Ubiquity EdgeRouter X - Configuring to Isolate Surveillance Networks

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
Overview of LAN's Created

LANs created.jpg

I recommend labeling the ports to indicate their usage as above. I may interchangeably call the camera LAN 2, the surveillance LAN 2)

Notice that the defined LANs are numbered to match their associated ethernet port number. I do that to simplify later identification.

WAN (eth0) - connects to internet provider device. Expects to receive an address via DHCP.

Main LAN 1 (eth1) - Main network devices for your home go on this LAN. This LAN has full access to everything including the camera LAN devices.

Isolated Camera LAN 2 (eth2) - IP cameras and your recording PC or NVR live on this LAN. Device on this LAN are isolated and cannot reach out to the internet. The recorder PC is given special permission to reach out to the internet. You can also prevent that access. We will cover how to change it later. Main thing to remember is that the Camera LAN is intended to keep devices from reaching out of the LAN. This prevents cameras (or NVR) from phoning home.

Limited LAN 3 (eth3) - Some devices, like IOT devices, need internet access, but you don't want them to mess with your main network or cameras. This LAN can reach the WAN, but not the other LANs

Limited LAN 4 (eth4) - Perhaps you need another limited network for guest usage. This LAN, line Ltd LAN 3, can only reach the internet, but not other LANs

VLAN 1003-Eth1 - Supports a limited access guest VLAN. This is intended to support a guest WiFi system wherein the access points tag guest packets on VLAN 1003. 1003 matches the guest VLAN implemented by Apple. VLAN 1003 can only reach the internet, but not the main LAN nor any other LANs.

NB: The Main LAN in this configuration is on eth1 not Eth0. If you factory reset the EdgeRouter, you must start again with a connection on Eth0 and your PC in Ubiquity's default IP range.

Dashboard
Log into the ER-X and view its Dashboard.
Screen Shot 2020-01-24 at 9.49.44 PM.jpg

You can switch between views via the tabs at the top of the screen (Dashboard, Traffic Analysis, Routing, etc)

Moving bar graphs show you Tx and Rx activity for the LAN's you select. In the above picture, eth0 and eth1 traffic are being graphed. You can select the checkboxes next to each interface to add them to the display. Because one cannot rename the ethernet ports, I name each LAN with a number to match its ethernet port.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
On the lower portion of the display you see the various Interfaces (your LANs) configurations.
We notice that the Lan 2 Isolated network is not that well named. Let's rename it.

Screen Shot 2020-01-24 at 9.54.46 PM.jpg

Select Actions/Config from the Action drop down menu for LAN 2 Isolated.

Screen Shot 2020-01-24 at 9.59.15 PM.jpg

Change its name to LAN 2 Isolated Cameras

While you are in this dialog, notice the IP range for LAN 2 is defined with "192.168.92.1/24"

Click on "save" to store your name change.

Now the interfaces look like this….

Screen Shot 2020-01-24 at 9.57.26 PM.jpg

Examine each interface and its config. You will find each has been assigned a distinct IP address range.

Switch0 is special in that we do not using it in this config. Its address range is "no address." Also, under its Vlan tab you find none of the interfaces are selected to be switched. Effectively the switch0 is turned off in my configuration.

Screen Shot 2020-01-20 at 8.28.37 PM.jpg

Traffic Analysis Tab
Your EdgeRouter tracks how much data each client is using. Usage is graphically displayed for the top devices. You can also examine type of traffic for each device using its disclosure triangle.

Routing Tab
Unless you need to do something very special and understand exactly what you are doing, leave the settings in this tab alone. It is usually best to let the router build the routing tables for itself.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
Firewwall/NAT Tab

Port Forwarding

Screen Shot 2020-01-24 at 10.04.30 PM.jpg

Hairpin NAT is enabled for eth1 and eth2 so you can use the same dynamic address from both inside your network and outside your home network. Without hairpin NAT, servers on eth1 or eth2 would need to be addressed differently depending on whether you are inside or outside your network.

Hairpin NAT is much more convenient than keeping two different bookmarks for inside vs outside access. Without hairpin NAT, your internal bookmarks would likely be ip numbers.

Port Forwarding Rules
Port forwarding rules are how you open a port from the outside internet to a server in your network.

Local servers that need to be accessible from the outside (without VPN) are supported by defining a port forwarding rule.

To demonstrate how this works, I have one rule defined to service an NVRPC at IP 192.165.92.20. The NVRPC is expecting to serve inbound requests on port 9090. Noice that the NVRPC is on the camera LAN. You can tell by its IP address in the 192.165.92.xx range.

The rule forwards inbound TCP requests from WAN port 9090 to reach the machine at 192.168.92.20 on LAN port 9090.

Port forwarding can also map an inbound port number to a different, local port number. For instance, you could have inbound WAN Port 1023 forwarded to LAN port 9090.
This can let you specify a non-standard, inbound WAN port number, and map it to a standard LAN Port. Such a change may reduce scans against default port numbers.

If your NVRPC supports a web server and you wish to use port forwarding, enter your NVRPC's IP address and server port in this already existing rule.
If you do not need any port forwarding, delete the example forwarding rule I have in the configuration.

Port forwarding does not protect you from inbound requests. Your server must be able to reject unwanted connection requests. At the very least, such servers should have very difficult passwords and limit connection attempts. It is up to you to decide whether port forwarding is a connection method you wish to allow.

You must click on "Apply" for edits to take permanent effect..

In a later topic, you will set up an OpenVPN server to reduce the need for port forwarding, but there may be devices that need an inbound port.
A VPN connection is probably more secure, but takes additional setup and one extra step to establish a VPN connection during use.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
NAT
The masquerade for WAN rule is what allows the EdgeRouter to receive and exist at its assigned, external WAN IP. Do not alter or delete this rule
There are also some VPN hairpin test rules that are inactive. Leave those alone unless you need to perform a VPN hairpin test - something well outside the scope of this thread.

