TALK ME OFF THE LEDGE

spammenotinoz

Getting comfortable
Joined
Apr 4, 2019
Messages
345
Reaction score
276
Location
Sydney
So we've had some friendly discussion about VPNs and alternatives. I question what someone like myself (classic noob) should do since I have zero experience implementing anything like this and I get the feeling I might be well over my head in trying. I think I can handle most of the sourcing and install aspects and some of the basic setup features with BI and the home networking. But when it comes to more complex security tasks like OpenVPN or alternatives, I have no idea if I'll be able to comprehend how to do that. So would setting up some simple port forwarding be better than nothing at all? Or should I strive to do something more secure which would require more technical intuition? Appreciate the insight.
Context please.


Do your images contain compromising / sensitive data? If so neither VPN nor port forwarding are suitable. If you use port forwarding you will need stunnel to encrypt the images/audio.

Are you an android/iOS user who uses gif alerts? Port forwarding only

Do you want secure access to other systems besides BI? VPN

Do you want Multi-Factor Authenticator? VPN

Whichever way you go, complement with whitelisting, i.e. configure your router/firewall to only accept traffic from addresses you trust.

With regards to port forwarding, it is widely used; you will find that dynamic forwarding is likely in use at your home, forwarding to many devices including your PC. I would def turn that off and just manually forward any ports.

Always use a dedicated device with different credentials to anything else on your network and you can’t go too wrong.
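
An added example (not part of the post above, and not code from any router vendor): a small Python audit of a port-forward table that applies the advice to allowlist trusted sources and to replace dynamic forwards with manual ones. The rule format, names, addresses and ports are constructed for illustration, and "dynamic" is assumed here to mean a forward the router created automatically.

```python
import ipaddress

# Constructed sample data: remote sources you trust (documentation address ranges).
TRUSTED_SOURCES = ["203.0.113.10/32", "198.51.100.0/28"]

# Constructed sample forward table, as it might be transcribed from a router UI.
FORWARD_RULES = [
    {"name": "bi-web", "ext_port": 8443, "dest": "192.168.1.50",
     "source": "203.0.113.10/32", "origin": "manual"},
    {"name": "bi-old", "ext_port": 81, "dest": "192.168.1.50",
     "source": "any", "origin": "manual"},
    {"name": "game-console", "ext_port": 3074, "dest": "192.168.1.23",
     "source": "any", "origin": "dynamic"},
    {"name": "bi-work", "ext_port": 8444, "dest": "192.168.1.50",
     "source": "198.51.100.0/24", "origin": "manual"},
]


def audit_forwards(rules, trusted):
    """Return [(rule name, [problems])] for every rule that needs attention."""
    trusted_nets = [ipaddress.ip_network(t) for t in trusted]
    findings = []
    for rule in rules:
        problems = []
        # Forwards the router opened on its own should be turned off and,
        # if still needed, re-created by hand.
        if rule["origin"] != "manual":
            problems.append("dynamic forward: disable, re-create manually if needed")
        if rule["source"] == "any":
            problems.append("no source restriction: reachable from any address")
        else:
            src = ipaddress.ip_network(rule["source"])
            # The allowed source must sit entirely inside a trusted network.
            inside = any(src.version == t.version and src.subnet_of(t)
                         for t in trusted_nets)
            if not inside:
                problems.append("source %s is wider than the allowlist" % src)
        if problems:
            findings.append((rule["name"], problems))
    return findings


if __name__ == "__main__":
    for name, problems in audit_forwards(FORWARD_RULES, TRUSTED_SOURCES):
        for problem in problems:
            print("%-14s %s" % (name, problem))
```
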
 

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,223
Reaction score
465
So we've had some friendly discussion about VPNs and alternatives. I question what someone like myself (classic noob) should do since I have zero experience implementing anything like this and I get the feeling I might be well over my head in trying. I think I can handle most of the sourcing and install aspects and some of the basic setup features with BI and the home networking. But when it comes to more complex security tasks like OpenVPN or alternatives, I have no idea if I'll be able to comprehend how to do that. So would setting up some simple port forwarding be better than nothing at all? Or should I strive to do something more secure which would require more technical intuition? Appreciate the insight.
It is not so bad if you have an Asus router. This small write-up I did with basics of setting up a BI system might help:
Newbie Starter Guide to IP Cam System – VPN setup – Computer Hardware – Blue Iris – Dahua Cameras

Scroll down to ----Security----, purchase an Asus router and follow this:
Randy : OpenVPN on a Asus router

What part are you stuck on?
 

windguy

Getting comfortable
Joined
Sep 25, 2019
Messages
285
Reaction score
289
Location
Pacific Coast
Context please.


Do your images contain compromising / sensitive data? If so neither VPN nor port forwarding are suitable. If you use port forwarding you will need stunnel to encrypt the images/audio.

Are you an android/iOS user who uses gif alerts? Port forwarding only

Do you want secure access to other systems besides BI? VPN

Do you want Multi-Factor Authenticator? VPN

Whichever way you go, complement with whitelisting, i.e. configure your router/firewall to only accept traffic from addresses you trust.

With regards to port forwarding, it is widely used; you will find that dynamic forwarding is likely in use at your home, forwarding to many devices including your PC. I would def turn that off and just manually forward any ports.

Always use a dedicated device with different credentials to anything else on your network and you can’t go too wrong.
Thanks for the reply and info.
I don't know enough yet to answer these questions very well, if at all, and that's my issue. I'm not familiar with this technology. Not sure I'll ever be very competent.
I can say that video images we plan to capture will not contain sensitive information. I could care less if someone can see that info.
Regarding mobile phones, I am an Android user but don't know what a GIF alert is. I would want to get alerts on my mobile phone and my wife's and potentially check video clips if necessary. So there would only be two outside devices accessing the home network and maybe a laptop if possible if needed. That's it. Thanks!
 

windguy

It is not so bad if you have an Asus router. This small write-up I did with basics of setting up a BI system might help:
Newbie Starter Guide to IP Cam System – VPN setup – Computer Hardware – Blue Iris – Dahua Cameras

Scroll down to ----Security----, purchase an Asus router and follow this:
Randy : OpenVPN on a Asus router

What part are you stuck on?
Thanks for the reply and info. I'm not stuck on any one specific item at this point other than needing to source a new wired router and if it should support OpenVPN, as often recommended on this forum. The selection of basic wired routers that support OpenVPN seems limited. The one I was looking at is the Linksys LRT214. No need for wireless since it's going in an existing modem cabinet sitting in a wall. I will check out the write-ups you referenced. Appreciate your steering me in the right direction. I'll hop off the ledge for a while and do more reading once that pigeon gets out of my way. Shoo!
 

TL1096r

Thanks for the reply and info. I'm not stuck on any one specific item at this point other than needing to source a new wired router and if it should support OpenVPN, as often recommended on this forum. The selection of basic wired routers that support OpenVPN seems limited. The one I was looking at is the Linksys LRT214. No need for wireless since it's going in an existing modem cabinet sitting in a wall. I will check out the write-ups you referenced. Appreciate your steering me in the right direction. I'll hop off the ledge for a while and do more reading once that pigeon gets out of my way. Shoo!
Ya, you will get there. We all started here. Why not go with an Asus router? It is the easiest setup for OpenVPN. It takes seconds to set up and load to your OpenVPN app on phone and then you are all set there.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
WindGuy
Before buying a router look at how many posts and websites are available to help you set up OpenVPN for that product.

I used an ASUS router for OpenVPN. It took about 3 hours to get it up and running; that includes the learning curve and the first Android phone. I use an older RT-AC66U_B1.

The hardest part of using the ASUS router was getting my Xfinity modem/router into bridge passthru mode, so that it was only a modem and provided no router functions.

My advice on advice, keep it simple and listen to only one person talking you through it.
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,606
Reaction score
22,833
Location
Evansville, In. USA

spammenotinoz

Having a secured connection is not about worrying about someone seeing your video. It's about the fact that they could hack anything on your home network and/or turn devices on your network into a botnet for all kinds of misdeeds.
Don't use port forwarding.
VPN Primer for Noobs | IP Cam Talk
Randy : OpenVPN on a Asus router
How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk
You need context, port forwarding BI is secure.

More VPN exploits...
Vulnerabilities Exploited in Multiple VPN Applications | CISA
Again, not against VPN, but you need to keep on top of the bugs.
 

windguy

Having a secured connection is not about worrying about someone seeing your video. It's about the fact that they could hack anything on your home network and/or turn devices on your network into a botnet for all kinds of misdeeds.
Don't use port forwarding.
Thanks for the reply and info. I've seen that message a few times and understand the issues. Poster spammenotinoz was asking specifics about the video content.
I certainly don't want to open up our network to the outside so I'm game for locking it down with whatever methods I can handle setting up.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
As a noob as of a couple months ago, using Asus or Linksys routers with OpenVPN is better than not using any VPN. Very easy to set up thanks to YouTube videos for both of these hardwares. Are they 100% secure? Eh dunno but I assume they are better than simply port forwarding alone. Am I more comfortable? Yes.
I guess it boils down to what/who do you want to deny/prevent from hacking in. Kiddie scripts and roaming vans with WIFI sniffers are my concern. China/Russia hackers using 20 people to get into my network? Not really :) If Putin wants to see me walk around in my robe and slippers....well....
 

windguy

WindGuy
Before buying a router look at how many posts and websites are available to help you set up OpenVPN for that product.
I used an ASUS router for OpenVPN. It took about 3 hours to get it up and running; that includes the learning curve and the first Android phone. I use an older RT-AC66U_B1.
The hardest part of using the ASUS router was getting my Xfinity modem/router into bridge passthru mode, so that it was only a modem and provided no router functions.
My advice on advice, keep it simple and listen to only one person talking you through it.
Thanks for the reply and info. Very good advice about your advice on advice.
I think you should add those two points to your standard intro footer Quick Start list (or "Southern Yankee's Rules").
"Before buying a router look at how many posts and websites are available to help you set up OpenVPN for that product." ADD THAT TO RULE #14
My advice on advice, keep it simple and listen to only one person talking you through it. NEW RULE #16 or at the end in your closing tips.

I'll check out the Asus routers. My preference is to add a wired router since it's inside a structured media cabinet. No need for wireless there. First glance at Asus showed all wireless routers. Will look further and also check out Netgear as you referenced in your Rules and other possible brands. Thanks!
 

windguy

Ya, you will get there. We all started here. Why not go with an Asus router? It is the easiest setup for OpenVPN. It takes seconds to set up and load to your OpenVPN app on phone and then you are all set there.
Thanks for the reply and input. Good pep talk. Per my reply back to Southern Yankee, I'll check out all brands that offer wired routers and see what type of tutorials and support are offered concerning setting up an OpenVPN. I know I'm going to need some hand holding to get that part implemented.
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Check it out for a couple minutes. Is what I used to set up OpenVPN on my Linksys Nighthawk router. I'm sure Asus video is just as simple.
 

windguy

As a noob as of a couple months ago, using Asus or Linksys routers with OpenVPN is better than not using any VPN. Very easy to set up thanks to YouTube videos for both of these hardwares. Are they 100% secure? Eh dunno but I assume they are better than simply port forwarding alone. Am I more comfortable? Yes.
I guess it boils down to what/who do you want to deny/prevent from hacking in. Kiddie scripts and roaming vans with WIFI sniffers are my concern. China/Russia hackers using 20 people to get into my network? Not really :) If Putin wants to see me walk around in my robe and slippers....well....
Thanks Holbs. Appreciate the insight. I will never get above NOOB status but will try my best to implement security measures because I don't wear a robe :)
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
A couple months ago, I was overwhelmed with what I MUST do in regards to network security to the point that I was about to pick up a pfSense firewall box. But really... we all gotta start somewhere. The above points give a great starting point as a beginner. Run with that. Later on, you can jump head first into Uber VPN security and firewall setup. For now, just get the basics out of the way else you will never get into it at all :)
I mean...don't get me wrong. I DID do some things right as in cameras on their own subnet!
 

windguy

Thought it might be useful to post a diagram of our current home network and the new network I've sketched out so far. Not finalized by any means but it's a ballpark for now.
Items in red on the new diagram will be additions or upgrades. Sorry for the crude diagramming skills.

current home network diagram.jpg new home network diagram.jpg
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
Ohoh. Forgive my slight vodka intake...but looks to me as this is not the recommended way to go about things. Your cam switch is after your router and then feeds BI switch. Should be other way around. BI computer should connect to your switch after router...and thru a 2nd NIC card on BI computer, feed to a 2nd POE switch dedicated to cameras.
 

SouthernYankee

Yes, 3 hours. I am old and slow, life is not a rush :) The hard part was getting the Xfinity modem into passthru / bridge mode, a lack of documentation. Also I test the crap out of everything.
 

windguy

Ohoh. Forgive my slight vodka intake...but looks to me as this is not the recommended way to go about things. Your cam switch is after your router and then feeds BI switch. Should be other way around. BI computer should connect to your switch after router...and thru a 2nd NIC card on BI computer, feed to a 2nd POE switch dedicated to cameras.
Thanks for the reply and info. Rats! Did I fail my first quiz? I'm having trouble figuring out what you mean. Maybe I should have a shot of vodka to decipher. It would be helpful if you can sketch that out and take a pic with your cell and post for me. From my readings on this forum, I picked up that the cam traffic should not go through the router, like in my diagram in my last post. I read about using dual NICs on the BI computer if you want to go that route, not everyone is onboard with that methodology, but didn't think it had to physically be cabled directly to the switch the cameras are connected to. Just setting it up with a separate static IP address scheme. The structured media cabinet (SMC) is in a laundry room/mud room next to the garage where all the camera Cat 5E cables will feed to. The BI computer will be in an upstairs office that currently only has one Cat 5E cable going to the SMC. I have extra Cat 5E cable in the attic that I could probably reposition one cable and send down the wall into the office to add a second dedicated LAN line if required but that's not my first choice to do. Sorry for being such a NOOB. Appreciate the help! Thanks.
 