Trying to get off Port Forwarding Dependency

[Michael James]

Up until this week, I really never studied the Connections tab in BI Status. this week got Connections from: Shadowserver.org as well as 185.242.226.40 security.criminalip.com. Well, last night I saw 2 IP addresses, looked them up and they were both in China. IP WHOIS Lookup - Lookup IP WHOIS Information - WhatIsMyIP.com® This week members here have been urging me to get on a VPN and to end port forwarding. Thank you for that.

Here is my setup:
1) ASUS GT AX6000 router which has OpenVPN built in. I've never setup a VPN so Im trying to work thru that. (enclosing screen shots of what I have so far..no idea if its actually on and not sure how to test that). I didn't go into the advanced tab at all. I put a Port number that was between 1024 and 65000. Client will use VPN access for both Internet and Local Network (both), and hit Apply All Settings. I guess it turned on?! Again, never used a VPN before and no idea what I am doing or the implications on remote access with BI
2) 14 Cameras are mostly Amcrest. I have phased out all the Foscam except 3. I also have 2 of the $500 Dahua PTZs. The BI5 server is an using an internal SSD and external 2 Terabyte WD drive. Using ASIX USB to Gigabit Ethernet Family Adapter to the Asus AX6000. Internal network is 192.168.50.xx addresses. I manually assigned IPV4 DNS servers for the server.
3) On each camera I turned off UPNP. (Some of the cameras didn't have an option for UPNP but others did). On the AX6000 I also turned off UPNP.
4) I am using Verizons 5G Home internet (White Square box) in passthru mode. Because they change their WAN IP frequently I setup a DDNS- DynDNS Pro account (Screenshot attached)
5) Do I need to change any settings inside the BI5 app itself. Like under Blue Iris Settings, Web Server tab? (Screen shot attached)
6) In the Blue Iris Android App (Screenshot attached), I am unsure what I change or need to add to get remote access once I turn off Port Forwarding?

Another issue:
I'm also getting a red "Drive Issue. See details" popping up under Database when I first open BI5 which may or may not be related. I dont know how to view the actual "Drive Issue". I look in the logs and I see nothing regarding the drives in there, just Motion alerts. I look under the Storage tab (Drives and Devices) and everything is in Green or Blue, no Red

Any help is greatly appreciated.

 

[elvisimprsntr]

Q: You get a public IP with Verizon 5G Home Internet, not behind CGNAT? IPv4 or IPv6?

If so, then OpenVPN on your AX6000 might suffice.

If you are behind CGNAT, then you might need to host a VPN solution that will traverse CGNAT

My current goto solution for that is Tailscale · Best VPN Service for Secure Networks MESH VPN

 

[Ri22o]

I need to look into this as well to get off of port forwarding. I looked at my log and have some connections as well.

 

[Michael James]

Q: You get a public IP with Verizon 5G Home Internet, not behind CGNAT? IPv4 or IPv6?

If so, then OpenVPN on your AX6000 might suffice.

If you are behind CGNAT, then you might need to host a VPN solution that will traverse CGNAT

My current goto solution for that is Tailscale · Best VPN Service for Secure Networks MESH VPN

Oh boy... I have no idea. You're talking greek to me LOL. I have no idea how Verizon does this. How can I tell?
Im not using nor have I configured or plan to configure IPv6 on my router.

 

[elvisimprsntr]

Oh boy... I have no idea. You're talking greek to me LOL. I have no idea how Verizon does this. How can I tell?
Im not using nor have I configured or plan to configure IPv6 on my router.

Goto ping.eu to check your IP.

You mentioned you set up DyDNS updater.

Q: Do you have any manual port forwards on your AX6000

Q: If so, are you able to remotely connect to any current open services via the DyDNS hostname?