Screen Shot 2020-01-24 at 10.09.51 PM.jpg

Firewall/NAT Groups
Sometimes rules naturally affect multiple LAN's. I define one NAT group that consists of the following LAN's. They are specified by their IP range.

Screen Shot 2020-01-24 at 10.10.27 PM.jpg


192.168.91.0/24 - main LAN 1
192.168.92.0/24 - isolated camera LAN 2
192.168.93.0/24 - limited LAN 3
192.168.94.0/24 - limited LAN 4
10.21.21.0/24 - limited VLAN 1003
10.31.3.0/24 - OpenVPN (We will eventually create an OpenVPN service in this range)
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
Firewall Policies
It is here that we build protections for our LAN's, devices, and router. Several sets of rules are needed for any router configuration, but we need a few extra ones to protect and isolate our LANs. A mistake here can open your network to unwanted connections or cut off desired connections.
Screen Shot 2020-01-20 at 9.09.38 PM.jpg

There are a few firewall rule conventions key to understanding how things work..

- In vs out is means relative to the router.

- Local means a service inside the router.

- Rules in each set are applied sequentially, top first, bottom last. Ordering of rules can dramatically alter function. Conditions that match earlier rules are not tested against later rules.

- Rule sets are applied against packets arriving or leaving interfaces. A rule set can be applied against multiple interfaces or just one.


Let us examine the simplest rulesets first

WAN_IN - this ruleset controls inbound WAN on already established connections. Invalid, or non-already open connections are dropped. This ruleset disconnects undesired inbound connection attempts from the internet. Only connections that are established from a LAN device or through a forwarded port get in from the WAN.

Screen Shot 2020-01-20 at 9.35.13 PM.jpg


WAN_LOCAL - this ruleset is for connecting inbound WAN (eth0) to LOCAL (services inside router). We never want the outside internet to control our router. So, this rule's default action is to drop attempted new connection. There are three rules defined in this set.

Screen Shot 2020-01-20 at 9.35.26 PM.jpg
1. Allow established/related
2. Drop invalid
3. Allow inbound UDP to router's OpenVPN service on port 443. We will need this later for our OpenVPN service.

We don't allow any inbound internet connections to modify services or settings inside our router. The only exception is OpenVPN which we will finish setting up later.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
The other two rule sets implement restrictions and connections for our LAN's. Our desired design gives full access to the Main LAN1 and VPN. The camera LAN2 isn't allowed to reach out to anywhere else, The LAN3 and LAN4 limited LAN's can only reach out to the internet, but not into other LAN's.

restricted_LANS_IN
This ruleset deals with connections going into the router and headed out to other LAN's or WAN. Those connections have a direction of in because they go into the router. Routers can also implement rules for out, but we do all our work on the inbound direction.

Pay particular attention to the interfaces this ruleset governs. Notice it does NOT cover the main LAN1 (eth1) nor the VPN. It only controls the isolated and restricted LANs.

Default action of this ruleset is to drop connections unless it gets accepted by one of the accept rules. I include a drop rule on Eth2 for gathering statistics even though they are not strictly needed.

Screen Shot 2020-01-24 at 10.13.07 PM.jpg

Rule 2 gives special permission for our NVRPC at IP 192.168.92.20 to access the internet and other LAN's. We have this looking for packets based on IP number, but we could also set it to identify packets by source MAC address.

Rule 3 protects the LAN_Protected_Networks from access by devices on the isolated and limited LANS - namely guest VLAN-1003 (eth1.1003), cameras LAN 2(eth2), LAN3(eth3), LAN4(eth4). Remember we previously defined the LAN networks that should be protected as all the LAN IP ranges.

Rule 4 gathers stats for Camera network attempts to contact the outside world.

Rule 5 lets LAN3 to connect out.

Rule 6 lets LAN4 to connect out.

Rule 7 allows Guest VLAN1003 connect out

The sequence of rules is very important. Rule 3 must be before the LAN3, LAN4, and VLAN 1003 accepts. Otherwise, those LAN's would gain access to the protected LANs. Notice that your cursor becomes crossed arrows when you move it over the rules list. Don't do it now, but you can click and drag a rule to shift its order. Then you would Save Rule Order to alter the sequence of rules.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
restricted_LANs_LOCAL
Recall that "local" means a connection to services running inside the router. We use this rule set to limit access to router services. Again, we are only affecting the restricted and isolated LANs. Look at the interfaces involved (eth1.1003/local, eth2/local, eth3/local, eth4/local)

Screen Shot 2020-01-24 at 10.13.26 PM.jpg


Rule 1 gives our NVRPC at 192.168.92.20 special access to all services. We identify the source by the NVRPC's IP address. We could also do it by Mac Address. (You should set your NVRPC to be at 192.168.92.20 if you wish to use my pre-configuration)

Rule 2 prevents camera LAN2 devices from doing DNS lookups. I implement this drop rule early to specifically cut off LAN2 and gather statistics.

Rule 3 prevents camera LAN2 devices from getting DHCP leases. Again, I implement this drop rule early to specifically cut off LAN2 and gather statistics.

Rule 4 and 5 grants DNS and DHCP services to other LANs

Rule 6 allows eth2 NTP queries but only to the EdgeRouter's own NTP server at 192.168.92.1 on port 123. Cameras get NTP time only from the router.

All other attempts to obtain local router services are dropped by default action for the rule set.

You should now have a better understanding of how the rulesets implement and limit connections.


Services Tab
Under the services tab, we find the router's DHCP and DNS services.

DHCP Servers
I have created a DHCP server for each LAN. The respective DHCP service hands out IP assignments to devices on the associate LAN. You can go into each DHCP service and set up static reservations for devices that should not shift their IP.
Although I define a DHCP service for LAN2, it isn't actually allowed to be used. Recall the drop LAN2 DHCP rule we saw earlier.

Screen Shot 2020-01-24 at 10.22.48 PM.jpg

DNS Service
DNS translates URL's into ip numbers. The EdgeRouterX can locally cache DNS lookups for faster response. I have set it up to caches up to 600 lookups.

