Problems with Remote viewing of security cameras without firewall hole punching

[Onlooker777]

Hello - I'm a new member of the forum and would like to air some frustrations regarding remote mobile viewing of security cameras.

In general, with many people, I dislike the idea of viewing my security camera live video feed using port forwarding, indeed any method which requires hole punching within my LAN firewall. I thought I had the solution using NordVPN where Meshnet was available. Simply using NordVPN and Meshnet on host (iMac) and remote iPhone, one could it was stated simply log into my LAN remotely over the VPN, enter the host computer name and security camera port and, hey presto, video footage available without any port forwarding. It turns out however that my security camera (Reolink) uses Adobe FLV which has been discontinued since 2020. No web browsers (Google, Firefox, etc) support decoding through FLV and so whilst the Reolink site can be entered, no video footage is available (Onion browser apparently still supports FLV, however it insists on loading its own VPN - so no go).

I note on many discussion forums dealing with secure live video viewing the statement made is "do not allow p2p, UID, port forwarding, etc as they are not secure due to firewall hole punching. Must use VPN for excellent security. However, from my own example above, this does not seem to be possible. Can anyone therefore advise how to implement secure live video viewing through a VPN. Many thanks.

 

[SpacemanSpiff]

Sounds like your biggest frustration is with the deprecation of adobe FLV, which is certainly understandable. Any chance you've seen these yet?

How to Secure Your Network (Don't Get Hacked!)

Many camera networks are unsecure, even those installed by professionals. This guide gives basic instruction in how to secure a camera network from the most common types of attacks. Perhaps the most important rule of securing a computer network is to not forward ports to unsecure services...

ipcamtalk.com

VPN Primer for Noobs

The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or Cameras, doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers dont want your video...

ipcamtalk.com

 

[Onlooker777]

Hi SpacemanSpiff - many thanks for your help. Will be reading recommended texts and attempting to learn more. I have a PhD in applied physics and so technically aware, but am definitely a NOOBie when it comes to the current topic

 

[Onlooker777]

One thing I still find puzzling. The recommendation is to avoid port forwarding and set up a VPN on your LAN router. Now I know all access to one's LAN must go through the router. Ordinarily external applications are, or are not, allowed to enter the LAN through permission granted by your LAN firewall. So how does the VPN interact with the firewall? (if not through port forwarding). In my earlier question I had NordVPN (admittedly on iMac and iPhone separately) and was attempting to use Meshnet for remote access by external iPhone to internal (on LAN) surveillance camera. This was intended to allow external access to my LAN without port forwarding (which I will not use). This system did not work for reasons stated earlier. NordVPN/Reolink could not suggest any other way I could access my surveillance camera other than by port forwarding (although I could still access my LAN, just not the surveillance camera). It appears however that I am advised that external access may be achieved if I install NordVPN on my router (which NordVPN allow). If none of the available browsers support Adobe FLV I still wont be able to view the camera video. There does not seem to be any surveillance cameras wich use an available alternative to FLV, so I'm still back to port forwarding. Am I missing something here?

I have no particular reason to use NordVPN, which is quite expensive and OpenVPN looks like a free alternative, which can be installed on a router. On the downside a VPN installed on my router will not provide secure cellular mobile phone access to internet searches, etc. What are the recommendations regarding security when using mobile phones in general (VPN?).

 

[SpacemanSpiff]

Now I know all access to one's LAN must go through the router. Ordinarily external applications are, or are not, allowed to enter the LAN through permission granted by your LAN firewall. So how does the VPN interact with the firewall? (if not through port forwarding).

