Stuck trying to select cameras for someone else

kolt_

To start off, I have a similar setup to what most people have on here (BI, Andy cams etc.) and it's a good and secure setup. My friends and family know it's good, maybe better than a lot of "standard" residential CCTV crap. I was asked to do a setup for a family member's friend (selecting cameras/NVR, installing) and it really struck me because I don't know what is best to recommend. My setup involves cameras on a separate, isolated VLAN, Blue Iris, and remote access via WireGuard on pfSense. But obviously this individual doesn't know how to maintain any of that, let alone set it up unless I become their dedicated IT support which is obviously not the goal. Even BI is complex and has its issues. BI would be great with Dahua cams, but I was leaning more towards a Dahua NVR because I feel it would be dead simple for anyone operating it, but how would remote access work (I don't feel great exposing it to the internet and it calls for a VPN server running somewhere else, another thing to fail). Then there is Unifi protect which is also dead simple and I believe uses Ubiquiti cloud for remote access which is better but you have to use their cameras (which isn't a big deal for a simple setup).

Anyway I am leaning towards Unifi to execute this but I wanted to hear out folks' thoughts on this because I feel this is something at least some of you had to deal with and consider.

Thanks
 

tech_junkie

Going the NVR route and using its remote access would be better than making a VPN on a network that you will be tasked to fix after someone hacks it or it malfunctions.
 

MTL4

Definitely watching, same thing here.

We have some very unpleasant neighbours and the rest of the neighborhood is asking me for install suggestions. I know these folks aren’t all tech savvy and I don’t want to get stuck being tech support forever so I need something that’s a lot more set it and forget it than what I have (mine’s almost identical to the OP - OPNsense/WireGuard/Ubiquiti/BI/ET cams).
 

The Automation Guy

Opening ports to any device for remote access is unsecure, but even more so an IoT device like an NVR which is likely NEVER going to have its firmware updated. I realize that is the easiest answer, but you should definitely be upfront with the person to let them know how unsecure it really is. They can decide if they want to use a more secure method like hosting a VPN connection.

PS - I found myself in the same type of situation recently when my in-laws asked for some help. In the end I decided to recommend that they simply expand their existing Ring camera setup by adding a couple more cameras for all of the same reasons you mentioned. It's not a super secure setup either, but I'm also not adding to the insecurity of their network by suggesting more Ring cameras.
 

dudemaar

Well I always use Andy’s cams and NVRs for my family. I also get them an ASUS router and deploy OpenVPN on their phones. But I did notice that the new Ubiquiti G5 cams have bigger, better image sensors in them.
Falls right into the ok section of the chart.
[Attached image: chart]
 

tech_junkie

Opening ports to any device for remote access is unsecure, but even more so an IoT device like an NVR which is likely NEVER going to have its firmware updated. I realize that is the easiest answer, but you should definitely be upfront with the person to let them know how unsecure it really is. They can decide if they want to use a more secure method like hosting a VPN connection.

PS - I found myself in the same type of situation recently when my in-laws asked for some help. In the end I decided to recommend that they simply expand their existing Ring camera setup by adding a couple more cameras for all of the same reasons you mentioned. It's not a super secure setup either, but I'm also not adding to the insecurity of their network by suggesting more Ring cameras.
I think an NVR is more secure than VPNs, which are easily hacked. The thing people don't do that they should is regenerate the certificates in the NVR and cameras before connecting it to the internet. That is the only way I ever encountered someone hacking an NVR/camera system and was hired to find and remove the security vulnerability.
First time I ever saw an IT guy do the Homer Simpson 'doh' hand face palm.
 

TonyR

That is the only way I ever encountered someone hacking an NVR/camera system and was hired to find and remove the security vulnerability.
FWIW, in 2017 had a client's Amcrest (Dahua) NVR hacked, no VPN, port forwarded in router. A f/w update later allowed it and another similar Amcrest NVR, also port forwarded, to stay online with no hacks since 2017 to date.
 

tech_junkie

FWIW, in 2017 had a client's Amcrest (Dahua) NVR hacked, no VPN, port forwarded in router. A f/w update later allowed it and another similar Amcrest NVR, also port forwarded, to stay online with no hacks since 2017 to date.
That is why port forwarding is a bad practice. But as far as Blue Iris, it has to be set up on Windows Server instead of the consumer Windows and security settings set up like web hosting where there is no firewall (except its own), with a public CA cert. Right now I need to get a new copy for my backup computer that died, but the version 2 years ago passed the security tests I perform on my hosting machines once I set it up correctly. But since I use Hik-Connect and BI was just a redundant backup, I stuck it back behind the cam network because I didn't need to make an external connection. For me it didn't cost me anything to set that connection up since I am the ISP, name server and certificate signer on the web and I have leased a few IP addresses from my local ISP so I had static connections to use.