We also define which network interfaces are provided DNS service. We listen on eth1, eth2, eth3, eth1.1003, eth4, and vtun0. Only interfaces that are listed receive DNS services.
Vtun0 will eventually be our OpenVPN interface. I have added it here for that eventual use.

Screen Shot 2020-01-24 at 10.22.58 PM.jpg

Dynamic DNS (updater deamon)
Most home networks are assigned a changeable, IP address by their internet provider. Dynamic DNS services provide a human readable DNS name that is associated with your current IP. However, if your provider changes your IP, that association must be updated. EdgeRouterX can automatically update your DNS service upon detecting an IP change. You set up the updater by adding a DDNS interface. Enter your Dynamic DNS account details and update key/password here. EdgeRouterX will keep your network IP updated for you.

I have intentionally not defined a DDNS in my pre-config. That would potentially generate inadvertent updates with multiple people running this configuration. Add one with your own DDNS account credentials.
During the process, you will specify eth0. If your DDNS service is DynDNS, setup would look like...

Screen Shot 2020-01-24 at 11.19.15 PM.jpg

Hostname is your DDNS host name
Login is your account name
Password is your updater key. If you only have an account password, use it here, but an updater key is safer.


Back Up Your Configuration Settings
Configuration settings can be exported and uploaded just like the configuration file I supplied. You should go into the system panel and export your settings now.
You will want a backup of your configuration before attempting to create the OpenVPN service. That exported config file lets you recover if your OpenVPN quest goes awry.

Screen Shot 2020-01-22 at 9.19.35 PM.jpg

Please save a config file before going further.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
Wire Network and Manually Assign IP Numbers for Camera Network Devices
Your Edgerouter X is already fully operational except for lack of an OpenVPN service.
I suggest going ahead and wiring the router into your network at this point.

Assign your camera network devices with a static address in the 192.168.92.xxx range

The other network settings should be...

netmask 255.255.255.0
router 192.168.92.1
DNS 192.168.92.1
NTP server 192.168.92.1

The static IP numbering scheme I suggest for the camera LAN is...

192.168.92.1 - (EdgeRouter X interface for LAN 2 is already at this address)
192.168.92.2 - Main POE switch management page
192.168.92.3 - 2nd POE switch management page
192.168.92.4 - 3rd POE switch management page

192.168.92.10 - camera wifi access point (but WHY would you do this to yourself?)
192.168.92.11 - camera wifi access point (but WHY would you do this to yourself?)

192.168.92.20 - Recording PC or NVR

192.168.92.21 - camera
192.168.92.22 - camera
192.168.92.23 - camera
192.168.92.24 - camera
192.168.92.25 - camera
192.168.92.26 - camera
192.168.92.27 - camera
etc

Wire network with the topology I as in the diagram below.

"SecuritySpy Computer" is your recording computer.

Only fan out. Create no loops nor inter-connection of one LAN to another.

If you are using an NVR, the NVR would connect to LAN2 (Eth2). Cameras would connect to the NVR's LAN.
I won't be covering NVR wiring and cameras addressing in this thread. That would lead us away from EdgeRouter X setup.


camera network scheme.jpeg

Complete your IP assignments and wiring. Your home network and surveillance system should be operational at this point.

AFTER You have the network functioning, back up your config again.

Now, we are ready to add the OpenVPN service.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
Command Line Basics or: How I Learned to Stop Worrying and Love the Keyboard

Needing to enter commands is often daunting to most of us. Rather than seeing and selecting, we are forced to type in very specific commands. Fear of punctuation errors, extra spaces, missing and wrong characters keeps many from even trying. You are going to be fine.

1. You have previously exported a safety net - your config file. You can always recover from disaster with a factory reset and uploading your config file. Granted, you need to go back through plugging into eth0, and using the default IP range, but you already know how to do that. You've already updated the firmware. So you don't even need to do that step.

You are not going to be totally lost. You have a bail out (provided you followed my advice and exported a config file).

2. Rather than memorizing arcane commands with painstaking accuracy for the parameters, you will mostly cut and paste the needed commands. You can can handle cut & paste.

I describe some basic commands and concepts here to help you understand what those commands are doing. Also, I will cover the two main ways you use command line interfaces on the EdgeRouter X.

Command Line Via Ubiquity Web Interface CLI
Your EdgeRouter X includes a simple, built in, command line interface (CLI) directly in its web page.

Screen Shot 2020-01-25 at 1.32.11 AM.jpg
You log into a session with your username and password. Usually this would your admin username.
Enter the commands you need and finally exit to end a session.

The built-in CLI is fine for simple tasks, but it does not accept pasted text. Therefore, we need a different means of running a command line session.
That would be ssh (also known as secure shell).

Command Line Via SSH
SSH sessions are a means of logging into another computer and running a command line session. SSH sessions can reach across a globe spanning network connection or just to computer on your local LAN.
We ssh into the EdgeRouter to run a full featured command line interface that include the ability to paste in commands.

Linux and MacOS have a built in terminal utility. In MacOS, terminal is inside the utilities folder of applications.

Windows does not include an ssh client. You should download and install an ssh client for your PC or add it to PowerShell. Here are some links to help with that.

Get your ssh client installed if need be.

Enable EdgeRouter-X SSH Server
By default, ssh is turned off in the EdgeRouter. You should keep ssh disabled except for when you are using it. So, when you are done, remember to turn the ssh server off.

Enable the ssh server in the system pane
Screen Shot 2020-01-25 at 1.41.56 AM.jpg
You don't need to specify the port. It will default to 22.

You must also click on "save" at the bottom of the system pane for the setting to take effect.
Once you do that, the ERX will accept ssh connections on port 22.

A typical command to start an ssh session to your Edgerouter would be...

ssh admin@192.168.91.1

You would log in with your username and password.
Exit ends the ssh session just like in the EdgeRouter CLI.