 

[txedgeman]

Here is my setup:

4) I am using Verizons 5G Home internet (White Square box) in passthru mode. Because they change their WAN IP frequently I setup a DDNS- DynDNS Pro account (Screenshot attached)
Good. You will want to put the DDNS address as your server in the OpenVPN client.
5) Do I need to change any settings inside the BI5 app itself. Like under Blue Iris Settings, Web Server tab? (Screen shot attached)
Yes, you will most likely want to turn off the auto refresh WAN IP and manually set it to the LAN side static IP (192.168.x.x.) in the URL
6) In the Blue Iris Android App (Screenshot attached), I am unsure what I change or need to add to get remote access once I turn off Port Forwarding?
To know of the VPN is working, you will need to make sure you are not connected to the LAN (WiFi), connect to the VPN and you should be able to ping your BI IP 192.168.x.x. If you are doing this on your phone, then you might try to access the BI web URL in your browser (

http://192.168.x.x:81

). Also, on your router the OpenVPN client will be assigned an IP address on a different network than your LAN. Look in the Advanced area of your VPN setup. It looks like from the screenshots here [VPN] How to set up a VPN server on ASUS router – OpenVPN | Official Support | ASUS Global , they use 10.8.0.0. In your BI Web Server ADVANCED screen you will want to add ^10.8.0.* to the Limit Access by IP address box.

Once it is working you will be able to access BI via it's LAN address.

Hope this helps...

 

[Michael James]

Goto ping.eu to check your IP.

You mentioned you set up DyDNS updater.

Q: Do you have any manual port forwards on your AX6000

Q: If so, are you able to remotely connect to any current open services via the DyDNS hostname?

Yes, I setup DynDNS and used mjXXXXX.dyndns.xxx. I configured that on my router under the DDNS sections and it accepted it. On my original post above, I attached a screenshot of the Blue Iris Android App where I entered the mjXXXXX.dyndns.xxx:81 under the WAN section. Using the forwarded port 81. Yes I get access to the cameras over my Verizon phone using 5G. If I take out the :81 on the Andorid BI app, I don't get access to the cameras.

On the AX6000 I have the BI server port forwarded to 81

 

[Michael James]

Goto ping.eu to check your IP.

You mentioned you set up DyDNS updater.

Q: Do you have any manual port forwards on your AX6000

Q: If so, are you able to remotely connect to any current open services via the DyDNS hostname?

On the BI server machine, when I go to ping.eu, it shows: Your IP is 97.149.xxx.xxx (it whos the real numbers, I just masked them so I don't give it out here)
If I turn off the OpenVPN button inside the router then run the test again, it shows the same IP address.

 

[Michael James]

4) I am using Verizons 5G Home internet (White Square box) in passthru mode. Because they change their WAN IP frequently I setup a DDNS- DynDNS Pro account (Screenshot attached)
Good. You will want to put the DDNS address as your server in the OpenVPN client.

I don't see this option. I only see an option for "VPN Client (max 16)" see attached No option to enter it as my "Server"

 

[txedgeman]

On the BI server machine, when I go to ping.eu, it shows: Your IP is 97.149.xxx.xxx (it whos the real numbers, I just masked them so I don't give it out here)
If I turn off the OpenVPN button inside the router then run the test again, it shows the same IP address.

Dynamic DNS is independent of OpenVPN. Dynamic DNS is simply mapping your WAN IP to a FQDN. When you bring up an OpenVPN connection, the client will connect to the OpenVPN Server on the port you configured (which is also your router's WAN IP). Dynamic DNS makes it easy to be able to VPN back into your network when your WAN IP can change often.

 

[txedgeman]

4) I am using Verizons 5G Home internet (White Square box) in passthru mode. Because they change their WAN IP frequently I setup a DDNS- DynDNS Pro account (Screenshot attached)
Good. You will want to put the DDNS address as your server in the OpenVPN client.

I don't see this option. I only see an option for "VPN Client (max 16)" see attached No option to enter it as my "Server"

The VPN Server is your Router, the VPN client is the software on your phone, laptop, etc. What I was saying is that you want your DDNS address say mjames.dyndns.org to go in the server field of your Open VPN client (not sure if you will need to edit the export file, if it is putting the IP address for the server). So when you tell your android client to start a OpenVPN connection you want it to connect to mjames.dyndns.org, not the WAN IP address of the day of your router.