Port forwarding is different from cloud connect, because the cloud server has a client certificate and TLS stapling. When you go and regenerate your certificate in the NVR, the cloud connect will request a client certificate as it's already an authenticated user. That is why the cloud method (w/o forwarding) is more secure.
 

mat200

To start off, I have a similar setup to what most people have on here (BI, Andy cams etc.) and it's a good and secure setup. My friends and family know it's good, maybe better than a lot of "standard" residential CCTV crap. I was asked to do a setup for a family member's friend (selecting cameras/NVR, installing) and it really struck me because I don't know what is best to recommend. My setup involves cameras on a separate, isolated VLAN, Blue Iris, and remote access via WireGuard on pfSense. But obviously this individual doesn't know how to maintain any of that, let alone set it up unless I become their dedicated IT support which is obviously not the goal. Even BI is complex and has its issues. BI would be great with Dahua cams, but I was leaning more towards a Dahua NVR because I feel it would be dead simple for anyone operating it, but how would remote access work (I don't feel great exposing it to the internet and it calls for a VPN server running somewhere else, another thing to fail). Then there is Unifi protect which is also dead simple and I believe uses Ubiquiti cloud for remote access which is better but you have to use their cameras (which isn't a big deal for a simple setup).

Anyway I am leaning towards Unifi to execute this but I wanted to hear out folks' thoughts on this because I feel this is something at least some of you had to deal with and consider.

Thanks
Hi @kolt_

Are you also running the cables?

Normally I am willing to help a friend, however not certain how far I would go with helping a friend of a friend.

Seen too many expecting favors beyond my reasonable limits.

That stated, if they have someone in the family who is a PC pro, then I'd get them set up with Blue Iris.

Not certain what I would do if they're an Apple Mac family. Too many issues there that I would like to avoid.

Normally I like to train them to self-support... have to judge if they have enough skills to do that tho.

Do not mind recommending a Dahua OEM or Hikvision OEM NVR and camera setup. I just don't want to spend much time on support and setup anymore.
 

tech_junkie

Not certain what I would do if they're an Apple Mac family. Too many issues there that I would like to avoid.
+1 with not using a Mac to host an outside connection. There are a lot of things you would have to turn off and secure and ones that Apple outdated; you're better off installing Windows Server on a drive (then park the installation with sysprep /oobe), then install the drive in the Mac computer.

I think they should make a Linux version. Even though I probably could run the dotnet program with Wine, I imagine it would run better natively on that platform using Qt which is similar to dotNet.
 

kolt_

Hi @kolt_

Are you also running the cables?

Normally I am willing to help a friend, however not certain how far I would go with helping a friend of a friend.

Seen too many expecting favors beyond my reasonable limits.

That stated, if they have someone in the family who is a PC pro, then I'd get them set up with Blue Iris.

Not certain what I would do if they're an Apple Mac family. Too many issues there that I would like to avoid.

Normally I like to train them to self-support... have to judge if they have enough skills to do that tho.

Do not mind recommending a Dahua OEM or Hikvision OEM NVR and camera setup. I just don't want to spend much time on support and setup anymore.
I actually haven't even spoken to them yet, but was notified about some type of camera installation and I am under the assumption that I am selecting hardware. At the very least, I will be running cables and mounting cameras. To clarify, it's not exactly a friend of a family member, just more of someone that they know and wants a CCTV install so I am likely not to speak with this person again (hopefully in a good way, not 24/7 support) so that's why I want them to have something somewhat solid and easy since I will feel a little bad leaving them with issues. Regardless, this sort of ask has happened before with others so that's part of the reason I am posting.

Anyway, I think a Dahua NVR/cameras is the way to go as you mentioned, it seems like less of a hassle to maintain to the point where it should work until it dies - at least I think, never messed with NVRs except a very old Zmodo setup. I'll do my best to explain the options for remote viewing, and recommend just sticking to local viewing.

Thanks
 

dudemaar

Like I said earlier I’ve installed many of Andy’s cameras and NVRs for family, friends and friends of friends. Once in a while I will get a call or a text on how to do this or that. I usually refer them to a specific page on the dahuawiki.com site for instructions. For example yesterday I had someone ask me how to get motion (IVS) to record. So I sent them the link below.
Of course this was a younger person so they figured it out on their own. Usually the older folks have more difficulty figuring it out, but if you set it up properly from the start, you won’t ever have to go back. Mostly I get people calling me when they get new internet and it’s not on their phones anymore. So now I make sure I always put the NVR on DHCP.
 

TonyR

But as far as Blue Iris, it has to be set up on Windows Server instead of the consumer Windows and security settings set up like web hosting where there is no firewall (except its own), with a public CA cert.
No, it's not necessary for Blue Iris to be "set up on Windows Server instead of the consumer Windows".
 

TonyR

There are too many flaws in the consumer versions of Windows to host anything securely and it's not due to this particular dotNet program.
You're entitled to your opinion.

I disagree that Blue Iris cannot be hosted securely on Windows Home or Windows Pro... have done both versions successfully and apparently safely/securely on a half dozen machines for over 10 years now. :cool:
 