OpenVPN question

D

dryfly

Getting the hang of it
May 25, 2015
258
46
I recently setup an OpenVPN tunnel and I'm using Hikvision IVMS4200 app on an Iphone for remote viewing. I had a lot of problems connecting originally but found the issue was in the Asus router. I had set "Block Internet Access" to ON with NVR's IP address to prevent the NVR from "phoning home". This apparently also blocked the NVR's ability to communicate through the tunnel VPN. I resolved my remote access issue by turning the option to OFF.

My question is, in an Asus router, can I accomplish preventing the NVR from phoning home, and at the same time enabling remote access??
 
Sounds like your IVMS4200 app isn't using the vpn connection to get to the nvr. Do you still have the port fowarded for the NVR in your router?
 
If OpenVPN is working, when you are not at home and VPN in, then there is a setting or something you need to adjust because it should be like you are sitting at home accessing your system. So if it isn't working that way, you have to make a change somewhere.
 
Last edited:
That's how it works on the Asus (and most) by default. What happens is that when using the VPN you appear to work as a local client connection but you don't truly receive an internal IP address (e.g., 192.168.1.x). The incoming connection is assigned a 10.8.x.x address which then is routed over to the internal ethernet interface and subnet. So it still sees the VPN connection as coming from the outside from the perspective of the firewall which does the block ahead of that.

You can make changes at the command line and using other firmware to pass traffic over the VPN interface in a way that it won't be blocked but not simple to do and I'm not sure how persistent in the case of stock firmware.

As simple things that you can do to prevent phoning home while not completely blocking it, you can use nonsense values for the gateway and DNS (usually the host's own IP will work if it forces you to use some address).

Other than that, you can come into the network on the VPN, access the router, and flip that access switch on/off as you want. Which works OK for a cam not accessed directly much but not really for an NVR that you want to hit as your main host.

Here's a thread that explains and shows the rule and changes that need to be made (For Merlin firmware but applies in the same way. Others if you want to search.):

www.snbforums.com

Can't access LAN device from VPN when device set to block Internet access

I have a ASUS RT-AC68R with Asuswrt-Merlin on firmware 384.7_2 I have a IP cam I have blocked Internet access using the button on the Network Map page. I would like to VPN in from my phone using OpenVPN (which is set up and working) and use the IP cam app on my phone to access the IP cam. I'm...
www.snbforums.com www.snbforums.com
 
Last edited:
  • Like
Reactions: SouthernYankee
Mike A. said:
That's how it works on the Asus (and most) by default. What happens is that when using the VPN you appear to work as a local client connection but you don't truly receive an internal IP address (e.g., 192.168.1.x). The incoming connection is assigned a 10.8.x.x address which then is routed over to the internal ethernet interface and subnet. So it still sees the VPN connection as coming from the outside from the perspective of the firewall which does the block ahead of that.

You can make changes at the command line and using other firmware to pass traffic over the VPN interface in a way that it won't be blocked but not simple to do and I'm not sure how persistent in the case of stock firmware.

As simple things that you can do to prevent phoning home while not completely blocking it, you can use nonsense values for the gateway and DNS (usually the host's own IP will work if it forces you to use some address).

Other than that, you can come into the network on the VPN, access the router, and flip that access switch on/off as you want. Which works OK for a cam not accessed directly much but not really for an NVR that you want to hit as your main host.

Here's a thread that explains and shows the rule and changes that need to be made (For Merlin firmware but applies in the same way. Others if you want to search.):

www.snbforums.com

Can't access LAN device from VPN when device set to block Internet access

I have a ASUS RT-AC68R with Asuswrt-Merlin on firmware 384.7_2 I have a IP cam I have blocked Internet access using the button on the Network Map page. I would like to VPN in from my phone using OpenVPN (which is set up and working) and use the IP cam app on my phone to access the IP cam. I'm...
www.snbforums.com www.snbforums.com
Click to expand...


Thank you, that definitely explains the situation. Since I would seldom use remote access, I like the idea of switching the router settings remotely. I don't think I'm savvy enough to go much further, but I'll check out the link.

Also, I may be a little conservative about worrying that the NVR is actually going to phone home. I'm just not to trusting.

I'll use your direction to work on it.
 
dryfly said:
Also, I may be a little conservative about worrying that the NVR is actually going to phone home. I'm just not to trusting.
Click to expand...

Good to be cautious about it. I've seen many things that don't behave well regardless of settings on the device and do some sketchy stuff. I block everything that I can just as a matter of good practice.

Being practical about it... You have the VPN up and working so that's good. Block your cams. Fudge the easy gateway and DNS entries on the NVR to make it harder and make sure that you turn off everything that works as a service like that. Leave the NVR so you can access it. If something wants to be more aggressive about it, then it could get around that in some ways but most won't.

You could Wireshark things to see what's actually going on on your network and as far as the NVR specifically. Worth doing just to learn how.
 
Mike A. said:
Good to be cautious about it. I've seen many things that don't behave well regardless of settings on the device and do some sketchy stuff. I block everything that I can just as a matter of good practice.

Being practical about it... You have the VPN up and working so that's good. Block your cams. Fudge the easy gateway and DNS entries on the NVR to make it harder and make sure that you turn off everything that works as a service like that. Leave the NVR so you can access it. If something wants to be more aggressive about it, then it could get around that in some ways but most won't.

