VPN Primer for Noobs

Discussion in 'IP Cameras' started by nayr, Nov 6, 2016.

What VPN Solution are you using? (poll; multiple votes are allowed)

  1. OpenVPN: 76.7%
  2. IPSec/L2TP: 10.0%
  3. on an OEM Asus Router: 21.7%
  4. on a WRT flashed Router: 16.7%
  5. on a pfSense Router: 10.0%
  6. on my PC NVR (BlueIris, Milestone, etc): 3.3%
  7. on a dedicated device (Raspberry Pi, VPN Concentrator, etc): 3.3%
  8. ssh tunnels are the only way to roll: 1.7%
  9. on my NAS (Synology, FreeNAS, etc): 10.0%
  1. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    6,945
    Likes Received:
    2,529
    Location:
    Denver, CO
    @randytsuch, check out my x509 wiki article for Domoticz.. I also put an Nginx proxy server exposed to the internet that only accepts client x509 certs from my CA.. this proxies all my web appliances to the internet and bypasses my VPN; domoticz, opensprinkler, sonarr, transmission, nzbget, etc are all proxied and they use the same certs I install on all my devices for wifi and VPN access, and the VPN doesn't have to be connected either.

    I'm so confident in its abilities to keep my shit secure, this is my IoT Portal: Access Denied
     
  2. randytsuch

    randytsuch Getting the hang of it

    Joined:
    Oct 1, 2016
    Messages:
    143
    Likes Received:
    16
    Nayr
    I think I looked at your wiki a while ago, of course at the time I didn't know it was yours lol

    In the "Install the CA on Client Devices" section, you say:
    Mobile Devices are a little harder and you may consider getting your cert signed by a 3rd party authority.

    Since I'm pretty much only using mobile devices when outside my network to view this stuff, this makes it a no go for me.

    Also, wondering what the advantage is for x509 versus vpn?
    As long as VPN is secure, won't it work just as well?
    I guess there is VPN overhead, which you don't have with x509.
    Connecting my vpn only takes a few pushes, so I don't mind having to do that.

    Randy
     
  3. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    6,945
    Likes Received:
    2,529
    Location:
    Denver, CO
    you can install your own CA on your devices, you only get a signed 3rd party one if you want other people's devices to work w/out installing it.

    automation is a bit harder if you have to ensure the VPN is open. For example, I have an RFID token in my car that triggers my garage door to open/close via Domoticz.. if I come home and my phone is a bit slow getting on the wifi, I don't have to fire up a VPN to connect to Domoticz and execute the commands.
     
  4. randytsuch

    randytsuch Getting the hang of it

    Joined:
    Oct 1, 2016
    Messages:
    143
    Likes Received:
    16
    OK, thanks.
    RFID in the car sounds cool. I have seen people talking about geofencing to do things like that, but RFID would be a better way to do it.
    For now, I'll stick with OpenVPN, but will keep this in mind if VPN becomes an issue with Domoticz. I'm not using Domoticz much yet, really just to turn the light on for the dog when we get home after dark lol.
     
  5. BLKMGK

    BLKMGK Young grasshopper

    Joined:
    Jul 19, 2016
    Messages:
    54
    Likes Received:
    11
    As NAYR pointed out above, YES, security IS an issue for cams and NVRs. While they may not be able to steal secrets from them, they CAN be hacked and turned into bots used to attack other networks, or into jumping-off points for your internal network if the device can see other hosts. These devices tend to be pretty insecure; if you've locked all of your doors there's no sense leaving a window wide open.
     
  6. fooey

    fooey n3wb

    Joined:
    Jan 9, 2016
    Messages:
    14
    Likes Received:
    0
    Hi nayr

    I understand using the certificates in place of wifi password authentication, but how does it work for apps connecting over a public wifi network in place of connecting via VPN?

    For example, using a VPN, you would need to establish it before any phone/tablet apps could then access whatever as if it was local to the network.

    This couldn't be done without VPN and just using certs?
     
  7. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    6,945
    Likes Received:
    2,529
    Location:
    Denver, CO
  8. JohnCena

    JohnCena n3wb

    Joined:
    Sep 23, 2016
    Messages:
    5
    Likes Received:
    0
    Nice article. I've read a bit about setting up a VLAN but I've decided against it, mostly because I'm pretty dumb when it comes to setting network stuff up; setting up OpenVPN on my router was difficult enough. Should have gone for an Asus one!

    If I set up a VPN and then on my DD-WRT router set up a rule under Access Restrictions that blocks all traffic, and add the camera's IP and MAC address to the list of clients, I should be pretty decent at least, right? I know that a VLAN would be the most secure option, but I'm hoping that using VPN + blocking the cameras from the internet should be pretty decent, even if they're plugged into the router.
     
  9. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    6,945
    Likes Received:
    2,529
    Location:
    Denver, CO
    yeah, block your IP cameras from talking to the internet and run a local NTP server to give 'em time.. or allow 'em to only talk 123/udp and nothing else.

    rule order is important, so put the block-all at the top.. and if you allow NTP, put that above the block-all.
     
    JohnCena likes this.
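    To see why the order of the "allow NTP" and "block all" rules matters, here is an added example (not from the post above and not DD-WRT firmware code) that models Access Restrictions as an ordered, first-match rule list; the camera address and probe ports are constructed.

    ```python
    from dataclasses import dataclass
    from typing import List, Optional

    # Added example, not from the forum post or from DD-WRT firmware: a model of an
    # ordered, first-match firewall so the rule-order advice above can be checked
    # without touching a router. Addresses and ports below are constructed.

    @dataclass(frozen=True)
    class Rule:
        action: str                  # "ALLOW" or "DROP"
        src: Optional[str] = None    # source IP the rule applies to; None = any
        proto: Optional[str] = None  # "udp" or "tcp"; None = any protocol
        dport: Optional[int] = None  # destination port; None = any port

    @dataclass(frozen=True)
    class Packet:
        src: str
        proto: str
        dport: int

    def matches(rule: Rule, pkt: Packet) -> bool:
        return ((rule.src is None or rule.src == pkt.src)
                and (rule.proto is None or rule.proto == pkt.proto)
                and (rule.dport is None or rule.dport == pkt.dport))

    def evaluate(rules: List[Rule], pkt: Packet, default: str = "ALLOW") -> str:
        """Walk the list top-down; the first matching rule decides the verdict."""
        for rule in rules:
            if matches(rule, pkt):
                return rule.action
        return default  # implicit policy for hosts no rule mentions

    CAMERA = "192.168.1.50"  # constructed LAN address of the camera
    BLOCK_ALL = Rule("DROP", src=CAMERA)  # the "block all" entry for the camera
    ALLOW_NTP = Rule("ALLOW", src=CAMERA, proto="udp", dport=123)

    WRONG_ORDER = [BLOCK_ALL, ALLOW_NTP]  # allow sits below the block: never reached
    RIGHT_ORDER = [ALLOW_NTP, BLOCK_ALL]  # nayr's ordering: NTP allow above block-all

    def ntp_allowed(rules: List[Rule]) -> bool:
        return evaluate(rules, Packet(CAMERA, "udp", 123)) == "ALLOW"

    def camera_contained(rules: List[Rule]) -> bool:
        # True when the camera's non-NTP traffic (web and DNS probes) is dropped.
        probes = [Packet(CAMERA, "tcp", 80), Packet(CAMERA, "tcp", 443),
                  Packet(CAMERA, "udp", 53)]
        return all(evaluate(rules, p) == "DROP" for p in probes)

    def other_hosts_unaffected(rules: List[Rule]) -> bool:
        """A PC on the same LAN is named by no rule, so it keeps the default policy."""
        return evaluate(rules, Packet("192.168.1.20", "tcp", 443)) == "ALLOW"
    ```

    With the block-all first, the camera is contained but its NTP request is dropped too; with the allow above it, NTP passes and everything else from the camera is still dropped.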
  10. BLKMGK

    BLKMGK Young grasshopper

    Joined:
    Jul 19, 2016
    Messages:
    54
    Likes Received:
    11
    You might also be able to run an NTP server for your local network on your firewall/router/VPN/gateway device - I'm pretty certain my PFSense box can do it. So PFSense would go out and get time, then be the time server for the rest of the network, so only one device ever goes out for it. I don't think I have this set up but will look. I *think* you might even be able to set up the DHCP server to hand out the NTP server along with the DNS for your clients.

    Do NVRs have NTP servers on them? Since they tend to put cameras on their own subnet I would think so, and they would act pretty much as I described above. So the NVR gets NTP from the firewall thingy and sends time to the cameras. Also, with a good flexible firewall type device or router you can allow your devices to do DHCP dynamic addressing but always get the same address from the DHCP server, by assigning the same address each time using the MAC address of the device. I do this extensively for my servers, switches, and my camera. Still working on the VPN part, but I like the idea of using X509 certs and a proxy!
     
  11. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    6,945
    Likes Received:
    2,529
    Location:
    Denver, CO
    NVRs sync the cameras' time using ONVIF and not NTP.. if you enable both NTP and configure the NVR to set time on the cameras, they fight each other.

    but yeah, it's possible to set up the NVR to sync NTP time and then push it out to all the cameras..
     
  12. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    6,945
    Likes Received:
    2,529
    Location:
    Denver, CO
    bumping this back into view for the holiday spending spree
     
    wantafastz28 and fenderman like this.
  13. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    15,347
    Likes Received:
    2,652
    I made it a sticky..
     
    MrRalphMan, wantafastz28 and nayr like this.
  14. RickM

    RickM n3wb

    Joined:
    Dec 25, 2016
    Messages:
    2
    Likes Received:
    0
    Location:
    West Central Florida
    Loads of good information in the original post in this thread. A lot of folks don't think about network security until after the damage has been done. Thanks for sharing!
     
  15. istreich

    istreich n3wb

    Joined:
    Mar 23, 2015
    Messages:
    28
    Likes Received:
    1
    Thanks Nayr for these great directions. One thing I can't find, though.
    I use Blue Iris to connect to my cameras from my iPhone and it is great. Right now, via port forwarding, it is immediate.
    Going forward, I will use a VPN, but I don't want any lag when I click on my Blue Iris icon, nor do I want to have to open the VPN separately.
    I don't believe there is a way to have Blue Iris start the VPN connection every time you click on it. Correct? If so, there would still be a lag, but maybe acceptable.
    As an alternative and probably better option, I could have an always-open VPN on my iPhone, but I have not found a way to do this. Any suggestion? Either OpenVPN or L2TP.
    THANKS!
     
  16. Jack B Nimble

    Jack B Nimble Getting the hang of it

    Joined:
    Dec 15, 2015
    Messages:
    807
    Likes Received:
    70
    Location:
    Great White North
    OpenVPN is always on when I use my Samsung. Did you try the "always on" option in the app's settings?
     
  17. pal251

    pal251 Getting the hang of it

    Joined:
    Mar 15, 2014
    Messages:
    770
    Likes Received:
    49
    @nayr, what do you think of the online cloud-based VPN services where you pay per month?
     
  18. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    6,945
    Likes Received:
    2,529
    Location:
    Denver, CO
    those are for hiding your IP from tracking services; few if any will allow you to remote access your network.
     
  19. pal251

    pal251 Getting the hang of it

    Joined:
    Mar 15, 2014
    Messages:
    770
    Likes Received:
    49
    Ahhh gotcha.

    I may try to use a Raspberry Pi to create a server. I got a location with open camera ports that people keep trying to access...
     
  20. istreich

    istreich n3wb

    Joined:
    Mar 23, 2015
    Messages:
    28
    Likes Received:
    1
    Did not see a setting for that in the OpenVPN app for iPhone