VPN Primer for Noobs

[looney2ns]

Just spitballing, are using the iP along with the port? Can you ping the ip?

You may need to have them put the modem in bridge mode, and then supply your own router.
I just setup open vpn on my Asus router and had no hoops to jump.

Edit, do you have these client's blocked from the internet in the router? For me, that disables connecting to that client from the vpn.

 

[aabs]

Hi looney2ns,

As mentioned by Randy, think it must be due to this model being the DSL and not the RT.

I have two options to try out which is to create some routing rules for the 10.0.8.0 subnet or divide my LAN subnet and use a section of that.

 

[Mike A.]

Hi looney2ns,

As mentioned by Randy, think it must be due to this model being the DSL and not the RT.

I have two options to try out which is to create some routing rules for the 10.0.8.0 subnet or divide my LAN subnet and use a section of that.

"Push LAN to Clients" under Advanced Settings is the option that should do what you want. But looking at your settings above you have that checked on. I believe that just sets up the routing automatically by pushing the required info to the client for it to build the route. If you create a hard route yourself then it should end up being the same if that option setting isn't working/is not being pushed out for some reason. I've not had any troubles doing the same on mine but it's the RT.

 

[mmdb]

1 question about vpn .. can i st vpn on asus router 18nu(i have the same one on my work place and everything working great) can i set vpn on other asus 18 nu indetical with mine on my home pc ,im doing it for my friend ,and later i will install router on my friends house outside of town ?

 

[tangent]

1 question about vpn .. can i st vpn on asus router 18nu(i have the same one on my work place and everything working great) can i set vpn on other asus 18 nu indetical with mine on my home pc ,im doing it for my friend ,and later i will install router on my friends house outside of town ?

Yes you can set up a VPN server on a router and then install it. To do this, you would want to connect your PC to this router. There's no need to connect it to the internet to set it up.

 

[mmdb]

thx tangent

 

[Tinman]

You want to avoid any of the commonly used ports. 443 is standard https. Pick something way up in the 40,000s IMO. Something odd that isn't used by anything else.

Again, check your firewall rules. If possible, post a screenshot of that page.

run it on 443 the same port as https traffic, if you pick some random high port your very likely to encounter a remote network (Public Wifi/Guest Wifi/etc) that blocks all but basic web-traffic.

obfuscating ports is pointless; every port can be scanned very quickly and your VPN Server will identify its self regardless the port its on.. your vpn server can handle the abuse of running on a common port without increasing your attack surfaces.

I would use port 443 as Nayr's post above recommends

 

[dee]

I’m in my late 70s and am starting to lose some gray biological ram. 2 years ago I built my video system to what I perceived to be state of the art.

When I built the computer my thought was that NVRs seem to have too many issues.

This is why I chose to go direct to solid state memory into a fast reliable SSD. If I have chosen wrong, please point this out. My system is somewhat more involved than the average home system. That is why I endeavor to describe all of it in the hope this will facilitate easier feedback without too many questions about the system and will result in quicker answers and recommendations and/or changes.

My current concern is that a gateway exchange from my ISP somehow closed (lost) my port forwarding, along with my wireless printer connection. I fixed the printer connection but when researching the port forwarding on this forum was shocked to find but agreed at the new recommendations to not do this any longer. Having weighed the options recommended here, I intend to go with a new ASUS RT-AC68P Wireless-AC1900 that has VPN built in and incurs no associated monthly charges.

This intended solution brings up questions, which I know you fellows can and hopefully will answer.

My system consists of:

Windows 10, Version 1703, I7-4790K, CPU @ 4.0 GHz 360 GHz
Installed Ram 16.0 GB
System type 64-bit operating system, x-64 based processor
Display 65” 4k LG @ 1080p
ISP = Spectrum Mbit/s cable, modem(gateway) = Arris T1682g
Disks are 2 fast3/4 tb Samsung SSD, 2 1 tb Sate IDE, 1 tb USB (for backup)

My 3 cams:

3 Hikvision DS-2CD2032F-I cams
Connection = Cat5 with Poe from Giga POE 8 port switch
Giga POE 8 port switch, signal from via Cat5 from Arris T1682g, power from wall wart

Other Network items:

Vera Lite home network, signal from via Cat5 from Arris T1682g, power from wall wart
2 WIFI connected 5GHz S5 android phones, 2 10” WIFI 5GHz connected tablets

Cameras are currently being viewed 2 ways:

