Opening Ports vs VPN

Discussion in 'NVR's, DVR's & Computers' started by Fastb, Mar 24, 2016.

  1. Fastb

    Fastb Known around here

    Joined:
    Feb 9, 2016
    Messages:
    1,212
    Likes Received:
    727
    Location:
    Seattle, Wa
    All,

    Newbie here, setting up my first system. It's intended for my General Contractor (GC) friend for his residential home remodel job site, job after job. The GC and his workers plan to self-monitor the job site. If someone arrives to steal tools at night (again), they want to be notified, then remotely view the site with phone/tablet/PC, call 911 about a burglary in process, and give info about the thieves, their vehicle, etc.

    I started using P2P. It was easier than opening ports, getting DDNS set up, etc. And it would be easy for the GC (and his workers) to use gDMSS to remote view.

    I've since educated myself on the drawbacks of P2P. Latency (varies). P2P server dependent, and the P2P outfits come and go, etc. So I thought I'd open ports and use DDNS. It seemed like an accepted and common practice.

    Then I heard of the VPN alternative, based on posts of @nayr . (https://www.ipcamtalk.com/showthread.php/9745-China-tried-to-login)

    Which led to this post. Relevant details:
    - The GC plans to use his customer's broadband connection at the job site, e.g. Comcast. This keeps internet access simple by avoiding a cellular modem. With high bandwidth for remote viewing (nice)
    - This "job site security system" may or may not need to co-exist with the homeowner's network. For bigger projects, the homeowner moves out when the house is "stripped down to studs". For smaller projects, the homeowner (and their home network) may stay.
    - The "job site security system" is an NVR, POE switch, cameras, sensors, strobes, sirens, etc. The system doesn't include a PC, or valuable info worth hacking. Just camera footage. High security not necessary.
    - However, if I connect my "job site security system" to a customer's network, I fear I could degrade their security.
    ---- Comcast cable modems only support one IP device. So there's one Cat 5 cable from the cable modem to a router.
    ---- I will connect my "job site security system" to the homeowner's router. I could have my system use a separate subnet address than the homeowner. If that helps security. (?)

    Or I could use a VPN. Not because I need a VPN to keep my job site video safe from hackers. Instead, to keep the homeowner's network secure (if my NVR port forwarding exposes them to risk) (?)

    On the other hand....
    If I use a VPN, that might add complexity for the GC and his workers? As he says, he swings a hammer for a living, and wants a remote viewing solution that is easy to use. (on a variety of devices, owned by his crew). I will check if gDMSS supports VPN, if not, we need another android app...

    Q: I'm convinced to ditch P2P. Should I switch to VPN or Port Forwarding for this job site application?

    Thanks for your patience, I'm hooked to a fire hose and learning this stuff as fast as I can!
     
    Last edited by a moderator: Nov 5, 2016
  2. Benjamin Blanco

    Benjamin Blanco n3wb

    Joined:
    Mar 14, 2016
    Messages:
    12
    Likes Received:
    3
    As far as I know, as long as you only expose the cameras via port forwarding, there shouldn't be any risk other than the camera's feed and/or controls being accessible outside the network. I suppose the cameras could be hacked and used as an attack vector for the rest of the network, but that's not something I know much about. I guess you could add another firewall/router between your cameras/nvr and the customer's router, to prevent communication to any ports/IP addresses other than ones you specify, but that may be considered excessive.
     
  3. nayr

    nayr IPCT Contributor

    Joined:
    Jul 16, 2014
    Messages:
    9,346
    Likes Received:
    5,246
    Location:
    Denver, CO
    my Comcast business modem has built in VPN Server.. setting it up is really no harder than forwarding ports, other than you have to setup the devices that can connect.. but it's actually simpler because the gDMSS uses the same addresses from anywhere and doesn't have to have two profiles, one for remote and one for local.. and if I had end users that would be pretty important.

    as long as the router has the VPN setup it should move from site to site, connection to connection without too much headache.. most companies have all sorts of tech illiterate users click <connect to vpn> before they can reach email or anything else at work.. you'll want some sort of dynamic dns service so people can find the latest IP.

    Once setup all they do is connect to the VPN before opening the app to view a live stream, you can still have sms alerts and emails go out without requiring VPN.. it's built into their phones/tablets/laptops already, you won't have to install anything more than likely.
     

    Last edited by a moderator: Mar 25, 2016
  4. DigitalPackrat

    DigitalPackrat n3wb

    Joined:
    Dec 12, 2015
    Messages:
    23
    Likes Received:
    3
    I prefer a VPN myself but for simplicity, port forwarding just the necessary ports to the DVR with a good password.

    There is another concern that you should think about before using the customer's connection, especially with Comcast. Comcast caps home connections. You may not hit their cap with just occasional remote viewing, but if the customer is already close to the cap and you add your equipment it could put you at risk of going over. Most users don't understand what a cap is and could blame you for any issues that come up even with their consent.
     
  5. Ion Barker

    Ion Barker Young grasshopper

    Joined:
    Dec 31, 2015
    Messages:
    58
    Likes Received:
    18
    What about adding a VLAN into the mix for extra protection?

    I'll be setting up a dedicated Win 10 - Blue Iris box with 8 Hikvision cameras at home. The box will be sharing internet with my Asus RT-AC66 router. I like the option of isolating the cameras from my home network.

    The ASUS website shows the AC66 can handle VPN and VLAN.

    Thanks
     
  6. nayr

    nayr IPCT Contributor

    Joined:
    Jul 16, 2014
    Messages:
    9,346
    Likes Received:
    5,246
    Location:
    Denver, CO
    if you can do it, then by all means go for it.. requires a bit more know-how than setting up a VPN though, and the simplest way to isolate the IPCameras is to just put them on their own switch and use a multi-network NVR.

    mine are on a separate VLAN, it allows you a bit more network flexibility in the end depending on your router while still isolating them safely.
     
  7. Peekonu

    Peekonu n3wb

    Joined:
    Aug 5, 2017
    Messages:
    14
    Likes Received:
    1
    I'm having a bit of a conceptual problem with using a VPN. If work is 192.168.0.xxx and home is also on 192.168.0.xxx then a VPN connection doesn't allow home to see any devices at work. This is using Macs. Google searching seems to say that different networks are needed on the Mac (but not on Windows perhaps). So I changed home to 192.168.1.xxx and this solved the problem.

    However, the iPhone still cannot see any device on the work VPN. I'm not aware of a "network settings" on the iPhone where I could set an IP address. That seems to be between Apple and AT&T. How do I get my iPhone to be able to see devices behind the VPN without port forwarding?
     
  8. Mike A.

    Mike A. Getting comfortable

    Joined:
    May 6, 2017
    Messages:
    449
    Likes Received:
    273
    You don't typically need to set it but the IP on the iPhone can be set under Settings, touching "i" next to whichever wireless network, then selecting Static and entering the information. Typically it will be just pulled via DHCP either from your cell provider or your own internal network. Obviously, you can't set it in the case of your cell provider but that will never conflict with a non-routed range like 192.168.x.x.

    That shouldn't affect you connecting. The IP address on your phone coming in from the outside of the destination VPN can be anything (almost, an exception being as you note for duplicated IP ranges). Part of what the VPN client does is to create the internal routing between your device IP (whatever it may be) through it to the network inside the VPN when you connect through the VPN server. So it would take, for example, a 107.77.x.x AT&T cell IP, to a 10.8.0.0 address on the VPN (range as set up on the VPN server), to a 192.168.0.x address at some destination on your internal network.

    I don't know the Mac side well enough to tell you how to do that part of it. But you shouldn't have to worry about setting the IP of the iPhone itself. It is what it is. The destination server will be set in the config file for the VPN client. The IP range of the VPN will be set on the VPN server.
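    As an added illustration of the subnet collision Peekonu hit and the cell IP -> VPN pool -> internal LAN hop chain described above (example code, not from the thread): a small Python model of the routing table a VPN client ends up with. The 10.8.0.0/24 pool size and the sample addresses are assumptions.

```python
import ipaddress
from typing import List, Tuple

# Constructed values mirroring the thread. The VPN pool 10.8.0.0/24 is an
# assumption; the thread only mentions "a 10.8.0.0 address".
WORK_LAN = ipaddress.ip_network("192.168.0.0/24")
VPN_POOL = ipaddress.ip_network("10.8.0.0/24")


def client_routes(client_lan: str) -> List[Tuple[ipaddress.IPv4Network, str, int]]:
    """Routing table a connected client ends up with: (network, via, preference).

    The client's own subnet is a directly connected route (preference 0); the
    routes the VPN server pushes for the remote LAN and the tunnel pool arrive
    with a weaker preference (1). On an equal prefix length, preference 0 wins,
    which is why two sites on 192.168.0.0/24 cannot talk through the tunnel.
    """
    connected = ipaddress.ip_network(client_lan, strict=False)
    return [
        (connected, "lan", 0),
        (WORK_LAN, "vpn", 1),
        (VPN_POOL, "vpn", 1),
        (ipaddress.ip_network("0.0.0.0/0"), "default", 2),
    ]


def path_for(dest: str, client_lan: str) -> str:
    """Longest-prefix match, preference as tie-break: 'lan', 'vpn' or 'default'."""
    addr = ipaddress.ip_address(dest)
    candidates = [r for r in client_routes(client_lan) if addr in r[0]]
    best = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return best[1]


def vpn_conflicts(client_lan: str) -> List[str]:
    """Overlaps that stop a client on client_lan from using the tunnel correctly."""
    client = ipaddress.ip_network(client_lan, strict=False)
    problems = []
    if client.overlaps(WORK_LAN):
        problems.append(f"{client} overlaps work LAN {WORK_LAN}: work hosts stay on the local route")
    if client.overlaps(VPN_POOL):
        problems.append(f"{client} overlaps VPN pool {VPN_POOL}: tunnel addressing collides")
    return problems


if __name__ == "__main__":
    # Home on 192.168.0.x (broken), home moved to 192.168.1.x (fixed), phone on a cell IP.
    for lan in ("192.168.0.0/24", "192.168.1.0/24", "107.77.12.34/32"):
        print(lan, "->", path_for("192.168.0.50", lan), vpn_conflicts(lan))
```

    The cell-only phone is modelled as a /32 because its only address is the carrier-assigned one, which never overlaps a private range, matching Mike's point.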
     
  9. Peekonu

    Peekonu n3wb

    Joined:
    Aug 5, 2017
    Messages:
    14
    Likes Received:
    1
    Thank you, that helps a ton. I will refocus my bug tracking to something other than IP conflicts. I'll report back when I learn more.
     
  10. Mike A.

    Mike A. Getting comfortable

    Joined:
    May 6, 2017
    Messages:
    449
    Likes Received:
    273
    Is there any difference if you try the work VPN from your phone when on cell vs WiFi? i.e., if you're not at home can you connect OK to the work VPN?
     
  11. Peekonu

    Peekonu n3wb

    Joined:
    Aug 5, 2017
    Messages:
    14
    Likes Received:
    1
    The behavior is the same on wifi or on cell. I can connect to the VPN no problem but cannot receive any services coming from behind the VPN. I'm sure I'm doing something else wrong. I will fiddle with the settings and see what I can come up with.
     
  12. Mike A.

    Mike A. Getting comfortable

    Joined:
    May 6, 2017
    Messages:
    449
    Likes Received:
    273
    Sounds more like it may be a basic config issue then. If you have a separate config/profile for the work VPN in your VPN client/iPhone and you select that one when you connect over cellular, then that should be pretty much completely separate from whatever you've got going on at home. Just to simplify things, you might try temporarily deleting the profile for the home VPN on your phone (can always pull it back in again later). Then you'll know for sure that there's no conflict related to anything on your home VPN. If the work VPN doesn't work alone, then you know that something's not right on that side somewhere. Check the settings and recreate the config file/key and load that profile in again. Once that's working you can reload the home one and deal with any conflicts if there are any.

    Just to check the obvious, are you sure that you're addressing the internal network by the new IP address scheme that you changed and not the old numbering that you may have had set up in whatever you're using?
     
    Last edited: Sep 24, 2017