Port forwarding does not discern whom is coming through the open port... it is open for anyone that finds it. VPN only allows in those with an invitation, AND who are also on the guest list to enter

 

[wittaj]

One thing I still find puzzling. The recommendation is to avoid port forwarding and set up a VPN on your LAN router. Now I know all access to one's LAN must go through the router. Ordinarily external applications are, or are not, allowed to enter the LAN through permission granted by your LAN firewall. So how does the VPN interact with the firewall? (if not through port forwarding). In my earlier question I had NordVPN (admittedly on iMac and iPhone separately) and was attempting to use Meshnet for remote access by external iPhone to internal (on LAN) surveillance camera. This was intended to allow external access to my LAN without port forwarding (which I will not use). This system did not work for reasons stated earlier. NordVPN/Reolink could not suggest any other way I could access my surveillance camera other than by port forwarding (although I could still access my LAN, just not the surveillance camera). It appears however that I am advised that external access may be achieved if I install NordVPN on my router (which NordVPN allow). If none of the available browsers support Adobe FLV I still wont be able to view the camera video. There does not seem to be any surveillance cameras wich use an available alternative to FLV, so I'm still back to port forwarding. Am I missing something here?

I have no particular reason to use NordVPN, which is quite expensive and OpenVPN looks like a free alternative, which can be installed on a router. On the downside a VPN installed on my router will not provide secure cellular mobile phone access to internet searches, etc. What are the recommendations regarding security when using mobile phones in general (VPN?).

The simple answer is NordVPN is used to HIDE your IP address for illegal streaming and porno LOL.

Hiding your IP address then makes you not able to see your cameras without punching holes thru the router with port forward.

OpenVPN puts you back into your own system. So once you VPN back in, you are using your LAN IP addresses. This is the type of VPN application that banks and companies have for their employees to work remotely and access the internal network.

Can it be hacked. Yes anything touching the internet can be hacked, but short of no internet access, VPN is proving to be the most secure and certainly way more secure than port forwarding.

You only think using something like NordVPN is providing you with secure mobile phone access to internet searches. The reality is all of your internet browsing is going thru unknown servers to get from your home to whatever webpage you are looking at. So any banking you are doing is now going thru who knows what servers and isn't secure. No reason to use a paid VPN unless it is for illegal stuff to mask/hide your IP.

 

[concord]

Your router may have an option to use openVPN, otherwise you would need a local system to act are your openVPN or Wireguard server and you would open a port to allow traffic thru on your router.

Other options that don't require opening a port are TailScale, ZeroTier, TwinGate, no cost for personal/low # connections.

 

[concord]

I believe MeshNet is a free addon to NordVPN to do similar, like TwinGate, TailScale, etc,

Connect to your remote devices securely with Meshnet. It’s free.

Connect to remote devices on the go, manage access to your private network with a click, or simply grab a file from miles away with Meshnet. It’s free and incredibly easy to get started.

nordvpn.com

 

[tigerwillow1]

So how does the VPN interact with the firewall? (if not through port forwarding).

Open VPN uses port forwarding.

 

[Onlooker777]

Port forwarding does not discern whom is coming through the open port... it is open for anyone that finds it. VPN only allows in those with an invitation, AND who are also on the guest list to enter

That's interesting - so how does the VPN present an invitation. What apects of my internet presence is used to uniquely identify me?

 

[Onlooker777]

Open VPN uses port forwarding.

View attachment 170685

But everyone here has stipulated that one definitely should not use port forwarding?

 

[wittaj]

That's interesting - so how does the VPN present an invitation. What apects of my internet presence is used to uniquely identify me?

OpenVPN creates a certificate and along with a username and password, if whatever is knocking at the firewall door doesn't have those credentials, it isn't let in.

 

[Onlooker777]

The simple answer is NordVPN is used to HIDE your IP address for illegal streaming and porno LOL.

Hiding your IP address then makes you not able to see your cameras without punching holes thru the router with port forward.

OpenVPN puts you back into your own system. So once you VPN back in, you are using your LAN IP addresses. This is the type of VPN application that banks and companies have for their employees to work remotely and access the internal network.

Can it be hacked. Yes anything touching the internet can be hacked, but short of no internet access, VPN is proving to be the most secure and certainly way more secure than port forwarding.

You only think using something like NordVPN is providing you with secure mobile phone access to internet searches. The reality is all of your internet browsing is going thru unknown servers to get from your home to whatever webpage you are looking at. So any banking you are doing is now going thru who knows what servers and isn't secure. No reason to use a paid VPN unless it is for illegal stuff to mask/hide your IP.

