VPN Primer for Noobs

Discussion in 'IP Cameras' started by nayr, Nov 6, 2016.


What VPN solution are you using? (multiple votes allowed)

  1. OpenVPN: 73.1%
  2. IPSec/L2TP: 6.9%
  3. on an OEM Asus router: 17.9%
  4. on a WRT-flashed router: 13.1%
  5. on a pfSense router: 9.0%
  6. on my PC NVR (BlueIris, Milestone, etc.): 4.8%
  7. on a dedicated device (Raspberry Pi, VPN concentrator, etc.): 5.5%
  8. ssh tunnels are the only way to roll: 2.1%
  9. on my NAS (Synology, FreeNAS, etc.): 7.6%
  10. on an OEM Netgear router: 1.4%
  1. nayr

    nayr Known around here

    Joined:
    Jul 16, 2014
    Messages:
    9,363
    Likes Received:
    4,821
    Location:
    Denver, CO
    @randytsuch, check out my x509 wiki article for Domoticz. I also put up an Nginx proxy server exposed to the internet that only accepts client x509 certs from my CA. This proxies all my web appliances to the internet and bypasses my VPN; Domoticz, OpenSprinkler, Sonarr, Transmission, NZBGet, etc. are all proxied, and they use the same certs I install on all my devices for wifi and VPN access, and the VPN doesn't have to be connected either.

    I'm so confident in its ability to keep my shit secure; this is my IoT Portal: Access Denied
     
  2. randytsuch

    randytsuch Getting the hang of it

    Joined:
    Oct 1, 2016
    Messages:
    275
    Likes Received:
    58
    Nayr,
    I think I looked at your wiki a while ago; of course, at the time I didn't know it was yours, lol.

    In "Install the CA on Client Devices", you say:
    "Mobile Devices are a little harder and you may consider getting your cert signed by a 3rd party authority."

    Since I'm pretty much only using mobile devices when outside my network to view this stuff, this makes it a no-go for me.

    Also, I'm wondering what the advantage is of x509 versus VPN?
    As long as the VPN is secure, won't it work just as well?
    I guess there is VPN overhead, which you don't have with x509.
    Connecting my VPN only takes a few pushes, so I don't mind having to do that.

    Randy
     
  3. nayr (Known around here)

    You can install your own CA on your devices; you only get a 3rd-party-signed one if you want other people's devices to work without installing it.

    Automation is a bit harder if you have to ensure the VPN is open. For example, I have an RFID token in my car that triggers my garage door to open/close via Domoticz; if I come home and my phone is a bit slow getting on the wifi, I don't have to fire up a VPN to connect to Domoticz and execute the commands.
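The x509 setup nayr describes in posts 1 and 3 (a private CA, a cert on each device, an Nginx proxy on the internet that only admits certs from that CA), as an added example that is not from the thread or nayr's wiki. It builds the CA and a phone certificate with the openssl command-line tool, shows that a certificate from any other CA is refused (the same decision nginx makes with `ssl_verify_client on`), and writes the nginx server block that enforces it. The hostname, upstream address, file paths and the PKCS#12 password are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or nayr's wiki): a minimal private CA,
# a client certificate for a phone, and the nginx front end that refuses
# anything not signed by that CA. Names, paths and addresses are assumptions.
# Requires the openssl command-line tool.
set -eu

# make_ca DIR NAME "COMMON NAME": self-signed CA (DIR/NAME.key, DIR/NAME.crt)
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

# issue_client DIR CA CLIENT: key + CSR for CLIENT, signed by DIR/CA.*,
# plus a PKCS#12 bundle (DIR/CLIENT.p12) that a phone can import.
issue_client() {
  openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$3" \
    -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null
  openssl x509 -req -in "$1/$3.csr" -CA "$1/$2.crt" -CAkey "$1/$2.key" \
    -CAcreateserial -sha256 -days 825 -out "$1/$3.crt" 2>/dev/null
  openssl pkcs12 -export -inkey "$1/$3.key" -in "$1/$3.crt" \
    -certfile "$1/$2.crt" -passout pass:changeit -out "$1/$3.p12"
}

# check_client DIR CERT: the decision nginx's ssl_verify_client makes:
# exit 0 only if CERT chains to DIR/ca.crt.
check_client() {
  openssl verify -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
}

# write_nginx_conf DIR: reverse proxy that demands a client cert from our CA
# and forwards to Domoticz. Hostname and upstream address are assumptions.
write_nginx_conf() {
  cat > "$1/iot.conf" <<'EOF'
server {
    listen 443 ssl;
    server_name iot.example.home;

    # server cert: can come from a public CA so phones trust it without
    # importing the private CA; only the CLIENT certs use the private CA
    ssl_certificate     /etc/nginx/ssl/server.crt;
    ssl_certificate_key /etc/nginx/ssl/server.key;

    # client auth: only certs issued directly by our CA get through;
    # everything else is answered with 400 before any proxying happens
    ssl_client_certificate /etc/nginx/ssl/ca.crt;
    ssl_verify_client on;
    ssl_verify_depth 1;

    location /domoticz/ {
        proxy_pass http://192.168.1.20:8080/;
        proxy_set_header X-Client-DN $ssl_client_s_dn;
    }
}
EOF
}

# demo: two CAs, one cert from each; only the cert from our CA is accepted
D=$(mktemp -d)
make_ca "$D" ca "Home IoT CA"
make_ca "$D" rogue "Somebody Else's CA"
issue_client "$D" ca phone
issue_client "$D" rogue attacker
write_nginx_conf "$D"
check_client "$D" "$D/phone.crt"    && echo "phone.crt: accepted"
check_client "$D" "$D/attacker.crt" || echo "attacker.crt: rejected"
```

Two things worth noting for the mobile concern raised in post 2. Only the proxy needs the private CA certificate (to verify clients); the phone needs its own certificate and key, which is what the .p12 carries. The private CA has to be installed as trusted on the phone only if the server certificate is also signed by it, so a publicly signed server certificate plus a privately issued client certificate avoids that step. Not every mobile app will present a client certificate from the OS store, so verify it with the app you actually use before relying on the proxy for it.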
     
  4. randytsuch (Getting the hang of it)

    OK, thanks.
    RFID in the car sounds cool; I have seen people talking about geofencing to do things like that, but RFID would be a better way to do it.
    For now, I'll stick with OpenVPN, but will keep this in mind if VPN becomes an issue with Domoticz. I'm not using Domoticz much yet, really just to turn the light on for the dog when we get home after dark, lol.
     
  5. BLKMGK

    BLKMGK Getting the hang of it

    Joined:
    Jul 19, 2016
    Messages:
    69
    Likes Received:
    31
    As nayr pointed out above, YES, security IS an issue for cams and NVRs. While they may not be able to steal secrets from them, they CAN be hacked and turned into bots used to attack other networks, or jumping-off points for your internal network if the device can see other hosts. These devices tend to be pretty insecure; if you've locked all of your doors, there's no sense leaving a window wide open.
     
  6. fooey

    fooey n3wb

    Joined:
    Jan 9, 2016
    Messages:
    15
    Likes Received:
    0
    Hi nayr,

    I understand using the certificates in place of wifi password authentication, but how does it work for apps connecting over a public wifi network in place of connecting via VPN?

    For example, using a VPN, you would need to establish it before any phone/tablet apps could then access whatever as if it was local to the network.

    This couldn't be done without VPN, just using certs?
     
  7. nayr (Known around here)

  8. JohnCena

    JohnCena n3wb

    Joined:
    Sep 23, 2016
    Messages:
    7
    Likes Received:
    0
    Nice article. I've read a bit about setting up a VLAN, but I've decided against it, mostly because I'm pretty dumb when it comes to setting network stuff up; setting up OpenVPN on my router was difficult enough. Should have gone for an Asus one!

    If I set up a VPN and then on my DD-WRT router set up a rule that blocks all traffic under Access Restrictions and add the camera's IP and MAC address to the list of clients, I should be pretty decent at least, right? I know that a VLAN would be the most secure option, but I'm hoping that using VPN + blocking the cameras from the internet should be pretty decent, even if they're plugged into the router.
     
  9. nayr (Known around here)

    Yeah, block your IP cameras from talking to the internet and run a local NTP server to give them time, or allow them to only talk 123/udp and nothing else.

    Rule order is important, so put the block-all at the top, and if you allow NTP, put that above the block-all.
     
    JohnCena likes this.
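nayr's rules above (block everything the cameras initiate, allow only 123/udp, and get the order right), as an added example that is not from the thread, written as an iptables script for a Linux-based router such as DD-WRT, OpenWrt or EdgeOS; DD-WRT's Access Restrictions page ends up generating rules of this kind, and a pfSense user would express the same policy as pf rules. The camera subnet, the NTP server address and the chain name are assumptions. By default the script prints the commands; run it with `IPT=iptables` as root to apply them.

```shell
#!/bin/sh
# Added example, not from the thread: "block the cameras, allow only NTP"
# as iptables rules on a Linux router. Cameras may answer sessions that the
# LAN/VPN side opened, may reach the local NTP server on udp/123, and get
# nothing else; denied attempts are logged. Addresses are assumptions.
# Default is a dry run that prints the commands; IPT=iptables applies them.
set -eu
IPT="${IPT:-echo iptables}"
CAM_NET="${CAM_NET:-192.168.50.0/24}"     # camera VLAN (assumed)
NTP_SERVER="${NTP_SERVER:-192.168.1.10}"  # NVR or other LAN host serving NTP (assumed)

camera_egress_rules() {
  # a dedicated chain: can be flushed and reloaded without touching FORWARD
  $IPT -N CAM_EGRESS 2>/dev/null || $IPT -F CAM_EGRESS

  # 1. replies to sessions the LAN/VPN side opened TO a camera (NVR pulling
  #    RTSP, phone viewing over the VPN). Stateful, so it is not an outbound hole.
  $IPT -A CAM_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT

  # 2. the ONLY thing a camera may initiate: NTP, and only to our own server.
  #    This must sit above the drop, because iptables stops at the first match.
  $IPT -A CAM_EGRESS -p udp -d "$NTP_SERVER" --dport 123 -j ACCEPT

  # 3. rate-limited log of what they tried to reach, then block. This is where
  #    a camera's attempts to phone home show up.
  $IPT -A CAM_EGRESS -m limit --limit 6/min -j LOG --log-prefix "CAM-DENY: "
  $IPT -A CAM_EGRESS -j DROP

  # 4. hook the chain at the TOP of FORWARD for anything sourced from the camera
  #    subnet, whichever interface it would leave on (internet or another LAN),
  #    so a compromised camera cannot pivot to other hosts either.
  $IPT -I FORWARD 1 -s "$CAM_NET" -j CAM_EGRESS
}

# Note: if the router itself is the NTP server, that traffic is handled by the
# INPUT chain, not FORWARD, and needs its own udp/123 accept rule there.
camera_egress_rules
```

The ESTABLISHED,RELATED rule is what keeps the NVR and VPN viewers working after the drop goes in: a camera never opens anything itself, it only answers. Swap rules 2 and 4 in the chain (drop before the NTP accept) and the cameras silently lose time sync, which is the ordering mistake the post warns about.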
  10. BLKMGK (Getting the hang of it)

    You might also be able to run an NTP server for your local network on your firewall/router/VPN/gateway device; I'm pretty certain my pfSense box can do it. So pfSense would go out and get time, then be the time server for the rest of the network, so only one device ever goes out for it. I don't think I have this set up but will look. I *think* you might even be able to set up the DHCP server to hand out the NTP server along with the DNS for your clients.

    Do NVRs have NTP servers on them? Since they tend to put cameras on their own subnet, I would think so, and act pretty much as I described above. So the NVR gets NTP from the firewall thingy and sends time to the cameras. Also, with a good, flexible firewall-type device or router, you can allow your devices to do DHCP dynamic addressing but always get the same address from the DHCP server by assigning the same address each time using the MAC address of the device. I do this extensively for my servers, switches, and my camera. Still working on the VPN part, but I like the idea of using X509 certs and a proxy!
     
  11. nayr (Known around here)

    NVRs sync the cameras' times using ONVIF and not NTP; if you enable both NTP and configure the NVR to set time on the cameras, they fight each other.

    But yeah, it's possible to set up the NVR to sync NTP time and then push it out to all the cameras.
     
  12. nayr (Known around here)

    bumping this back into view for the holiday spending spree
     
    wantafastz28 and fenderman like this.
  13. fenderman

    fenderman Staff Member

    Joined:
    Mar 9, 2014
    Messages:
    17,354
    Likes Received:
    3,417
    I made it a sticky..
     
    MrRalphMan, wantafastz28 and nayr like this.
  14. RickM

    RickM n3wb

    Joined:
    Dec 25, 2016
    Messages:
    2
    Likes Received:
    0
    Location:
    West Central Florida
    Loads of good information in the original post in this thread. A lot of folks don't think about network security until after the damage has been done. Thanks for sharing!
     
  15. istreich

    istreich n3wb

    Joined:
    Mar 23, 2015
    Messages:
    28
    Likes Received:
    1
    Thanks, nayr, for these great directions. One thing I can't find, though.
    I use Blue Iris to connect to my cameras from my iPhone and it is great. Right now, via port forwarding, it is immediate.
    Going forward, I will use a VPN, but I don't want any lag when I click on my Blue Iris icon, nor do I want to have to open the VPN separately.
    I don't believe there is a way to have Blue Iris start the VPN connection every time you click on it. Correct? If so, there would still be a lag, but maybe acceptable.
    As an alternative, and probably a better option, I could have an always-open VPN on my iPhone, but I have not found a way to do this. Any suggestion? Either OpenVPN or L2TP.
    THANKS!
     
  16. Jack B Nimble

    Jack B Nimble Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    890
    Likes Received:
    100
    Location:
    Great White North
    OpenVPN is always on when I use my Samsung. Did you try the "always on" setting in the app?
     
  17. pal251

    pal251 Getting the hang of it

    Joined:
    Mar 15, 2014
    Messages:
    792
    Likes Received:
    55
    @nayr, what do you think of the online cloud-based VPN services where you pay per month?
     
  18. nayr (Known around here)

    Those are for hiding your IP from tracking services; few if any will allow you to remote-access your network.
     
  19. pal251 (Getting the hang of it)

    Ahhh, gotcha.

    I may try to use a Raspberry Pi to create a server. I've got a location with open camera ports that people keep trying to access...
     
  20. istreich (n3wb)

    Did not see a setting for that in the OpenVPN app for iPhone.
     
  21. bug99

    bug99 Getting the hang of it

    Joined:
    Dec 27, 2016
    Messages:
    139
    Likes Received:
    29
    Nice guide, @nayr.

    I am wondering about router support and ease of use of OpenVPN with an internal server. Apparently my new TP-Link wireless router (Archer C7) does not have its own server. I think it supports having one on the LAN (maybe up to 10), but that would be a pain. I think my other router/AP, a Netgear (R7000), does. Does anyone know if the Ubiquiti Edge series (X or Lite) support OpenVPN? I am fairly sure they support PPTP and L2TP/IPsec, but suspect that getting those to work with an Android cell phone on LTE reliably might be a heavy lift. If it is easy, however, they might be a good choice for the router between the cable modem and one or two LANs where the APs reside. Otherwise I think putting an ASUS wireless router there (e.g. RT-AC66U B1) and using the other wireless routers as APs would be the easiest way to go. It is not that I think I will ever have more than 30,000 pps, so that is likely not really a decision. My gut tells me that the Ubiquiti products are more resilient, for little or no added cost.

    One suggestion for an added point. I think that to use a VPN, a token needs to be exchanged (one time). In general the server will create this and the clients will have their half to encrypt/decrypt the tunnel traffic. What this means is there needs to be a VPN server process (in the router, maybe), a client (e.g. an Android client tunnel app), and a set of tokens (one needs to be made and copied to the client in all cases). I think this minor point is missing.
     
    Last edited: Jan 27, 2017
  22. nayr (Known around here)

    I've got a UBNT EdgeRouter and it doesn't have OpenVPN; I'm using IPsec off a FreeRADIUS server I installed on the EdgeRouter. If you are familiar with the Linux command line, you can install OpenVPN on it, I'm sure.

    Tokens are not always used with VPN; it's just suggested because brute-forcing a token is pretty much not going to happen. It's just a form of authentication, and VPN can use all sorts of methods of auth.
     
  23. bug99 (Getting the hang of it)

    @nayr, does your IPsec system work well with Android phones? What app do you use? I assume that it works well with the built-in security of modern computer OSes, but I'm not sure how easy that would be for phone camera monitoring, my primary use case right now.
     
  24. nayr (Known around here)

    Yeah, it works really well because my router has IPsec crypto acceleration; I'm using the native Android VPN client that's built in.
     
  25. bug99 (Getting the hang of it)

    Well, lookie there. I did not know VPN was native to Android. Are you able to use port 443 with IPsec? I will be looking at this setup a bit more soon.
     
  26. nayr (Known around here)

    No, IPsec requires specific protocols (not TCP/UDP; IKE, ESP, etc.) to be allowed, so trying to run it only over tcp/443 isn't gonna fly.
     
  27. redfive

    redfive Young grasshopper

    Joined:
    Apr 13, 2016
    Messages:
    78
    Likes Received:
    16
    Nice post, @nayr!! I saw it only now... ;)
    Agree on all. My cameras and NVR are on their own VLAN and are accessible via VPN or from my LAN, but they cannot initiate connections by themselves (FW rules, internal NTP and so on). It's funny seeing, in the firewall's logs, how many sessions these devices try to initiate to some external IP addresses (mostly amazonaws).....
    Cheers,
    jonatha
    P.S. I mean... these devices try to connect to the internet..... when actually they shouldn't (with all internet services disabled).
     
    Last edited: Jan 30, 2017
  28. Dytryn

    Dytryn n3wb

    Joined:
    Nov 28, 2016
    Messages:
    24
    Likes Received:
    1
    I have an Asus RT-AC88U router and cannot get the VPN to allow me access. Is anyone familiar with that router and willing to help? My IT guy has already spent 2 hours and researched issues on his forums, and still nothing.
     
  29. fenderman (Staff Member)

    Asus has the easiest VPN implementation... something is either wrong with your router or your IT guy...
    YouTube has a bunch of tutorials.
     
  30. username

    username Young grasshopper

    Joined:
    Feb 7, 2016
    Messages:
    75
    Likes Received:
    10
    Did you get that sorted out? I can access my NVR via pfSense using "OpenVPN Connect" running iVMS-4500 on iOS. It took a while, but I finally got it.