VPN Primer for Noobs


nayr

IPCT Contributor
Jul 16, 2014
The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces. NEVER FORWARD PORTS to your NVR or cameras; doing such things not only exposes you to severe security problems, but everyone else on the internet too. Hackers don't want your video feeds, they want an always-on Linux box with decent internet connectivity that can be used to attack targets on the internet. They want to turn your camera into a weapon of mass destruction.

What is a VPN? It's a Virtual Private Network; it provides you with full access to your home network when you're on a remote/foreign network. It tunnels you across the internet and back into your LAN and secures everything in transit with very strong crypto.

[image: VPN tunnel diagram; your home LAN is the corp network]

The VPN tunnel is transparent; once connected, it's effectively as if you were connected directly to your home network. All devices on your network will be reachable through their internal non-routable IP addresses. The same configuration you use when you're on your home wifi will work once the VPN is connected. In fact it will be exactly like you're on your home wifi when the VPN tunnel is connected; all your file shares, printers, cameras and IoT devices will be available and none will be aware of the VPN or the fact that you're remote.

How hard is it to set up a VPN server? If you have a router that already includes a VPN server built in, it's no more difficult than forwarding ports is; in fact with some consumer routers like Asus many people find it even easier to set up than port forwards. Site-to-site VPN and some equipment may require very specific configurations that may require some more intense debugging and configuration. It can range from very easy to very hard; stack the odds in your favor with good research and testing.

Do I have to pay for a VPN service? No, this is a common point of confusion. There are services out there that will run a VPN server for you on a remote network; these are used to hide your location from public internet services, such as watching Netflix from a US IP, or downloading torrents without exposing your IP address to the swarm. If you have an externally routable IP address you will run your own VPN server on your own network, using free software, so there are no subscription fees.

Will a VPN tunnel cause me to hit bandwidth limits faster? Practically no; the additional bandwidth used to encapsulate traffic in an encrypted tunnel is minimal and a tiny blip compared to your actual video stream.

Crypto speeds: this is the only real performance concern. The first throughput bottleneck you're likely to encounter is how much data your VPN server can encrypt in real time. As long as your VPN server has more capability than your outbound/upload speed you'll never encounter this bottleneck. If you are on a typical residential internet connection with just a few Mbit of upload speed this is rarely ever a problem. However if you have fiber-optic/business/European/Asian connectivity you will need to make some hardware considerations to ensure you have adequate performance to utilize your actual connectivity. Higher-end equipment (multicore 1GHz+ routers) is typically capable of 20Mbit or more VPN speeds, which is faster than most typical home internet upload ceilings; a router with a 600MHz single-core CPU will only do a few Mbit unless it has crypto hardware to help accelerate it. A Raspberry Pi 3 can do ~45Mbit; if you have faster uploads than that and wish to use those speeds over VPN then you need to research VPN crypto benchmarks and find a device that can meet your needs, perhaps a dedicated VPN crypto appliance or PC.

Where do I run my VPN server? The best place is on your home router; since it will be required to be online and reachable for all remote connections anyhow, it's the best candidate. However if you have an always-on PC NVR you can also run it on there with great performance capabilities, or on a dedicated VPN appliance such as a Raspberry Pi.

What do I do first? First check your router and see if it already has a built-in VPN server that simply needs to be set up and configured. Almost all business-class routers, some ISP-provided hardware and the vast majority of modern decent off-the-shelf routers will already have support built in and just need you to use your Google-fu to set it up; check YouTube for setup guides specific to your equipment.

My router does not have a built-in VPN server! Well then see if your hardware supports some of the WRT-based firmware; you can simply upgrade the firmware to DD-WRT, OpenWRT or Tomato (Google it) and add this software to your existing equipment. It's easier than it looks and there is a large consensus among power users that the open-source firmware projects are far superior to most OEM offerings.

My router doesn't have support, it's old and I want something as simple as possible! Look at Asus's wireless routers; they seem to be the easiest for noobs to get going out of the box and the equipment is widely available.

I hate connecting VPN before I can open my cameras! VPN use is a requirement for every corporate employee in the world who needs to access their email or corporate network remotely. If millions of poorly trained monkeys can manage to connect a VPN client daily, what is your excuse? If you hate losing your house keys, you'd be pretty stupid to take the doors off your house.

You can route just your home LAN over the VPN connection; in this configuration leaving it permanently connected should not cause any issues and you won't have to do it manually every time. Some VPN clients/apps do auto-reconnect and/or dial on demand.

OpenVPN vs L2TP/IPSec vs other? Really the only choice is OpenVPN vs L2TP/IPSec; little else is as trustworthy as those two. For most people OpenVPN is easier to set up and run. OpenVPN requires clients to be installed on all your devices, whereas L2TP/IPSec clients are built in natively on every modern device (Windows/OSX/iOS/Android/Linux); typically it's best to use what you have available already. If you configure your OpenVPN server to listen on port 443, the same port as HTTPS websites, then you can expect it to work on even the most restrictive remote networks.

Credentials/logins & security? Give each device its own unique login, generate a one-time password for it and save it to the device. This way if a device gets lost or stolen you can simply delete that user account, or if you upgrade/replace the device you just generate a new password and render everything else unable to log in, without having to change the credentials on all your devices any time you upgrade/lose an item.

Why is a VPN more secure than just setting a strong password on my video system?
Most video systems have undocumented backdoor credentials so the installer/vendor can unlock the device when the end user locks themselves out, for starters. They do not come secure by default. They are also susceptible to remote attacks that can bypass your logins altogether to run malicious code directly on the hardware without your knowledge. They do not automatically update security issues without intervention like your desktop/laptop/phone, and you can't easily even tell what software is running on them. Whereas VPN servers are designed for direct internet exposure, have been audited by security professionals, and receive constant scrutiny that results in vulnerabilities being exposed quickly and fixed promptly. Updating firmware on cameras is risky; recovery options in the event of failure are minimal, if they even exist at all. When an update blows up on your computer/mobile you can reinstall and restore, come worst case, but that's not an option for your video surveillance devices.

Site-to-site VPN or remote client VPN?
Typically you want to set up a remote client VPN unless you want to permanently bridge two networks so no clients are required on them. For example, if you have a vacation property you may want to set up a site-to-site VPN to your vacation property, then use a remote client VPN into your home LAN; then your remote VPN connection can access both video surveillance systems on the same network and both networks are directly connected.

Dynamic DNS? Yes, you'll want to set this up, preferably on your router or VPN server, but your cameras/NVR are also likely to have these features. Most internet connections have dynamic addresses, and this ensures you can always find your VPN server and not have to reconfigure VPN clients when your server IP changes.

Most common VPN setup mistakes:
  • Using a commonly used subnet for your home network. You may want to re-address your network to a subnet you're unlikely to encounter remotely; for example if your home network is 192.168.1.0 and your work network is 192.168.1.0 you'll find your remote VPN routes won't work from work, heh. But if your home network is 192.168.253.0 you're less likely to encounter a remote network that collides with your home subnet.
  • Not using your VPN for everything when on a public wifi. When you're on an unencrypted public wireless network anyone nearby can sniff your traffic right out of the air, but once you enable that VPN tunnel back to your home network all your traffic is encrypted and secure from anyone, even the local network admins.
  • Not specifying gateway addresses for IoT devices, thinking this would keep them from accessing the internet altogether. It can also prevent you from accessing them via the LAN, because your VPN server is likely to put you in its own subnet and route traffic between your LAN and the VPN on its own.
  • Not disabling UPnP and shutting down old port forwards after having VPN set up.
  • Not syncing time correctly. Crypto requires your devices to have the correct time set; if your server or clients do not have a time source configured they will be unable to log in.
  • Not having an externally routable IP. If your VPN server is on a satellite or a mobile network you may not be able to remotely connect to anything; port forwards won't work either. The best option for these networks is to establish a point-to-point VPN outbound connection to an external server you run on another network or subscribe to.

I need step-by-step handholding because I am so dense I can bend light with my gravity! Sounds like you should ask your grandkids, or whoever managed to teach you the internet. Properly securing a network requires understanding and comprehension, and there is no single best way to do any of this. You need to read, ask questions, and help yourself. Nobody is going to do this for you; if you want to operate an internet-connected IP network in the modern world, this is basic stuff you have to understand or else you are putting us all at risk.

This post is living and may be updated/changed at any time.
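Added example, not from nayr's post or from anyone in this thread, illustrating the first setup mistake in the list above (a home LAN on the same subnet as the remote network). It simulates the routing table of a laptop sitting on a remote wifi with a split-tunnel VPN up (only the home LAN routed over the tunnel, as the post describes) and does a longest-prefix lookup for a home camera. Assumptions that are not from the page: the remote wifi's on-link route gets metric 0 and the route pushed by the VPN server gets metric 1, so an exact prefix tie is won by the local wifi; COMMON_SUBNETS is a constructed sample of consumer-router defaults.

```python
"""Added example (not from nayr's post or anyone in this thread).

Simulates the routing table of a laptop on a remote wifi with a split-tunnel
VPN up and looks up the route to a home camera, to show why a home LAN on a
common subnet becomes unreachable when the remote network uses the same one.

Assumptions for the example (not from the page): the remote wifi's on-link
route gets metric 0 and the route pushed by the VPN server gets metric 1, so
an exact prefix tie is won by the local wifi; COMMON_SUBNETS is a constructed
sample of consumer-router defaults.
"""
import ipaddress
from dataclasses import dataclass
from typing import List

COMMON_SUBNETS = [
    ipaddress.ip_network(s)
    for s in ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24", "172.16.0.0/24")
]


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    iface: str
    metric: int


def build_routes(home_lan: str, remote_lan: str) -> List[Route]:
    """Routing table with only the home LAN sent over tun0 (split tunnel)."""
    return [
        Route(ipaddress.ip_network(remote_lan), "wifi0", 0),     # on-link: the wifi you sit on
        Route(ipaddress.ip_network(home_lan), "tun0", 1),        # pushed by the VPN server
        Route(ipaddress.ip_network("0.0.0.0/0"), "wifi0", 10),   # default via the remote gateway
    ]


def lookup(dest: str, routes: List[Route]) -> Route:
    """Longest-prefix match; an exact tie goes to the lower metric."""
    ip = ipaddress.ip_address(dest)
    matches = [r for r in routes if ip in r.prefix]
    return max(matches, key=lambda r: (r.prefix.prefixlen, -r.metric))


def interface_for_camera(home_lan: str, remote_lan: str, camera_ip: str) -> str:
    """Interface a packet to the home camera leaves on: 'tun0' means it reaches home."""
    return lookup(camera_ip, build_routes(home_lan, remote_lan)).iface


def collides(home_lan: str, remote_lan: str) -> bool:
    """True if the two subnets overlap at all (even partially, e.g. a /24 inside a /16)."""
    return ipaddress.ip_network(home_lan).overlaps(ipaddress.ip_network(remote_lan))


def is_common(home_lan: str) -> bool:
    """True if the home LAN overlaps one of the subnets you are likely to meet remotely."""
    net = ipaddress.ip_network(home_lan)
    return any(net.overlaps(c) for c in COMMON_SUBNETS)


if __name__ == "__main__":
    remote = "192.168.1.0/24"  # the work/hotel/coffee-shop network
    for home in ("192.168.1.0/24", "192.168.253.0/24"):
        camera = str(ipaddress.ip_network(home)[10])
        via = interface_for_camera(home, remote, camera)
        print(f"home {home} (common: {is_common(home)}), remote {remote}: "
              f"collides={collides(home, remote)}, camera {camera} goes out {via}")
```

With home and remote both on 192.168.1.0/24 the camera's packets leave on wifi0 and never enter the tunnel, which is the "won't work from work" case; with the home LAN on 192.168.253.0/24 only the tunnel route matches and the packet goes out tun0. Real clients differ in how they break the tie, but none of them can fix a destination that is equally "local" on both sides, so re-addressing the home LAN is the actual fix.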
 
Thank you Nayr for putting this together. :)
 
With iOS devices it's possible to configure them to connect to the VPN on demand (IPSec/L2TP only), meaning you can set it so whenever you try to access your cams it will automatically connect. This takes a few more steps but is worth considering.
 
Wow, like you read my mind. I was thinking of asking some VPN questions the last couple of days, and you pretty much covered it.

I do have some questions.

You say not to open ports? At my former company we did this on every install, and I do not think we ever had an IT department deny our request. If they did, it was simply "we do not allow outside access for these types of devices", regardless of how we did it. So what is the real risk of opening ports? Is the danger to the CCTV network, or does it expose the entire network if the port is opened to one device like an NVR?

Is the danger simply seeing the clients' cameras?

How would one use idmss/gdmss with VPN? If I read right, they would have to open a separate app? Could that VPN stay open all the time, or would they have to connect the VPN every time before they opened gdmss?

Can this be used with DynDNS? We are setting all of our clients up with clienta.mycompany.com, clientb.mycompany.com.

I am looking for a solution that we can implement at most or all of the clients we install.

Thanks nayr
 
So what is the real risk of opening ports? Is the danger to the CCTV network, or does it expose the entire network if the port is opened to one device like an NVR?

Is the danger simply seeing the clients' cameras?

How would one use idmss/gdmss with VPN? If I read right, they would have to open a separate app? Could that VPN stay open all the time, or would they have to connect the VPN every time before they opened gdmss?
If there's a flaw in the NVR, it can expose the entire network. It depends a bit on how the rest of the network is set up. If you or your commercial clients care about security you should be using VLANs, managed switches, and quality firewalls. This is the type of thing that led to the Target data breach: an HVAC contractor had insecure access to the network, and once that device was compromised the hackers were able to infect other devices all throughout the network. Providing full network/IT support is beyond the scope of what many CCTV/alarm companies might do; it may be better to refer clients to a company that knows how to handle this sort of thing. Your best bet would probably be some sort of security appliance, but you'd have to learn how to configure and support that and most have subscription costs.

Yes, people would have to connect to the VPN before things like idmss/gdmss. With some effort you can make this more seamless if you want.

I wouldn't use a subdomain structure like that.

EDIT for clarity: The average user doesn't need VLANs and high-end firewalls. My comments were directed at someone who clearly didn't understand cyber security and who gave me the impression they were installing things for commercial clients. Bottom line: a VPN is a big improvement over port forwarding but it isn't always enough. If you're in over your head, especially if you're installing this stuff professionally, get/hire some competent help.
 
Very nice info.. Thank you nayr!
 
If there's a flaw in the NVR, it can expose the entire network. It depends a bit on how the rest of the network is set up. If you or your clients care about security you should be using VLANs, managed switches, and quality firewalls. This is the type of thing that led to the Target data breach: an HVAC contractor had insecure access to the network, and once that device was compromised the hackers were able to infect other devices all throughout the network. Providing full network/IT support is beyond the scope of what many CCTV/alarm companies might do; it may be better to refer clients to a company that knows how to handle this sort of thing. Your best bet would probably be some sort of security appliance, but you'd have to learn how to configure and support that and most have subscription costs.

Yes, people would have to connect to the VPN before things like idmss/gdmss. With some effort you can make this more seamless if you want.

I wouldn't use a subdomain structure like that.
OK, but why do you think the subdomain structure is a bad idea?

Most of the concern I have heard lately is whether other people can see the cameras.

 
Mirai (malware) - Wikipedia

That's just the latest in a long string, from voyeurs to state-sponsored cyber warfare. Read the first post again; I justify the need for a VPN multiple times. If you still don't understand, then take my word for it and do it regardless.
 
Another thank you!!! I still don't understand a few things. When using the home router as the VPN server, or a Raspberry Pi 3, do you use OpenVPN or L2TP/IPSec on the client? Does a port need to be forwarded to the VPN server? Sounds like if the VPN server listens on 443 it is "probably" forwarded already, correct?
 
If you don't run it on your router you'll need to forward ports to your VPN server; that's perfectly acceptable. If it's run on the router, it's listening on your external IP directly so no forwards are necessary. You may have to open/allow the requisite ports if you have a default block-all firewall rule; a decent router will configure the firewall to allow the VPN server automatically once you enable it.

Some remote networks you'll find have very restrictive firewalls, like at EDU/GOV, public wifis, or even your work; they may only have a whitelist of open ports clients can use, to prevent torrents, chats, etc. If you can configure your OpenVPN server to listen on 443/tcp it will look like normal encrypted web traffic to most policy enforcers and slip right past the rules. For example, a public wifi that doesn't allow HTTPS traffic is not much of a hotspot at all, with most sites requiring it nowadays.

It's a client-server setup, so your mobile/portable devices (laptops/tablets/phones/etc.) will have to configure a VPN client to connect and set up the encrypted tunnel. The server type you choose will determine the client you use; if you happen to have L2TP/IPSec available you already have native clients built into your operating system and nothing will need to be installed at all, but you can still use third-party VPN clients if you don't like the native clients. OpenVPN will require a client app to be installed as they are not included with the major operating systems.

Some clients do have dial-on-demand options where they will connect automatically, as previously mentioned; if this is something you want, make sure the VPN client you're using has the capability.
 
Not questioning the need for VPN, just understanding exactly what is at risk, so I can explain this to my clients.

We almost always install a Linksys WRT54 router between the DVRs and the client's network. This allows us to address all devices the same from site to site, and we set the DynDNS on the router. Then we open the ports on the Linksys router and assign them to each DVR: DVR1 is 37777, DVR2 is 37778 and so on. We also open ports on the ISP router to our Linksys router.

Our typical setup has the ISP modem/router feeding the client network, and we install our Linksys router off the ISP modem/router. Would we still need to open ports on the ISP device if we were using VPN?

Is there any standard for testing crypto speed so we can make a decision on a new router? I suspect that $40 WRT from 10+ years ago is not going to handle the bandwidth.

VLANs. The other day we did a small DVR upgrade and we were assigned a public IP address, and the provider told us there was no need to open ports as all ports were open. He also mentioned we were on a VLAN with some other surveillance equipment (this location has two buildings sharing the same data closet; Vendor A supports Bldg A and I just acquired Bldg B, so our DVR sits right next to a competitor).

Since they put us on a VLAN, does this mean we are completely isolated from the other side of the network? I understand it is another virtual network, but is it pretty secure?

Thank you to nayr, tangent and anyone else that has helped.

FWIW my goal here is to create a strategy for informing clients of the potential risks, give them their options, and let them make the decision.

P.S. I have been in the biz for a couple of years but I had an engineer that handled all of this. Now I am on my own and learning as much as I can.
 
This is great; I have a few comments and suggestions since I just got OpenVPN working at home.

Some information about DDNS would be great to include, since a home user would really need DDNS to have a usable VPN.
Asus has a free DDNS service with their routers. When you set up DDNS on the router, it automatically uses that information when it sets up OpenVPN.

For a client on my Android and iPhone, I'm using OpenVPN Connect. It works great. On the iPhone, I just had to copy the client.ovpn file over and enter the user name and password and it worked.
On Android, I had to change some power-saving settings; I found that on the net after searching for the log error message.

I also had to change some advanced settings on the OpenVPN advanced setup screen on the router; it was easy once I found advice on how to set it up. This is using the standard Asus firmware on my router; no special software required to make this work.
  • Username / Password Auth. Only: Yes
  • Push LAN to clients: Yes
  • Direct clients to redirect Internet traffic: No
  • Respond to DNS: Yes
  • Advertise DNS to clients: Yes


Randy
 
With iOS devices it's possible to configure them to connect to the VPN on demand (IPSec/L2TP only), meaning you can set it so whenever you try to access your cams it will automatically connect. This takes a few more steps but is worth considering.
So it will connect to VPN whenever you open up your camera app only?
 
Not questioning the need for VPN, just understanding exactly what is at risk, so I can explain this to my clients.

We almost always install a Linksys WRT54 router between the DVRs and the client's network. This allows us to address all devices the same from site to site, and we set the DynDNS on the router. Then we open the ports on the Linksys router and assign them to each DVR: DVR1 is 37777, DVR2 is 37778 and so on. We also open ports on the ISP router to our Linksys router.

Our typical setup has the ISP modem/router feeding the client network, and we install our Linksys router off the ISP modem/router. Would we still need to open ports on the ISP device if we were using VPN?

Is there any standard for testing crypto speed so we can make a decision on a new router? I suspect that $40 WRT from 10+ years ago is not going to handle the bandwidth.

VLANs. The other day we did a small DVR upgrade and we were assigned a public IP address, and the provider told us there was no need to open ports as all ports were open. He also mentioned we were on a VLAN with some other surveillance equipment (this location has two buildings sharing the same data closet; Vendor A supports Bldg A and I just acquired Bldg B, so our DVR sits right next to a competitor).

Since they put us on a VLAN, does this mean we are completely isolated from the other side of the network? I understand it is another virtual network, but is it pretty secure?

Thank you to nayr, tangent and anyone else that has helped.

FWIW my goal here is to create a strategy for informing clients of the potential risks, give them their options, and let them make the decision.

P.S. I have been in the biz for a couple of years but I had an engineer that handled all of this. Now I am on my own and learning as much as I can.

The reason why you do not allow direct access to your cameras and NVR boils down to vulnerability. The folks writing the software for these pieces of hardware don't do a good job of providing a secure interface, they don't patch security issues, they write poorly coded web interfaces allowing credentials to be bypassed, and they have a lengthy track record of leaving hidden hard-coded user accounts in their code that can be found and taken advantage of by attackers (easily).

The threat is that someone will break into one of these devices, a device that you as an owner have VERY little insight into and no ability to audit, and use it as a platform to attack the rest of your network or attack others via your bandwidth and network. While you may have had your device placed upon a VLAN that will restrict its access to the rest of YOUR network, it will not stop the device from attacking others on the internet, as nayr clearly described above. Some of THE most powerful botnets being used to attack networks these days are built using things like internet-connected IP cameras and NVRs, with Dahua hardware having been specifically found to be used. However you can be 100% certain that pretty much ALL of these devices are vulnerable to a determined attacker. When your provider cuts off your access to the internet, impacting the entire business, because of attacks emanating from your client's network, or a lawyer sends them a cease and desist (or worse), you will see the importance of this. Worse, if you set it up they may try to shift liability to YOU.

The solution is "simple": don't give them any attack surface. No door knobs to jiggle, no windows to break through. Place your devices on segregated networks within your network (a VLAN, for instance) and require VPN credentials for remote traffic to even reach them. Your firewall and VPN, if they've been set up correctly using quality secure software/hardware, are almost certainly more secure than any of these devices being built overseas.


That said, I run pfSense as my firewall and am looking to access it via iOS and am having a heck of a time getting it set up, so I'm watching this with interest. I used to use PPTP with a different firewall and it was CAKE, but it was also insecure and that protocol has been dropped from iOS anyway. I'll be watching this thread with interest and I suspect I may have to have a friend come over and help me sort it out. <sigh> Once you get it figured out I believe you will find it's well worth having a VPN for remote access. Open the BARE minimum of ports and put things like web servers in a DMZ rather than the network proper to make it even harder, although I suppose that's a bit OT for this thread. Minimize, minimize, minimize...

P.S. Last but not least, never discount that a device might "phone home" out of a secure network if it has the ability. Block this. These devices are made overseas and outgoing traffic is often used to bring attackers in; do NOT trust what you have so little insight into. The mere fact that these devices ever had hard-coded user accounts is enough for me to not trust them.
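Added example, not from this post or from anyone in the thread, for the "block phone-home" advice above: a small audit that runs over firewall/flow log lines and flags any connection a camera initiates that is not on an explicit allow list. Everything here is assumed for the example rather than taken from the page: cameras on a 10.20.0.0/24 VLAN, the NVR at 10.20.0.2, the gateway at 10.20.0.1 serving NTP, the key=value log format, and the log lines themselves, which are constructed (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for internet hosts).

```python
"""Added example (not from this post or anyone in the thread).

Audits firewall/flow log lines for connections a camera initiates that are
not on an explicit allow list: "phone home" to the internet, reaching into the
rest of the LAN, or poking at neighbours on its own VLAN.

Everything below is assumed for the example, not taken from the page: the
camera VLAN, NVR and gateway addresses, the key=value log format and the log
lines themselves (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges
standing in for internet hosts).
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

CAMERA_VLAN = ipaddress.ip_network("10.20.0.0/24")   # assumed camera VLAN
NVR = ipaddress.ip_address("10.20.0.2")              # assumed NVR
GATEWAY = ipaddress.ip_address("10.20.0.1")          # assumed gateway, also the NTP source

# RFC 1918 space, checked explicitly: Python's is_private/is_global treat the
# documentation ranges used below as non-global, which would hide the findings.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The only connections a camera should ever open.
ALLOWED = {
    (NVR, "tcp", 554),       # RTSP video to the NVR
    (NVR, "tcp", 37777),     # the DVR port number used in this thread
    (GATEWAY, "udp", 123),   # NTP to the gateway
}

LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) proto=(?P<proto>\w+) dport=(?P<dport>\d+)"
)

# Constructed sample log: two legitimate flows, three that should be flagged,
# one flow not started by a camera, and one line that carries no flow at all.
SAMPLE_LOG = """\
2017-02-01T08:00:01 src=10.20.0.11 dst=10.20.0.2 proto=tcp dport=554
2017-02-01T08:00:02 src=10.20.0.11 dst=10.20.0.1 proto=udp dport=123
2017-02-01T08:00:03 src=10.20.0.12 dst=203.0.113.40 proto=tcp dport=8000
2017-02-01T08:00:04 src=10.20.0.12 dst=10.0.5.25 proto=tcp dport=445
2017-02-01T08:00:05 src=10.20.0.13 dst=198.51.100.9 proto=udp dport=53
2017-02-01T08:00:06 src=10.0.5.50 dst=10.20.0.2 proto=tcp dport=37777
firewall restarted, log line without a flow
"""


@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def parse_line(line: str) -> Optional[Flow]:
    """Parse one log line; lines that do not carry a flow return None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return Flow(ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"]),
                m["proto"].lower(), int(m["dport"]))


def classify(flow: Flow) -> Optional[str]:
    """Finding label for a camera-initiated flow, or None if it is expected."""
    if flow.src not in CAMERA_VLAN:
        return None                    # not initiated by a camera; out of scope here
    if (flow.dst, flow.proto, flow.dport) in ALLOWED:
        return None
    if flow.dst in CAMERA_VLAN:
        return "unexpected-in-vlan"    # camera to camera; nothing legitimate needs this
    if any(flow.dst in net for net in RFC1918):
        return "lateral"               # reaching into the rest of the LAN
    return "phone-home"                # anything else is leaving for the internet


def audit(log_text: str) -> List[Tuple[str, Flow]]:
    """Run classify() over every parseable line and collect the findings."""
    findings = []
    for line in log_text.splitlines():
        flow = parse_line(line)
        if flow is not None:
            label = classify(flow)
            if label is not None:
                findings.append((label, flow))
    return findings


if __name__ == "__main__":
    for label, f in audit(SAMPLE_LOG):
        print(f"{label:18} {f.src} -> {f.dst} {f.proto}/{f.dport}")
```

A camera that opens a connection anywhere other than the NVR and its time source is either misconfigured or compromised. The same allow list, written as firewall rules on the camera VLAN, is what actually blocks the traffic; this check is how you confirm the rules are doing their job and catch a device that has started trying.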
 
So a VLAN would protect the rest of the network in case of a breach.

A VPN would provide a fairly secure connection to keep the DVRs safe.

If we connected to the client's Comcast router, put our router after that, and used a VPN, would we still need to open the ports on the Comcast device? If yes, does that expose the client's network?

The 888888 login I was told only works when at the device and cannot be changed. Can this login be exploited by hackers?

Thanks

 
If installing a switch with VLANs, would that go after the Comcast/ISP device? Then the networks divide from there?

 
If installing a switch with VLANs, would that go after the Comcast/ISP device? Then the networks divide from there?


Yes, the switch would be installed after your modem. Not to confuse the situation too much, but at an enterprise/corporate level switches are almost always "layer 3", meaning they route between VLANs as well.