To Port Forward or Not To Port Forward?

Testing Blue Iris, new W7 Pro system build, test purposes only. Put on separate router with separate public IP address so it was isolated from everything else on the LAN. Enabled port forwarding to allow me to connect via the public address. Worked fine, BI seemed like a go project. We are replacing an old 8 (analog) camera system on a dedicated DVR. Only connections on that LAN is via VPN.


After a few days of operation, I realized that there were 2 new users on the system. "Admin" and "Reptal", both with administrator privileges and a registry entry that removed them from the log on screen (so they could not be seen at login), but as administrators they could be remotely logged in (port forwarding). The Admin account was created first and the other about a half hour later. I discovered this about 15 minutes after Reptal was created. The event logs and whois indicated that the connection was from New Caledonia (NC). Was mostly just curious about it because it is an isolated system on an isolated network. I have an image of the system, so recovery is simple. Further review of System Event Logs showed that IP address being disconnected from Remote Desktop. I am still evaluating logs and have my theories but nothing really concrete yet (other than IP of intruder, could be faked).
So far, note to self:
1. Set up your camera with it disconnected from the Internet.
2. Turn off P2P.
3. Change password and user ID if you can.
4. Do not use the same password on your camera, PC or BI.
5. Make sure your tin foil hat does not have any holes in it.
6. Oh yeah, listen to these people and use VPN if you have to Internet.

Mine was a careless operation but I didn't care since it was isolated and only for a max of 20 days for evaluation.
Don't be careless.
--
The universe is composed of electrons, neutrons, protons and......morons.
¯\_(ツ)_/¯
 
  • Like
Reactions: giomania
ChooChooman74 said:
My home, I use VPN. Customers, I use port forwarding, and tell them the VPN is the safer bet. Most are not interested. They don't want the added steps of tunneling in before connecting to the cameras. And, many times, it also means added equipment, like a new router. I do my best to make it as secure as possible for them. One thing I wish I could do is to change the admin user name to something else. I do put a strong password on it.
Click to expand...
Frustrated .... I purchased a subscription to a vpn and used the router software (ASUS) and everything works fine. It's great because I have a firestick, etc. However, when I asked customer support how to remotely access my home network, they said I would need a "site to site vpn" which they didn't offer?? I thought you could just access the vpn remotely as stated above? Am I missing something
 
blanch007 said:
Frustrated .... I purchased a subscription to a vpn and used the router software (ASUS) and everything works fine. It's great because I have a firestick, etc. However, when I asked customer support how to remotely access my home network, they said I would need a "site to site vpn" which they didn't offer?? I thought you could just access the vpn remotely as stated above? Am I missing something
Click to expand...

VPN Primer for Noobs

nayr said:
Do i have to pay for a VPN Service? No, this a common point of confusion.. there are services out there that will run a VPN Server for you on a remote network.. these are used to hide your location from public internet services.. such as watching Netflix from a US IP, or downloading Torrents without exposing your IP address to the swarm.. If you have an externally routable IP address you will run your own VPN Server on your own network, using free software.. so there are no subscription fees.
Click to expand...
 
  • Like
Reactions: giomania
I set up OpenVPN on my Ubiquiti EdgeRouter, and that device acts as the VPN server, while my phone is a VPN client that connects to the VPNserver. I had to set all this up myself. It sounds to me like your router is the client in this case, and the VPN service is hosting the VPN server.
 
blanch007 said:
Frustrated .... I purchased a subscription to a vpn and used the router software (ASUS) and everything works fine. It's great because I have a firestick, etc. However, when I asked customer support how to remotely access my home network, they said I would need a "site to site vpn" which they didn't offer?? I thought you could just access the vpn remotely as stated above? Am I missing something
Click to expand...
Asus routers have VPN server built in. I use the OpenVPN server. I did increase the encryption to 256 bit in the advanced section. Install the app, download the config from the router, import the configuration, and connect with your user name and password. You can add additional users.
 
I don't know for sure because I haven't tried, but I would assume you could run a VPN server on your router to connect to your cameras, and then use the router as a client to a paid service to get the benefits of hiding your IP address and such.

So it's not like you wasted your money exactly. At least now your ISP won't know what your doing.
 
DavidDavid said:
I don't know for sure because I haven't tried, but I would assume you could run a VPN server on your router to connect to your cameras, and then use the router as a client to a paid service to get the benefits of hiding your IP address and such.

So it's not like you wasted your money exactly. At least now your ISP won't know what your doing.
Click to expand...
its a complete waste...I would rather trust my isp than some unknown entity claiming to provide privacy to you..it also slows your connection speeds...
 
  • Like
Reactions: giangievo and ChooChooman74
blanch007 said:
Frustrated .... I purchased a subscription to a vpn and used the router software (ASUS) and everything works fine. It's great because I have a firestick, etc. However, when I asked customer support how to remotely access my home network, they said I would need a "site to site vpn" which they didn't offer?? I thought you could just access the vpn remotely as stated above? Am I missing something
Click to expand...
Most VPNs are one-way.

The type of VPN a lot of folks here setup is for "inbound" traffic. This type of VPN will encrypt their traffic initiated from the Internet side of their home router (i.e. from their mobile phone, or from their work computer) that is trying to access inside their home network. This type of VPN does NOT encrypt initiated from inside their home network. So when they're at home on their laptop, this VPN is not encrypting traffic from that laptop going out to the Internet.

The paid VPN service you have works similarly (one-way), but opposite of the example above. It encrypts traffic initiated from within your home network that is trying to access the Internet, but it doesn't encrypt traffic initiated from the Internet that's trying to access your home network.
 
Last edited:
  • Like
Reactions: blanch007 and giomania
aristobrat said:
Most VPNs are one-way.

The type of VPN a lot of folks here setup is for "inbound" traffic. This type of VPN will encrypt their traffic initiated from the Internet side of their home router (i.e. from their mobile phone, or from their work computer) that is trying to access inside their home network. This type of VPN does NOT encrypt initiated from inside their home network. So when they're at home on their laptop, this VPN is not encrypting traffic from that laptop going out to the Internet.

The paid VPN service you have works similarly (one-way), but opposite of the example above. It encrypts traffic initiated from within your home network that is trying to access the Internet, but it doesn't encrypt traffic initiated from the Internet that's trying to access your home network.
Click to expand...
Thank you, I had no idea. I'm starting to understand now. Thanks for taking the time to explain!!
 
You must log in or register to reply here.
Top Bottom