Now you know how to start a ssh session

Ubiquity Configure Mode
Once connected, you can adjust almost any configuration setting of the router via its configure mode.
Here are a few commands of note.

configure - starts configuration entry mode

Router goes into configure mode and you can type in configuration commands.
Once done entering commands, commit your changes to the currently running configuration.

commit - commits your edits to currently running configuration. However, does NOT save permanently. Reboot will undo your settings.

save - saves your edits permanently so they are retained across router restarts.

exit - leaves configuration mode

More detail about configuration mode is here EdgeRouter - Configuration and Operational Mode
Don't worry. You won't need to know all that to get through my setup.


Linux Commands to Know
Commands don't execute until you press the return key

exit leaves current mode, or logs out of connection

ls lists current directory

cd directoryName moves to a named directory. You can also cd to a path for a directory

cd .. moves up one directory level. The two dots means parent directory.

vi filename starts vi text editor to edit a file. We need vi to edit some config files.


vi basics
Arrow up, down, left, right to navigate through a file

Entry of text is done via "insert" mode. Insert mode is started by typing the letter i

Hitting the ESCape key a few times ends text entry.

:q quits vi without writing changes. Note the colon. Also, must be out of insert mode.

:wq writes and then quits vi



You don't need to learn more commands to complete the OpenVPN setup via command line.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
OpenVPN Service Forward

In these instructions, commands that should be pasted or typed into your terminal session are in blue.
The process may look daunting, but realize you are mostly entering only the stuff in blue.
The majority of the material here is explanation of what you are doing.

OpenVPN Service Creation via ssh Session
Create your own Certificate Authority (CA) on the router and use it to create and sign certificates for authentication.
We also create the OpenVPN service interface, firewall rules, and adjust DHCP listening

You should have already set up time zone and allowed NTP in the EdgeRouter's System panel

Your EdgerRouter WAN should be connected to the internet and clients on your main LAN should already be able to browse the internet. A live internet connection is needed during this process so time and date are correct doing the setup process.

Also enable ssh in the EdgeRouter system panel. You must "save" to make that setting take effect.

Most of the work is done as root via an SSH session. In the System tab of EdgeRouter GUI, enable SSH. Then, start SSH session in terminal of your computer. we will issue you are logging under the admin username.

ssh admin@192.168.91.1

A SSH session will be opened and you will be asked for your admin password. Enter your admin account password

Once logged in, change to superuser mode with….

sudo su -

Extend Expiration Periods of Created CA and server/client certificates
.
Default expiration periods for Certificate Authority (CA) and server/client certificates are quite short. I prefer to adjust the expirations to something quite long.
That means editing some files using the vi editor. vi is a text editor built into the unix kernel of the EdgeRouter.

vi usage hints for once a file is opened
- scroll up and down using up down arrow keys
- Press "i" key (without quote) to start editing the contents (i starts insert mode)
- Once done editing, press ESC a couple times to end editing mode
- Once ready to quit vi, type the following
- to save the changes and quit, type :wq followed by a return
- to simply quit, abandoning your edits, type :q

Extend validity of the CA (Certificate Authority):
(I may already have this done for you)

vi /usr/lib/ssl/misc/CA.pl

Arrow down until you see

my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"} || "";
my $DAYS = "-days 365";
my $CADAYS = "-days 1095"; # 3 years
my $REQ = "$openssl req $OPENSSL_CONFIG";


Change $DAY and $CADAY to make them 10 years

my $DAYS = "-days 3650";
my $CADAYS = "-days 3650"; # 10 years


Once done editing hit ESC key a few times to end editing

:wq to write changes and quite vi

Extend the validity of the Server/Client Certificates

vi /usr/lib/ssl/openssl.cnf

Arrow down until you see

default_days = 365 # how long to certify for

Change default_days to make it 3650 days, aka 10 years.

default_days = 3650 # how long to certify for

Once done editing hit ESC key a few times to end editing

:wq to write changes and quite vi


Create Certificate Authority
As a precaution we delete any existing demoCA directory
cd /usr/lib/ssl/misc/
rm -rf demoCA


Also delete old misc and auth from /config
cd /config
rm -rf misc
rm -rf auth

Recreate an auth directory
mkdir auth

Navigate back into the necessary directory
cd /usr/lib/ssl/misc/

Create our new CA certificate.
./CA.pl -newca

Type enter key to create a new certificate.

Every time we create a certificate we go through an interactive process where you will be asked for several things. Try to be consistent with your answers. The PEM pass phrase is the most critical item. You must be type in the pem pass phrase multiple times during OpenVPN certificate creation. You CANNOT paste in the pass phrase. It must by typed in. The other responses can be pasted. I usually keep a list of the responses in a separate file for easy cut/paste.

Enter PEM pass phrase: pempassphrase (You cannot copy paste this! Must type it in manually)
You will be asked twice.

Country Name (2 letter code) [AU]: US
State or Province Name (full name) [Some-State]: WA
Locality Name (eg, city) []:cityName
Organization Name (eg, company) [Internet Widgits Pty Ltd]:MyCompanyName
Organizational Unit Name (eg, section) []:divisionName
Common Name (e.g. server FQDN or YOUR name) []:myServerName
Email Address []:mymail@provider.com

Simply leave the following extra attributes blank

A challenge password []:
An optional company name []:

Eventually you will be asked for a pass phrase. Simple to just use same pass phrase
Enter pass phrase for ./demoCA/private/cakey.pem: pempassphrase

You will see quite a bit of text scroll by as the certificate is generated.

eventually you should see something like...