You could Wireshark things to see what's actually going on on your network and as far as the NVR specifically. Worth doing just to learn how.
Click to expand...

This is getting away from the OP question, but when you say you block everything you can, what all on your network are you blocking besides you camera system? Other threats?

Also, I have my cameras connected directly to my NVR. My network IP is 192.168.50.xxx, while my cameras are 192.168.254.xxx. How could the cameras be effectively blocked?
 
Cams mostly. Beyond that not so much threats per se just things that have no need and/or that I want to keep away from my main network. Mostly IoT stuff that either gets blocked or put into a guest network, a Samsung printer that phones home, etc. FIOS TV stuff which needs out-going access is behind my router in a separate address space; otherwise, if up front it opens a bunch of ports and Verizon can control it, so no in-coming traffic can get to it that way. Ad blocking, tracking, and site blocking done on router, Pihole, in browsers, etc.

I don't use an NVR but not sure that you can in that case unless the NVR provides for that. But it's on a separate subnet within the NVR so it's limited in some way at least. Can you get to the network settings for individual cams or is that all fed via DHCP from the NVR?
 
Mike A. said:
Cams mostly. Beyond that not so much threats per se just things that have no need and/or that I want to keep away from my main network. Mostly IoT stuff that either gets blocked or put into a guest network, a Samsung printer that phones home, etc. FIOS TV stuff which needs out-going access is behind my router in a separate address space; otherwise, if up front it opens a bunch of ports and Verizon can control it, so no in-coming traffic can get to it that way. Ad blocking, tracking, and site blocking done on router, Pihole, in browsers, etc.

I don't use an NVR but not sure that you can in that case unless the NVR provides for that. But it's on a separate subnet within the NVR so it's limited in some way at least. Can you get to the network settings for individual cams or is that all fed via DHCP from the NVR?
Click to expand...

The cameras have ability to set the address manually. But I'm not sure if this overrides the NVR or not. Looks like the only thing you can do is set the NVR's Internal NIC IPv4 address. Not sure if I see any advantage in changing that from the default 192.168.254.xxx.
 
Last edited:
dryfly said:
The cameras have ability to set the address manually. But I'm not sure if this overrides the NVR or not. Looks like the only thing you can do is set the NVR's Internal NIC IPv4 address. Not sure if I see any advantage in changing that from the default 192.168.254.xxx.
Click to expand...

Not any advantage really. I meant more for the gateway and DNS so the cams don't have an easy way out on their own. Guess those all come from the NVR. Not sure that you can change without setting up differently.
 
Mike A. said:
Not any advantage really. I meant more for the gateway and DNS so the cams don't have an easy way out on their own. Guess those all come from the NVR. Not sure that you can change without setting up differently.
Click to expand...

I can specify the gateway and preferred DNS server on the Hik cams. But then I'm not sure how to handle this change at the Hik NVR. Do I then change the DNS server and default gateway in the NVR to match the cameras? OR.......are we talking about two completely different sets of settings here?

As you can see, it doesn't take long for me to get over my head in networking stuff.

I'm really interested in learning as much as I can about network security, but at the same time, unless it really makes a difference I try to stay simple.
 
Again I don't know NVRs very well. You should be able to change the gateway/DNS on the cams without causing any problems. Gateway is the main one since that provides the pathway out for traffic. There are ways that things can get around if determined but less likely. You still will be able to access the cam since your traffic is incoming to it not outgoing attempts initiated by the cam.

As far as the NVR goes, the settings numbers don't really matter much between cam/NVR. You can use the same or different ones. Just want something that the device will accept and that isn't valid. Some won't require anything and will accept a blank entry. Some will want to see an IP address. Easy in the latter case to just use the cam's own IP. Or you can use some unassigned IP on your network (e.g., 192.168.x.254). Again, you your own requests to it still will reach it, you're just sending traffic initiated from it to a door out that doesn't exist.

Time services may be affected if the NVR doesn't have a valid pathway out. Not sure how that works on yours. I guess you could set up a local NTP server that doesn't have a pathway out beyond it if you had to. DDNS for your whole network to find it for remote access will run on the Asus so that should be good so you don't need any DDNS on the NVR itself.
 
Thanks for the tips. I will play around with some of the settings and see what happens. I feel pretty secure at the present just not port forwarding and tightening up security on the router. But..........you can never be too safe.
 
I have an Asus router as well with OpenVPN. When I'm home (using wifi) I can access my NVR thru the DMSS app on my phone without the need for OpenVPN. But when away from home (on cellular) that's when I flip the OpenVPN switch and tap on DMSS to access the NVR. No "block internet access" settings in the router needed. If you are worried about your NVR and IPCs calling home, just disable those services listed under their "Network" settings and I think you'll be okay.
 
Last edited:
Tic said:
...If you are worried about your NVR and IPCs calling home, just disable those services listed under their "Network" settings and I think you'll be okay.
Click to expand...

Unfortunately, lots of cams ignore settings and do unwanted things no matter how you have things set. That's the reason for blocking Internet access and otherwise isolating them to the extent that you can.
 
You must log in or register to reply here.
Top Bottom