VPN and multiple cameras at multiple sites

jwadsley

Getting the hang of it
Joined
Dec 18, 2020
Messages
116
Reaction score
12
Location
United States
I agree with Biggen and user8963 about the use of "site to site" VPN tunnels.

There are two steps that you need to do to make this as easy as possible for your users. First, establish "site to site" VPN tunnels from your house (VPN server running on a router/firewall) to the other locations you have cameras at (VPN client running on a router/firewall at each site). This will allow you from your house to "see" any device connected at any of the sites (home or remote sites). These tunnels will be operational 24/7. Once they are set up, there is nothing that needs to be logged into or changed or maintained. As long as you have internet at the sites, the sites will be connected. If you lose internet at either end, the connection will automatically come back online whenever the internet service is restored. I've done this between my parents house and my house and it works great. (We use it to be able to backup important data "offsite" by sending the backups to the other location through the tunnel. The "offsite" storage locations simply appear as networked drives available on both networks).

Second, you need to set up another VPN server at you home that will be used for people to connect to while away from the house to view devices on the network, Keep in mind that devices at the remote sites will appear as regular devices on the home network because of the site to site tunnels, so you will be able to view everything at the remote site as if it was a device on the home network. This is how you can get away with using just one VPN setup for people to be able to log into your home network and view devices at all the remote sites too.

The only potential downside to this setup is that it requires internet to be working at all the locations. If the internet is working at the remote sites, but not at your home, you will loose the ability to view the remote sites. You might want to create "backup" VPN connections (ie have the remote site will run a VPN server on the router in addition to the VPN client) that you can use to connect directly to each remote site while away from home in case this happens. You don't need to let everyone have access to these backup connections (just to cut down on the confusion factor), but you'll know they are there and be able to access them in a situation where the home internet goes down.

Hopefully that makes sense.
This made a lot of sense! Thank you. Site to Site VPN's could be established with ASUS routers VPN options and then a local VPN server could be PiVPN?
 

jwadsley

Getting the hang of it
Joined
Dec 18, 2020
Messages
116
Reaction score
12
Location
United States
I have multiple sites, and a persistent site-to-site VPN combined with on-demand VPN (for use while traveling on random wifi hotspots to boost security).

Before we go that route:
  • do you need to monitor the multiple sites all the time or only occasionally (i.e. "check on them" like before and after a major storm)?
  • do you have adequate remote site upload speed to handle streaming camera video (I only get about 2FPS on 3 cameras over 3Mb upload), figure out the upload speed for each remote site. (download doesn't matter for this use case, the cameras video streams will be going "up" via this internet connection).
  • do you have adequate download speed to handle receiving the streams from all sites without drastically degrading your local performance for Netflix etc. (i.e. if 3 remote sites are streaming 10 Mb each, can you absorb the constant consumption of 30 Mb on your download pipe at the "local" or "central" location)?
  • can you put equipment at each site (I recommend each remote site is an OpenVPN server, and your central site "connects" to them as a client). I use an ASUS router, and it's been up for two years even through multiple storms and power outages it has recovered. I haven't tried PiVPN so unsure how reliable it would be, which is paramount concern for me as the site is 1000 miles from my "local" location.
  • do you have some system at the local site that can act as OpenVPN client and make the persistent connection.
For upload speed you might have to do a speed test from the site, as some providers have gotten clever about hiding this detail from subscribers (like Comcast offers "1200 Speed Internet", which only tells you the max download speed, and probably has something pathetic like 30-50Mb upload).

If you had "25/5 cable internet", you have an asymmetrical 25 Mbit upload and 5Mbit download (5Mb would be the important number). Almost 100% of the time the smaller number is the upload bandwidth. If you happen to have a symmetrical 10Mb, 100Mb, or 1000Mb connection then you have the same speed in both directions (theoretically). I have had both asymmetrical fiber (10/3 & 50/30) and symmetrical fiber (1000/1000).
Excellent points. Let me try to answer them

1. Check on them occasionally
2. One site has 5MB Upload, another has about 10 and my main site has 10 as well
3. Yes, my main site is 150MB/s download capable
4. Could I do this with Asus VPN capable routers?
5. Would a PiVPN do the trick?
 

wpiman

Getting the hang of it
Joined
Jul 16, 2018
Messages
88
Reaction score
28
Location
massachusetts
I think I do exactly what you are referring to...

I have my home, my parents house, and the vacation house all have separate subnets and are connected with peer to peer VPN networks using Ubiquti routers...

I followed this setup for setting up one, and then modified it using other ports for the other two VPNs.