Signature ok
Certificate Details:
Serial Number:
eb:b5:f3:45:e8:27:08:c7
Validity
Not Before: Jan 24 05:20:58 2020 GMT
Not After : Jan 21 05:20:58 2030 GMT
Subject:
countryName = US
stateOrProvinceName = WA
organizationName = MyCompanyName
organizationalUnitName = divisionName
commonName = myServerName
emailAddress = mymail@provider.com
X509v3 extensions:
X509v3 Subject Key Identifier:
DA:4E:4F:BF:8C:C3:4B:78:CF:D3:D8:2B:D0:A7:57:33:D7:A5:B5:64
X509v3 Authority Key Identifier:
keyid:DA:4E:4F:BF:8C:C3:4B:78:CF:D3:D8:2B:D0:A7:57:33:D7:A5:B5:64
X509v3 Basic Constraints: critical
CA:TRUE
Certificate is to be certified until Jan 21 05:20:58 2030 GMT (3650 days)
Write out database with 1 new entries
Data Base Updated
==> 0
====
CA certificate is in ./demoCA/cacert.pem


You can ignore the error messages about index.txt.attr.
What matters is that singnature was OK, you see the database was written with 1 new entry and CA certificate is in ./demoCA/cacert.pem

Once new certificate authority creation completes, you have a new directory called demoCA. The two most important items in there are as follows:

private/cakey.pem – This is the private key for your CA (always keep this secret)
cacert.pem – This the public key for your CA (you’ll be giving this out to your clients)

Backup Certificate Authority to preserve it across firmware updates
EdgeRouter firmware upgrades destroy the directory in which your certificate authority and keys exist. /usr/lib/ssl/misc
Firmware upgrades, therefore, destroy the certificate authority and its keys.
To allow use to restore our CA after a firmware update, we duplicate the CA to a location that is saved during config exports.
We back up the CA before generating and moving client keys to /config/auth. Backing up the CA later will destroy keys in /config/auth.
So, back up your CA NOW with this command.

cp -r /usr/lib/ssl/misc /config/

Again, above must be before further key generation or restoring the backup will overwrite your generated keys.
How does this preserve your CA? Exporting a config file includes the copy of your CA along with the rest of your router configuration.
When config file is restored, the data for your CA is loaded in our copy location. We simply to copy it back to the CA's normal working location to restore the CA.


———— Begin Restore CA after a firmware upgrade - Do NOT do this now ——
Restore Certificate Authority after Firmware Update
Don't do this now. These instructions are for after a firmware update. It simply made sense to document the process here.
You must have an exported config file to upload.

Upload your config file via EdgeRouter System GUI.

Restore CA misc directory from /config back to /usr/lib/ssl with

ssh admin@192.168.91.1
sudo su -
cp -r /config/misc /usr/lib/ssl/


End ssh session
exit

———— End Restore CA after a firmware upgrade - Do NOT do this now ——


Create Server Certificate
Next, we generate a public/private key for the server.
./CA.pl -newreq

You will go through same interactive process of entering pass phrase and parameters.
The Common Name (CN) of your server certificate should be something unique like your dynamic DNS host name
Eventually you get to...

Request is in newreq.pem, private key is in newkey.pem

Sign the newly created server certificate with the following command
./CA.pl -sign

You will be asked for your pem passphrase.
Type it in correctly. If you make a mistake, you will see errors like….

unable to load CA private key
2013087232:error:06065064:digital envelope routines:EVP_DecryptFinal_ex:bad decrypt:../crypto/evp/evp_enc.c:536:
2013087232:error:23077074:pKCS12 routines:pKCS12_pbe_crypt:pkcs12 cipherfinal error:../crypto/pkcs12/p12_decr.c:63:
2013087232:error:2306A075:pKCS12 routines:pKCS12_item_decrypt_d2i:pkcs12 pbe crypt error:../crypto/pkcs12/p12_decr.c:94:
2013087232:error:0907B00D:pEM routines:pEM_read_bio_PrivateKey:ASN1 lib:../crypto/pem/pem_pkey.c:87:


Assuming you enter the pass phrase correctly, you get details for the certificate and asked whether to sign and commit.
Answer Y to both. Eventually the database will be written one with 1 new entry.

Write out database with 1 new entries
Data Base Updated
==> 0
====
Signed certificate is in newcert.pem


Once this completes, you have three new files, as follows. You can list the files in directory with ls command.

newkey.pem – This is the private key for your server (keep this secret)
newreq.pem – This is the unsigned public key of the server (this needs to be signed by your CA)
newcert.pem – This is the signed public key for your server

We previously backed up the CA. However, these new files should also be backed up.
Copy the important server files to a directory in config where they won’t be wiped out during a firmware upgrade.

In addition to moving the files, we’re also renaming them.

cp /usr/lib/ssl/misc/demoCA/cacert.pem /config/auth/
cp /usr/lib/ssl/misc/demoCA/private/cakey.pem /config/auth/
mv /usr/lib/ssl/misc/newcert.pem /config/auth/host.pem

mv /usr/lib/ssl/misc/newkey.pem /config/auth/host.key

Diffie-Hellman Parameters
Generate new Diffie-Hellman (DH) parameters to ensure Perfect Forward Secrecy (PFS).
Believe it when it says that it takes a long time. EdgeRouter will need 5 to 20 minutes to complete.
openssl dhparam -out /config/auth/dh2048.pem -2 2048

Decrypt Host Key
We must decrypt the password from the host and later generated client(s) keys so that OpenVPN can run in interactive mode.
openssl rsa -in /config/auth/host.key -out /config/auth/host-decrypted.key

You will be asked for your pempassphrase

We have now completed the certificates for the server. The next task is creating user certificates for each client.

Create & Decrypt Client Certificate(s)
For each client, we
- generate a request and sign it for each new user certificate.
- Move the new files into your preserved directory while renaming them.

The Common Name (CN) of your user certificate should be something unique like the client machine name.
COMMON NAME must not have been previously used or it will not be accepted in the registration database.

