NAS for Dahua Camera through VPN server

mike31

Hello, I have a Dahua camera installed at home and it is connected to a VPN server installed on an old router. That means the camera does not have any access to the internet, and it is necessary to connect to the VPN and then access the camera.
I am asking myself about installing a NAS for home usage and for the camera storage.
For example, the Synology DS220+, which has two Ethernet ports. But I am not sure whether it is possible to connect both the VPN and home networks to this NAS without having communication between those networks, so as not to connect the camera to the internet through this NAS.
It seems possible to configure the NAS as a VPN client to my router and then to connect the second port to my home network, and, to be sure, disable the internet access from the internet box for this port.

Has anyone already configured something like this or similar? Does it seem able to work like this on this NAS?

Thanks.
 
Haai!

To my understanding, these dual-Ethernet NASes only work in LAG (link aggregation) or failover, meaning that basically, if one port/link breaks down, the other one takes over. Combined, they provide double the bandwidth to your backend switches.

However, that should not stop you from doing what you want to do: from WAN, you haul into your LAN through VPN, and you watch the Surveillance Station on the NAS. But you will need to tweak iptables/routing inside the router & NAS to make sure that your camera still does not get outside.

My regular advice remains in place: it may be easier to drop your cams in a VLAN, and with a NAS with VLAN access, it's even easier to separate all traffic.

Good luck!
CC
 
Hello,

Thanks for your reply.
I tried to check the documentation of the DS220+ and it is not clear how the dual Ethernet is supposed to work. It seems possible to set different IPs as if they were separate networks.

That being said, what you said should also work with one network if the VPN could be set up in the NAS to let it connect to the VPN server. The only problem is that it will also be necessary to first connect to the VPN from the home network to be able to reach the NAS (as it is for the camera). My goal was to make this easier with two separate networks and, if needed, tweak the internet access with iptables as I already did for the camera.
Or maybe I missed something and it is still possible to tweak the home network of the NAS to let it connect to the VPN and home LAN but disable the internet access?
 
If you missed something, it is rather difficult to tell from this side of the keyboard :-)
The best way is to ... draw a nice topology. For networks, there are two: the physical one (how the wires are going, which cable goes into which port of the router/switch) and a logical one (how the subnets/VLANs/gateways are configured, and how everything is stitched together).

Don't share anything blindly on the internets.

But as you wrote: your CAM is already "blocked" from the internet. And you do already have a VPN server on your "inside" network (I suppose/assume on your router). The only thing you would need to do, in the simplest deployment model, is install the NAS. Add an internal fixed IP address. Open that IP address in your router for the OpenVPN port (e.g. UDP119X), disable VPN on your router. And that's it: Surveillance Station should see your camera on the LAN side (just like your PC, for example). And when you are outside/4G/abroad: you dial in over VPN, and look at the cam directly, or access the vids on the NAS.

Is this the "best" approach? Certainly not. But it's the easiest one.

I personally would never expose a NAS (with precious cat pictures on it, for example) in the same network as a (Chinese) camera. Hence my suggestion with the VLANs and to work with an "onion-layered" networking approach: WAN = dark & dirty, CAMS = dark grey, guest wifi = grey, PlayStation = light grey, NAS = white. The brighter, the fewer the outbound restrictions, etc.

Good luck!
CC
 
Ah yes, that is what I missed ^^
You mean that the NAS will in fact be used to access the camera, using the Synology tool, but that is not necessarily what I would like to do, but yes, I understand ;).

Just to clarify, currently, there is one router with a VPN server running on it, the camera is connected to this router (and nothing else), and this router is connected to the internet box. I configured iptables on the router to not let the camera access the internet. Therefore, I cannot access the camera without dialing in to the VPN, even from my home network, and that is intended. The purpose of the NAS would be to keep this and just add the network storage for the camera, and network storage for home usage, separately. That is why, as a first approach, I was thinking about two physical networks.
 

Cool, so you actually made a separate "physical" (not virtual) LAN for your cam. Well done!

But it's not clear to me what you want to achieve: you only want to use the NAS as "storage dump space" for the camera, and you will continue to use the camera to view the footage?

Personally, if you are already investing in a NAS, and certainly the Synology ones, do have a look at Surveillance Station capabilities: it has a native app, eventing and other nice stuff. Two licenses are included out of the box (for two cameras that is, $60 for additional ones to give a ballpark figure). Whether that is expensive or not, I leave it in the middle.

Now with your setup, you could actually allow an INBOUND rule FROM your NAS (in your home-LAN) towards the camera LAN (typically this is ONVIF being 8000), but you can open whatever INBOUND protocol and port. Then you can simply revert the VPN from your second router to the VPN on the NAS, and view footage over there.

If you want to expose a samba share, then you only allow your cam to connect to the NAS over samba, but nothing else (eg ssh) to avoid your camera going rogue on your NAS.

Hope this helps!
CC

PS. I wouldn't trust a two-legged NAS with a leg in two physical networks. You may define some hocus-pocus iptables stuff, but when it reboots or gets an update, and your cam can phone home, you're doomed.
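
The allow-list described in the post above (NAS may reach the camera, the camera may reach only the SMB share, everything else from the camera is dropped), written out as an added example that is not part of the original thread. The IP addresses, the `tun0` interface and the `CAMFW` chain name are assumptions; port 8000 is the value given in the post.

```sh
#!/bin/sh
# Added example (not from the thread): print an iptables-restore ruleset for
# the router that sits between the camera LAN and the home LAN.
# All addresses and interface names passed in are assumptions.

is_ipv4() {  # dotted quad, each octet 0-255
    echo "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

camera_rules() {  # args: camera IP, NAS IP, VPN interface, NAS->camera TCP ports
    cam_ip=$1 nas_ip=$2 vpn_if=$3 nas_ports=$4
    is_ipv4 "$cam_ip" && is_ipv4 "$nas_ip" || { echo "bad IP" >&2; return 1; }
    # Reject anything that could smuggle extra tokens into a rule line.
    case $vpn_if in ''|*[!A-Za-z0-9_.-]*) echo "bad interface" >&2; return 1 ;; esac
    case $nas_ports in ''|*[!0-9,]*) echo "bad ports" >&2; return 1 ;; esac
    cat <<EOF
*filter
:CAMFW - [0:0]
# Everything to or from the camera is judged by CAMFW first.
-I FORWARD 1 -s $cam_ip -j CAMFW
-I FORWARD 1 -d $cam_ip -j CAMFW
-A CAMFW -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# VPN clients keep their existing access to the camera.
-A CAMFW -i $vpn_if -d $cam_ip -j ACCEPT
# The NAS may open connections to the camera on the listed ports only.
-A CAMFW -s $nas_ip -d $cam_ip -p tcp -m multiport --dports $nas_ports -j ACCEPT
# The camera may write to the SMB share on the NAS (TCP 445), nothing else.
-A CAMFW -s $cam_ip -d $nas_ip -p tcp --dport 445 -j ACCEPT
# Default for the camera: no internet, no home LAN, no SSH to the NAS.
-A CAMFW -j DROP
COMMIT
EOF
}

# Usage (validate only, nothing is committed):
#   camera_rules 192.168.50.10 192.168.1.20 tun0 8000 | iptables-restore --noflush --test
```

Because the rules live only in kernel memory, load the generated ruleset at every boot of the router; otherwise the reboot scenario from the PS applies to the router as well.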
 
Hey,

Yes, it is physically separate, with iptables rules in the router to drop all internet connections from/to the camera ;).

What I would like to achieve is to use the NAS mainly for storage, for both camera and home usage. After that, if the NAS itself includes a native app, it could also be interesting.

The best way would be to have 2x NAS but it is a little bit more expensive ^^ And for the moment, I have not bought anything but am just thinking about the best way to achieve what I want.
I also had the idea to not allow the camera to access the NAS, but to allow the NAS to do backups of the internal SD card of the camera.

I will think about it but I believe that your solution is the better one. Thanks for helping anyway; I will look into buying the DS220+ and see what I can do when I have received it ;)
 
Having just woken up and a little fuzzy-eyed: try looking into ZeroTier for your "VPN". I use it with a separate NIC (separate IP, does not see the internet) on my Blue Iris machine, and all of my footage goes to my NAS (TrueNAS).