IP Cam Talk


VPN Primer for Noobs


aabs

Young grasshopper
You can't make easy4ip / P2P more secure.
I'm going to have to set up my own VPN using my Qnap OpenVPN app.
I'm a little confused about how it will manage incoming and outgoing traffic. Is it a case of setting a rule so that all traffic to and from the IP of my NVR passes through the VPN on my Qnap?

Is it possible to remove or disable easy4ip to remove the security risk?
 

tangent

IPCT Contributor
I'm going to have to set up my own VPN using my Qnap OpenVPN app.
I'm a little confused about how it will manage incoming and outgoing traffic. Is it a case of setting a rule so that all traffic to and from the IP of my NVR passes through the VPN on my Qnap?

Is it possible to remove or disable easy4ip to remove the security risk?
If you run a VPN server on a device other than your router, you have to forward ports on your router to the VPN server.

Generally there is an option to disable P2P, easy4ip, etc.; some hacked grey-market cams may not give you the option. You can also block the camera's ability to connect to the internet, or to anything but a time server. When you connect to your VPN server it's like you're connected to the network inside your house.
 

aabs

Young grasshopper
Installed OpenVPN on the Qnap, configured it and downloaded the certificate.
Transferred ca.crt and openvpn.ovpn to my iPad OpenVPN app by iTunes transfer.
Created a VPN client user account on the Qnap to use for logging in from the OpenVPN app.

However, OpenVPN Connect times out and won't connect, so I'm not quite there yet!

See the screenshot for the config on the Qnap. I've also forwarded UDP 1194 on my router to the Qnap IP address 192.168.2.x.
The IP for DNS is the router IP, and the router is also configured with a valid DDNS account.
The only part I'm not sure of is the VPN client pool IP 10.8.0.2 ~ 10.8.0.254. What is this referring to?

On the iPad OpenVPN Connect:
Profile = "External Certificate Profile" 81.153.233.***
Certificate = None selected
User ID = ID created on the Qnap

Hope someone can spot the problem.
 

cb8

Getting comfortable
"VPN client IP pool" is the range of IPs the VPN server will use when assigning an IP to a client.

On your iPad, after you flick the toggle button to connect, you can press the status line above it to get more details on what's happening as it's trying to connect. I see a scroll bar in the web UI, are there additional configuration options?
 

aabs

Young grasshopper
Okay, I finally got the Qnap VPN up and running, only to run into another issue.
The router supplied by my ISP, which is good old BT here in the UK, will not forward 1194, as documented on the BT forums.
Two nights' worth of work for nothing. I know it would probably have taken nayr an hour, but at least I got as far as I could with my ISP-supplied router.

Hence I'm going to replace the router with an Asus router with VPN built in.
What's the sweet-spot model for ease of setup and performance/price?
 

cb8

Getting comfortable
The BT router won't forward any other ports either? You could always change OpenVPN to use something else. There are references to various ASUS routers in the previous pages. I'm not familiar with their latest offerings, as it's years since I used an ASUS router. Currently running OpenVPN on a Raspberry Pi behind an EdgeRouter Lite.
 

mmdb

Getting the hang of it
How do you block the cameras from calling home on an NVR 16P 5216? I have disabled port forwarding on my ASUS router; is that enough, or do I need to block the IP of the NVR, 192.168.1.108, at the router?
 

aabs

Young grasshopper
The BT router won't forward any other ports either? You could always change OpenVPN to use something else. There are references to various ASUS routers in the previous pages. I'm not familiar with their latest offerings, as it's years since I used an ASUS router. Currently running OpenVPN on a Raspberry Pi behind an EdgeRouter Lite.
Yeah, I did a little more research last night, and the offerings are a little more limited with BT unless you have a separate fibre modem.
The Netgear R7000 is looking like a good option for my setup at the moment.
 

GSB1

Young grasshopper
I've read nayr's post at the head of this thread a good few times and many other threads where he has persistently pointed out that port forwarding or otherwise making your IP cams internet facing is a bad plan. Having checked some other sources that make the same point also, I decided I had better take action, better late than never. Thank you to nayr for the original post. I now have a configuration I am more comfortable with.

My home camera setup was using the frowned-upon port forwarding, exposing the cams to the internet (no NVR). I now have a VPN endpoint router configured with a choice of either an SSL tunnel or L2TP/IPsec with AES encryption. I am using MOTP for the account password on both. I have firewall rules blocking all outbound WAN traffic from the respective static camera IPs, with subsequent rules permitting traffic to the Google DNS servers, traffic to port 123 (NTP) and traffic to port 465 (SSL SMTP for email alerts).
 
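As an added example (not a ruleset from any poster's router), the egress policy GSB1 describes, plus the port-forward tangent mentioned for running the VPN server on a LAN device rather than the router, written as an nftables ruleset. Interface names, the camera/NVR set, the VPN server address and the DNS servers are assumptions; replace them with your own.

```nft
#!/usr/sbin/nft -f
# Added example for this thread; assumes a Linux router running nftables with
# "eth0" as WAN and "br0" as LAN. Cameras/NVR have static LAN addresses, and an
# OpenVPN server (e.g. a Qnap) lives on the LAN at $vpn_server.
flush ruleset

define wan        = "eth0"
define lan        = "br0"
define cams       = { 192.168.1.10, 192.168.1.11, 192.168.1.108 }  # assumed
define vpn_server = 192.168.1.20                                    # assumed
define vpn_pool   = 10.8.0.0/24       # OpenVPN "client IP pool"
define dns        = { 8.8.8.8, 8.8.4.4 }

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept

        # Cameras/NVR may only reach NTP, the listed DNS servers and SMTP over TLS.
        ip saddr $cams oifname $wan udp dport 123 accept
        ip saddr $cams oifname $wan ip daddr $dns udp dport 53 accept
        ip saddr $cams oifname $wan tcp dport 465 accept
        # Anything else they try (P2P/easy4ip, vendor "phone home") is logged, then dropped.
        ip saddr $cams oifname $wan log prefix "cam-egress-drop " drop

        # The rest of the LAN gets ordinary internet access.
        iifname $lan oifname $wan accept

        # Hairpin case: a camera's replies to a VPN client (10.8.0.x) go to its
        # default gateway, i.e. this router, unless the VPN server NATs them.
        # Pair this with a static route for $vpn_pool via $vpn_server.
        iifname $lan oifname $lan ip daddr $vpn_pool accept

        # The only inbound path from the internet: OpenVPN, after the DNAT below.
        iifname $wan oifname $lan ip daddr $vpn_server udp dport 1194 accept
    }
}

table ip nat {
    chain prerouting {
        type nat hook prerouting priority -100;
        iifname $wan udp dport 1194 dnat to $vpn_server
    }
    chain postrouting {
        type nat hook postrouting priority 100;
        oifname $wan masquerade
    }
}
```

Load it with `nft -f` and confirm with `nft list ruleset`. Rule order matters: the camera drop rule must sit above the general LAN accept, otherwise the cameras fall through to full internet access. After a camera or NVR reboots, `cam-egress-drop` entries in the kernel log show exactly which cloud endpoints it was trying to reach, which is a useful check that the P2P/easy4ip disable actually took effect. If the VPN server is the router itself (ASUS/Netgear built-in OpenVPN), delete the DNAT rule and accept UDP 1194 in the input chain instead.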

mmdb

Getting the hang of it
Why is my VPN leaking? I turn on OpenVPN Connect on my tablet and connect, but when I go to whatismyip.com I get my correct IP address. Tried Mozilla and Chrome. In Mozilla I've typed about:config, then media.peerconnection, and set it to false.
 

aabs

Young grasshopper
I must have missed the reason why there is an effort to use TAP vs TUN. I will see if I can find it in the earlier posts. Is it because people's routers are stuck with TAP? I think the newer Netgear models suffer from this, which is better than it was when they did not seem to support VPN at all as a server. Or is it because people have services that are not IP traffic, like poorly configured old Windows gear (not WINS) or non-IP network printers? In my opinion, use TUN if at all possible, as it cleans up traffic on the net due to the nature of L3 routing (TUN) vs bridging the broadcast domain (TAP). As @nayr pointed out, it is easy with the right gear (i.e. a newer ASUS router), but the theory and bits underneath are fairly complicated.
What Asus router would you recommend?
 

cb8

Getting comfortable
Why is my VPN leaking? I turn on OpenVPN Connect on my tablet and connect, but when I go to whatismyip.com I get my correct IP address. Tried Mozilla and Chrome. In Mozilla I've typed about:config, then media.peerconnection, and set it to false.
What do you expect your IP to be? The goal here is not to hide your IP, but to provide a secure connection to your home network.

Depending on how you configure OpenVPN, either only the traffic destined for your home network will travel across the VPN connection, or, alternatively, all traffic will. The former is useful if you want to be able to access your cameras and at the same time stream YouTube without having that depend on your home network's upload speed. On the other hand, if you're connected to an untrusted network you may want the latter, in order to have all your traffic go across a secure channel to your home network first.
 

mmdb

Getting the hang of it
Thanks cb8. I don't expect anything; I just want to be sure that I set it up correctly and my cams are secure. I set it up like this: IMG_20170408_085406.jpg
I just want to see my cams remotely; they're installed at my workplace out of town.
 

cb8

Getting comfortable
Thanks cb8. I don't expect anything; I just want to be sure that I set it up correctly and my cams are secure. I set it up like this: View attachment 17289
I just want to see my cams remotely; they're installed at my workplace out of town.
My guess would be that "Direct clients to redirect Internet Traffic" determines whether traffic not destined for your LAN will be routed through your VPN or not. In the raw OpenVPN configuration it would add an entry like

push "redirect-gateway"

if you were to turn it on. Seeing your workplace's IP when you check myip.com is to be expected with it off, but your cameras are still safely accessed over the VPN.

If you want to go one step further in securing OpenVPN, you can turn on the "Extra HMAC authorization". It adds a shared secret to both the server and client configurations (you'll have to update your phone/tablet with a new .ovpn file afterwards). With this enabled, OpenVPN will only respond to clients that know the shared secret. It protects against Heartbleed-style bugs, as only clients knowing the shared secret would be able to exploit it.
 
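The points cb8 makes in the last two replies (split tunnel vs. "redirect Internet Traffic", and the "Extra HMAC authorization"), together with aabs's earlier question about the client IP pool, as an added OpenVPN server configuration. This is example configuration written for this page, not the config generated by the Qnap or ASUS UI; certificate paths, the 192.168.1.0/24 home LAN and the router's address are assumptions.

```openvpn
# server.conf: added example, not a poster's config. Paths and subnets assumed.
port 1194
proto udp
dev tun                         # routed (L3) tunnel; TAP would bridge the broadcast domain
ca   /etc/openvpn/ca.crt        # same CA the clients carry as ca.crt
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem

# "VPN client IP pool": the server takes 10.8.0.1, clients are assigned
# 10.8.0.2 - 10.8.0.254 out of this subnet.
server 10.8.0.0 255.255.255.0
topology subnet

# Split tunnel (default here): only the home LAN is routed through the VPN.
# The client's other traffic (YouTube, whatismyip.com) leaves via its local
# internet connection, so it will show the client's own public IP.
push "route 192.168.1.0 255.255.255.0"

# Full tunnel ("Direct clients to redirect Internet Traffic" in the router UI):
# uncomment to send everything through the home connection. "def1" adds
# 0.0.0.0/1 and 128.0.0.0/1 routes instead of replacing the default route, so the
# client's original default route survives for the tunnel itself.
#push "redirect-gateway def1"
#push "dhcp-option DNS 192.168.1.1"   # assumed router/DNS address

# "Extra HMAC authorization": every control packet must carry a valid HMAC under
# this shared key, or it is discarded before the TLS stack sees it. A peer
# without ta.key never reaches TLS, which is what limits exposure to bugs in it.
# Generate with: openvpn --genkey secret ta.key   (older: --genkey --secret ta.key)
tls-auth /etc/openvpn/ta.key 0  # server side is direction 0; clients use 1
# tls-crypt /etc/openvpn/ta.key # newer alternative: also encrypts the control channel

cipher AES-256-GCM
auth SHA256
tls-version-min 1.2
remote-cert-tls client          # refuse a server certificate presented as a client
user nobody
group nogroup
persist-key
persist-tun
keepalive 10 60
verb 3
```

The matching client profile needs `tls-auth ta.key 1` (or the same `tls-crypt` line) and the same `ca.crt`; this is why the router UI hands you a new .ovpn after enabling the option. If the ISP router will not forward 1194, only `port` needs to change, on both sides, to whatever it will forward. With `dev tun`, cameras on 192.168.1.0/24 reply to 10.8.0.x via their default gateway, so the router needs a route for 10.8.0.0/24 pointing at the OpenVPN host unless that host NATs the tunnel traffic.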

mmdb

Getting the hang of it
Thanks cb8. So can I safely connect the NVR to the router? Is my OpenVPN working OK, and can I safely look at the cameras from a remote location? And do I need to turn on "Direct clients to redirect Internet Traffic"?
Maybe the "problem" was with my tablet, because I was locally connected through WiFi and the NVR is on the same router.
 

cb8

Getting comfortable
With the VPN enabled, you should be able to connect to your NVR and cameras using their local IPs, i.e. 192.168.x.x or similar, when you're at work. I'm not sure what you mean by "turn on NVR to router". You can connect it to your local network, but you should still not forward any ports; all access happens through the VPN, where you connect to your VPN and then connect to your NVR as if you were on the local network.

No need to turn on "Direct clients to redirect Internet Traffic" for this.
 