Switch from VPN to Port forwarding

jmurph44

n3wb
Joined
Feb 18, 2021
Messages
5
Reaction score
1
Location
MS
I'm considering switching from VPN to port forwarding for remote access and wanted opinions on convenience vs. safety risks. Currently using VPN on a UDM-Pro, but Android 12 doesn't allow L2TP and the UDM-Pro doesn't support IKEv2, so I'm at an impasse. I have looked into ZeroTier and Tailscale, but so far haven't been able to replicate the same VPN experience. Setting up a WireGuard or OpenVPN server on Windows may be beyond my skill level. Wife would probably prefer the ease of port forwarding, just one less button to hit.

Blue Iris is on a static-IP Windows machine which is also used for Plex (which has a port forwarded), HomeSeer home automation, and family data backup. The server is on our main LAN as opposed to a VLAN so the home automation and data backup are easier to use. The camera IPs are firewalled so they can only communicate with the Blue Iris machine.

If I open up a port for Blue Iris, but in the UDM-Pro block most of the suspect countries in Geo Filtering, would that help mitigate attacks? If for some reason the Windows machine was compromised, would only the Blue Iris software be accessible, or could someone access other data on the server (i.e. our data backups, home automation, etc.)? Someone seeing the feed of an outside camera is one thing, but having access to data is another.
 

user8963

Known around here
Joined
Nov 26, 2018
Messages
1,465
Reaction score
2,315
Location
Christmas Island
Why is it beyond your skill level?
You just have to install the WireGuard software onto your Blue Iris Windows machine, open it, paste something in, and voilà.

(you need to forward one port to your Windows machine)

You can also use many other devices like a Raspberry Pi if you don't want to run it on your Blue Iris machine


(you don't need to use preshared keys)

Also you should open a ticket with Ubiquiti to get a solution.
It's a complete scam to sell the UDM Pro for 400 USD and deliver it with outdated software which is not compatible with anything
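Added example (editor's, not user8963's code or anything from the WireGuard project): the two config files for the setup described in that post, with exactly one UDP port forwarded, rendered by a small POSIX sh script. It follows the Raspberry Pi alternative the post mentions, because on Linux wg-quick runs the PostUp rules that do the LAN forwarding; the Windows app does not set that up for you. The keys, the LAN 192.168.1.0/24, a Blue Iris host at 192.168.1.50, interface eth0 and the DDNS name home.example.com are all assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from WireGuard's own docs: render the server
# config for a Raspberry Pi on the LAN plus the matching phone peer config. Only ONE
# UDP port is forwarded on the router. Keys are passed in as arguments so the script
# runs without wg installed; make real ones on the Pi with:
#   wg genkey | tee server.key | wg pubkey > server.pub
#   wg genkey | tee phone.key  | wg pubkey > phone.pub
#   wg genpsk > phone.psk        # optional extra symmetric key, see peer_conf
# Addresses below are assumptions: LAN 192.168.1.0/24, Blue Iris at 192.168.1.50,
# Pi LAN interface eth0, DDNS name home.example.com.

LAN_NET="192.168.1.0/24"
BI_HOST="192.168.1.50"
LAN_IF="eth0"
WG_NET="10.66.0.0/24"
SERVER_WG_IP="10.66.0.1"
PHONE_WG_IP="10.66.0.2"
WG_PORT="51820"          # forward UDP 51820 on the UDM-Pro to the Pi's LAN IP

# server_conf SERVER_PRIVKEY PHONE_PUBKEY [PSK] -> /etc/wireguard/wg0.conf on the Pi.
# The peer's AllowedIPs MUST be its single /32: WireGuard uses AllowedIPs as
# cryptokey routing, so a wider prefix would let that phone send packets sourced
# from any address in it. The FORWARD rules limit VPN clients to the BI host only;
# widen them if the phone also needs HomeSeer or other LAN services.
server_conf() {
  srv_priv=$1; phone_pub=$2; psk=$3
  cat <<EOF
[Interface]
Address = ${SERVER_WG_IP}/24
ListenPort = ${WG_PORT}
PrivateKey = ${srv_priv}
PostUp = sysctl -w net.ipv4.ip_forward=1
PostUp = iptables -A FORWARD -i %i -d ${BI_HOST} -j ACCEPT
PostUp = iptables -A FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostUp = iptables -A FORWARD -i %i -j DROP
PostUp = iptables -t nat -A POSTROUTING -s ${WG_NET} -o ${LAN_IF} -j MASQUERADE
PostDown = iptables -D FORWARD -i %i -d ${BI_HOST} -j ACCEPT
PostDown = iptables -D FORWARD -o %i -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
PostDown = iptables -D FORWARD -i %i -j DROP
PostDown = iptables -t nat -D POSTROUTING -s ${WG_NET} -o ${LAN_IF} -j MASQUERADE

[Peer]
# phone
PublicKey = ${phone_pub}
AllowedIPs = ${PHONE_WG_IP}/32
EOF
  if [ -n "$psk" ]; then echo "PresharedKey = ${psk}"; fi
}

# peer_conf PHONE_PRIVKEY SERVER_PUBKEY ENDPOINT_HOST [PSK] -> import into the
# WireGuard app on the phone (paste it, or show it as a QR code with qrencode).
# AllowedIPs is only the tunnel and the home LAN (split tunnel): the phone's other
# traffic does not go through the home connection. Use 0.0.0.0/0 to tunnel everything.
# PersistentKeepalive keeps the mapping alive through the phone's carrier NAT.
peer_conf() {
  phone_priv=$1; srv_pub=$2; endpoint=$3; psk=$4
  cat <<EOF
[Interface]
Address = ${PHONE_WG_IP}/24
PrivateKey = ${phone_priv}

[Peer]
PublicKey = ${srv_pub}
Endpoint = ${endpoint}:${WG_PORT}
AllowedIPs = ${WG_NET}, ${LAN_NET}
PersistentKeepalive = 25
EOF
  if [ -n "$psk" ]; then echo "PresharedKey = ${psk}"; fi
}

# Demo with placeholder strings where the base64 keys go (replace with the files above).
echo "# --- /etc/wireguard/wg0.conf (Pi) ---"
server_conf "<contents of server.key>" "<contents of phone.pub>" "<contents of phone.psk>"
echo
echo "# --- phone.conf (import into the WireGuard app) ---"
peer_conf "<contents of phone.key>" "<contents of server.pub>" "home.example.com" "<contents of phone.psk>"
```

The thing worth checking on the server side is the peer's AllowedIPs: it is the single /32, never the LAN range. Copy wg0.conf to /etc/wireguard/ on the Pi, enable it with `systemctl enable --now wg-quick@wg0`, and forward UDP 51820 on the UDM-Pro to the Pi. The optional PresharedKey is the "preshared key" the post says you can skip; it only adds a symmetric secret on top of the Curve25519 handshake.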
 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,884
Reaction score
48,526
Location
USA
Only if you want people to watch you...


(The links to the BI feeds were removed from this thread, but it is really simple to find them....)

 

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,884
Reaction score
48,526
Location
USA
Someone having similar issues with Android 12 and ubiquiti...

 

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
An OpenVPN server running on your firewall is easy to configure. And now you can generate a configuration for import to iOS, Windows, Android and Linux.

It is much easier to configure an OpenVPN server nowadays versus an L2TP / IPSec connection.

Recently noticed an update to the OpenVPN client on my Android phone and it works fine.
 

jmurph44

n3wb
Joined
Feb 18, 2021
Messages
5
Reaction score
1
Location
MS
user8963 said:
> Why is it beyond your skill level?
> You just have to install the WireGuard software onto your Blue Iris Windows machine, open it, paste something in, and voilà.
> (you need to forward one port to your Windows machine)
> You can also use many other devices like a Raspberry Pi if you don't want to run it on your Blue Iris machine
> (you don't need to use preshared keys)
> Also you should open a ticket with Ubiquiti to get a solution.
> It's a complete scam to sell the UDM Pro for 400 USD and deliver it with outdated software which is not compatible with anything

Thank you for the response. I looked at the tutorial you linked and will try to work my way through WireGuard tomorrow. I did touch base with Ubiquiti support about their abysmal VPN options.
 

jmurph44

n3wb
Joined
Feb 18, 2021
Messages
5
Reaction score
1
Location
MS
wittaj said:
> Only if you want people to watch you...
> (The links to the BI feeds were removed from this thread, but it is really simple to find them....)

If someone found a backdoor into the Blue Iris software or just brute-forced my credentials to get in Blue Iris via the open port they could get access to video, change credentials, etc. However, could they get into the Windows system itself and access personal files, etc.? I've had a port opened for Plex on the UDM-Pro a couple of years.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
jmurph44 said:
> Thank you for the response. I looked at the tutorial you linked and will try to work my way through WireGuard tomorrow. I did touch base with Ubiquiti support about their abysmal VPN options.

The Android update earlier this week broke my L2TP VPN on my UDM router. Wednesday, another update and my Android 'always on' VPN using L2TP has worked as it did for months. Check for an update on your Android phone.
When I researched this issue, many said your old existing Android L2TP VPN profile will remain. However, you will not be able to create a NEW L2TP profile any longer.
Yes, it's time to find an alternative. I would not go the port forwarding route, though. Eww...

You actually talked to one of them....hewmans at Ubiquiti? What did they say about future VPN options?
 

jmurph44

n3wb
Joined
Feb 18, 2021
Messages
5
Reaction score
1
Location
MS
> The Android update earlier this week broke my L2TP VPN on my UDM router. Wednesday, another update and my Android 'always on' VPN using L2TP has worked as it did for months. Check for an update on your Android phone.
> When I researched this issue, many said your old existing Android L2TP VPN profile will remain. However, you will not be able to create a NEW L2TP profile any longer.
> Yes, it's time to find an alternative. I would not go the port forwarding route, though. Eww...
> You actually talked to one of them....hewmans at Ubiquiti? What did they say about future VPN options?

I upgraded phones, and that is the issue. It won't let me create a new VPN profile with the L2TP. Still works fine on the old phone which was upgraded from Android 11 to 12, just states that it is insecure.

I filed a ticket with Ubiquiti, likely in vain, but worth a shot. Hopefully they get a lot of similar feedback.
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,674
Reaction score
14,018
Location
USA
jmurph44 said:
> If someone found a backdoor into the Blue Iris software or just brute-forced my credentials to get in Blue Iris via the open port they could get access to video, change credentials, etc. However, could they get into the Windows system itself and access personal files, etc.? I've had a port opened for Plex on the UDM-Pro a couple of years.

It is technically possible. Pretty much the worst case scenario would be if someone figures out a remote code execution bug in an API that does not require authentication. Then they could use the Blue Iris process to do anything on the PC (like install a keylogger or ransomware). The same applies to Plex of course. Or any remotely accessible software. Even a VPN server could have such a bug, although it is nice to think that VPN server code gets audited for security more rigorously than anything else.

Simpler hacks, such as brute force guessing a password are difficult with Blue Iris because BI by default will temporarily ban IP addresses that fail to log in repeatedly. So a brute force password attack would only really work if the hacker had access to a lot of source IPs. Or if your server was reachable via IPv6 (which it won't be if you only set up port forwarding with IPv4 as most people do).

If someone does get admin credentials, then the sky is the limit. Theoretically one could just connect to your BI server using the remote console capability and use it to remotely install malware on the system. I don't think it would even be hard. BI has the ability to run user-provided applications in response to camera triggers (among other things), so in theory a hacker could craft a set of actions that causes malware to be downloaded and installed on the system.
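Added example (editor's, not bp2008's or Blue Iris's code): the difference between what a per-IP temporary ban reacts to and what a distributed guessing attack looks like, run over constructed log lines. The line format is invented for the illustration and is not BI's real log format; the addresses are documentation ranges. It generalizes the point in the post: per-IP banning stops one noisy source, so the thing to watch for is one username failing from many different IPs, each staying under the ban threshold.

```shell
#!/bin/sh
# Added example, not from the thread: per-IP lockout versus a distributed brute force,
# checked over constructed log lines. The line format here is invented for the
# illustration (it is NOT Blue Iris's log format); only the awk field positions need
# adapting for a real log. Addresses are documentation ranges.

LOG=$(cat <<'EOF'
2024-03-01 01:00:01 LOGIN FAIL user=admin src=203.0.113.7
2024-03-01 01:00:02 LOGIN FAIL user=admin src=203.0.113.7
2024-03-01 01:00:03 LOGIN FAIL user=admin src=203.0.113.7
2024-03-01 01:00:04 LOGIN FAIL user=admin src=203.0.113.7
2024-03-01 01:00:05 LOGIN FAIL user=admin src=203.0.113.7
2024-03-01 01:00:06 LOGIN FAIL user=admin src=203.0.113.7
2024-03-01 01:10:00 LOGIN FAIL user=admin src=198.51.100.10
2024-03-01 01:10:07 LOGIN FAIL user=admin src=198.51.100.11
2024-03-01 01:10:13 LOGIN FAIL user=admin src=198.51.100.12
2024-03-01 01:10:20 LOGIN FAIL user=admin src=198.51.100.13
2024-03-01 01:10:28 LOGIN FAIL user=admin src=198.51.100.14
2024-03-01 01:10:35 LOGIN FAIL user=admin src=198.51.100.15
2024-03-01 01:10:41 LOGIN FAIL user=admin src=198.51.100.16
2024-03-01 01:10:49 LOGIN FAIL user=admin src=198.51.100.17
2024-03-01 02:00:00 LOGIN OK   user=jmurph src=192.168.1.20
EOF
)

# ips_over_threshold N: source IPs with at least N failed logins. This is the only
# thing a per-IP temporary ban (BI's default behaviour) reacts to.
ips_over_threshold() {
  printf '%s\n' "$LOG" | awk -v n="$1" '
    $3 == "LOGIN" && $4 == "FAIL" { sub(/^src=/, "", $6); fails[$6]++ }
    END { for (ip in fails) if (fails[ip] >= n) print ip, fails[ip] }' | sort
}

# users_under_spray M: usernames that failed from at least M distinct source IPs,
# printed with the distinct-IP count and the total failures. Every IP can stay
# under the ban threshold, so this is what to alert on for a distributed attack.
users_under_spray() {
  printf '%s\n' "$LOG" | awk -v m="$1" '
    $3 == "LOGIN" && $4 == "FAIL" {
      sub(/^user=/, "", $5); sub(/^src=/, "", $6)
      if (!(($5, $6) in seen)) { seen[$5, $6] = 1; ips[$5]++ }
      total[$5]++
    }
    END { for (u in ips) if (ips[u] >= m) print u, ips[u], total[u] }' | sort
}

echo "single-source (a per-IP ban at threshold 5 catches this):"
ips_over_threshold 5
echo "distributed spray (each IP below threshold, at least 5 distinct IPs):"
users_under_spray 5
```

Run against the constructed lines, the first report lists only 203.0.113.7 (six failures from one place, the case the ban handles), while the second shows admin failing from nine different addresses with one attempt each, which the per-IP counter never trips on. If the server were also reachable over IPv6, as the post notes, a single attacker has a whole /64 of source addresses and the same per-username view is what still catches it.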
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,674
Reaction score
14,018
Location
USA
Dare I say it, Plex is probably more likely to be the target of a hack than Blue Iris is, just because of the relative popularity of the software.

By all means you can open ports if you think it is worth the risk. I do it myself, but I use high numbered ports that are not officially registered to anything, as those are much less likely to get scanned and noticed by bots. I am under no illusions that my BI server has never been noticed on its high port. In fact I would be surprised if my public IP and BI port number are not in some hacker's private database, if not even a public database somewhere, just waiting for a vulnerability to be discovered that is worth exploiting.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
jmurph44 said:
> I upgraded phones, and that is the issue. It won't let me create a new VPN profile with the L2TP. Still works fine on the old phone which was upgraded from Android 11 to 12, just states that it is insecure.
> I filed a ticket with Ubiquiti, likely in vain, but worth a shot. Hopefully they get a lot of similar feedback.

From a recent Reddit search I will have to investigate:

You can also run WireGuard on the UDM, which is much faster than OpenVPN (WG ~1 Gbps throughput on UDM; OpenVPN ~300 Mbps). See wireguard-kmod.
Btw neither OpenVPN nor WireGuard is officially supported by Ubiquiti and they have to be done through SSH.
 

105437

BIT Beta Team
Joined
Jun 8, 2015
Messages
2,031
Reaction score
934
I use Unifi for my security gateway, switches and APs. I created a firewall rule that drops all internet traffic from my camera IPs. Still doesn't protect everything, but at least my cameras can't talk to the internet.
 

jmurph44

n3wb
Joined
Feb 18, 2021
Messages
5
Reaction score
1
Location
MS
105437 said:
> I use Unifi for my security gateway, switches and APs. I created a firewall rule that drops all internet traffic from my camera IPs. Still doesn't protect everything, but at least my cameras can't talk to the internet.

Got that one covered. Have my cameras and IoT stuff blocked from talking out, just trying to limit who gets in, ha.

I'm not very familiar dealing with SSH stuff. Hopefully, Ubiquiti will eventually up their VPN game.
 

pete_c

Getting comfortable
Joined
Jul 30, 2019
Messages
617
Reaction score
689
Location
Time
There are ways to add OpenVPN. IE: UDM-Patches

As mentioned above you can also just get an RPi inside of your network to do this stuff or even a micro router with OpenWRT on it. I am using a tiny 1" X 2" microrouter inside of my alarm panel today that has been working fine. Recently added a 32Gb USB stick to it for Python 3.0 and MQTT installation. It is a miniature marvel.

So this is a router configured inside of the LAN which can do all sorts of stuff today:

Code:
BusyBox v1.30.1 () built-in shell (ash)

  _______                     ________        __
 |       |.-----.-----.-----.|  |  |  |.----.|  |_
 |   -   ||  _  |  -__|     ||  |  |  ||   _||   _|
 |_______||   __|_____|__|__||________||__|  |____|
          |__| W I R E L E S S   F R E E D O M
 -----------------------------------------------------
 OpenWrt 19.07.5, r11257-5090152ae3
 -----------------------------------------------------
[image: OpenWRT-OpenVPN.jpg]


I use SSH as a "poor mans" VPN here sometimes to help peers.

Easy peasy:

1 - install OpenSSH server on a computer inside of your network (Linux)
2 - from the outside do SSH with a reverse proxy to the SSH server. Make sure you utilize a long password. You can configure SSH server to time out with one mistake et al.
3 - via command line type: ssh -D8888 root@internetIP or DDNS
4 - you will be able to access any device on the internal network via the reverse proxy port of 8888 which is inside of the regular SSH port of 22.
5 - for web browsing just configure your favorite web browser to use proxy port 8888.

Here is an SSH connection (using reverse proxy) to LAS from the Midwest. I can access any device on this network remotely. (IE: CCTV, NAS, router, switches, WAPs et al.)

From Midwest:

[image: LOCAL.jpg]

To LAS

[image: LAS.jpg]



Personally, I have gone à la carte here with all of my devices. IE: modem, pfSense, Ruckus WAPs and managed switches.

I have an IPSec / L2TP VPN server, OpenVPN and WireGuard running today on pfSense. pfSense is free. I have it running on a Haswell-based motherboard / 16 GB RAM and 6 Intel Gb interfaces. Ruckus is now owned by CommScope and they are a tad more and levels above the Ubiquiti stuff. Not knocking Ubiquiti here.

Site to site (pfSense to pfSense) I have been using OpenVPN and it does the job. Using WireGuard now with PIA and it is faster than using OpenVPN.

pfSense is running: Snort, pfBlockerNG (MaxMind geoblocking), DNS Resolver, DDNS (multiple), ....
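Added example (editor's, not pete_c's setup): the SSH SOCKS proxy from the numbered steps above with the server side locked to keys only, as a sh script that prints the sshd drop-in, the client command and a fetch through the proxy. `ssh -D` is a dynamic (SOCKS5) forward: the proxy port listens on the remote laptop and the far end of the SSH session does the connecting, so anything on the LAN is reachable through it. The host name home.example.com, forwarded port 2222, user jump, key ~/.ssh/home_jump and the Blue Iris web port 81 are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the "poor man's VPN" above with a key-only jump
# account. ssh -D opens a local SOCKS5 proxy; traffic pointed at it (browser, curl)
# rides inside the one SSH session and exits from the LAN box, so every internal
# device is reachable. Names are assumptions: a Linux host on the LAN reachable as
# home.example.com via the single forwarded TCP port 2222, login user "jump".

JUMP_USER="jump"
JUMP_HOST="home.example.com"
JUMP_PORT="2222"         # the only TCP port forwarded on the router, to the LAN box
SOCKS_PORT="8888"

# sshd_jump_conf -> /etc/ssh/sshd_config.d/10-jump.conf on the LAN box.
# No password auth at all, so there is nothing to guess; the jump user keeps TCP
# forwarding (the whole point) but gets no shell, TTY or agent forwarding.
# (On OpenSSH older than 8.7 the second line is ChallengeResponseAuthentication.)
sshd_jump_conf() {
  cat <<EOF
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 2
LoginGraceTime 20
AllowUsers ${JUMP_USER}
Match User ${JUMP_USER}
    AllowTcpForwarding yes
    AllowAgentForwarding no
    X11Forwarding no
    PermitTTY no
    ForceCommand /bin/false
EOF
}

# socks_tunnel_cmd -> the command to run on the remote laptop.
# -N: no remote shell (fits the ForceCommand above); -D bound to 127.0.0.1 so nobody
# else on the coffee-shop network can use your proxy; ExitOnForwardFailure makes a
# failed bind fatal instead of silently leaving you without the proxy.
# StrictHostKeyChecking=yes assumes the host key is already in known_hosts.
socks_tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o StrictHostKeyChecking=yes -i ~/.ssh/home_jump -p %s -D 127.0.0.1:%s %s@%s\n' \
    "$JUMP_PORT" "$SOCKS_PORT" "$JUMP_USER" "$JUMP_HOST"
}

# through_proxy_cmd URL -> a fetch of a LAN URL via the proxy. --socks5-hostname makes
# the far end resolve names, so internal hostnames work and nothing leaks to local DNS.
through_proxy_cmd() {
  printf 'curl --socks5-hostname 127.0.0.1:%s %s\n' "$SOCKS_PORT" "$1"
}

echo "# sshd drop-in for the LAN box:"; sshd_jump_conf
echo "# on the remote laptop:"; socks_tunnel_cmd
echo "# then, for example, the Blue Iris web UI (assumed at 192.168.1.50:81):"
through_proxy_cmd "http://192.168.1.50:81/"
```

With PasswordAuthentication off there is no password to guess at all, and MaxAuthTries 2 plus LoginGraceTime 20 cut short anything that tries. For a browser, point its SOCKS5 setting at 127.0.0.1:8888 with remote DNS enabled and LAN addresses resolve and route from inside the house.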
 

opus too

Getting the hang of it
Joined
Nov 25, 2018
Messages
44
Reaction score
34
Location
usa
I've been running a Raspberry Pi with Tailscale for many months with BI and UI3, works perfectly. I just tested DMSS with it today and it also works great. No router ports forwarded or open, and all camera IPs blocked at the router. DMSS set up as local only, all cam system services disabled including P2P. The cool thing about Tailscale is its ability to punch through NAT routers. My brother in one place is behind 3 routers and Tailscale somehow makes it through.
John
 