I can see the camera at the dock in the vacation house. I am having a POE problem down there right now, but it works just fine. I think I would need faster upload speeds there to monitor all the cameras- but I am making calls to upgrade now.
 
Joined
Apr 26, 2016
Messages
1,091
Reaction score
849
Location
Colorado
Excellent points. Let me try to answer them

1. Check on them occasionally
2. One site has 5MB Upload, another has about 10 and my main site has 10 as well
3. Yes, my main site is 150MB/s download capable
4. Could I do this with Asus VPN capable routers?
5. Would a PiVPN do the trick?
Ok great. Then I would recommend the following.
1. Check on them occasionally
I recommend: setup individual OpenVPN servers at each location using either ASUS or PiVPN if you fancy. You could connect your local router to them or just use individual OpenVPN connections in a mobile device to establish a connection when and if you want to check up on the property. You won't have 24x7 recording, but it will accomplish your occasional need to view the properties and will just require establishing the OpenVPN connection whenever you are interested in looking in on the property.

2. One site has 5MB Upload, another has about 10 and my main site has 10 as well
Based on my experience, if you did need to record multiple cameras at a location with this type of connection I would put an NVR at the location and establish an OpenVPN connection if you wanted to review footage. Since you just want to "check in", that should be fine to pull a low FPS/low rez video stream from any single camera over your OpenVPN connection.

3. Yes, my main site is 150MB/s download capable
Yeah you probably wouldn't even notice much impact at the local site, but since you just want to "check in" this becomes less relevant. Whether you are on a mobile connection or this home internet connection I think you could check in on any single camera without a problem.

4. Could I do this with Asus VPN capable routers? Yes.

5. Would a PiVPN do the trick? (See my earlier comment), Probably yes I just don't have experience with PiVPN reliability. My concern with a Pi would be if the location is hard/time consuming to reach, a Raspberry Pi might have other problems you have to navigate. For example, Raspberry Pi use SD card, so unless you setup as read-only OS there is a good chance of SD corruption in the event of power issues, and would it 100% restart if the power went out without you having to be onsite to do something? I have to reset my project Pi every month or two because it runs out of memory (some memory leak).

I just know devices like ASUS routers usually use flash and almost always restart on their own and just seem to be very reliable coming back online (my experience). Sure you could mediate some things by using a UPS (or Pi UPS module) and so on, but for a simple, reliable setup I think the ASUS router will still be more dependable (I've had to physically reset mine twice in 4 years, once because I loaded a bad OpenVPN config remotely and killed my only connection and once due to a lockup due to reasons unknown).
 

user8963

Known around here
Joined
Nov 26, 2018
Messages
1,465
Reaction score
2,311
Location
Christmas Island
I agree with Biggen and user8963 about the use of "site to site" VPN tunnels.

There are two steps that you need to do to make this as easy as possible for your users. First, establish "site to site" VPN tunnels from your house (VPN server running on a router/firewall) to the other locations you have cameras at (VPN client running on a router/firewall at each site). This will allow you from your house to "see" any device connected at any of the sites (home or remote sites). These tunnels will be operational 24/7. Once they are set up, there is nothing that needs to be logged into or changed or maintained. As long as you have internet at the sites, the sites will be connected. If you lose internet at either end, the connection will automatically come back online whenever the internet service is restored. I've done this between my parents house and my house and it works great. (We use it to be able to backup important data "offsite" by sending the backups to the other location through the tunnel. The "offsite" storage locations simply appear as networked drives available on both networks).

Second, you need to set up another VPN server at you home that will be used for people to connect to while away from the house to view devices on the network, Keep in mind that devices at the remote sites will appear as regular devices on the home network because of the site to site tunnels, so you will be able to view everything at the remote site as if it was a device on the home network. This is how you can get away with using just one VPN setup for people to be able to log into your home network and view devices at all the remote sites too.

The only potential downside to this setup is that it requires internet to be working at all the locations. If the internet is working at the remote sites, but not at your home, you will loose the ability to view the remote sites. You might want to create "backup" VPN connections (ie have the remote site will run a VPN server on the router in addition to the VPN client) that you can use to connect directly to each remote site while away from home in case this happens. You don't need to let everyone have access to these backup connections (just to cut down on the confusion factor), but you'll know they are there and be able to access them in a situation where the home internet goes down.

Hopefully that makes sense.