Repeat for each client as below. Take care that file names are adjusted for each client (seen in red)
———
Begin certificate for phone
Create the certificate.
./CA.pl -newreq

You will be asked for the usual inputs for certificate creation.
When it comes to the common name, give each client a unique name. I use myPhone here

Eventually you get....
Request is in newreq.pem, private key is in newkey.pem

Sign the freshly created newcert.pem and newkey.pem
./CA.pl -sign
Usual yes to sign and commit

We rename newcert.pem to myPhone.pem and newly.pem to myPhone.key
mv newcert.pem /config/auth/myPhone.pem
mv newkey.pem /config/auth/
myPhone.key


Decrypt to allow OpenVPN run in interactive mode
openssl rsa -in /config/auth/myPhone.key -out /config/auth/myPhone-decrypted.key

End certificate for phone


———

Begin certificate for laptop
Create the certificate.
./CA.pl -newreq

You will be asked for the usual inputs for certificate creation.
When it comes to the common name, give each client a unique name. I use myLaptop here

Eventually you get....
Request is in newreq.pem, private key is in newkey.pem

Sign the freshly created newcert.pem and newkey.pem
./CA.pl -sign
Usual yes to sign and commit

We rename newcert.pem to myLaptop.pem and newly.pem to myLaptop.key
mv newcert.pem /config/auth/myLaptop.pem
mv newkey.pem /config/auth/myLaptop.key

Decrypt to allow OpenVPN run in interactive mode
openssl rsa -in /config/auth/myLaptop.key -out /config/auth/myLaptop-decrypted.key

End certificate for laptop
———

Done Making Certificate Authority and Creating Certificates
Finally after all that, we are done creating certificates.
Exit back to normal ubnt user mode
exit
whoami


whoami should report admin instead of root.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
Adding OpenVPN Service to EdgeRouter
With our certificates ready, we can create the OpenVPN service on the router.

Delete Existing OpenVPN Server
I have already done this in my configuration. You do not need to do the deletion.
I include the deletion commands in case you ever need to reconfigure the OpenVPN server. Easiest is to delete the existing and create a new one.

configure
delete interfaces openvpn vtun0
commit
save

exit


Create OpenVPN server on Router
server subnet should be one unlikely to exist at client local connection and server
push-route must be a LAN ip range on server
name-server should be from LAN ip range on server
note port 443 has been specified for this server

configure
set interfaces openvpn vtun0
set interfaces openvpn vtun0 description "OpenVPN server"
set interfaces openvpn vtun0 mode server
set interfaces openvpn vtun0 encryption aes256
set interfaces openvpn vtun0 hash sha256
set interfaces openvpn vtun0 server subnet 10.31.3.0/24
set interfaces openvpn vtun0 server push-route 192.168.91.0/24
set interfaces openvpn vtun0 server name-server 192.168.91.1
set interfaces openvpn vtun0 tls ca-cert-file /config/auth/cacert.pem
set interfaces openvpn vtun0 tls cert-file /config/auth/host.pem
set interfaces openvpn vtun0 tls key-file /config/auth/host-decrypted.key
set interfaces openvpn vtun0 tls dh-file /config/auth/dh2048.pem
set interfaces openvpn vtun0 openvpn-option "--port 443"
set interfaces openvpn vtun0 openvpn-option --tls-server
set interfaces openvpn vtun0 openvpn-option "--comp-lzo no"
set interfaces openvpn vtun0 openvpn-option --persist-key
set interfaces openvpn vtun0 openvpn-option --persist-tun
set interfaces openvpn vtun0 openvpn-option "--keepalive 10 120"
set interfaces openvpn vtun0 openvpn-option "--user nobody"
set interfaces openvpn vtun0 openvpn-option "--group nogroup"
commit
save



OpenVPN Client
You now have a running OpenVPN Server on your EdgeRouter. To establish an OpenVPN tunnel into your main LAN you also need an SSH Client appl
Windows, MacOS, and your phone OS do not come with an OpenVPN Client app. You must download and install a client to enable use of OpenVPN protocol on your client device.
This can be from OpenVPN or a variety of other sources.


Personally, I use TunnelBlick on MacOS and OpenVPN Connect on IOS.

Download and install an OpenVPN Client of your choice.

OpenVPN Configuration Files
Each client needs some configuration files to
  • Tell clients the address of your server
  • Prove client and server identity via certificates
  • Set up connection parameters for the tunnel
We have already created the certificates for your OpenVPN server and client machines. We must transfer them from the EdgeRouter to your computer. We could scp (a linux secure copy command), but it is far easier to simply export your EdgeRouter config file, unzip the archive, and grab the needed files from there.

BTW: Because your config file contains copies of your certificates, you should always keep your config files in a secure, encrypted location.

Go ahead and export a config file now.
Decompress the config file.

Look in config/auth to find all your certificate files.

For each client you should prepare a folder with five files.
For your laptop in this tutorial, those files would be....

myLaptop.pem <--- copied from your config/auth
cacert.pem <--- copied from your config/auth
myLaptop-decrypted.key <--- copied from your config/auth
myLaptop.key <--- copied from your config/auth
myLaptop.ovpn <-- create this plain text file with the following content. The text file should be saved with .ovpn as its extension. Do not create an Rich Text File.

Substitute the DNS name of your server for myServerDDNSName.com. For example if your DDNS name is porchPiratePhaserServer62.blogsite.org, use porchPiratePhaserServer62.blogsite.org
Substitute the name of your client for myLaptop. In the case of your phone, it would be myPhone

client
remote myServerDNSName.com
port 443
cert myLaptop.pem
key myLaptop-decrypted.key
ca cacert.pem
dev tun
proto udp
cipher AES-256-CBC
auth SHA256
redirect-gateway def1
nobind
user nobody
group nogroup
ping-restart 60
ping-timer-rem
persist-tun
persist-key
resolv-retry 86400
# keep-alive ping
ping 10
# enable LZO compression
comp-lzo no
# moderate verbosity
verb 3
mute 10


Those five files together in a folder are submitted to your OpenVPN client app to define a connection.
How these credential files are submitted varies with the client app.

Once a connection is defined, please dispose of those credential files.
Never give those credential files to anyone else. Protect them. They are keys to your main network!!!!

Once an OpenVPN connection is established, your client device acts as though it is on your Main LAN.
Bonjour or other self-identifying broadcasts are NOT transmitted across an OpenVPN connection.
So, access your network devices via its LAN IP number.

