Safest way to view NVR away from home

Andy M

n3wb
Joined
Aug 6, 2023
Messages
11
Reaction score
3
Location
UK
Hi, I have a Virgin SuperHub 3, Reolink POE Doorbell and NVR2108HS-8P-1.

I have set up the doorbell to record to the NVR via ONVIF.

I will be using the Reolink app for the doorbell functionality and potentially the Dahua app from LAN & WAN.

So my question is: what is the best/most user-friendly way to access these apps remotely whilst minimising security concerns?

I don't want BI or anything that requires constant tweaking. Hence the NVR. I have seen a few ethernet switches with vpn functionality. Is this something I could hook them up to and then ethernet into my router?

Thanks
Andy
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
25,045
Reaction score
48,847
Location
USA
Just to squash a misunderstanding - BI doesn't require constant tweaking. It is just that many tinker with all the settings and possibilities. But one can set it up and be done with it if they choose.

For maximum security you need a system that doesn't require the internet to work and a system that you can VPN back into your system to review remotely. This is not a paid VPN. Or use something like ZeroTier.

But doorbells are the wildcard and most will not work as a true doorbell camera without internet access.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
16,794
Reaction score
39,080
Location
Alabama
> I don't want BI or anything that requires constant tweaking. Hence the NVR.

For the record, BI requires no more initial or periodic "tweaking" for optimization of performance than an NVR does.

Also, your comment "....I have seen a few ethernet switches with vpn functionality" I believe you are referring to a "router" with such features.
 

Andy M

> For the record, BI requires no more initial or periodic "tweaking" for optimization of performance than an NVR does.
>
> Also, your comment "....I have seen a few ethernet switches with vpn functionality" I believe you are referring to a "router" with such features.

Hi, yes, that's correct. My mistake, an ethernet router with VPN.

Is that something that I could use? I don't want to have to put the VM hub into modem mode if I don't have to.
 

Andy M

> Just to squash a misunderstanding - BI doesn't require constant tweaking. It is just that many tinker with all the settings and possibilities. But one can set it up and be done with it if they choose.
>
> For maximum security you need a system that doesn't require the internet to work and a system that you can VPN back into your system to review remotely. This is not a paid VPN. Or use something like ZeroTier.
>
> But doorbells are the wildcard and most will not work as a true doorbell camera without internet access.

I think my thought was around setting it up without making my network vulnerable. I have heard of 2 NICs; that won't work for me as I don't have a computer/server in the mix.

If I am honest, if some twat wants to have a look at my cameras they can knock themselves out. I just don't want to leave myself vulnerable to much more nasty stuff.

Any links or info for me to broaden my understanding as to how to achieve this would be greatly appreciated.
 

Andy M

After a quick look at ZeroTier I realised an additional piece of info that might be relevant: I have a Raspberry Pi 4 running my heating that I may be able to utilise to run ZeroTier as well, maybe?
 

wittaj

> I think my thought was around setting it up without making my network vulnerable. I have heard of 2 NICs; that won't work for me as I don't have a computer/server in the mix.
>
> If I am honest, if some twat wants to have a look at my cameras they can knock themselves out. I just don't want to leave myself vulnerable to much more nasty stuff.
>
> Any links or info for me to broaden my understanding as to how to achieve this would be greatly appreciated.

The two NIC route of the BI computer is not the issue as that is essentially what an NVR is doing - an NVR puts the cameras connected to the POE ports on a different subnet (usually 10.x.x.x.) than the home wifi. The NVR is acting as a sort of firewall of sorts and is taking the place of the dual NIC of a BI computer.

It is the access to the VMS system, whether it is the computer with BI or an NVR or any other VMS system, that you then have to mitigate so that bad actors don't get into your system.

That is where OpenVPN or ZeroTier comes in.

The bad people don't care about your video feed - they want your internet to perform DDoS attacks or get into your system and steal banking info.

NVRs are notorious for being easily compromised. There is essentially no virus or firewall protection on it and many have backdoor vulnerabilities that allow folks to get into your network.
 

Andy M

To be honest, remote access to the NVR is not essential. Just the doorbell.

As for VMS, sorry for my ignorance. What is this?

As for the OpenVPN, my knowledge is limited to the commercial ones. I have ExpressVPN. I was at one point looking to get a router with the VPN installed on it to encrypt all the traffic before it goes onto the Internet.
 

bigredfish

Known around here
Joined
Sep 5, 2016
Messages
17,517
Reaction score
48,749
Location
Floriduh
Actually NVRs are just about as secure as PCs nowadays*. The difference is many folks who don't know any better get an NVR and cameras with zero networking knowledge and port forward them to allow the world in. The problem isn't the NVR, it's the lack of basic network security.

* With the possible exception of security updates. Which, after a period of time and 2X OS's down the road, your PC will fall victim to also.
 

wittaj

The issue is most doorbells need internet access to use SIP to allow the doorbell to function properly like you would expect it to - someone pushes the button and you talk to them over your phone.

VMS is Video Management Software, which is anything from an NVR, to BI to Synology to any type of program that manages surveillance video.

ExpressVPN is a paid VPN to hide your IP address for porno addictions and illegal streaming LOL.

You need a VPN that doesn't hide your IP address and puts you back onto your system. That is the difference. Something like OpenVPN puts you back onto your home LAN so it is like you are sitting on your couch.
 

Andy M

I'll have to do some reading about OpenVPN. I just assumed it was similar to other paid VPNs. As far as I was aware the commercial VPN is encrypting the traffic, thus keeping bank details and the like safe, as well as allowing me to access video streaming.
 

bigredfish

Correct, they do, but that's a different type of VPN; they aren't protecting incoming to your network.
 

wittaj

The difference is that with something like OpenVPN you are the host server.

With a paid VPN, you are putting your faith and confidence in someone else to host the server.

As such they can hide or mask your IP for streaming or what not by having your data appear to originate in another country, but even though it is a VPN tunnel from your network to their network, once it leaves their server to go to your bank, it is no more secure, and probably less secure, than if you just did it directly from your home network.

From your home network all the jumping of servers may be in your home country. When you use a paid VPN that masks your IP address, who knows what country that is originating in and how many different unsecure servers it will go thru to get back to your bank in your home country.

Paid VPN gives a false sense of security because they surely are not establishing a VPN connection directly with your bank...
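
The distinction drawn in the posts above between a self-hosted VPN and a paid one, modelled as two phone routing tables (an added example, not part of any post in the thread; the addresses and route labels are constructed for illustration):

```python
import ipaddress

# Constructed values (assumptions for illustration, not from the thread).
HOME_LAN = "192.168.0.0/24"   # home LAN behind the router
NVR = "192.168.0.50"          # NVR's address on that LAN
BANK = "203.0.113.10"         # documentation-range stand-in for a bank server

# Phone routes with a self-hosted VPN (OpenVPN-style split tunnel):
# only the home LAN is sent into the tunnel, which terminates at home.
SELF_HOSTED = [
    ("0.0.0.0/0", "mobile-data"),
    (HOME_LAN, "tunnel-to-home"),
]

# Phone routes with a commercial VPN: everything goes to the provider.
COMMERCIAL = [
    ("0.0.0.0/0", "tunnel-to-provider"),
]

def next_hop(table, dest):
    """Pick the route with the longest matching prefix, as an IP stack does."""
    addr = ipaddress.ip_address(dest)
    matches = [(ipaddress.ip_network(net), via) for net, via in table
               if addr in ipaddress.ip_network(net)]
    return max(matches, key=lambda m: m[0].prefixlen)[1]

def reaches_home_lan(table, dest):
    """True only if traffic to dest emerges on the home LAN itself."""
    on_lan = ipaddress.ip_address(dest) in ipaddress.ip_network(HOME_LAN)
    return on_lan and next_hop(table, dest) == "tunnel-to-home"

def leg_outside_tunnel(table, dest):
    """Name the part of the path that the VPN tunnel does not cover."""
    via = next_hop(table, dest)
    if via == "tunnel-to-provider":
        return "provider-exit -> " + dest
    if via == "tunnel-to-home":
        return "home LAN hop only"
    return "phone -> " + dest

if __name__ == "__main__":
    for name, table in (("self-hosted", SELF_HOSTED), ("commercial", COMMERCIAL)):
        print(name, "NVR reachable:", reaches_home_lan(table, NVR),
              "| bank leg outside tunnel:", leg_outside_tunnel(table, BANK))
```

With the commercial table the NVR's private address is handed to the provider, which has no route into the home, so nothing is exposed but nothing is reachable either; with the self-hosted table only home-LAN traffic enters the tunnel and bank traffic is left alone.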
 

tigerwillow1

Known around here
Joined
Jul 18, 2016
Messages
3,849
Reaction score
8,520
Location
USA, Oregon
> For the record, BI requires no more initial or periodic "tweaking" for optimization of performance than an NVR does.

If I may disagree, I've done more tweaking of BI in the first 2 weeks than I've done in 6 years with the NVR, and I'm not finished. CPAI is responsible for maybe half of it. BI repeatably enabling motion detection on all the cameras took a lot of time to figure out and work around. With BI you have to figure out storage locations and sizes, a 100% non-issue with the NVR. Just 2 examples out of a lot more. BI is way more flexible and configurable, which leads to complexity and more opportunities to mess it up. After all that dumping on BI, I'm likely going to switch over to it because it's so.....ooo darn faster and easier to browse through the triggers. I agree that it should be easy once it's set up, but that setup is taking an awful long time with my 16 camera system.
 

wittaj

> If I may disagree, I've done more tweaking of BI in the first 2 weeks than I've done in 6 years with the NVR, and I'm not finished. CPAI is responsible for maybe half of it. BI repeatably enabling motion detection on all the cameras took a lot of time to figure out and work around. With BI you have to figure out storage locations and sizes, a 100% non-issue with the NVR. Just 2 examples out of a lot more. BI is way more flexible and configurable, which leads to complexity and more opportunities to mess it up. After all that dumping on BI, I'm likely going to switch over to it because it's so.....ooo darn faster and easier to browse through the triggers. I agree that it should be easy once it's set up, but that setup is taking an awful long time with my 16 camera system.

You are also dealing with the advanced AI that isn't available on your NVR.

If you simply used the AI in the camera to do the triggering, you would be done and not messing with it.

Now I totally understand why you are messing with the AI so that you can do advanced capturing that the NVR lacks.

But once you get that figured out, you can let it be until BI adds another cool feature LOL.

My old NVR finally died (I was running it as redundancy), so instead of replacing it, my trusty BI computer that hasn't been touched or updated since May 2022 because it flat out works in my situation became my redundant and I picked up a computer on ebay and installed the latest version of BI and rebuilt/added the cameras from scratch and switching to CPAI and it took a few days of messing with that to get the triggers and ANPR to my satisfaction. The only time I have to touch it now is if/when I update it, which I will be more likely to consider now that I have another version running as my backup in the event something goes wonky.

And I am glad to see a long-time supporter/advocate of NVRs seeing the power of BI and making the switch ;)
 

TonyR

> If I may disagree, I've done more tweaking of BI in the first 2 weeks than I've done in 6 years with the NVR, and I'm not finished.

Sure you can and it's likely because I use no AI, no CodeProject and no Deepstack. I use the old-school built-in MD algorithms and tweak them a bit then leave'em be. Works for me. :cool:
 