Problem with all "site-to-site" scenarios is, that its a huge security issue if you dont have a good configured firewall. just think about it.. you only need the wifi password for one location and have access to all clients in all locations.also only one device inside the network have to be infected with something (ransomware, virus...) and its a potential risk for all clients in all locations.

in my opinion "site to site" connections should be avoided if you have no idea how to run it correct...

you dont need to run "backup" vpn connections... you can do it in an easy way. just set up a "poor man loadbalancing"-round-robin-scheme with a dns where all vpn-server are an a-record. all vpn-servers needs the same user/key configuration and voila, if one site is down, it will use another one and have access to all online sites :thumb: but there are even "better" solutions for that.... like an authentication server which handle the access.. with this and "client-to-client"-function you will get rid of the most problems which occurs with n-site-tunnels ... i think ubiquiti use same mechanisms ... but its only a few clicks for the enduser ... access and dns is controlled by their cloud
 
Last edited:

jwadsley

Getting the hang of it
Joined
Dec 18, 2020
Messages
116
Reaction score
12
Location
United States
Ok great. Then I would recommend the following.
1. Check on them occasionally
I recommend: setup individual OpenVPN servers at each location using either ASUS or PiVPN if you fancy. You could connect your local router to them or just use individual OpenVPN connections in a mobile device to establish a connection when and if you want to check up on the property. You won't have 24x7 recording, but it will accomplish your occasional need to view the properties and will just require establishing the OpenVPN connection whenever you are interested in looking in on the property.

2. One site has 5MB Upload, another has about 10 and my main site has 10 as well
Based on my experience, if you did need to record multiple cameras at a location with this type of connection I would put an NVR at the location and establish an OpenVPN connection if you wanted to review footage. Since you just want to "check in", that should be fine to pull a low FPS/low rez video stream from any single camera over your OpenVPN connection.

3. Yes, my main site is 150MB/s download capable
Yeah you probably wouldn't even notice much impact at the local site, but since you just want to "check in" this becomes less relevant. Whether you are on a mobile connection or this home internet connection I think you could check in on any single camera without a problem.

4. Could I do this with Asus VPN capable routers? Yes.

5. Would a PiVPN do the trick? (See my earlier comment), Probably yes I just don't have experience with PiVPN reliability. My concern with a Pi would be if the location is hard/time consuming to reach, a Raspberry Pi might have other problems you have to navigate. For example, Raspberry Pi use SD card, so unless you setup as read-only OS there is a good chance of SD corruption in the event of power issues, and would it 100% restart if the power went out without you having to be onsite to do something? I have to reset my project Pi every month or two because it runs out of memory (some memory leak).

I just know devices like ASUS routers usually use flash and almost always restart on their own and just seem to be very reliable coming back online (my experience). Sure you could mediate some things by using a UPS (or Pi UPS module) and so on, but for a simple, reliable setup I think the ASUS router will still be more dependable (I've had to physically reset mine twice in 4 years, once because I loaded a bad OpenVPN config remotely and killed my only connection and once due to a lockup due to reasons unknown).
Thanks for the reply. I currently have my OpenVPN setup on my asus router at my house, and was successful in using my mobile phone LTE to connect to my cameras in my house without opening ports.

My parents also have an Asus router at their house, I assume I can do the same thing for them and just email myself their config file to import and then i would have two profiles for my mobile phone OpenVPN application?

Ditto my vacation home? No asus router there but could do a Pi VPN
 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
14,144
Reaction score
19,423
Location
Evansville, In. USA
Thanks for the reply. I currently have my OpenVPN setup on my asus router at my house, and was successful in using my mobile phone LTE to connect to my cameras in my house without opening ports.

My parents also have an Asus router at their house, I assume I can do the same thing for them and just email myself their config file to import and then i would have two profiles for my mobile phone OpenVPN application?

Ditto my vacation home? No asus router there but could do a Pi VPN
Yes.
 

jwadsley

Getting the hang of it
Joined
Dec 18, 2020
Messages
116
Reaction score
12
Location
United States
Will I be able to have multiple VPN connections running at once? I've got a camera program IP CENTCOM that I use to monitor cameras at all 3 sites, but if I have to VPN into my parents and the vacation home, then some of those won't always work correct?
 
Joined
Apr 26, 2016
Messages
1,091
Reaction score
849
Location
Colorado
Will I be able to have multiple VPN connections running at once? I've got a camera program IP CENTCOM that I use to monitor cameras at all 3 sites, but if I have to VPN into my parents and the vacation home, then some of those won't always work correct?
If you want to monitor them live thats a different strategy than "check on them occasionally", you want to setup a site-to-site VPN for that and the network speeds for each location factor in more significantly.
 

jwadsley

Getting the hang of it
Joined
Dec 18, 2020
Messages
116
Reaction score
12
Location
United States
If you want to monitor them live thats a different strategy than "check on them occasionally", you want to setup a site-to-site VPN for that and the network speeds for each location factor in more significantly.
Should the Asus routers have the ability to do a site to site VPN? I assume then it would constantly be on at all sites and the IP's would have to be different?
 