For instance, your RecordingPC should be at 192.168.52.20 if you followed this tutorial.

NOTE: You cannot OpenVPN into your network from INSIDE your network. That would make no sense.
You can only tunnel in from OUTSIDE your local network. Test your OpenVPN from an internet connection outside your own network. A handy way I test is to use my phone's cell connection with a tethered laptop.
 
Last edited:

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
The following are useful commands. The pre-config I supply already has specific DNS servers active.

Set DNS forwarding to specific servers
(Derived from DNS Forwarding / Name Servers | Ubiquiti Community)
configure
delete system name-server
set service dhcp-server use-dnsmasq enable

set system name-server 127.0.0.1

Since default is getting an IP on your WAN address via DHCP, we tell the dhcp-client not to add the ISP DNS servers to /etc/resolv.conf.

set interfaces ethernet eth0 dhcp-options name-server no-update

By default, dnsmasq will send queries to any of the upstream servers it knows about and tries to favor servers that are known to be up. If you want to query the servers in order instead, then add the following:

set service dns forwarding options strict-order

Then you can add your nameservers to dnsmasq. Change the 0's and 1's to the DNS address you want to use. Add more if you like. If using the strict-order option, add them in the order you want them to be queried.

The following are MegaPath, NTT America, OpenDNS and google DNS servers
set service dns forwarding name-server 1.1.1.1
set service dns forwarding name-server 129.250.35.251
set service dns forwarding name-server 208.67.222.222
set service dns forwarding name-server 8.8.8.8


One special alternative to the above is OpenDNS family shield DNS servers
set service dns forwarding name-server 208.67.222.123
set service dns forwarding name-server 208.67.220.123

Once you are happy with your settings, type the following to commit your changes, save the new config, and exit configure mode

commit
save
exit

Release/renew to remove ISP servers from /etc/resolv.conf
release dhcp interface eth0
renew dhcp interface eth0


Now, when you type
show dns forwarding nameservers

Response shows designated DNS servers.



Set ER-X to Use ISP Assigned DNS Server
In the command line interface via CLI or ssh...

configure
delete system name-server

set service dhcp-server use-dnsmasq enable
set system name-server 127.0.0.1
commit
save

exit

Release/renew to remove ISP servers from /etc/resolv.conf
release dhcp interface eth0
renew dhcp interface eth0


Verify with command to show current nameserver list
show dns forwarding nameservers




Enable hwnat and ipsec Hardware Acceleration Offloading

configure
set system offload hwnat enable
set system offload ipsec enable

commit ; save

Disable hwnat and ipsec Offloading

configure
set system offload hwnat disable
set system offload ipsec disable

commit ; save



Restore Certificate Authority after ER-X firmware update
Firmware upgrades destroy /usr/lib/ssl/misc
Firmware upgrades therefore destroy the certificate authority and its keys.

You should always export and save your config file prior to a firmware update. If you followed the CA backup instructions during my CA setup, your CA should have already been cloned into your config folder.
After the firmware update completes, upload your config file
Restore your CA after your uploaded config file

sudo su -
cp -r /config/misc /usr/lib/ssl/
exit


 
Last edited:

Serodgers

Getting the hang of it
Joined
Dec 17, 2018
Messages
74
Reaction score
51
Location
PC FL
Here is a similar web page with a good setup tutorial got me started with all my Ubiquity gear.

Always appreciate those that take the time to make these tutorials.






Sent from my iPad using Tapatalk
 

windguy

Getting comfortable
Joined
Sep 25, 2019
Messages
285
Reaction score
289
Location
Pacific Coast
I personally do not follow you putting all your cams in a physically seperated network while you have all the bells and whistles to hook your POE switch into a vlan. One of the use cases might be that IF your BI pc has an issue, you can still connect to the VPN server (on your ER-X) and watch your cams "in direct mode". But in your diagram, that won't be possible. On the other hand, your setup avoids any bandwidth leakage from cams into your "main" network.

Choices choices choices :)

In any case, with the ER-X, almost everything is possible, but keep in mind that the vSwitch is underperforming than a "native" switch, that's the reason why in your design (and mine) I offload all "switching" traffic.

Good luck!
CC
Thanks for the input CC. Couple of reasons why, but mainly I don't know any better. I have limited networking skills and there is a following on this forum that suggests to use a dual NIC setup and isolate all cams on a subnet, physically isolated from the rest of the network. And to also keep all the cam traffic off of the router. Based on those rules, I came up with that network diagram. Seemed like a reasonable plan until this thread came along. I see the virtues of adopting GUYKUO's suggested network diagram as long as I can successfully integrated the ER-X. With this great tutorial I think I can now. Before I had strong doubts. The only draw back in eliminating the dual NIC and connecting the POE switch direct to the ER-X is it takes up an extra port on the POE switch so I'm limited to six cameras on an 8-port switch, but I can live with that. Also that I already bought a second NIC, but that's a minor adjustment. Thanks!
 

windguy

Getting comfortable
Joined
Sep 25, 2019
Messages
285
Reaction score
289
Location
Pacific Coast
The EdgeRouter will do the desired isolation of the camera network while still allowing your Main LAN computers (and VPN) to administer and view cameras directly. It is also useful for remotely power cycling cameras on "smart" POE switches. All my POE+ switches have remote management. That lets me reboot any camera that gets into trouble. That is super handy when I'm out of town and notice a camera is wonky. It's rare, but nice to be able to fix things remotely. Changed to smart POE switches after a trip that included half my cameras going off line for some reason. Could not do anything about the system being crippled until returning home. Now I can reach in and reboot any camera.
Thanks GUYKUO. Appreciate the input. I can easily adopt your network diagram. I haven't bought the POE switch yet, but was planing on getting a passive Netgear Model GS108PP 8-port POE+. I can appreciate your stated benefit of being able to reset cameras remotely if traveling. I should have added that feature as one of my requirements. Could you please share which model smart POE switch you got and any pros/cons?

