Site to Site VPN access issues

Didact74 (Young grasshopper, joined Jan 1, 2017)
I have a Unifi UXG-Pro on one end and a Unifi USG-Pro on the other. No double NATs just the Unifi routers.
The tunnel works fine both ways; I can access/ping all equipment from both sides as well as the Dahua NVRs. Everything works as expected. However, I cannot ping/access the GUI for the cameras from across the tunnel. I can ping/access them from within the same LAN, but not across the tunnel. I am ruling out the VPN setup as everything else works fine; it's just the Dahua cameras that are the issue. It's strange that I can access the NVR GUIs across the tunnel, but not the cameras. Is there a setting in the camera GUI that I am missing to allow VPN access? Any help would be appreciated.

Thanks,
 

Mike A. (Known around here, joined May 6, 2017)
I don't use Unifi routers, but generally the way that VPN works is that the traffic will be considered external to your local network by the firewall. The router takes the separate IP of the VPN and maps that to an internal IP. But from the perspective of the firewall, which sits ahead of the VPN, the traffic remains external. So if you have the cams blocked from external traffic but the NVR not blocked, then that would explain it.
 

Didact74 (Young grasshopper, joined Jan 1, 2017)
For giggles, I forwarded a port directly to the IP of one of the cameras, and still no luck. I haven't "blocked" anything, so not sure where the interruption is residing.
 

Mike A. (Known around here, joined May 6, 2017)
There's no setting in the cam that I can think of that would affect it. It sees the VPN traffic as local so if it works locally, then the problem's likely not there. Are the cams on some separate VLAN or anything like that? You don't restrict cams on your network in some way?
 

fenderman (Staff member, joined Mar 9, 2014)
> Lots of people seem to mindlessly repeat this mantra.
>
> How do you provide a website (or any other internet service) without port forwarding?

There is always a schmuck like you who takes everything literally and then feels the need to attack others just because. The context of his advice is important. You knew that. Don't be an asshole. The OP would have to be a fool to port forward his Dahua NVR. There are 10 different secure ways to remotely access a Dahua NVR without port forwarding.
 

wittaj (IPCT Contributor, joined Apr 28, 2019, USA)
> Lots of people seem to mindlessly repeat this mantra.
>
> How do you provide a website (or any other internet service) without port forwarding?

The difference is that those devices are, in theory, constantly being updated with the latest antivirus, vulnerability fixes, etc.

Ironically, security cameras are not very secure from an internet perspective. NVRs and cameras are not updated at that same frequency (or at all), so you have a device sitting on your network that is completely exposed by allowing port forwarding to get into it, with basically zero to minimal virus or hacking protection measures in it. At that point, the router simply opens the door and lets it in, and none of the firewall or other protections in the router are used.
 

CCTVCam (Known around here, joined Sep 25, 2017)
Port forward and your device announces itself to every internet search engine in the world and is especially visible in the ones hackers use. It tells them what device it is, exactly where it is located down to your street address (from the WAN IP info of your router), which also then gives them the info they need to hack it, which in many cases is simple for anyone with programming experience. From there it can be used as a bot to attack other PCs/organisations, to gather blackmailing evidence against you and your family (e.g. family pics), to surveil your home so they know when you are out if, e.g., they want to burgle, to attack your wider network and other PCs to gain financial info, or, simply if kiddies, they may choose instead to brick your equipment by uploading the wrong/damaged/altered firmware.

You secure by your router's VPN - read the wiki.
 

danletkeman (Getting the hang of it, joined Apr 5, 2023, Canada)
> I have a Unifi UXG-Pro on one end and a Unifi USG-Pro on the other. No double NATs, just the Unifi routers.
> The tunnel works fine both ways; I can access/ping all equipment from both sides as well as the Dahua NVRs. Everything works as expected. However, I cannot ping/access the GUI for the cameras from across the tunnel. I can ping/access them from within the same LAN, but not across the tunnel. I am ruling out the VPN setup as everything else works fine; it's just the Dahua cameras that are the issue. It's strange that I can access the NVR GUIs across the tunnel, but not the cameras. Is there a setting in the camera GUI that I am missing to allow VPN access? Any help would be appreciated.
>
> Thanks,

Do you have a static IP set on the camera? If so, have you set the gateway to your router IP?
 

CCTVCam (Known around here, joined Sep 25, 2017)
> Accuracy of IP address to street address varies. Wildly?
>
> In my previous house it normally reported a physical location about 30 miles away. Sometimes it would flip to a different city 200 miles away. For my current house the reported location is now almost 300 miles away.
>
> On a recent cruise ship the address was many thousands of miles away....
>
> It appears to report the business address of the ISP being used? YMMV?
>
> It would be interesting to see what typical accuracy is for most people.

Try using OSINT tools and then see what results you get. Ultimately, I'm not going to argue. People on here have been hacked. Port forwarding is a fool's errand. Always use a VPN.
 

Didact74 (Young grasshopper, joined Jan 1, 2017)
Thanks for everyone's input. It turns out that when I originally set up the cameras at that location, I set the gateway out of range so they could not reach the internet. I fixed that and now everything is fine. It was my error.

I know not to use port forwarding for access, I was simply trying anything I could to figure out what the issue was at the time. I keep an "always on" site to site VPN server going for access to these networks.

I set up a new traffic rule to reject any attempts at WAN in or out for the camera VLAN. All good now.

Thanks,
 
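The fix above (a camera whose configured gateway was outside its own subnet) explains the original symptom exactly: a host can answer peers on its own LAN by ARP without ever consulting the gateway, but a reply to an address on the far side of the site-to-site tunnel needs an on-link next hop, and an off-subnet gateway is never usable. The following is an added example, not the original poster's configuration or any Unifi/Dahua code: a small Python audit that flags that misconfiguration across an inventory before it turns into a "works locally, dead across the VPN" ticket. All addresses (the 192.168.20.0/24 camera VLAN, the 192.168.99.1 bad gateway, the 10.10.0.25 remote host) are constructed for the example.

```python
import ipaddress
from typing import Dict, List


def check_static_config(ip: str, prefix_len: int, gateway: str) -> List[str]:
    """Return the problems found in a static IPv4 host configuration.

    An empty list means the host can reach on-link peers *and* has a usable
    next hop for everything else (the far side of a VPN tunnel included).
    """
    problems: List[str] = []
    iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
    net = iface.network
    gw = ipaddress.ip_address(gateway)
    if gw not in net:
        problems.append(
            f"gateway {gw} is not inside {net}: replies to any off-subnet address "
            f"(e.g. the other end of a site-to-site tunnel) have no next hop"
        )
    elif gw == iface.ip:
        problems.append(f"gateway {gw} is the host's own address")
    elif net.prefixlen < 31 and gw in (net.network_address, net.broadcast_address):
        problems.append(f"gateway {gw} is the network or broadcast address of {net}")
    return problems


def can_reply_to(ip: str, prefix_len: int, gateway: str, remote: str) -> bool:
    """Whether a host with this configuration can route a reply to `remote`.

    On-link destinations are resolved with ARP and never touch the gateway,
    which is why the cameras answered fine from inside the LAN. Anything
    else needs a gateway that is itself on-link.
    """
    iface = ipaddress.ip_interface(f"{ip}/{prefix_len}")
    if ipaddress.ip_address(remote) in iface.network:
        return True
    return not check_static_config(ip, prefix_len, gateway)


def audit(devices: Dict[str, Dict[str, object]], remote_peer: str) -> Dict[str, List[str]]:
    """Run both checks over a device inventory; returns device name -> problems."""
    report: Dict[str, List[str]] = {}
    for name, cfg in devices.items():
        probs = check_static_config(cfg["ip"], cfg["prefix"], cfg["gateway"])
        if not can_reply_to(cfg["ip"], cfg["prefix"], cfg["gateway"], remote_peer):
            probs.append(f"cannot answer {remote_peer} (reachable from the local LAN only)")
        report[name] = probs
    return report


# Constructed inventory with assumed addresses (not the poster's network).
# cam-1 reproduces the thread's symptom: its gateway lies outside the camera subnet.
DEVICES = {
    "nvr":   {"ip": "192.168.20.10", "prefix": 24, "gateway": "192.168.20.1"},
    "cam-1": {"ip": "192.168.20.50", "prefix": 24, "gateway": "192.168.99.1"},
    "cam-2": {"ip": "192.168.20.51", "prefix": 24, "gateway": "192.168.20.1"},
}
REMOTE_SITE_HOST = "10.10.0.25"  # assumed: a workstation behind the other site's router

if __name__ == "__main__":
    for name, probs in audit(DEVICES, REMOTE_SITE_HOST).items():
        print(name, "OK" if not probs else "; ".join(probs))
```

Note that this is only the routing half of the story: once the camera can route replies, the VLAN firewall rule the poster added (reject WAN in/out for the camera VLAN while the tunnel subnets stay permitted) is what keeps the cameras off the internet without blocking the site-to-site traffic.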

CCTVCam (Known around here, joined Sep 25, 2017)
> I did not mean to argue. I am here to learn. I am simply stating facts as they apply to my small world and my limited experience.
>
> I am always interested in understanding how a specific situation may be different for others.
>
> I cannot think of any mechanism that will reliably convert an IP address into a street address. To get my physical service address (as opposed to the billing address) you would need to be able to access the current operational system of my ISP. A static IP means an attacker would only have to gain access once, while a dynamic IP address would require real-time access to the ISP's service database.
>
> Living in a rural area adds the challenge of actually locating the address. Google Maps has no idea where my current address is. Every time Amazon switches delivery drivers we get delays until the driver phones us for delivery directions. In my prior world Google was only a few houses off and I was continually amazed at the taxi drivers and delivery people who could not seem to read house numbers.
>
> I agree that VPNs are a good idea.

I couldn't find the one I wanted. In that one the black hat hacker demonstrates various break-ins to systems using CCTV and also a yacht's navigation system which, because it has GPS, allows you to pinpoint its location. You can say your router doesn't have GPS, which is true. But then again, your IP can put you pretty close when broken down to its street level, and if someone gains access to your wider network through a CCTV camera or similar, anything connected that has GPS could be hacked/interrogated to provide the location, e.g. a mobile phone connected wirelessly to your network. Alternatively, just getting access to your PC will reveal letters you've written and thus your street address. Don't make the mistake of thinking access to your cameras is just access to your cameras. Once they have root and full control they have a gateway to your network unless you have it secured by a physical disconnection.

Here are a few just for cameras though:

 

fenderman (Staff member, joined Mar 9, 2014)
> I like to calmly think things through and understand them as opposed to getting concerned by "wild" speculation.
>
> As already indicated, my IP address information provides street-level info on the ISP being used, not me. My cell phone currently puts me 250 miles west of my location and the local wifi puts me over 400 miles north of my location. These are street-level addresses, but in the wrong place. One of my clients utilizes several VPN services that report your location, and they place me 60 or 100 miles away, or in a different country...
>
> I cannot believe I am unique and assume that IP address to "my street address" is not possible. This means I currently ignore any hand waving about "them" finding my house from my IP.
>
> I could be wrong? So I am interested in how accurate other people's experience is.

You keep harping on this minor issue, but that's not really the danger of port forwarding. The danger of port forwarding is direct access to your network. These NVRs and cameras are extremely easy to manipulate... It's been proven time and time again... Once they have a device running on your network it's all downhill from there.

However, if you want to go down that route, access to your outdoor cameras can provide me with detail to find you relatively quickly. For example, I can run your license plate. Or if I am familiar with your town I can identify the street. Some cameras capture street signs.
As a side note, my IP address places me within a few miles of my actual location. This is the same for my home and office. The ISPs break it down by town generally; there are of course exceptions.
 

looney2ns (IPCT Contributor, joined Sep 25, 2016, Evansville, In. USA)
> I like to calmly think things through and understand them as opposed to getting concerned by "wild" speculation.
>
> As already indicated, my IP address information provides street-level info on the ISP being used, not me. My cell phone currently puts me 250 miles west of my location and the local wifi puts me over 400 miles north of my location. These are street-level addresses, but in the wrong place. One of my clients utilizes several VPN services that report your location, and they place me 60 or 100 miles away, or in a different country...
>
> I cannot believe I am unique and assume that IP address to "my street address" is not possible. This means I currently ignore any hand waving about "them" finding my house from my IP.
>
> I could be wrong? So I am interested in how accurate other people's experience is.

Did you not read the link that I posted about the Hikvision hackathon?
 

Mike A. (Known around here, joined May 6, 2017)
From my observations, random high ports get scanned at nearly the same rate as well-known ports. Other than 23, which always gets a ton for obvious reasons. Then comes whatever common wide exploit is running at the time. But beyond that it's pretty much randomness and it's constant, every second, 24x7. Take a look at your logs sometime and you'll likely see the same. It's interesting if you have a good way to watch it. You can see groups of bots working together to probe things.
 
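The observation above ("take a look at your logs") is easy to turn into a check. What follows is an added example, not code from the poster or from any router vendor: a Python script that parses kernel/iptables-style drop lines (the format many routers, Unifi included, write to syslog), groups them by source address and flags any source that touched a threshold number of distinct destination ports within a short window. That is the signature of a port sweep as opposed to a brute-forcer hammering one service. The log lines are constructed for the example and use RFC 5737 documentation addresses; the rule prefix `[WAN_IN-D]`, the hostname `gw` and the thresholds are assumptions you would adapt to your own log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Constructed sample in the iptables LOG style (not captured traffic).
# 203.0.113.7 sweeps seven ports in four seconds; 198.51.100.77 hits only
# port 23 three times; 192.0.2.9 touches two ports seventeen minutes later.
SAMPLE_LOG = """\
Jun  3 02:14:01 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44120 DPT=23
Jun  3 02:14:01 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44121 DPT=80
Jun  3 02:14:02 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44122 DPT=8080
Jun  3 02:14:02 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44123 DPT=37777
Jun  3 02:14:03 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44124 DPT=554
Jun  3 02:14:03 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44125 DPT=49152
Jun  3 02:14:04 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=203.0.113.7 DST=198.51.100.20 PROTO=TCP SPT=44126 DPT=51230
Jun  3 02:14:05 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=50001 DPT=23
Jun  3 02:14:09 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=50002 DPT=23
Jun  3 02:14:15 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.20 PROTO=TCP SPT=50003 DPT=23
Jun  3 02:30:00 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.20 PROTO=UDP SPT=5353 DPT=5353
Jun  3 02:31:00 gw kernel: [WAN_IN-D] IN=eth0 OUT= SRC=192.0.2.9 DST=198.51.100.20 PROTO=TCP SPT=4000 DPT=443
"""

LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+)(?: SPT=\d+)? DPT=(?P<dpt>\d+)"
)


def parse_line(line: str) -> Optional[dict]:
    """Extract timestamp, source, destination, protocol and destination port; None if not a drop line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Syslog stamps carry no year; strptime defaults to 1900, which is fine for relative windows.
    ts = datetime.strptime(" ".join(m["ts"].split()), "%b %d %H:%M:%S")
    return {"ts": ts, "src": m["src"], "dst": m["dst"], "proto": m["proto"], "dpt": int(m["dpt"])}


def find_scanners(lines, min_ports: int = 6, window: timedelta = timedelta(minutes=5)) -> Dict[str, List[int]]:
    """Flag sources that probed at least `min_ports` distinct ports inside any `window`.

    Repeated hits on a single port (credential stuffing on telnet, say) are
    deliberately not flagged here; that wants a separate per-port rate rule.
    Returns src -> sorted ports seen in that source's densest window.
    """
    by_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            by_src[ev["src"]].append((ev["ts"], ev["dpt"]))
    flagged: Dict[str, List[int]] = {}
    for src, events in by_src.items():
        events.sort()
        best: set = set()
        for i, (t0, _) in enumerate(events):
            ports = {p for t, p in events[i:] if t - t0 <= window}
            if len(ports) > len(best):
                best = ports
        if len(best) >= min_ports:
            flagged[src] = sorted(best)
    return flagged


if __name__ == "__main__":
    for src, ports in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{src}: {len(ports)} distinct ports in one window, e.g. {ports[:8]}")
```

The window/threshold pair is the tuning knob: a low threshold over a long window catches slow scanners but also trips on legitimate clients that retry several services, so start strict and widen once you have seen what your own WAN log looks like at a quiet hour.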

fenderman (Staff member, joined Mar 9, 2014)
> It would be interesting to understand the science here.
>
> How many ports are there? How long does it take to probe a port? I believe there are 65535 available ports?
>
> A port with a running service behind it should accept TCP connection requests in under a few seconds. Slug-like systems may take up to 10 seconds to respond. Let's use 2 seconds as a compromise.
>
> That is 2178ish minutes to sequentially scan all ports (about 36 1/3 hours).
>
> BUT. Very few ports have a running service behind them. So the bot needs to wait until the TCP connection request fails (2 minutes seems to be a popular default connection timeout?).
>
> That bumps us up to 2178 hours (just over 91 days) to perform a sequential scan of all ports.
>
> Using a massive bot farm will allow that time period to be shortened down, but not a lot, as any massively concurrent attack will either overwhelm our piddly router (and hence give false failures) or invoke DOS defenses.
>
> It would be interesting to understand just how often "not well known" ports are probed.
>
> I believe that well-known ports on well-known IP addresses are probed every few seconds.

This is laughable. While some only scan known ports, many scan all ports. A full port scan can be accomplished in 20 minutes or less. No system, unless it's intentionally set to, will take 2 seconds to respond to a probe. It is measured in milliseconds.
For example, Gibson can scan over 1000 ports in less than a minute and they are limited in resources. ShieldsUP!!
Nmap can scan all ports in 20 minutes or less (add a bit for internet latency).
You literally pulled 91 days out of your ass to perpetuate using unsafe port forwarding. Even with a limited setup anyone can scan all your ports in an hour. Likely much faster.

Here is a Shodan scan of Dahua NVRs on the net. While most are using default ports, thousands of units using high port numbers are easily visible and accessible to any hacker.
 

fenderman (Staff member, joined Mar 9, 2014)
> Yes, please check my math. Why is 91 days wrong? (65535 * 2 minute connection timeout). I do not understand how 1 system can be completely scanned in 1 hour? Please explain how this could be done.
>
> I base this on the scanned system never responding to attempts to access blocked ports. This means the scanner never gets a connection request response and hence must wait for an arbitrary timeout to declare the port not open. Arbitrary timeout in my world is 2 minutes.
>
> Try this link in your favorite browser ....
>
> Ability to scan is not the same as ability to be scanned. My math is based upon the ability of a system to be scanned. I believe there are lots of high-performance scanning systems that can scan a very very few ports on many many different systems at a very high rate.
>
> That does not mean they can completely scan a single system in a short period of time (9 women cannot have a baby in 1 month).
>
> I would be interested in seeing reports detailing scans of non-standard ports (i.e. not normal HTTP protocol ports).
>
> I am simply observing that every public website in the world (plus lots of other systems) uses port forwarding. It is common. And accepted. Don't do it to insecure servers.

Because the bots don't wait two minutes for it to time out. Do NVRs and PCs wait 2 minutes to respond? As soon as there is no immediate response the bot moves on. Are you stupid or just playing a dumbass on the forum? The scanner doesn't HAVE to wait for anything. What is wrong with you? Surely you are trolling.
I explained how it could be done. Have you actually visited the Gibson website? Have you installed nmap?
You are completely clueless.

You don't understand the security involved in public websites. You are a fool. These NVRs are not secure, not updated, and some have deliberate backdoors. The makers do not patch vulnerabilities even after they are made aware of them.
20 min is probably a huge overestimation. I'll run some tests. Likely much quicker.
 
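The disagreement in the last two posts comes down to what a probe against a port that has no listener actually costs the scanner. A closed port answers a SYN with a RST within a round trip, so the scanner learns "closed" in milliseconds and never consumes a timeout; only a port whose packets are silently dropped makes the scanner wait, and even then the scanner picks its own timeout (fractions of a second, not the 2-minute figure quoted) and runs hundreds of probes in parallel. The following is an added example, not the posters' own test and not nmap or ShieldsUP!! code: a Python connect-scan that is run here only against 127.0.0.1 (it opens one listener, then sweeps ~1000 neighbouring ports), plus an `estimate_scan_seconds` function that reproduces the quoted 91-day figure under its own assumptions (sequential, every probe waits the full 120 s) and shows what the same sweep costs once those assumptions are dropped. Port ranges, timeouts and worker counts are assumed values; scan only systems you own.

```python
import socket
import time
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable


def probe(host: str, port: int, timeout: float = 0.5) -> str:
    """One TCP connect probe.

    'open'        -> three-way handshake completed
    'closed'      -> RST came straight back (ECONNREFUSED); no timeout consumed
    'no-response' -> nothing within `timeout` (dropped/filtered/unreachable)
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except ConnectionRefusedError:
            return "closed"
        except OSError:  # socket.timeout, ENETUNREACH, ... are all OSError subclasses
            return "no-response"


def scan(host: str, ports: Iterable[int], timeout: float = 0.5, workers: int = 200):
    """Connect-scan `ports` with `workers` concurrent probes; returns (results, seconds)."""
    ports = list(ports)
    start = time.monotonic()
    with ThreadPoolExecutor(max_workers=workers) as ex:
        results = dict(zip(ports, ex.map(lambda p: probe(host, p, timeout), ports)))
    return results, time.monotonic() - start


def estimate_scan_seconds(n_ports: int, worst_case_per_probe: float, concurrency: int) -> float:
    """Upper bound on wall-clock time: every probe burns its full timeout and
    `concurrency` probes run side by side.
    (65535, 120, 1) is the thread's 91-day figure; (65535, 0.5, 1000) is about 33 s."""
    return n_ports * worst_case_per_probe / concurrency


def demo_localhost(n_ports: int = 1024) -> Dict[str, object]:
    """Open one listener on 127.0.0.1, then scan it plus `n_ports` neighbouring ports.

    Closed loopback ports are refused immediately, so the sweep finishes in
    well under a second per thousand ports even with a 0.5 s timeout configured.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as listener:
        listener.bind(("127.0.0.1", 0))  # kernel picks a free ephemeral port
        listener.listen(5)
        lport = listener.getsockname()[1]
        lo = max(1, lport - n_ports // 2)
        ports = sorted(set(range(lo, lo + n_ports)) | {lport})
        results, elapsed = scan("127.0.0.1", ports)
    counts: Dict[str, int] = {}
    for state in results.values():
        counts[state] = counts.get(state, 0) + 1
    return {
        "listener_port": lport,
        "open": [p for p, st in results.items() if st == "open"],
        "counts": counts,
        "elapsed": elapsed,
        "probed": len(ports),
    }


if __name__ == "__main__":
    r = demo_localhost()
    print(f"probed {r['probed']} ports in {r['elapsed']:.2f}s; open={r['open']} counts={r['counts']}")
    print("sequential, 120 s timeout per port:", estimate_scan_seconds(65535, 120, 1) / 86400, "days")
    print("1000 parallel, 0.5 s timeout per port:", estimate_scan_seconds(65535, 0.5, 1000), "seconds")
```

Two caveats a practitioner will want: over the internet the closed-port case is still bounded by one round trip (tens of milliseconds), and a router that drops rather than rejects only converts "closed" into "no-response" at the scanner's chosen timeout, which is why the worst case scales with `timeout / concurrency` and not with 65535 × 120 s. Keep the timeout short when you run this against your own WAN address, and expect your firewall's rate limiting to show up as "no-response" as well.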