 

[Michael James]

5) Do I need to change any settings inside the BI5 app itself. Like under Blue Iris Settings, Web Server tab? (Screen shot attached)
Yes, you will most likely want to turn off the auto refresh WAN IP and manually set it to the LAN side static IP (192.168.x.x.) in the URL

For #5.. please see screen shot. Is this what you meant for the settings?
Do I need to remove the :81 ?

 

[Michael James]

4) I am using Verizons 5G Home internet (White Square box) in passthru mode. Because they change their WAN IP frequently I setup a DDNS- DynDNS Pro account (Screenshot attached)

Good. You will want to put the DDNS address as your server in the OpenVPN client.

So it should look like this but take out the :81 on both the LAN and WAN?

 

[Michael James]

So I got this working. The part I was missing is that you have to download the OpenVPN app on the phone side too. So I went to the Google Play Store, downloaded the app. Then you have to export the profile from the OpenVPN built into the Aus router. Then you have to import that file using Microsoft OneDrive, Google Drive or whatever you use. When configuring the the Phone side of OpenVPN, when it asks for the Login and Password, its asking for the login and password for the router itself. (the one you use when you first login to the web interface for your router).

So I was only using the Blue Iris app from Google Play Store yesterday when I was testing. I didn't realize I was only using the LAN access address both inside my house and remote at a concert. What I like to use is the web interface. I use Edge on my phone and use the mjXXXXXXXX.dyndns.info address in the browser in case Verizon changes my LAN. You dont use that dyndns address on Edge (or any browers you use on your phone)..you only use the local IP address. I installed the OpneVPN 64 bit client on my laptop (client) this morning. Got it working too. Thanls for everyones help espeically txedgeman who gave me some extra help here,

 

[Bruce_H]

When you setup the Asus router for the Openvpn, I would suggest that you create a separate User and Password for the VPN connection instead of using the router admin password. I hope that you are not still using the default router userid and password, I changed the user name from admin to something else and generated a complex password for it!

 

[Michael James]

The VPN Server is your Router, the VPN client is the software on your phone, laptop, etc. What I was saying is that you want your DDNS address say mjames.dyndns.org to go in the server field of your Open VPN client (not sure if you will need to edit the export file, if it is putting the IP address for the server). So when you tell your android client to start a OpenVPN connection you want it to connect to mjames.dyndns.org, not the WAN IP address of the day of your router.

Since I have OpenVPN running on the router... Is there a reason to run the OpenVPN client side software (64 bit MSI installer) on the BlueIris server (PC)? The server is never outside the house.

Community Downloads - Open Source VPN | OpenVPN

 

[Michael James]

When you setup the Asus router for the Openvpn, I would suggest that you create a separate User and Password for the VPN connection instead of using the router admin password. I hope that you are not still using the default router userid and password, I changed the user name from admin to something else and generated a complex password for it!

I changed the password when I first setup the router and changed it again last week. I'll change the user name as well. Then I'll make the other changes. Thx

 

[wittaj]

Since I have OpenVPN running on the router... Is there a reason to run the OpenVPN client side software (64 bit MSI installer) on the BlueIris server (PC)? The server is never outside the house.

Community Downloads - Open Source VPN | OpenVPN

Nope.

 

[Ri22o]

I am hoping to work on getting mine set up this week. Any advice or resource links for an Edgerouter X?

 

[wittaj]

I am hoping to work on getting mine set up this week. Any advice or resource links for an Edgerouter X?

Ubiquity EdgeRouter X - Configuring to Isolate Surveillance Networks

Ubiquity EdgeRouter X - Configuring to Isolate Surveillance Networks (This topic began as an inquiry regarding interest. Enough desire was shown to proceed. Main content is later in this thread) Main content begins at Ubiquity EdgeRouter X - Configuring to Isolate Surveillance Networks...

ipcamtalk.com

EdgeRouter - OpenVPN Server - Step By Step setup

EdgeRouter - OpenVPN Server - Step By Step setup I just found this for those that have an Edge Router (in my case an ER-4). It has a Step by Step setup ---with pictures too. o_O...

ipcamtalk.com