Joined
Apr 26, 2016
Messages
1,091
Reaction score
849
Location
Colorado
Should the Asus routers have the ability to do a site to site VPN? I assume then it would constantly be on at all sites and the IP's would have to be different?
I presume yes, provided at least one of them can run an OpenVPN CLIENT. You might want to confirm you get the right equipment to reach this end goal, for example, if you need special firmware or advanced configuration to accomplish multiple simultaneous site-to-site connections, or need extra horsepower at the local endpoint to handle all the streams coming it's way.

My particular ASUS router is older and doesn't appear to have a client OpenVPN client (it just has the server), but @looney2ns I believe has mentioned in the past that his ASUS router does have both client & server features.
 

whoami ™

Pulling my weight
Joined
Aug 4, 2019
Messages
203
Reaction score
187
Location
South Florida
I'd look into a netgate pfsense+ appliance and unifi AP's. If your going to spend the money, you might as well future proof. probably be cheaper long term tbh.
 

jwadsley

Getting the hang of it
Joined
Dec 18, 2020
Messages
116
Reaction score
12
Location
United States
I presume yes, provided at least one of them can run an OpenVPN CLIENT. You might want to confirm you get the right equipment to reach this end goal, for example, if you need special firmware or advanced configuration to accomplish multiple simultaneous site-to-site connections, or need extra horsepower at the local endpoint to handle all the streams coming it's way.

My particular ASUS router is older and doesn't appear to have a client OpenVPN client (it just has the server), but @looney2ns I believe has mentioned in the past that his ASUS router does have both client & server features.
Ya, my current and my parents current router has both client and server. So would I make it a daisy chain between the routers or how do I get all three talking together? Thats the part I'm a little fuzzy on and haven't found a good guide online to follow
 
Joined
Apr 26, 2016
Messages
1,091
Reaction score
849
Location
Colorado
I may be off base with this, but I'd make the two remote locations hosts and install the clients on your router to be able to access both.
Yeah I'd do it this way as well. Each REMOTE location would be setup as a VPN SERVER, probably using a DDNS registration in case the endpoint IP address ever changes. Create the OpenVPN client config files for each server and load those as OpenVPN client configurations.
  1. Make sure each remote site has it's own subnet to avoid subnet collisions. (use something like 192.168.5.X , 192.168.10.X etc, if all your routers are defaulted to 192.168.1.X you will have issues) see https://en.wikipedia.org/wiki/Private_network for other ranges you can safely use.
  2. Configure each server (ASUS router) to reboot once a week. I recently got the OpenVPN server locked up at a remote site (storm or something caused it), and had to have a technician go to the site to reset the router. I have since setup weekly reboot so if it ever happens again a reboot might get it sorted a few days later.
  3. Configure unique DDNS registration for each remote site. IPCAMTALK.COM provides this service free for one device I believe, but there are other services that also offer this, and I have also used the asuscomm.com built-in to ASUS routers. DDNS updates the remote site IP in case it changes, so you don't lose connectivity as the DDNS name will resolve to the new IP address once it gets registered.
  4. Make sure to setup routing back across the VPN connection for appropriate subnets (i.e. research how you might have to PUSH ROUTES as part of OpenVPN setup). You might need to add some advanced commands on ASUS SERVER router similar to: push "route 192.168.5.0 255.255.255.0"; and possibly also on the CLIENT router to push subnets the remote clients might need to reach so that when you connect to it devices on the client subnet know how to reach clients on the server subnet via the OpenVPN connection. If either is missing, your clients might not know how to respond back to your subnet and it might go out the remote router internet connection and into oblivion.
  5. Test...test....test.
 
Last edited:
Joined
Oct 28, 2022
Messages
1
Reaction score
0
Location
USA
Hi there! I think you may be overthinking this a bit. You could definitely set up a VPN, but it may not be necessary. If you are concerned about safety, you could look into setting up a VPN at each location and then use port forwarding on your router to forward the appropriate ports to each VPN. That way, you wouldn't need to worry about your family members forgetting to turn on the VPN. Alternatively, you can set up thunder vpn for windows. It's very straightforward to use and also free. I hope this helps!
 
Last edited:
Top