OpenVPN and RDP

CV350

Young grasshopper
Joined
Jan 11, 2019
Messages
73
Reaction score
12
Location
Thailand
I have OpenVPN up and running on my Asus router (RT-AC86U) and can access the BI remote GUI outside of my LAN. The desktop is currently connected directly to my router.

It all works fine and when I am away from my property and I just turn OpenVPN on and insert the local ip and port number into a browser and it fires up flawlessly. But what I am missing at the moment is remote access to the desktop which I understand I can achieve by downloading RDP.

I have never used RDP before and am wondering how I set it up correctly on the same BI server which is a HP Elitedesk running windows 10. What’s confusing me is how I would access it. Do I download the app and the open up OpenVPN and place the IP address of the server into a browser, does the app have the IP address of the server, or how does it work in practice? If I can visualize this it will make it easier for me to instal and I won’t end up with unnecessary clutter on my desktop.

I am a little hesitant to just go about installing RDP as I understand that as a stand-alone App it opens ports and I am trying to avert unnecessarily opening ports.

Can someone please tell me the steps to both installing RDP (is it just a standard installation) and how to use it with OpenVPN.

I am hoping that I can use RDP to access the HP server remotely so that I can resolve any problems that I might have while I am away. I read that there is a way to see the entire desktop which would work perfectly for me. At the moment OpenVPN is just setup to connect via the router with the BI GUI.

Thanks.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,905
Reaction score
21,278
RDP server is built into your windows pro machine. If you are using a pc remotely just connect to the vpn then launch the RDP client (preinstalled on your windows home or pro machines) and use your local ip. No ports are opened.

As an aside, it's best to connect the Blue Iris PC to the same switch as the cameras or a switch that comes off that switch. Connecting to the router can overwhelm some routers and cause issues.
 

CV350

> RDP server is built into your windows pro machine. If you are using a pc remotely just connect to the vpn then launch the RDP client (preinstalled on your windows home or pro machines) and use your local ip. No ports are opened.

Thanks for your reply Fenderman. The bit above is the bit that is confusing me. So I launch OpenVPN and then launch RDP and then key in the BI server IP to a browser. Is that correct?

> As an aside, it's best to connect the Blue Iris PC to the same switch as the cameras or a switch that comes off that switch. Connecting to the router can overwhelm some routers and cause issues.
At the moment I have router - BI server - switch - cameras.

Are you suggesting router - switch - BI server and cameras?

Thanks
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
What happens if you type (on another Windows PC):

```cmd
REM /v: names the target PC; /admin replaces the older /console switch
mstsc /v:IP_BI_pc /admin
```

This should pop-up the "RDP" console.

Few tips:
  • this requires (at least) Windows Pro on BI
  • this requires (at least) RDP ports to be opened
  • try first on your LAN, if successful, then try over VPN (to avoid VPN being a blocking factor due to any possible reason)
  • this does also work on mobile devices but is tedious to work in
  • it might not be that smart to play videos through this interface

Alternatively, look at "teamviewer" or "VNC" - all good options!

Good luck!
CC
 

CV350

Thanks catcamstar. I have it all up and running on my remote laptop and ipad (access via OpenVPN) but I will take the opportunity to ask you one question that has me wondering.

When I toggled RDP on the host computer it states that the app is running on xxxx port number. I am accessing this app only via OpenVPN. Does this mean that the app is running on this port when I’m on the LAN or on OpenVPN but the same port is not open externally? I’m a bit confused after seeing that as I understand from fenderman's reply above I shouldn’t have open ports.

In terms of settings I have checked NLA, keep PC awake and make PC available on private network. Is that correct?

Just want to make sure that I have it setup securely.

Thanks.
 

catcamstar

You are asking the right questions! But it might be easier to draw it on paper. Your network is like an onion with different layers. The brown ones (outside ones) are the ones "exposed" to the (ugly hacking & dirty) internet. There should indeed be no open ports. At least not to "secured" ones. If you would open that port xxxx on your router to allow RDP to your BI pc, you won't last a minute (or 2). So that's where the tip from @fenderman came from.

When you enabled RDP on the BI pc, it simply states that the service is listening on port xxxx, it did not open that port on your router. It simply means anyone in your home LAN (pc/ipad) is able to hook up to that service. So far so good.

Now comes the "VPN" part in place. Looking at the onion analogy, your BI pc is in the heart of the onion. What you actually do is open 1 port (and one port only) for your OpenVPN to drill through the outer layer and connect to the inside of your onion. As if your device is located on the home LAN. So it connects to the BI pc on service port xxxx. Now you could wonder: stupid CC, you said: don't open ports in my onion. And that's true, but here's the difference: a VPN service port is more secured than any other port, first off, you can put it on UDP (and not on the default TCP), so it's more hidden for port scans, plus it enforces both identification and authentication, plus encryption of the channel with additional security enforcements (like HMAC) which are not present in a "simple" communication protocol like RDP. So the inside of your onion is well protected and only reachable through that VPN tunnel. As long as your certificates and passwords are not "publicly" available.

Hope this helps!
CC
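The "listening locally but not forwarded" state CC describes, together with the NLA and private-network settings asked about above, can be checked on the BI PC itself. This is an added example, not from the thread; it assumes Windows 10 Pro with the default RDP port 3389 in the registry (the "xxxx" in the posts is whatever this machine reports) and reads only local settings.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the
# BI PC. It reads local settings only; 3389 is the Windows default RDP port
# (the "xxxx" shown in the thread is whatever this machine reports).
$tsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
$tcpKey = "$tsKey\WinStations\RDP-Tcp"

# 1. Remote Desktop toggle (fDenyTSConnections: 0 = allowed, 1 = denied)
#    and Network Level Authentication (UserAuthentication: 1 = required).
$deny = (Get-ItemProperty -Path $tsKey  -Name fDenyTSConnections).fDenyTSConnections
$nla  = (Get-ItemProperty -Path $tcpKey -Name UserAuthentication).UserAuthentication
$port = (Get-ItemProperty -Path $tcpKey -Name PortNumber).PortNumber
[pscustomobject]@{
    RemoteDesktopEnabled = ($deny -eq 0)
    NlaRequired          = ($nla -eq 1)
    ListeningPort        = $port
}

# 2. The service is bound locally. 0.0.0.0 means every local interface, which
#    covers the LAN and the tunnel side of OpenVPN, but says nothing about the
#    router: without a port forward there, nothing on the internet reaches it.
Get-NetTCPConnection -LocalPort $port -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 3. "Make PC available on private network" maps to the built-in firewall
#    rules being enabled for the Private profile only. If Profile shows
#    "Public" or "Any", the PC would also answer on untrusted Wi-Fi it joins.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    Where-Object Enabled -eq 'True' |
    Select-Object DisplayName, Direction, Profile

# 4. ...and the LAN adapter must actually be classed as Private for those
#    rules to apply; a "Public" category here silently blocks LAN/VPN RDP.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# 5. From the laptop, first on the LAN and then over the VPN (as CC advises),
#    a plain reachability test. 192.0.2.10 is a placeholder for the BI PC's
#    LAN IP.
# Test-NetConnection -ComputerName 192.0.2.10 -Port 3389
```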
 

CV350

That’s very clear. Thanks for taking the time to explain it CC.

If I toggle the OpenVPN port to UDP does it affect anything else, meaning do I need to change anything else? E.g. do I need to issue the OpenVPN cert again. Or is it as simple as just toggling it?
 

catcamstar

You are welcome.

It requires 2 changes: one service side (changing the protocol from TCP to UDP) and one in your .ovpn file changing the same TCP to UDP. It does not require any other change (your certificates remain intact).

But, there are some consequences (which you may or may not discover soon): some enterprise-grade/public-(wifi)-networks do not allow all outbound protocols on all ports. It is a bit trial and error. I see many people, for that reason, running their OpenVPN on port 443 in TCP. For the simple reason that 99,99999% of the networks do allow outbound TCP 443 as that is https (SSL encrypted) webtraffic (e.g. for netbanking etc). If they would block it, it renders the internet "non-working". There is also a performance impact between VPN stream on UDP versus TCP (e.g. for a bit of lecture: OpenVPN over TCP vs. UDP | what are they and what should you use?).

If you are already using VPN on "default", you are already doing better than half of the internet!

Happy camming!
CC
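The two matching edits described above (the server's protocol and the client's .ovpn), shown as an added example rather than the poster's own files. The hostname my-router.example.net, port 1194 and the file names are placeholders; the certificate and tls-auth (HMAC) lines are the ones that stay exactly as issued.

```conf
# Added example, not the poster's files. Placeholders: my-router.example.net,
# 1194 and the file names. Only the transport lines differ between variants.

# --- Server side (the router's OpenVPN server): UDP, as the thread recommends
proto udp
port 1194
dev tun
ca ca.crt
cert server.crt
key server.key
dh dh.pem
# HMAC on the control channel (the "additional security enforcements" above):
# unchanged by the TCP/UDP switch
tls-auth ta.key 0

# --- Client side (.ovpn on the laptop / iPad): protocol must match the server
client
dev tun
proto udp
remote my-router.example.net 1194 udp
tls-auth ta.key 1
# refuse to complete the handshake with anything but a server certificate
remote-cert-tls server
# the inline <ca>, <cert> and <key> blocks stay exactly as issued

# --- Fallback CC mentions for networks that block outbound UDP: TCP on 443
# server side:  proto tcp
#               port 443
# client side:  proto tcp-client
#               remote my-router.example.net 443 tcp
```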
 

CV350

Thank you CC. I really appreciate the advice.