Is a VPN as critical if you only access cameras via Blue Iris Web View?

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
In my opinion, the safest way to expose Blue Iris to the internet is by setting up a reverse proxy. A reverse proxy exposes just HTTP or HTTPS ports (80 and 443) and doesn't give an attacker much of an idea what's behind those ports, reducing their ability to direct an attack against specific software.

If you're willing to run pfSense as a firewall/router, pfSense can run ACME to automatically fetch free SSL certificates from Let's Encrypt, and can also install haproxy natively to let you set up the reverse proxies. pfSense is an elegant solution, but it's no joke to set up and learn. Worthwhile to set up and learn, though.

Barring that, you could also spin up a Linux virtual machine of your choosing in Hyper-V on the same system that runs Blue Iris. Such a system would need a negligible amount of CPU time and 512 MB of RAM, or less. Then you can install NGINX or Apache and configure it to use a reverse proxy. The Linux install could even be configured to use ACME to automatically get SSL certs from Let's Encrypt, if you desired. This is a bit easier to set up than pfSense, but still requires knowledge of setting up virtual machines in Hyper-V, loading and then using a Linux distro, following instructions to install packages on that distro, and finally configuring your webserver correctly.

Unfortunately, achieving security requires effort. But in this day and age knowing how to do any/all of the above things is a useful way to avoid being the low-hanging fruit that gets picked...
 

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
Works fine. I'll post my Nginx config when I get home. The reverse proxy is even working fine through SSL, giving Blue Iris SSL without needing stunnel.
 

aristobrat

IPCT Contributor
Joined
Dec 5, 2016
Messages
2,983
Reaction score
3,180
Cool to hear. Are you running the UI2 webpages from here too?
 

dmelle

n3wb
Joined
Jul 5, 2017
Messages
3
Reaction score
0
Hm, that's not a bad idea. My router (Ubiquiti EdgeRouter X) supports most of the VPN protocols, so I was thinking about trying to get L2TP going at some point. My biggest sticking point was the hassle of logging in/out of the vpn from my phone, but Tasker might make that less of a headache. It also means I won't be able to view the cameras on my workstation since they restrict access to VPNs.
I use Ubiquiti routers as well. They are awesome. The L2TP VPN is super easy to get set up and works great!
 

bobfather

Getting the hang of it
Joined
Jan 17, 2017
Messages
103
Reaction score
26
Here's my nginx.conf code that lets me reverse proxy Blue Iris. I was mistaken earlier though - UI2 does not work reliably through a reverse proxy, though the Blue Iris iOS (and I assume Android) apps work fine. Obviously modify the settings below to match your setup:

Code:
# Redirect a bare /blueiris to /blueiris/ so relative links resolve.
# Regex locations are tried in order, so this exact match must come first;
# otherwise the catch-all below would swallow it and the redirect never fires.
location ~ ^/blueiris$ {
        return 302 $scheme://$host$request_uri/;
}
location ~ ^/blueiris/.* {
        # Strip the /blueiris prefix before handing the request to Blue Iris
        rewrite /blueiris/(.*) /$1 break;
        proxy_pass http://<your Blue Iris internal IP address and port>;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
This code also works:

Code:
location /blueiris/ {
        # Trailing slash on proxy_pass makes nginx strip the /blueiris/ prefix itself
        proxy_pass http://<your Blue Iris internal IP address and port>/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
 

dmelle

n3wb
Joined
Jul 5, 2017
Messages
3
Reaction score
0
Here are the CLI commands that you should need to get it all set up. Bold, Italic, Underlined text is just me commenting...


set vpn l2tp remote-access authentication local-users username xxxx password 'xxxxx' - Set up username and password to authenticate to VPN
set vpn l2tp remote-access authentication mode local
set vpn l2tp remote-access client-ip-pool start 192.168.0.15 - You will use something in your IP subnet range
set vpn l2tp remote-access client-ip-pool stop 192.168.0.19 - You will use something in your IP subnet range
set vpn l2tp remote-access dns-servers server-1 192.168.0.111 - You will use a valid DNS Server in your IP subnet range
set vpn l2tp remote-access ipsec-settings authentication mode pre-shared-secret
set vpn l2tp remote-access ipsec-settings authentication pre-shared-secret 'yourpresharedsecrethere' - Come up with a pre-shared key to use.
set vpn l2tp remote-access ipsec-settings ike-lifetime 3600
set vpn l2tp remote-access mtu 1492
set vpn l2tp remote-access outside-address yourpublicipaddress - You will use your public IP Address here

You can do the firewall part in the GUI if you would like, but here is my rule to allow VPN traffic

set firewall name WAN_LOCAL rule 50 action accept
set firewall name WAN_LOCAL rule 50 description 'Allow L2TP'
set firewall name WAN_LOCAL rule 50 destination port 500,1701,4500
set firewall name WAN_LOCAL rule 50 log disable
set firewall name WAN_LOCAL rule 50 protocol udp
 

JRNAn30

n3wb
Joined
Oct 24, 2015
Messages
29
Reaction score
14
Here's my nginx.conf code that lets me reverse proxy Blue Iris. I was mistaken earlier though - UI2 does not work reliably through a reverse proxy, though the Blue Iris iOS (and I assume Android) apps work fine. Obviously modify the settings below to match your setup: This code also works:

Code:
location /blueiris/ {
        proxy_pass http://<your Blue Iris internal IP address and port>/;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
I also found UI2 didn't work reliably through a reverse proxy. I run my reverse proxy through oauth2_proxy for additional security, which reduces the need for VPN logins, easing use from work, where VPNs are frowned upon, and by less technically proficient family members.
We should ask bp2008 to see if he can update his files to work with reverse proxies as I think this would be a useful benefit. I'm happy to help test etc.
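Putting bobfather's `/blueiris/` location together with the oauth2_proxy front end described above, here is an added example of a complete TLS-terminating nginx server block (example config, not posted by anyone in this thread). It assumes oauth2_proxy is running locally on 127.0.0.1:4180; cams.example.com, the certificate paths and the Blue Iris address 192.168.0.50:81 are placeholders.

```nginx
# Added example, not from the thread: TLS-terminating nginx in front of Blue Iris,
# with oauth2_proxy (assumed on 127.0.0.1:4180) gating every request.
# cams.example.com, the cert paths and 192.168.0.50:81 are placeholders.
server {
    listen 80;
    server_name cams.example.com;
    return 301 https://$host$request_uri;   # never serve Blue Iris over plain HTTP
}

server {
    listen 443 ssl;
    server_name cams.example.com;
    server_tokens off;                      # do not advertise the nginx version

    # Certificate and key as issued by an ACME client for Let's Encrypt
    ssl_certificate     /etc/letsencrypt/live/cams.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/cams.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # oauth2_proxy's own endpoints: sign-in page, OAuth callback, auth subrequest
    location /oauth2/ {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host                    $host;
        proxy_set_header X-Real-IP               $remote_addr;
        proxy_set_header X-Scheme                $scheme;
        proxy_set_header X-Auth-Request-Redirect $request_uri;
    }
    location = /oauth2/auth {
        proxy_pass       http://127.0.0.1:4180;
        proxy_set_header Host           $host;
        proxy_set_header X-Real-IP      $remote_addr;
        proxy_set_header X-Scheme       $scheme;
        proxy_set_header Content-Length "";
        proxy_pass_request_body off;
    }

    # Blue Iris, reachable only once the auth subrequest returns 2xx
    location /blueiris/ {
        auth_request /oauth2/auth;
        error_page 401 = /oauth2/sign_in;   # anonymous users go to the sign-in page

        proxy_pass http://192.168.0.50:81/;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

`auth_request` needs nginx built with ngx_http_auth_request_module, which the usual distro packages include; Blue Iris itself stays bound to the LAN, so the only way in from outside is through the authenticated proxy.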
 