OpenVPN, Blue Iris and VPNbook: is this correct?

Cor

Hello all,

Until now I have opened a port to view my cameras remotely. Finally, yesterday I had the courage to look into VPN and set it up. Not rocket science, but so many options. But it works.

I have set up OpenVPN on the Blue Iris computer at home (Windows 11), with credentials from VPNbook (using the .........-tcp80.ovpn) and the free VPN account.

I do have a couple of questions. I hope someone can answer them; I am unable to find the answers myself.

1) I assume this is much safer than opening a port (the port is now closed and I have access with Blue Iris and can also use Microsoft remote access), but also using the free VPNbook account? Is this still safe?
2) The IP address which is assigned with OpenVPN, will that IP address stay the same, or does it change? And when I reboot the server? (This is to set up the Blue Iris app for my family.)
3) I noticed it is not very fast, quite a bit slower than when I connected by opening a port. Will a paid service make a difference? Will that be "safer" as well? Any suggestions here?
4) I have set up the server now on the Blue Iris server and all is working, but I see I can also use my router to run OpenVPN instead of the Blue Iris server (with OpenWrt). Does that have a benefit?

Many thanks for the help,
Cornelis
 
I’m not a security pro so just my $.02

Yes using OpenVPN is much safer
Yes you should ideally use it on the router if possible
The IP address the OpenVPN is looking at is your WAN address from your provider. If it changes, shit can break
Yes it’s slow as poop. I prefer WireGuard if it’s available to you. 10x faster
 
I use OpenVPN which is built into my ASUS router. I could use another VPN or use WireGuard but since OpenVPN was easy I just stuck with it. Also, ASUS routers offer free DDNS to handle the issue if your ISP provides dynamic IP assignment (possibly changes every reboot). IPCAMTALK also offers free DDNS if you'd rather use theirs.

 
Thanks for the info,

I see on my Fritzbox modem there is also a WireGuard option; I will look into that.

BUT, something is bothering me now. The idea is that my family is able to view the cameras, so I need to set up OpenVPN or WireGuard on their phones.

Does this mean that all traffic from their phones is going via my home network?
Obviously I want that for the cameras, but if my parents are chit-chatting on WhatsApp or watching Netflix etc., that would not be desirable. I cannot expect them to enable the OpenVPN app (or WireGuard) every time, then open the Blue Iris app, and when done, disconnect the OpenVPN app again .... etc. Or is the client clever enough to know that only the local stuff (Blue Iris) is going through this VPN?

Any thoughts?

Many thanks,
Cornelis
 
Yes, for OpenVPN you need to download the app on each device and upload the security certificate to each device. I normally have OpenVPN turned off on my phone. If I'm at home and connected to the network via WiFi I do not need to have OpenVPN enabled on the phone as you are viewing directly on your network. The only time I turn OpenVPN on is if I get an alert while away from home and want to watch the video footage or view the live stream of cams. The alerts come through as push notifications using PushOver.net and do not require OpenVPN to be enabled.
 
As many do, you're confusing "VPNs." VPN can be used in various ways. Services like VPNbook, etc. are for encrypting OUTGOING traffic from your network to the Internet. They operate whatever equivalent of OpenVPN on their servers and proxy/anonymize your traffic out over the Internet. For purposes here, you don't need that and that may be at least some of the slowdown you're seeing if you're layering that on top of OpenVPN running locally.

As it sounds like you've already done, you'll be setting up your own server to handle INCOMING traffic INTO your network from your mobile or other clients. You'll use DDNS to maintain a pointer to your outside IP. Yes, generally (but not always) better to run the VPN on your router/edge device. There is some overhead from the VPN but it shouldn't be noticeably slow. Yes, you can set up to only route certain traffic through the VPN if that's what you want. I run all of mine back through my network so that I have encryption and ad and other filtering on all of my devices wherever they may be but you can do that as you want/need.
 
And to further clarify, since I have set up a BI security cam system at my parents' house (500 miles away) plus I have my own BI security cam system: I receive PushOver alerts from my parents' system just so that I can monitor, as they are elderly. If I want to view their video alerts or want to see their live stream, then from my home computer I turn on OpenVPN to connect to their network and can then view the footage from my home computer. If I'm not home, then I turn on OpenVPN on my cell phone to connect to their network to view their stuff.

I did set up OpenVPN on my Dad's cellphone and his tablet/computer so he can view his own stuff when he's not home. He knows to turn on OpenVPN only when he's not home. Although he can keep his OpenVPN turned on all the time if he wants all traffic to go through his home network.....and some members here do keep it on all the time.
 
As many do, you're confusing "VPNs." VPN can be used in various ways. Services like VPNbook, etc. are for encrypting OUTGOING traffic from your network to the Internet. They operate whatever equivalent of OpenVPN on their servers and proxy/anonymize your traffic out over the Internet. For purposes here, you don't need that and that may be at least some of the slowdown you're seeing if you're layering that on top of OpenVPN running locally.

As it sounds like you've already done, you'll be setting up your own server to handle INCOMING traffic INTO your network from your mobile or other clients. You'll use DDNS to maintain a pointer to your outside IP. Yes, generally (but not always) better to run the VPN on your router/edge device. There is some overhead from the VPN but it shouldn't be noticeably slow. Yes, you can set up to only route certain traffic through the VPN if that's what you want. I run all of mine back through my network so that I have encryption and ad and other filtering on all of my devices wherever they may be but you can do that as you want/need.

This exactly. VPNBook is not needed in this application and thus running the two VPNs is likely the cause of the slowdown.

As mentioned, what router do you have? Many install OpenVPN on the BI computer mistakenly if the router supports it.

When you are on your mobile network what is the speed with OpenVPN disconnected and connected?
 
Thanks for all the info. It is quite a forest you run into with this VPN.
I probably have set it up wrong.

What I did:
1) Installed OpenVPN on the Blue Iris server
2) Set up OpenVPN on the Blue Iris server with the VPNbook credentials
3) Installed OpenVPN on my Android device
4) Connected OpenVPN on my Android device
5) Directed the Blue Iris app to the "local IP address" of the Blue Iris server

This worked well and I will also be quite happy to pay for a service if it is better/faster.

BUT, I also need to set up Blue Iris on my parents' (Android) devices, who live somewhere else: other internet providers, other countries etc. I do not want them to connect and disconnect the OpenVPN app every time. They are getting a bit old, and I want to make it as easy as possible for them. Also, diverting all their traffic first to my house doesn't sound right (for me and my wife that is fine, of course).

I see also in a previous post something about DDNS. I now use no-IP: http://XXXXX.hopto.org:port but with port forwarding on my modem.

If I understand correctly it is possible to set it all up so that:
1) The Blue Iris server is secure (no port forwarding anymore)
2) My family can also view the cameras remotely without the need to use 2 different apps and connect-reconnect all the time.
3) Only traffic for Blue Iris goes through me with VPN and not all the other traffic like WhatsApp, Netflix, web surfing etc.

I would need some help setting it up, since I thought I did it correctly with OpenVPN and VPNbook, obviously not.

Looking at my modem, a Fritzbox 4040, there is an option VPN WireGuard, but I expect when I set it up like I did on the Blue Iris server with OpenVPN, it will be exactly the same.
Thanks,
Cor
 
What I did:
1) Installed OpenVPN on the Blue Iris server
2) Set up OpenVPN on the Blue Iris server with the VPNbook credentials
3) Installed OpenVPN on my Android device
4) Connected OpenVPN on my Android device
5) Directed the Blue Iris app to the "local IP address" of the Blue Iris server
1) I don't have OpenVPN installed on my BI machine because I use OpenVPN on my Asus router. If you want to use WireGuard instead of OpenVPN then that's an option for you.
2) Not sure why you have VPNbook installed on your BI machine.
3) Yes, install OpenVPN app on any device you want access to your network only for when you are not connected directly to your network at home.
4)
5) I have the Blue Iris app but rarely use it as I find it inferior to using UI3 which can be opened on any device that has a browser on it.

P.S. My Dad is 88 years old....not very hard for him to remember to connect to OpenVPN ONLY when not at home and only when he wants to view the alert video from the Pushover app. You could tell your parents just to have the OpenVPN connection on all the time, at home or away, if you think it'd be easier. Unless they are super serious internet surfers from the mobile device, I don't see it being a problem. I lose about 4 to 7 Mbps if I have OpenVPN turned on. Not a major loss in bandwidth.
 
1) I don't have OpenVPN installed on my BI machine because I use OpenVPN on my Asus router. If you want to use WireGuard instead of OpenVPN then that's an option for you.
2) Not sure why you have VPNbook installed on your BI machine.
3) Yes, install OpenVPN app on any device you want access to your network only for when you are not connected directly to your network at home.
4)
5) I have the Blue Iris app but rarely use it as I find it inferior to using UI3 which can be opened on any device that has a browser on it.

P.S. My Dad is 88 years old....not very hard for him to remember to connect to OpenVPN ONLY when not at home and only when he wants to view the alert video from the Pushover app. You could tell your parents just to have the OpenVPN connection on all the time, at home or away, if you think it'd be easier. Unless they are super serious internet surfers from the mobile device, I don't see it being a problem. I lose about 4 to 7 Mbps if I have OpenVPN turned on. Not a major loss in bandwidth.

1) I will look into WireGuard in the next days since this is an option on my modem.
2) I used VPNbook since I thought this was necessary to get access to BI without using port forwarding. It says everywhere "do not open ports", but use VPN. After lots of googling I found that the easiest ways were OpenVPN and WireGuard. Watching YouTube videos, I think all of them then used the VPNbook config file with credentials.
5) If there is no other option to connect to WireGuard/OpenVPN, that is something they will have to do then.

But now I have no clue anymore how to set it up. I thought I did a good job with OpenVPN, VPNbook with their config file and credentials. Can someone guide me on what the correct way is? The only thing I would like is to close the port and still have access to BI when I am away from home.
I do have an account with no-IP; with the open port I log in with: http://xxxxx.hopto.org:yy where yy is the open port and xxxx my account name.

Many thanks,
Cornelis
 
Where did you see that VPNbook was needed for BI/OpenVPN - Porno's Are Us LOL.

The whole intent of OpenVPN is YOU are hosting the VPN service and thus are not hiding your IP address for illegal streaming and porno. That is how you are able to get back onto YOUR network like you are sitting at home on your couch when you are actually somewhere else like Panera or work.

VPNs like VPNbook, NordVPN exist to HIDE YOUR IP address for illegal streaming and porno LOL. This doesn't allow you to get back to YOUR IP address because it is being hidden.

In layman's terms, keep in mind that opening a port for a VPN service is much different than opening a port for an unsecure device like a camera or NVR or straight to BI.

In fact, by default routers and computers have ports open: 22 (SSH for secure remote access), 25 (SMTP for email), 80 (HTTP for web browsing), and 443 (HTTPS for secure web browsing), etc. are common open ports. Go to your computer firewall and you will see many more open ports.

With OpenVPN, the open port is like offering your home address but the router/OpenVPN then confirms those knocking have a key (the encryption key of the VPN service) and is still protected by the firewall/antivirus; whereas opening a port that goes straight to BI/NVR/Camera is offering your home address and the front door is open with free access to go to town on getting in.

So running the two in tandem is mucking things up and may potentially even open you up to vulnerabilities.

At a minimum get rid of VPNbook. It is not needed. Nobody here uses it with OpenVPN. See what happens to your speed then.

Then it sounds like your router doesn't support OpenVPN but does Wireguard. If you decide to go that route, then simply enable Wireguard on the router and follow the steps it asks for. You are overthinking this.
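
The split-tunnel setup asked about in the thread (only Blue Iris traffic through the VPN, everything else direct), sketched as a WireGuard client config for a family phone. This is an added example, not a config posted by anyone in the thread or generated by the router: the keys are placeholders, and the tunnel address, LAN subnet, Blue Iris host address and UDP port are assumed values that must be replaced with the ones the router's own WireGuard setup produces.

```ini
# Added example: WireGuard client config for a family phone (split tunnel).
# Every key below is a placeholder; addresses and port are assumptions.

[Interface]
# Generated per device; never reuse one key pair on two phones.
PrivateKey = <PHONE_PRIVATE_KEY_PLACEHOLDER>
# Tunnel address assigned to this phone (assumed value).
Address = 10.8.0.2/32
# No DNS line: the phone keeps using its normal resolver, so name lookups
# for WhatsApp, Netflix etc. do not travel through the home network.

[Peer]
# Public key of the WireGuard server running on the home router.
PublicKey = <ROUTER_PUBLIC_KEY_PLACEHOLDER>
# Optional extra symmetric key, if the router issues one.
PresharedKey = <PRESHARED_KEY_PLACEHOLDER>
# DDNS name from the thread; 51820/udp is an assumed listen port.
Endpoint = XXXXX.hopto.org:51820

# Split tunnel: only packets addressed to the Blue Iris server enter the VPN.
# 192.168.178.10 is an assumed LAN address for the Blue Iris machine.
AllowedIPs = 192.168.178.10/32

# Full tunnel, for comparison: this would send ALL phone traffic home.
# AllowedIPs = 0.0.0.0/0, ::/0

# Keeps the NAT mapping alive on mobile networks so the tunnel can stay on.
PersistentKeepalive = 25
```

With `AllowedIPs` limited to the Blue Iris host, the tunnel can be left enabled on the phone permanently and the Blue Iris app or UI3 is pointed at the server's LAN address; the only inbound service exposed at the router is the VPN itself, which drops packets from peers without a valid key.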