VPN Primer for Noobs

Discussion in 'IP Cameras' started by nayr, Nov 6, 2016.

Poll: What VPN Solution are you using? (multiple votes are allowed)

  1. OpenVPN: 69.3%
  2. IPSec/L2TP: 6.8%
  3. on an OEM Asus Router: 17.6%
  4. on a WRT flashed Router: 11.9%
  5. on a pfSense Router: 9.7%
  6. on my PC NVR (BlueIris, Milestone, etc): 4.0%
  7. on a dedicated device (Raspberry Pi, VPN Concentrator, etc): 6.3%
  8. ssh tunnels are the only way to roll: 2.3%
  9. on my NAS (Synology, FreeNAS, etc): 6.8%
  10. on an OEM Netgear Router: 2.3%
  1. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,376
    Likes Received:
    4,928
    Location:
    Denver, CO
    The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or Cameras, doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers don't want your video feeds, they want an always-on Linux box with decent internet connectivity that can be used to attack targets on the internet.. they want to turn your camera into a weapon of mass destruction.

    What is a VPN? It's a Virtual Private Network, it provides you with full access to your home network when you're on a remote/foreign network.. It tunnels you across the internet and back into your LAN and secures everything in transit with very strong crypto..

    (image: remote-access VPN diagram) Your home LAN is the corp network

    The VPN Tunnel is transparent, once connected it's effectively as if you were connected directly to your home network.. All devices on your network will be reachable through their internal non-routable IP addresses.. The same configuration you use when you're on your home wifi will work once the VPN is connected.. in fact it will be exactly like you're on your home wifi when the VPN tunnel is connected, all your fileshares, printers, cameras, IoT devices will be available and none will be aware of the VPN or the fact that you're remote.

    How hard is it to set up a VPN Server? If you have a router that already includes a VPN Server built in it's no more difficult than forwarding ports is, in fact with some consumer routers like Asus many people find it even easier to set up than Port Forwards.. Site to Site VPN and some equipment may require very specific configurations that may require some more intense debugging and configuration.. It can range from very easy to very hard, stack the odds in your favor with good research and testing.

    Do I have to pay for a VPN Service? No, this is a common point of confusion.. there are services out there that will run a VPN Server for you on a remote network.. these are used to hide your location from public internet services.. such as watching Netflix from a US IP, or downloading Torrents without exposing your IP address to the swarm.. If you have an externally routable IP address you will run your own VPN Server on your own network, using free software.. so there are no subscription fees.

    Will a VPN Tunnel cause me to hit bandwidth limits faster? Practically no, the additional bandwidth used to encapsulate traffic in an encrypted tunnel is minimal and a tiny blip compared to your actual video stream.

    Crypto Speeds, this is the only real performance concern.. The first throughput bottleneck you're likely to encounter is how much data your VPN Server can encrypt in realtime.. As long as your VPN Server has more capability than your outbound/upload speeds you'll never encounter this bottleneck.. If you are on a typical residential internet with just a few Mbit of upload speed this is rarely ever a problem.. However if you have fiber-optic/business/European/Asian connectivity you will need to make some hardware considerations to ensure you have adequate performance to utilize your actual connectivity. Higher end equipment (multicore 1GHz+ routers) is typically capable of 20Mbit or more VPN speeds which is faster than most typical home internet upload ceilings.. a router with a 600MHz single core CPU will only do a few Mbit unless it has crypto hardware to help accelerate it.. A Raspberry Pi3 can do ~45Mbit, if you have faster uploads than that and wish to use those speeds over VPN then you need to research VPN Crypto benchmarks and find a device that can meet your needs, perhaps a dedicated VPN Crypto Appliance or PC.

    Where do I run my VPN Server? The best place is on your home router, since it will be required to be online and reachable for all remote connections anyhow it's the best candidate. However if you have an always-on PC-NVR you can also run it there with great performance capabilities, or on a dedicated VPN appliance such as a Raspberry Pi.

    What do I do first? First check your router and see if it already has a built in VPN Server that simply needs to be set up and configured.. Almost all business class routers, some ISP provided hardware and the vast majority of modern decent off the shelf routers will already have support built in and just need you to use your GoogleFu to set it up; check YouTube for setup guides specific to your equipment.

    My router does not have a built in VPN Server! Well then see if your hardware supports some of the WRT based firmware, you can simply upgrade the firmware to DD-WRT, OpenWRT, Tomato (Google it) and add this software to your existing equipment.. it's easier than it looks and there is a large consensus among power users that the OpenSource firmware projects are far superior to most OEM offerings..

    My router doesn't have support, it's old and I want something as simple as possible! Look at Asus's wireless routers, they seem to be the easiest for noobs to get going out of the box and the equipment is widely available.

    I hate connecting VPN before I can open my cameras! VPN use is a requirement for every corporate employee in the world who needs to access their email or corporate network remotely.. If millions of poorly trained monkeys can manage to connect a VPN Client daily what is your excuse? If you hate losing your house keys, you'd be pretty stupid to take the doors off your house..

    You can route just your home LAN over the VPN connection, in this configuration leaving it permanently connected should not cause any issues and you won't have to do it manually every time.. some VPN clients/apps do auto-reconnect and/or dial on demand.

    OpenVPN vs L2TP/IPSec vs Other? Really the only choice is OpenVPN vs L2TP/IPSec, little else is as trustworthy as those two; for most people OpenVPN is easier to set up and run.. OpenVPN requires clients to be installed on all your devices, whereas L2TP/IPSec clients are built in natively on every modern device (Windows/OSX/iOS/Android/Linux).. typically it's best to use what you have available already.. If you configure your OpenVPN server to listen on port 443, the same port as HTTPS websites, then you can expect it to work on even the most restrictive remote networks.

    Credentials/Logins & Security? Give each device its own unique login and generate a one time password for it and save it to the device.. this way if a device gets lost or stolen you can simply delete that user account, or if you upgrade/replace the device you just generate a new password and render everything else unable to login without having to change the credentials on all your devices anytime you upgrade/lose an item.

    Why is a VPN more secure than just setting a strong password on my video system?
    Most video systems have undocumented backdoor credentials so the installer/vendor can unlock the device when the end user locks themselves out, for starters.. They do not come secure by default, they are also susceptible to remote attacks that can bypass your logins altogether to run malicious code directly on the hardware without your knowledge.. They do not automatically update security issues without intervention like your desktop/laptop/phone and you can't easily even tell what software is running on them.. Whereas VPN Servers are designed for direct internet exposure, have been audited by security professionals, they receive constant scrutiny that results in vulnerabilities being exposed quickly and fixed promptly.. Updating firmware on cameras is risky, recovery options in event of failure are minimal if they even exist at all.. when an update blows up on your computer/mobile you can reinstall and restore in the worst case, but that's not an option for your video surveillance devices.

    Site to Site VPN or Remote Client VPN?
    Typically you want to set up a remote client VPN unless you want to permanently bridge two networks so no clients are required on them.. for example if you have a vacation property you may want to set up a Site to Site VPN to your vacation property then use a Remote Client VPN into your home LAN.. then your remote VPN connection can access both video surveillance systems on the same network and both networks are directly connected.

    Dynamic DNS? Yes you'll want to set this up, preferably on your router or VPN Server but your cameras/NVR are also likely to have these features.. Most internet connections have dynamic addresses, and this ensures you can always find your VPN Server and not have to reconfigure VPN Clients when your Server IP changes.

    Most common VPN Setup mistakes:
    • Using a commonly used subnet for your home network, you may want to re-address your network to a subnet you're unlikely to encounter remotely.. for example if your Home network is 192.168.1.0 and your work network is 192.168.1.0 you'll find your remote VPN routes won't work, from work heh.. but if your home network is 192.168.253.0 you're less likely to encounter a remote network that collides with your home subnet..
    • Not using your VPN for everything when on a public Wifi, when you're on an unencrypted public wireless network anyone nearby can sniff your traffic right out of the air.. but once you enable that VPN Tunnel back to your home network all your traffic is encrypted and secure from anyone.. even the local network admins.
    • Not specifying gateway addresses for IoT devices, thinking this would keep them from accessing the internet altogether; it can also prevent you from accessing them via LAN because your VPN Server is likely to put you in its own subnet and route traffic between your LAN and the VPN on its own.
    • Not disabling uPNP and shutting down old port forwards after having VPN Setup.
    • Not Syncing time correctly, Crypto requires your devices to have the correct time set.. if your server or clients do not have a time-source configured they will be unable to login.
    • Not having an externally routable IP, if your VPN Server is on a Satellite or a Mobile Network you may not be able to remotely connect to anything.. port forwards won't work either. The best option for these networks is to establish a point to point VPN outbound connection to an external server you run on another network or subscribe to.

    I need step by step handholding because I am so dense I can bend light w/my gravity! Sounds like you should ask your grandkids, or whomever managed to teach you the internet.. Properly securing a network requires understanding and comprehension, and there is no single best way to do any of this.. You need to read, ask questions, and help yourself.. nobody is going to do this for you, if you want to operate an internet connected IP network in the modern world, this is basic stuff you have to understand or else you are putting us all at risk.

    this post is living and may be updated/changed at any time.
     
    Last edited: Jan 9, 2017
    RJF, t_andersen, Mlda and 58 others like this.
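As an added example (not nayr's code or anything posted in this thread), the first "common setup mistake" above can be checked before you re-address a home network: the script below models a home LAN, the VPN server's client pool and the remote network a client sits on, and reports which routes would be shadowed. All subnet values are constructed for the example; the list of "common default subnets" is an assumption, not a survey.

```python
#!/usr/bin/env python3
"""Check a remote-access VPN plan for subnet collisions.

Added illustration for the thread, not nayr's code. A VPN client that is
physically attached to a network using the same subnet as the home LAN has
two routes for the same prefix; the directly connected route wins and
traffic for the cameras never enters the tunnel. The stdlib ipaddress
module is enough to detect that before it bites.
"""
from ipaddress import ip_network

# Assumption: subnets many consumer routers ship as defaults. A home LAN on
# one of these frequently collides with hotel, office or guest networks.
COMMON_DEFAULT_SUBNETS = [
    ip_network("192.168.0.0/24"),
    ip_network("192.168.1.0/24"),
    ip_network("192.168.2.0/24"),
    ip_network("10.0.0.0/24"),
    ip_network("10.0.1.0/24"),
    ip_network("172.16.0.0/24"),
]


def check_plan(home_lan: str, vpn_pool: str, remote_lan: str) -> list[str]:
    """Return the problems with a (home LAN, VPN client pool, remote LAN) plan.

    An empty list means the routes the VPN server pushes will not be shadowed
    by the network the client is physically attached to, and the server can
    still tell tunnel clients apart from LAN devices.
    """
    home = ip_network(home_lan, strict=False)
    pool = ip_network(vpn_pool, strict=False)
    remote = ip_network(remote_lan, strict=False)
    problems = []
    if home.overlaps(remote):
        problems.append(
            f"home LAN {home} overlaps remote network {remote}: the directly "
            "connected route wins and tunnel traffic to your cameras is lost"
        )
    if pool.overlaps(remote):
        problems.append(
            f"VPN client pool {pool} overlaps remote network {remote}: "
            "the client cannot reach its tunnel gateway"
        )
    if pool.overlaps(home):
        problems.append(
            f"VPN client pool {pool} overlaps home LAN {home}: the server "
            "cannot distinguish tunnel clients from LAN devices"
        )
    return problems


def collision_risk(home_lan: str) -> list[str]:
    """List the common default subnets a proposed home LAN would collide with."""
    home = ip_network(home_lan, strict=False)
    return [str(net) for net in COMMON_DEFAULT_SUBNETS if home.overlaps(net)]


if __name__ == "__main__":
    # The primer's own scenario: home and work both on 192.168.1.0/24,
    # with the VPN server handing out clients addresses from 10.8.0.0/24.
    for msg in check_plan("192.168.1.0/24", "10.8.0.0/24", "192.168.1.0/24"):
        print("PROBLEM:", msg)
    # The primer's suggested fix: a less common subnet such as 192.168.253.0/24.
    risky = collision_risk("192.168.253.0/24")
    print("192.168.253.0/24 collides with:", ", ".join(risky) or "nothing common")
```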
  2. bp2008

    bp2008 Staff Member

    Joined:
    Mar 10, 2014
    Messages:
    4,769
    Likes Received:
    1,767
    Nice post. It will be helpful to any newbies who take the time to read it.
     
    Last edited: Nov 6, 2016
    nayr likes this.
  3. looney2ns

    looney2ns Known around here

    Joined:
    Sep 25, 2016
    Messages:
    1,105
    Likes Received:
    531
    Location:
    Evansville, Indiana
    Thank you Nayr for putting this together. :)
     
  4. tangent

    tangent Known around here

    Joined:
    May 12, 2016
    Messages:
    1,387
    Likes Received:
    558
    With iOS devices it's possible to configure them to connect to the VPN on demand (IPSec/L2TP only). Meaning you can set it so whenever you try to access your cams it will automatically connect. This takes a few more steps but is worth considering.
     
    Last edited: Nov 8, 2016
    nayr likes this.
  5. Q™

    Q™ Known around here

    Joined:
    Feb 16, 2015
    Messages:
    2,588
    Likes Received:
    872
    Location:
    Megatroplis, USA
  6. GH75

    GH75 Young grasshopper

    Joined:
    Mar 4, 2016
    Messages:
    59
    Likes Received:
    7
    Wow, like you read my mind. I was thinking of asking some VPN questions the last couple of days, and you pretty much covered it.

    I do have some questions.

    You say not to open ports? At my former company we did this on every install, and I do not think we ever had an IT department deny our request. If they did, it was simply we do not allow outside access for these types of devices, regardless of how we did it. So what is the real risk of opening ports? Is the danger to the CCTV network or does it expose the entire network if the port is opened to one device like an NVR?

    Is the danger simply seeing the clients cameras?

    How would one use idmss/gdmss with VPN? If I read right, they would have to open a separate app? Could that VPN stay open all the time, or would they have to connect the VPN every time before they opened gdmss?

    Can this be used with DynDNS? We are setting all of our clients up with clienta.mycompany.com, clientb.mycompany.com

    I am looking for a solution that we can implement at most or all of the clients we install.

    Thanks nayr
     
  7. tangent

    tangent Known around here

    Joined:
    May 12, 2016
    Messages:
    1,387
    Likes Received:
    558
    If there's a flaw in the NVR, it can expose the entire network. Depends a bit on how the rest of the network is set up. If you or your commercial clients care about security you should be using VLANs, managed switches, and quality firewalls. This is the type of thing that led to the Target data breach, an HVAC contractor had insecure access to the network and once that device was compromised, the hackers were able to infect other devices all throughout the network. Providing full network / IT support is beyond the scope of what many cctv/alarm companies might do, it may be better to refer clients to a company that knows how to handle this sort of thing. Your best bet would probably be some sort of security appliance but you'd have to learn how to configure and support that and most have subscription costs.

    Yes, people would have to connect to the VPN before things like idmss/gdmss. With some effort you can make this more seamless if you want.

    I wouldn't use a subdomain structure like that.

    EDIT for clarity: The average user doesn't need VLANs and high end firewalls. My comments were directed at someone who clearly didn't understand cyber security and who gave me the impression they were installing things for commercial clients. Bottom line: A VPN is a big improvement over port forwarding but it isn't always enough. If you're in over your head, especially if you're installing this stuff professionally, get / hire some competent help.
     
    Last edited: Dec 9, 2016
  8. tspicer

    tspicer n3wb

    Joined:
    Oct 18, 2016
    Messages:
    12
    Likes Received:
    3
    Location:
    Central IL
    Very nice info.. Thank you nayr!
     
  9. GH75

    GH75 Young grasshopper

    Joined:
    Mar 4, 2016
    Messages:
    59
    Likes Received:
    7
    Ok but why do you think the subdomain structure is a bad idea?

    Most of the concern I have heard lately is can other people see the cameras?

    Sent from my SM-G900P using Tapatalk
     
  10. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,376
    Likes Received:
    4,928
    Location:
    Denver, CO
    Mirai (malware) - Wikipedia

    That's just the latest in a long string; from voyeur to state sponsored cyber warfare.. read the first post again.. I justify the need for a VPN multiple times.. if you still don't understand; then take my word for it and do it regardless.
     
    thomaswde and Smitty Blackstone like this.
  11. tigerwillow1

    tigerwillow1 Getting the hang of it

    Joined:
    Jul 18, 2016
    Messages:
    293
    Likes Received:
    47
    Another thank you!!! I still don't understand a few things. When using the home router as the VPN server, or a Raspberry Pi3, do you use OpenVPN or L2TP/IPSec on the client? Does a port need to be forwarded to the VPN server? Sounds like if the VPN server listens on 443 it is "probably" forwarded already, correct?
     
  12. ipcamgeek

    ipcamgeek n3wb

    Joined:
    Sep 27, 2016
    Messages:
    25
    Likes Received:
    1
    @nayr! Thank you !! Perfect timing..
     
  13. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,376
    Likes Received:
    4,928
    Location:
    Denver, CO
    if you don't run it on your router you'll need to forward ports to your VPN Server; that's perfectly acceptable.. if it's run on the router; it's listening on your external IP directly so no forwards are necessary.. you may have to open/allow the requisite ports if you have a default block-all firewall rule.. a decent router will configure the firewall to allow the VPN Server automatically once you enable it.

    Some remote networks you'll find have very restrictive firewalls, like at EDU/GOV, Public Wifis, or even your work.. they may only have a white list of open ports clients can use to prevent torrents, chats, etc.. If you can configure your OpenVPN Server to listen on 443/tcp it will look like normal encrypted web traffic to most policy enforcers and slip right past the rules.. for example Public Wifi that doesn't allow https traffic is not much of a hotspot at all with most sites requiring it nowadays.

    It's a client-server setup, so your mobile/portable devices (Laptops/Tablets/Phones/etc) will have to configure a VPN Client to connect and set up the encrypted tunnel.. the server type you choose will determine the client you use, if you happen to have L2TP/IPSec available you already have native clients built in to your operating system and nothing will need to be installed at all, but you still can use 3rd party VPN Clients if you don't like the native clients.. OpenVPN will require a client app to be installed as they are not included with the major operating systems..

    Some clients do have dial on demand options where they will connect automatically as previously mentioned, if this is something you want make sure the VPN client you're using has the capabilities.
     
    Last edited: Nov 8, 2016
  14. GH75

    GH75 Young grasshopper

    Joined:
    Mar 4, 2016
    Messages:
    59
    Likes Received:
    7
    Not questioning the need for VPN, just understanding exactly what is at risk, so I can explain this to my clients.

    We almost always install a Linksys WRT54 router between the DVRs and client's network. This allows us to address all devices the same from site to site, and we set the DynDNS on the router. Then we open the ports on the Linksys router and assign them to each DVR. DVR1 is 37777, DVR2 is 37778 and so on. We also open ports on the ISP router to our Linksys router.

    Our typical setup has the ISP modem/router feeding the client network, and we install our Linksys router off the ISP modem/router. Would we still need to open ports on the ISP device if we were using VPN?

    Is there any standard for testing crypto speed so we can make a decision on a new router? I suspect that $40 WRT from 10+ years ago is not going to handle the bandwidth.

    VLANs. The other day we did a small DVR upgrade and we were assigned a public IP address and the provider told us there was no need to open ports as all ports were open. He also mentioned we were on a VLAN with some other surveillance equipment (this location has two buildings sharing the same data closet. Vendor A supports bldg A and I just acquired Bldg B, our DVR sits right next to a competitor).

    Since they put us on a VLAN, does this mean we are completely isolated from the other side of the network? I understand it is another virtual network but is it pretty secure?


    thank you to nayr, tangent and anyone else that has helped.

    FWIW my goal here is to create a strategy for informing clients of the potential risks, give them their options, and let them make the decision.

    PS I have been in the biz for a couple years but I had an engineer that handled all of this. Now I am on my own and learning as much as I can.
     
    John Reynolds likes this.
  15. randytsuch

    randytsuch Getting the hang of it

    Joined:
    Oct 1, 2016
    Messages:
    311
    Likes Received:
    73
    This is great, I have a few comments, suggestions since I just got OpenVPN working at home.

    Some information about DDNS would be great to include, since a home user would really need DDNS to have a usable VPN.
    Asus has a free DDNS service with their routers. When you set up DDNS on the router, it automatically uses that information when it sets up OpenVPN.

    For a client on my Android and iPhone, I'm using OpenVPN Connect. It works great. On the iPhone, I just had to copy the client.ovpn file over and enter user name and password and it worked.
    On android, I had to change some power savings settings, found that on the net after searching for the log error message.

    I also had to change some advanced settings on the OpenVPN advanced setup screen on the router, it was easy once I found advice on how to set it up. This is using the standard Asus firmware on my router, no special software required to make this work.
    • Username / Password Auth. Only: Yes
    • Push LAN to clients: Yes
    • Direct clients to redirect Internet traffic: No
    • Respond to DNS: Yes
    • Advertise DNS to clients: Yes


    Randy
     
  16. pal251

    pal251 Getting the hang of it

    Joined:
    Mar 15, 2014
    Messages:
    828
    Likes Received:
    58
    So it will connect to VPN whenever you open up your camera app only?
     
  17. BLKMGK

    BLKMGK Getting the hang of it

    Joined:
    Jul 19, 2016
    Messages:
    73
    Likes Received:
    34
    The reason why you do not allow direct access to your cameras and NVR boils down to vulnerability. The folks writing the software for these pieces of hardware don't do a good job of providing a secure interface, they don't patch security issues, they write poorly coded WEB interfaces allowing credentials to be bypassed, and they have a lengthy track record of leaving hidden hard coded user accounts in their code that can be found and taken advantage of by attackers (easily).

    The threat is that someone will break into one of these devices, a device that you as an owner have VERY little insight into and no ability to audit, and use it as a platform to attack the rest of your network or attack others via your bandwidth and network. While you may have had your device placed upon a VLAN that will restrict its access to the rest of YOUR network it will not stop the device from attacking others on the internet - as NAYR clearly described above. Some of THE most powerful botnets being used to attack networks these days are built using things like internet connected IP cameras and NVR with Dahua hardware having been specifically found to be used. However you can be 100% certain that pretty much ALL of these devices are vulnerable to a determined attacker. When your provider cuts off your access to the internet, impacting the entire business, because of attacks emanating from your client's network, or a lawyer sends them a cease and desist (or worse) you will see the importance of this. Worse, if you set it up they may try to shift liability to YOU.

    The solution is "simple" - don't give them any attack surface. No door knobs to jiggle, no windows to break through. Place your devices on segregated networks within your network (VLAN for instance) and require VPN credentials before remote traffic can even reach them. Your firewall and VPN are almost certainly more secure if they've been set up correctly using quality secure software/hardware than any of these devices being built overseas.


    That said - I run PFSense as my firewall and am looking to access it via iOS and am having a heck of a time getting it set up so I'm watching this with interest. I used to use PPTP with a different firewall and it was CAKE but it was also insecure and that protocol has been dropped from iOS anyway. I'll be watching this thread with interest and I suspect I may have to have a friend come over and help me sort it out. <sigh> Once you get it figured out I believe you will find it's well worth having a VPN for remote access. Open the BARE minimum of ports and put things like web servers in a DMZ rather than the network proper to make it even harder although I suppose that's a bit OT for this thread. Minimize minimize minimize....

    P.S. Last but not least - never discount that a device might "phone home" out of a secure network if it has the ability. Block this. These devices are made overseas and outgoing traffic is often used to bring attackers in, do NOT trust what you have so little insight into. The mere fact that these devices ever had hardcoded user accounts is enough for me to not trust them.
     
    djgarn, alastairstevenson and nayr like this.
  18. GH75

    GH75 Young grasshopper

    Joined:
    Mar 4, 2016
    Messages:
    59
    Likes Received:
    7
    So a VLAN would protect the rest of the network in case of a breach.

    A VPN would provide a fairly secure connection to keep the DVRs safe.

    If we connected to the client's Comcast router, and put our router after that, and used a VPN, would we still need to open the ports on the Comcast device? If yes, does that expose the client's network?

    The 888888 login I was told only works when at the device and can not be changed. Can this login be exploited by hackers?

    Thanks

    Sent from my SM-G900P using Tapatalk
     
  19. GH75

    GH75 Young grasshopper

    Joined:
    Mar 4, 2016
    Messages:
    59
    Likes Received:
    7
    If installing a switch with VLAN, would that go after the Comcast/ISP device? Then the networks divide from there?

    Sent from my SM-G900P using Tapatalk
     
  20. Roman

    Roman Getting the hang of it

    Joined:
    Aug 31, 2014
    Messages:
    155
    Likes Received:
    12
    Yes, the switch would be installed after your modem. Not to confuse the situation too much but at an enterprise / corporate level switches are almost always "layer 3" meaning they route between VLANs as well.
     
  21. Kawboy12R

    Kawboy12R Getting comfortable

    Joined:
    Nov 18, 2014
    Messages:
    1,453
    Likes Received:
    374
    There have also been attacks on NVRs that exposed the NVR's password and the email addresses inside used for notifications so if you used common passwords between devices or accounts that meant they had the keys to your kingdom as well as your NVR.
     
  22. MrRalphMan

    MrRalphMan Getting the hang of it

    Joined:
    Jan 20, 2016
    Messages:
    246
    Likes Received:
    43
    Just to let people know that sometimes your NAS drive has an option to install a VPN server. I am running a Synology NAS and it has a VPN Server to install. This allows several VPN options, including OpenVPN (which I use) and IPSec.

    This is being used by a mixture of Android and iOS devices.

    By the way, nice article Nayr. :)
     
  23. GH75

    GH75 Young grasshopper

    Joined:
    Mar 4, 2016
    Messages:
    59
    Likes Received:
    7
    If the switch was installed after the Comcast router would the Comcast router still be able to run DHCP through the managed switch and VLAN?

    I am going to reach out to some local companies in my network and partner with them so I have someone on call for help.

    But I still like to know the basics so I can make customers aware during the sales process.

    I have clients who don't even put a UPS on their NVR so cost is a concern.

    Sent from my SM-G900P using Tapatalk
     
  24. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,376
    Likes Received:
    4,928
    Location:
    Denver, CO
    a VLAN won't protect anything without a VLAN capable router/firewall to filter the traffic; this is a highly advanced configuration and way beyond the scope of this article.. buying a bunch of advanced networking gear without understanding how to configure and set things up is just far more likely to be less secure than if you just kept it simple.. adding complexity doesn't necessarily increase security; especially if you don't know what you're doing.

    there are far better places on the internet to learn about advanced networking technology and how to deploy it than this forum.. use your google fu
     
  25. randytsuch

    randytsuch Getting the hang of it

    Joined:
    Oct 1, 2016
    Messages:
    311
    Likes Received:
    73
    OK, back to some more basic stuff.
    I have OpenVPN running, but I have read there are some pretty simple tweaks to make it more secure.
    One is not using the default server port, change it to some random port to make it harder to find.

    The other is to change the encryption cipher from default, which I read is Blowfish.
    Planning to try AES-256-CBC and make sure the performance is OK.

    Randy
     
  26. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,376
    Likes Received:
    4,928
    Location:
    Denver, CO
    run it on 443 the same port as https traffic, if you pick some random high port you're very likely to encounter a remote network (Public Wifi/Guest Wifi/etc) that blocks all but basic web-traffic.

    obfuscating ports is pointless; every port can be scanned very quickly and your VPN Server will identify itself regardless of the port it's on.. your vpn server can handle the abuse of running on a common port without increasing your attack surfaces.

    stronger crypto is always good if your hardware is capable of using it; but it can really destroy performance if it's doing it all in software on weak hardware.. check your hardware support, if it has crypto acceleration support for your ciphers then you're golden.
     
    vietace likes this.
  27. BLKMGK

    BLKMGK Getting the hang of it

    Joined:
    Jul 19, 2016
    Messages:
    73
    Likes Received:
    34
    If you run a VPN the ports exposed to the internet are the VPN ports, NOT the NVR ports. If you run the VPN behind say a cable modem you'll have to forward VPN ports to the VPN server.

    I agree VLAN is a bit complicated and it does require hardware that can handle it. I've just recently bought some VLAN capable switches and hope to learn about it more myself as I've never used them. Done right it's a network within a network is my understanding, how it works though is simply by tagging specific fields on packets so don't get a false sense of security when it's used...

    Crypto - what's your threat? Are you REALLY worried that someone is sniffing the traffic and going to brute force the crypto keys out or do you simply want no one to be able to look at the traffic and grab credentials and whatnot? While good crypto is "better" you have to assess the threat. If it's not super duper secret data being protected from nation state intel services maybe you don't have to turn the dial up to eleven if it slows things? Run what makes sense! I used to run PPTP for a VPN, it was simple to setup and "easy" to break but my threat was joe average at the bar while I ate dinner so I didn't care. The more valuable the data the higher the security precautions but if taking precautions is simple or free do it. No security is a big problem because at that point the network resource itself is the prize, you need to make it hard enough they go elsewhere :)
     
  28. GH75

    GH75 Young grasshopper

    Joined:
    Mar 4, 2016
    Messages:
    59
    Likes Received:
    7
    Lol kind of like most reports state surveillance systems don't lower crime in an area, it just displaces it. I don't need to stop hacking, I just need them to find someone else...

    And you are right, I am not guarding national secrets. I really do not plan on utilizing VLANs, I just like to know how they come into play. Because 10% of our clients are enterprise running Cisco etc but they have their own IT department.

    And I am not trying to redesign the client's network. We do a lot of apartment complexes and most leasing offices have a Comcast device with default password, and a cheap TP-Link switch after it to expand ports.

    I think a decent router with VPN that allows sufficient bandwidth is all we need. Keep all traffic we generate limited to the NVR and make that connection fairly secure.

    Thanks for answering about the ports.

    Sent from my SM-G900P using Tapatalk
     
  29. Roman

    Roman Getting the hang of it

    Joined:
    Aug 31, 2014
    Messages:
    155
    Likes Received:
    12
    Just wanted to comment that this is an excellent suggestion by nayr and not only for public wifi / guest wifi environments but also in the business world. For example, your work may block port 5080 but they sure as hell are not going to block 443 (typically) due to https sites.

    This used to work for me so I could stream my Slingbox at work and watch TV on port 443 instead of the default :)
     
  30. randytsuch

    randytsuch Getting the hang of it

    Joined:
    Oct 1, 2016
    Messages:
    311
    Likes Received:
    73
    On my Asus router, it's very easy changing the encryption cipher from default (Blowfish) to AES-256-CBC, or some other cipher if you want.
    For AES, you can choose 128, 192 or 256. Thought it was interesting they added 192, I guess if you are worried 128 bit is not enough, and 256 is too slow.

    I found this post
    OpenVPN - estimate performance via OpenVPN

    where someone measured the speeds for AES 128 and 256. Around a 7% difference, which I can live with.
    It's an overclocked AC68, so speeds are 20% faster than my stock 68P, but for this I'm more concerned about the relative difference.

    I changed to AES256 this morning, works fine, and for Domoticz, which is very low data anyway, no difference in speeds.
    The most work in changing was implementing my new, random password lol

    BTW, for just video and cams, I don't think security is a big concern.
    I'm more concerned with keeping bad guys out of my network in general, and as I implement more in Domoticz and IoT, I want that part secure.

    Randy
     
    Caveman81 likes this.