New internet service coming - VPN options

[Virga]

Currently I have Starlink Internet service, and over the last few days got Blue Iris remote access working with zerotier and UI3 – thank you those who mentioned zerotier, posted a link to a helpful video, and noted that UI3 does most everything to use BI remotely.
Over the next couple of months new Charter/Spectrum service is coming over buried co-ax cable. They are starting infrastructure construction in the next couple of few weeks.
I asked the construction supervisor what kind of IP address will we have once their service goes live - he used to be a network technician.
He replied “Dynamic-IP WAN link PPPOE and DHCP.”
What kind of VPN options will that give us?

 

[wittaj]

You simply set up a DDNS so regardless of what the WAN IP address is, you can get back to it.

 

[Virga]

Sounds like a router based VPN will become possible, which seems to be the preferred option around here.

 

[wittaj]

Yes. With Spectrum you can ask for just the modem (currently no fee) or request a modem/router and pay a monthly rental, but then have restrictions and workarounds to use your own, plus your wifi then becomes part of their free network.

If you get just their modem, you can use whatever router you want and currently no restrictions on VPN.

 

[SpacemanSpiff]

Over the next couple of months new Charter/Spectrum service is coming over buried co-ax cable. They are starting infrastructure construction in the next couple of few weeks.

God forbid they think ahead and build out fiber backbone

 

[Virga]

I use a Ubiquiti Unifi Dream Machine, which is a capable unit, and am hoping to stay with it.
Even with Starlink, I put the router that came with the kit aside, and use my own UDM.
We (neighbors) signed up for a "bulk purchase" with Spectrum, for what started as a 7.5 year term and ended up being 6-plus years.
Decent price, but the important part is that in exchange for the contractual commitment they are building out the infrastructure (so far we only have over-the-air service).
The contract includes their modem and wireless router (and one TV set-top box, a basic set of TV channels that is part of the bundle).
Don't know what modem/router they will show up with, but I'll try to "down grade" to just a modem.

The project is the culmination of a multi-year neighborhood effort.
For years we could not even get a carrier to talk with us.
Then we got a proposal from Spectrum and we were told by a non-technical neighbor who was the point of contact that it was going to be fiber.
When the construction supervisor came around and I queried him on the what and the how, it was clear within a minute it was coax, and in all fairness, the formal documents which only a few people have seen never said fiber.
The construction guys prefer fiber.
However, the business/sales people dusted off an old system design from more than 10 years ago and it is coax.
So our choice was bale out, or settle for what they are doing.
It was a no-brainer to take what we can get, because there is no other proposal in sight.

 

[mikeynags]

This looks really interesting as an alternative to traditional VPN.

 

[tangent]

Currently I have Starlink Internet service, and over the last few days got Blue Iris remote access working with zerotier and UI3 – thank you those who mentioned zerotier, posted a link to a helpful video, and noted that UI3 does most everything to use BI remotely.
Over the next couple of months new Charter/Spectrum service is coming over buried co-ax cable. They are starting infrastructure construction in the next couple of few weeks.

Zero Tier or Tailscale would continue to work and remain good options.

With SpaceKarenInternet (starlink), I believe you're behind CGNAT. That isn't the case with Charter, but zerotier and tailscale are still easier to set up than many of the alternatives.

 

[Virga]

Many have opined here that better to have your VPN run on your own device(s), if possible.
Yes, Starlink is CGNAT (I did look up the SpaceKaren reference).

 

[tangent]

Many have opined here that better to have your VPN run on your own device(s), if possible.

If it's on your own devices, you need a pretty good understanding of what it takes to keep things secure. If some other service is involved you have to worry about their security.

Best practice is multiple layers of security. Running your own VPN server isn't the solution for everyone.

 

[bensocket]

I just switched a customer's Blue Iris PC to starlink today. Using tail scale and is working great!

 

[Virga]

I take the point about needing a good understanding.
Always willing to take on new learning challenges.
However, once in a while I have to pause and ask myself what my goal is.

For the fun of it I might try Tailscale. Zerotier was straightforward to set up.

 

[bp2008]

Some spectrum customers get a standalone modem, some get a combo modem/router. I think it depends on the plan you sign up for. When I signed up for the gigabit plan they sent a standalone modem which doesn't even have a web interface. It probably gives Spectrum some kind of management/monitoring capabilities, but from my end it is just a transparent bridge. I never even plugged in the Spectrum Router, and just used my own. With cable you generally can buy any modem on the ISP's support list and have them activate it for your service, so if you end up with a modem/router combo without a bridge mode, you aren't forced to use it.

