Port forwarding for remote camera access

HuskyLover

n3wb
Joined
Apr 30, 2020
Messages
5
Reaction score
0
Location
Ohio
Hello all. Not sure if this is the correct topic to post this under, and if it is not, please let me know and I will delete. My issue is, I have spent literally 2 months trying to get my Netgear Nighthawk R7000 to port forward with no luck. I really want to smash this thing into a million pieces, but I need it! I am not what I would consider proficient in computer talk, but I'm not stupid either, I was able to port forward on my old N series Netgear router with very little trouble and run the cameras through my no-ip ddns account. I need to be able to have myself, and people from the outside, be able to access the cameras (with 2 different log-ins of course) outside of the LAN. We raise dogs and I need people to be able to watch the puppies whenever they want. I know there is a security risk in doing this, but not too concerned with my buyers hacking into our network. Short of port forwarding, are there any other suggestions how I can accomplish this?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Woah, I personally would opt for destroying my router rather than opening any (unsecure!) ports to my internal systems. Even with (only?) 2 named log-ins, you are unsure that there aren't any other (hidden? system?) accounts available that nobody knows of. Any system can be "hammered" until there is a memory leak (or any other kind) and then your whole network is exposed.

Your netgear might already have an OpenVPN service onboard, so if I was you, I'd create two (separate) VPN client logins, which can connect to your network. Limit their access to the HTTP port of that NVR and off you go.
 

HuskyLover

n3wb
Joined
Apr 30, 2020
Messages
5
Reaction score
0
Location
Ohio
Yes, the router has VPN function, but I have no clue what to do with it. I have even read through the VPN for dummies, still lost! I suppose I could mess around with it and if I screw something up just factory reset the router for the 50th time :) Do I still need no-ip?

How I had it set up before was in the Foscam settings, a log-in for me and a "guest" log-in for the buyers.
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
I fully understand that you want to give your buyers first-line view access to their puppies, but be aware that 99% of the internet are not user-friendly and are scanning all these devices 24/7/366 for vulnerabilities, for hacking, netbots etc. So I'm already happy you want to think of alternatives to port forwarding, and I'll grant you 5 minutes of my time to quickly bring you up to speed.

When you look at your router, you might find 2 types of "VPN configuration". You have to look for the right one.
  • VPN Client configuration: for this, your ROUTER throws out (as a client) a VPN connection towards a VPN server (somewhere in the US/UK/Africa), this to encrypt and more importantly, pop-up your Internet traffic (ISP traffic) to these VPN Endpoints. This is typically done for hiding your ass (eg "maliciously" avoid location detection services for (as an example) Netflix and other location based services - to avoid "blocking" by location - access to certain series). This is not what you are looking for in your use case.
  • VPN Server configuration: this is exactly what you need: if you activate this service (full procedure on ), you'll have to deploy an OpenVPN CLIENT on each of your (remote) devices (eg your buyers). You'll have to pass them your login information (eg credentials/certificates), but from there on, you don't need these insecure port forwards.

On the other hand, if you enable OpenVPN, these buyers are entering your local network. If you don't have any other security measures in place (eg vlans/firewalls), they can also access your Plex server/NAS/... So I think an OOTB OpenVPN Server setup will open other pitfalls, but for that, you might need to do some additional reading too.

I hope this helps!
CC
 

HuskyLover

n3wb
Joined
Apr 30, 2020
Messages
5
Reaction score
0
Location
Ohio
Thank you but you have lost me in the last paragraph. All that I'm aware I have is the firewall in the router and the one in my PCs. No complicated network here, just an Arris modem from the cable company and my router, then the wireless devices we use (desktop pc, laptop, 2 cell phones, printer and the cameras).

So, if I'm understanding correctly, I want a VPN server, not a client?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
My last paragraph in other words: port forwarding does what it means: a mobile device can only connect to one single port (eg http service) in your intranet. If that service is not "trusted" (eg hidden backdoors), you are at risk. Opening a VPN tunnel places the mobile device IN your local network, just as the device would connect to your home wifi. And that device can then see ALL your "intranet" devices (eg NAS/media devices/...) unless you have secured these devices (eg with username/password/virtual lan/ ... ).

So, indeed, your netgear needs a VPN server, and your "customers" need to deploy a VPN client to connect to your VPN server.

Hope this helps!
CC
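
What "limit their access to the HTTP port of that NVR" can look like in practice, as an added example that is not part of the thread and not a Netgear menu setting: a script that prints firewall rules confining VPN clients to one camera port. It assumes a Linux-based OpenVPN server where iptables rules can be added from a shell; `tun0`, `10.8.0.0/24`, `192.168.1.50` and port `80` are constructed placeholders.

```shell
#!/bin/sh
# Added example: print (not apply) iptables rules that confine OpenVPN clients
# to a single NVR web port. All values used below are constructed placeholders.

# usage: vpn_lockdown_rules <vpn_if> <vpn_subnet> <nvr_ip> <nvr_port>
vpn_lockdown_rules() {
    vpn_if=$1; vpn_net=$2; nvr_ip=$3; nvr_port=$4

    # Accept only a plain 1-5 digit port number, so a typo or stray character
    # cannot silently turn into a wider or malformed rule.
    case $nvr_port in
        ''|*[!0-9]*|??????*) echo "invalid port: $nvr_port" >&2; return 1 ;;
    esac
    if [ "$nvr_port" -lt 1 ] || [ "$nvr_port" -gt 65535 ]; then
        echo "port out of range: $nvr_port" >&2; return 1
    fi

    cat <<EOF
# Dedicated chain for everything arriving from the VPN tunnel
iptables -N VPN_GUEST
# Only the NVR web interface is reachable for VPN clients
iptables -A VPN_GUEST -s $vpn_net -d $nvr_ip -p tcp --dport $nvr_port -j ACCEPT
# NAS, PCs, printer and every other LAN host: dropped
iptables -A VPN_GUEST -j DROP
# Send tunnel traffic to that chain before any broader FORWARD rule
iptables -I FORWARD 1 -i $vpn_if -j VPN_GUEST
# Let replies from the NVR back out to the tunnel
iptables -I FORWARD 1 -o $vpn_if -s $nvr_ip -p tcp --sport $nvr_port -m conntrack --ctstate ESTABLISHED -j ACCEPT
# Keep VPN clients off the router's own admin page and services
iptables -I INPUT 1 -i $vpn_if -j DROP
EOF
}

# Dry run with constructed addresses: review the output, then pipe it to sh as root.
vpn_lockdown_rules tun0 10.8.0.0/24 192.168.1.50 80
```

If the OpenVPN server configuration enables `client-to-client`, traffic between VPN clients is routed inside OpenVPN and never passes through these rules, so leave that option off for guest logins.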
 

HuskyLover

n3wb
Joined
Apr 30, 2020
Messages
5
Reaction score
0
Location
Ohio
Yes, I understand better now, appreciate that. It's all a bit much for what I need and I don't want the customers having to download things just to see them. I need a way for them to just log on and watch. The cameras are only operational for a few weeks twice a year. Thanks for the help in explaining the vpn though!
 