Secondly, many thanks for your wonderful tutorial postings. Job well done! Seems very thorough and easy to understand for a networking dolt like myself. I can only go so far reading without actually getting the ER-X and setting it up. That will be my next step along with a POE switch. Thanks!
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Thanks for the input CC. Couple of reasons why, but mainly I don't know any better. I have limited networking skills and there is a following on this forum that suggests to use a dual NIC setup and isolate all cams on a subnet, physically isolated from the rest of the network. And to also keep all the cam traffic off of the router. Based on those rules, I came up with that network diagram. Seemed like a reasonable plan until this thread came along. I see the virtues of adopting GUYKUO's suggested network diagram as long as I can successfully integrated the ER-X. With this great tutorial I think I can now. Before I had strong doubts. The only draw back in eliminating the dual NIC and connecting the POE switch direct to the ER-X is it takes up an extra port on the POE switch so I'm limited to six cameras on an 8-port switch, but I can live with that. Also that I already bought a second NIC, but that's a minor adjustment. Thanks!
No problem, sharing is caring, right? I don't follow you on why the single NIC would take an extra port on the POE switch? In the dual NIC BI pc setup, you'll have one wire from 2nd NIC to that POE switch. That wire is re-used to connect the POE switch to your core network (either ER-X, or the managed switch downstream). You can then connect your BI pc to the same managed switch (or ER-X). I'm not using BI, but if I was you, I would either advice you to still use that 2nd NIC (to connect to an untagged vlan port of your managed swithc) OR use vlan tagging on the 1st NIC of the BI pc. Why? So you can hook up your BI pc both to your "internal" LAN (which allows internet traffic for eg. windows update) and which avoids ANY by-pass/allow-once internet access for that BI pc if it would reside in the cam-lan only.

Choices choices choices ;-) But the good news is: with the ER-X, you have not 1, not 2 but ample alternatives. Nothing is "better" than another, however keep the following in mind:
- DRAW your physical topologies and LABEL your wires (nothing frustrating than discovering an unlabeled CAT6 and nobody knows what's behind it) - same logic applies for PATCH cables. LABEL THOSE. Preferably both sides
- DRAW your logical topologies, write down ALL vlans, subnets, gateways, whatif's and whatnot's. EVERYTHING. Preferably with mac addresses, because you know, someday, you see something running around and you don't know who the h€ck it is.

Hope this helps!
CC
 

windguy

Getting comfortable
Joined
Sep 25, 2019
Messages
285
Reaction score
289
Location
Pacific Coast
No problem, sharing is caring, right? I don't follow you on why the single NIC would take an extra port on the POE switch?
Thanks CC - On page one of this tread, if you compare my network diagram to GUYKUO's, mine only had one port of non-cam overhead, going to the BI host. The POE switch wasn't directly connected to the ER-X. On GUYKUO's network diagram, the POE Switch is directly connected to the ER-X, so now your have two ports used for non-cam overhead (BI host and ER-X) and no need for the second NIC on the BI host. Maybe I'm missing something.

Regarding labeling and documentation, great tip. I try to do that and keep good notes. For the most part, it works with a few holes here and there. GUYKUO's suggestion of labeling the ports on the ER-X is a good one since they are programmed ports. Always room for improvement. Thanks!
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
Thanks CC - On page one of this tread, if you compare my network diagram to GUYKUO's, mine only had one port of non-cam overhead, going to the BI host. The POE switch wasn't directly connected to the ER-X. On GUYKUO's network diagram, the POE Switch is directly connected to the ER-X, so now your have two ports used for non-cam overhead (BI host and ER-X) and no need for the second NIC on the BI host. Maybe I'm missing something.
I see what you mean, but didn't know that that diagram was from you.

If I google the specifications of that Zyxel (GS-105S v2 5-Port Desktop Gigabit Ethernet Media Switch | Zyxel) I do not see any notion of "managed", or 802.1q vlan tagging capabilities (which is, to be honest, not so rare with these cheap small switches). And indeed, on a 5-port switch, which already looses 1 port for uplink, loosing another one for a downlink is painful (and not cost effective).

Not that this device is wasted/sunk cost, but depending on all your other network gear, you might (re)consider a decent (eg) 16 port *managed* switch, on which you still can use that 5 port zyxel (and drop all that traffic within your internal (v)LAN somewhere). With 16 ports, you don't mind hooking up the POE switch into it. But off course all depends on your budget, WAF factor, full network requirements, interstellar compositions etc etc :)

If you want to discuss your specifics, you are always welcome for a face to face conversation in my mailbox!

Good luck!
CC
 

guykuo

Getting comfortable
Joined
Jul 7, 2018
Messages
553
Reaction score
1,379
Location
Sammamish, WA
Working on the OpenVPN write up. Wish I could include it in the pre-configured file, but doing so simply isn't safe.
Don't worry. It is going to be mostly cut and paste.



The most variable part is setting up OpenVPN clients (i.e., your phone and laptop). Creating the VPNserver on the EdgeRouter should be fairly simply if you just follow instructions step by step.

... Should be up this weekend.

Meanwhile, read the first post in this thread. It summarizes why you want a VPN instead of port forwarding.
Port forwarding to devices like NVR's and cameras is not typically desirable. Their firmware may include back doors or be widespread enough to be nation state hacking.

Port forwarding to a computer based NVR with BlueIris or SecuritySpy app is a bit less hazardous because the NVR apps are not known to have back doors and represent a much smaller population against which to build a hack.

Best is a VPN instead of port forwarding.

 
Last edited:

wittaj

IPCT Contributor
Joined
Apr 28, 2019
Messages
24,428
Reaction score
47,543
Location
USA
@guykuo thank you so much for putting this up! I am learning all about this and on the fence between this and the ASUS router with VPN. I do love the customization it appears the EdgeRouter has, but I don't know if it is overkill for my needs (actually I don't think it is LOL but it appears to be a steep learning curve with it). I am probably leaning towards the ASUS router but might be able to be convinced otherwise based on this thread you are creating.
 
Last edited:
Top