That doesn't guarantee you'll get a public routable IPv4 address. Spectrum also offers IPv6, and if you can use that for inbound then it doesn't matter if your ISP uses CGNAT for IPv4. Because nobody uses NAT with IPv6 unless they hate themselves. With IPv6, every internet customer gets some multiple of 18,446,744,073,709,551,616 IP addresses, all of them publicly routable. I'm not even kidding. When they designed IPv6 they went perhaps a bit overboard on the size of the address space, but they were trying to be insanely future proof. The trick is, lots of internet connections do not have IPv6 connectivity enabled. Cellular service usually has IPv6. Random wifi hotspots will be hit or miss. Some small ISPs haven't bothered to set it up yet, but mostly it is just a matter of turning it on in the router. So that poses a bit of an obstacle.

 

[Virga]

Thanks for highlighting that if all else fails one could decline their device and simply buy one’s own modem.
Also, your post prompted me to re-visit and read up on IPv6, and I get the idea (concept only) of all having a publicly routable IP address.
For home users who are not subject matter experts on networking, it would be great if someone could outline a practical and sensible multiple layer VPN setup for a non CGNAT (most common) configuration.
Perhaps this has already been done in this forum and the wiki.
I do realize there will probably be an array of opinions on this topic.
In a few weeks I have come quite a ways on IP cams in this forum.

 

[Roger]

Zerotier will still work just as it has been. It could care less about how you connect to the internet.

 

[Virga]

Would be great to learn more about, "Best practice is multiple layers of security ."
For a home user, what might those layers be?

 

[SpacemanSpiff]

Would be great to learn more about, "Best practice is multiple layers of security ."
For a home user, what might those layers be?

Great place to start is right here in the IPCT wiki pages. I'll lead with the two below, but feel free to browse 'em all

How to Secure Your Network (Don't Get Hacked!)

Many camera networks are unsecure, even those installed by professionals. This guide gives basic instruction in how to secure a camera network from the most common types of attacks. Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services...

ipcamtalk.com

VPN Primer for Noobs

The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or Cameras, doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers dont want your video...

ipcamtalk.com

 

[tangent]

Would be great to learn more about, "Best practice is multiple layers of security ."
For a home user, what might those layers be?

Basically that means isolating some devices on your network from each other. One option is multiple NICs in your Blue Iris PC, one connected to a switch for the cameras and one for the rest of your network. You can choose if ZT can only access the BI PC or if it can tunnel into your entire network.
Managed switches open up some possibilities but are harder to set up. Another option is some variation of the "three dumb routers" model for security.

Ideally some kind of firewall connected to the modem.

 

[The Automation Guy]

Spectrum does use a DHCP style connection (at least for IPv4). This means that pretty much every VPN connection type is going to work. Personally I host my VPN servers on my firewall (currently pfSense, but I'm trying out OPNsense in a lab setting with plans on moving to that soon). I currently run OpnVPN connections (both a full time tunnel connection to my parents house, and regular "on-demand" tunnels to access my home network), but I've also started playing with WireGuard connections in this lap setting. I suspect I will end up using Wireguard for all my connections moving foward.

As noted, public residential WAN addresses with Spectrum can/will change over time. Therefore you are going to need to use a Dynamic DNS service to ensure you can always access your network even if the public WAN address changes. There are plenty of free services that will do this. You'll point your VPN connections to a static domain name (perhaps "builder.dyndns.org") and the dyndns service will make sure it always redirects to your current public WAN address.

 

[Virga]

This is the kind of info I am hoping for, now I can research implementation details.

Multiple NICs would be simple to execute. I repurposed an older PC build to get started with BI, and intend to build/assemble with new components once I get to cruising altitude with BI and cameras. Over the last few years my builds are mini-ITX motherboards, and I always wondered why come motherboards come with two NICS. Now I know. Historical note: in the middle 1990's when home networking became a thing, safe networking practice was to install two NICs, and you bound TCP/IP to one card, and only NetBEUI to the other card which you used for internal PC connectivity. Best as I recall, the idea was that someone coming in over TCP/IP could not route over netBEUI to other PCs. Of course netBEUI bit the dust quite some time back. Guessing the concept of multiple NICs may be similar in intent.

Thanks for laying out how DDNS works once one signs up for a service.
Now I have to understand how to implement separating my cameras into a separate network, I believe my router can handle that.
Next is what is a VPN server, and how do I set one up. Here too my router (Unifi Dream Machine) may help out.

It does help to have a focus for further reading in order to move from concept to execution, thank you for the input.