blue Iris app and close it again when you close the app if you don't want to be connected all the time.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
All of the devices are iOS, so no Tasker. I've compared how to make iOS auto-connect to a VPN vs setting up stunnel to restrict incoming connections based on client certificates, and the latter looks a lot easier.
 

BlackLantern

Young grasshopper
Joined
Jun 19, 2017
Messages
30
Reaction score
6
Location
Atlanta, GA
Hmm. I use OpenVPN on my Android which has a shortcut button on my home screen. One touch and it connects and then closes itself. About as simple as it can get.

But... that was too much for me, so I have Tasker automatically connect to my VPN when I leave the house and disconnect when I get home. Have Tasker automatically connect/disconnect your VPN connection

You could also have Tasker connect to the VPN when you open the Blue Iris app and close it again when you close the app if you don't want to be connected all the time.
Hm, that's not a bad idea. My router (Ubiquiti EdgeRouter X) supports most of the VPN protocols, so I was thinking about trying to get L2TP going at some point. My biggest sticking point was the hassle of logging in/out of the VPN from my phone, but Tasker might make that less of a headache. It also means I won't be able to view the cameras on my workstation since they restrict access to VPNs.
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
It also means I won't be able to view the cameras on my workstation since they restrict access to VPNs.
I've considered buying a cheap wifi tablet to have at work that constantly shows my cameras... But for me that's going a little too far. If I want to quickly check on something I pull up the app on my phone. And I have my NVR push motion notifications to my phone too.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
Did you see this thread: Able to view all live cameras/groups on Roku! In it he mentions that his BI server got hacked within a day of using it from a cellphone and Roku.

Now it could be related to the Roku app, but do you really want to take the chance of random people on the internet logging into your BI camera feeds? PITA or not, I think there is strong evidence on these forums you don't want cameras, NVRs or BI servers exposed to the internet. VPN seems to be a pretty solid solution to the problem, and once configured it's a breeze to connect when you want to browse your private video streams.

Port forwarding is just asking to be part of a botnet or having someone in the Middle East/Asia/Americas watching you through your cameras.
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,828
Reaction score
6,386
To be fair, apparently that was after he disabled the secure connections setting for BI.

Nothing against BI and it's probably a lot better than most cams but with various web-facing services, lots of code, only one set of eyes looking at it, not being encrypted, etc., it's kind of inherently more likely to have potential issues (whether any actually exist or not).

Something like OpenVPN is much more limited in scope/function, open source/more eyes, and encrypted. But then it also has been subject to exploits too so....

The best working assumption is that nothing is truly secure but go with what provides the better odds and keep up-to-date with it.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,673
Reaction score
14,017
Location
USA

Jrh

n3wb
Joined
Jun 11, 2015
Messages
3
Reaction score
3
My router (Ubiquiti EdgeRouter X) supports most of the VPN protocols
I am using an EdgeRouter X also. I have it configured to run the cameras and Blue Iris on a separate subnetwork from the private LAN and have set up firewall rules to prevent any access from the camera network to either the private LAN or the router. I have an L2TP VPN set up also, but at the moment, for similar reasons to the above, I'm happy to have direct access to the Blue Iris web server through an open port rather than through the VPN. I certainly keep an eye on the system log page though.
 

BlackLantern

Young grasshopper
Joined
Jun 19, 2017
Messages
30
Reaction score
6
Location
Atlanta, GA
I am using an EdgeRouter X also. I have it configured to run the cameras and Blue Iris on a separate subnetwork from the private LAN and have set up firewall rules to prevent any access from the camera network to either the private LAN or the router. I have an L2TP VPN set up also, but at the moment, for similar reasons to the above, I'm happy to have direct access to the Blue Iris web server through an open port rather than through the VPN. I certainly keep an eye on the system log page though.
Yeah, I was thinking about a subnet (I am network-dumb beyond the basics), but my BI instance is running on a home server that also manages file storage/backups, home automation, media streaming, etc., so all that stuff needs to stay connected. I'd have to either build a new dedicated box to run only BI, or add another NIC to the server box and spin up a dedicated VM for BI that is only connected to the new NIC, and subnet just that. While I can explain that with relative knowledge, I am not sure how to actually do it in practice.
 

NoloC

Getting comfortable
Joined
Nov 24, 2014
Messages
701
Reaction score
454
Yeah, I was thinking about a subnet (I am network-dumb beyond the basics), but my BI instance is running on a home server that also manages file storage/backups, home automation, media streaming, etc., so all that stuff needs to stay connected. I'd have to either build a new dedicated box to run only BI, or add another NIC to the server box and spin up a dedicated VM for BI that is only connected to the new NIC, and subnet just that. While I can explain that with relative knowledge, I am not sure how to actually do it in practice.
Actually you can set up a VLAN for the cams and make the BI machine a member of that VLAN as well as the VLAN that has internet access. Requires a managed switch. The cams would be isolated on their own VLAN. I think this is fairly trivial to do, but perhaps others with more networking knowledge will chime in.
 

DLONG2

Known around here
Joined
May 17, 2017
Messages
763
Reaction score
455
I heard that with the use of one PC, a person can set up a virtual machine connected to a separate VLAN, which would then allow separating the BI server and cameras from the other network items. If anyone can offer any pointers on VM and VLAN, I would appreciate it.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,673
Reaction score
14,017
Location
USA
I heard that with the use of one PC, a person can set up a virtual machine connected to a separate VLAN, which would then allow separating the BI server and cameras from the other network items. If anyone can offer any pointers on VM and VLAN, I would appreciate it.
Blue Iris is not the best thing to run in a virtual machine because Intel Quick Sync hardware acceleration does not work in them. You don't actually need a VM to isolate your cameras from the other network items. You just need a second network interface in the Blue Iris computer. One network interface for the isolated camera network, and the other for your normal LAN/internet.
 
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I heard that with the use of one PC, a person can set up a virtual machine connected to a separate VLAN, which would then allow separating the BI server and cameras from the other network items. If anyone can offer any pointers on VM and VLAN, I would appreciate it.
I more than likely did it wrong (but it was less complicated than VLANs). I went with dual network cards in this configuration, after someone recommended it on these forums, because VLANing the whole network was too new to me. In my case it was a laptop, so I grabbed a USB-to-1G Ethernet adapter (good for about 550MB), plenty for even a dozen camera streams.

home network (video lan)--------- Blue Iris PC (1G-nic 1) ~ Blue Iris PC (1G-nic 2)---------------HP1910 PoE------cameras.

Maybe it will lead to problems down the road, but in this arrangement I feel certain the cameras cannot reach the actual internet, while Blue Iris can reach the cameras. The Blue Iris machine can be viewed over VPN or from other home PCs that traverse firewall rules allowing access to only those ports required for the BI web server. If this had been a desktop PC, that extra NIC would add maybe $20 in cost.
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
FWIW, I have a managed PoE switch, and with my switch it was easy to set up VLANs to isolate cameras
Simple Port based VLAN

I have it set up with a VLAN for each camera, so each camera can only talk to the BI PC. When I need to configure a camera, I have to add access to the router for that VLAN, and then I can get at the camera.
 