I cetrainly agree that use of a VPN does not protect you from what happens when you reach your desired internet destination. I guess thats why anti-virus is needed along with VPN. Surely in the present context the use of VPN is to protect unwanted interception of your message/data "during transit" between you and your selected destination.

 

[Onlooker777]

That's interesting - so how does the VPN present an invitation. What apects of my internet presence is used to uniquely identify me?

I guess the answer to my own question is: my defined user name and password to log in to the VPN?

 

[wittaj]

But everyone here has stipulated that one definitely should not use port forwarding?

Look at the firewall - there are lots of ports open. It is the device being used for port forwarding that is the problem.

Here are a few common ports assigned by the Internet Assigned Numbers Authority standards organization:

20 = File Transfer Protocol (FTP)
21 = File Transfer Protocol (FTP)
22 = Secure Shell (SSH)
25 = Simple Mail Transfer Protocol (SMTP)
53 = Domain Name System (DNS)
80 = Hypertext Transfer Protocol (HTTP)
110 = Post Office Protocol v3 (POP3)
143 = Internet Message Access Port (IMAP)
443 = Hypertext Transfer Protocol over TLS/SSL (HTTPS)

For instance, an email you send leaves your modem on port 110, bounces across multiple hops as it darts through the internet, and arrives at its destination. It then goes through that network’s router and is directed through port 110 before being officially received by the email client.

The difference is these ports are open going to a computer that should have up-to-date virus and security protection on it to minimize the risk. But there is still a risk for anything connected to the internet.

Now contrast that to a camera or NVR that isn't running virus protection and is rarely updated to fix security vulnerabilities.

By port-forwarding to your camera or NVR, you have essentially opened up the front door allowing anyone that knows how to exploit that device to get in without being checked at the router. Once they access that device, they can deploy BOT attacks or look at any activity you are doing on the web.

Ironically, but security cameras are not very secure from an internet perspective. NVRs and cameras are not updated to that same frequency (or at all), so you have a device sitting on your network that is completely exposed by allowing port forwarding to get into it with basically zero to minimal virus or hacking protection measures in it. At that point, the router simply opens the door and lets it in and none of the firewall or other protections in the router is used.

 

[concord]

I guess the answer to my own question is: my defined user name and password to log in to the VPN?

On your openVPN "server", you generate a certificate for your iPhone. This cert should be transferred to your iPhone and added to your OpenVPN Connect app. If someone tries to access your openVPN server and doesn't have a cert that is not in it's list, it will not allow access.

 

[SpacemanSpiff]

That's interesting - so how does the VPN present an invitation. What apects of my internet presence is used to uniquely identify me?

VPN server holds the 'guest list' which is populated as you create VPN profiles. During the set-up process, a certificate/key is created which is copied to the VPN client on the remote device (invitation).

 

[Onlooker777]

The simple answer is NordVPN is used to HIDE your IP address for illegal streaming and porno LOL.

Hiding your IP address then makes you not able to see your cameras without punching holes thru the router with port forward.

OpenVPN puts you back into your own system. So once you VPN back in, you are using your LAN IP addresses. This is the type of VPN application that banks and companies have for their employees to work remotely and access the internal network.

Can it be hacked. Yes anything touching the internet can be hacked, but short of no internet access, VPN is proving to be the most secure and certainly way more secure than port forwarding.

You only think using something like NordVPN is providing you with secure mobile phone access to internet searches. The reality is all of your internet browsing is going thru unknown servers to get from your home to whatever webpage you are looking at. So any banking you are doing is now going thru who knows what servers and isn't secure. No reason to use a paid VPN unless it is for illegal stuff to mask/hide your IP.

Hello again,
Just one more thing to check before I commit to new modem/router hardware for OpenVPN. You say NordVPN hiding IP address means camera video can’t be shown. But I could log in to the camera site using its IPaddress, where sites user name and password could be entered. However where video should be shown it was shown as paused. Do you still believe OpenVPN on router should solve problem?

 

[looney2ns]

Hundreds of users here use OpenVPN on their router, without issues'.
See more info here: Business VPN For Secure Networking | OpenVPN