At home on 1080p in an IE tab in Chrome browser using ivsm4200, I also have BLUE iRIS. ShouldI use it?
, in android5 GHz WIFI using tinycam PRO app

Away from home in android in android using tinycam PRO app (this no longer works due to no port forwarding)

My questions:

As I understand, using a VPN router and dialing into my no-ip network address from my android, this is what happens: The no-ip address would be https:// xxxx.ddns.net ?
Yes No

Dialed from an unsecure WIFI network, this dialing string would not be able to be sniffed out by bad actors?
Yes No

No, it does not work like this. I have to install some type of client VPN on my android which will prevent the dialing string from being sniffed.
Yes No

I understand there are various types of VPN software that can be installed on the new ASUS RT-AC68P Wireless-AC1900. Is the one that comes with it the best one, easiest to implement? Would you recommend another?
Yes No

Is stunnel an additional protocol?
Yes No

Is it included in the router’s VPN software?
Yes No

What does stunnelling do and is it recommended?
Yes No

I read on this forum that some members were able to buy a refurnished router and download and install the firmware themselves. But 6 hours? How fast were others able to do this and is it really that difficult?

 

[Mike A.]

My questions:

As I understand, using a VPN router and dialing into my no-ip network address from my android, this is what happens: The no-ip address would be https:// xxxx.ddns.net ?
Yes No

You'll access your public IP. The DDNS service used is optional but just makes that easier. But basically, yes, you'd set up that host name in whatever VPN client you use (see below).

Dialed from an unsecure WIFI network, this dialing string would not be able to be sniffed out by bad actors?
Yes No

Hopefully you're not dialing in but, no, that's a little off. The actual connection would be seen at some level since the larger network needs to know how to route traffic from one place to another. There's a way to better hide that using a public VPN that you might employ but that's kind of a different matter and not something that you probably need to consider here.

What it will do is better secure the connection between your client and your system and encrypts the information inside that data stream so that someone can't, for example, see your passwords, credit card numbers, etc. sent via that connection, can't simply pass unrequested traffic in over that port into your network, etc.

No, it does not work like this. I have to install some type of client VPN on my android which will prevent the dialing string from being sniffed.
Yes No

There are two parts - Your router will run a VPN server. You will install a VPN client on whatever device you use to access that host. Upon connection, the two will negotiate a secured connection.

I understand there are various types of VPN software that can be installed on the new ASUS RT-AC68P Wireless-AC1900. Is the one that comes with it the best one, easiest to implement? Would you recommend another?
Yes No

Unless you have some specific reason to do otherwise, then just use the stock ASUS VPN to get started. It's probably all that you'll ever need, makes it easy, and works well.

Is stunnel an additional protocol?
Yes No

Is it included in the router’s VPN software?
Yes No

What does stunnelling do and is it recommended?
Yes No

I read on this forum that some members were able to buy a refurnished router and download and install the firmware themselves. But 6 hours? How fast were others able to do this and is it really that difficult?

Stunnel is for things that don't provide for native SSL-encrypted connections. Using the VPN you most likely don't need it. Not entirely true but for most purposes here it's more something that would be used instead of VPN in certain circumstances since what's being connected doesn't have the ability to do encrypted communication on its own. Basically, it creates a secure wrapper around the normal traffic to/from that device/program. You don't need to deal with it at all just to set up a VPN into your network.

 

[dee]

Thanks for clearing this up.
Any comment on my avoiding the use of an NVR and just recording directly to an SSD drive?
I never quite understood why people generally use an NVR. Is it to create a separation for a specific group of devices which in this case are cams? If there are other reasons I would love to learn them.

 

[tangent]

Thanks for clearing this up.
Any comment on my avoiding the use of an NVR and just recording directly to an SSD drive?
I never quite understood why people generally use an NVR. Is it to create a separation for a specific group of devices which in this case are cams? If there are other reasons I would love to learn them.

Best practice is generally to use a dedicated pc or nvr and not try to use a PC for your cams and daily use. No point in recording to an SSD, $/GB is much higher and frequent re-writes shorten the life of the drive. If you put an SSD in a PC use it for the OS and record your video to a regular old spinner.

 

[erkme73]

This question may have been answered in the previous 13 pages, but I can't seem to find it...

With regard to VPN, how does one address the need for accessibility to the BI server, from friends and family on various external devices? I understand that all of them would need to have a VPN client on their devices, but what if I only want to share the BI server, and not the rest of my LAN? I'm sure I could put the BI server on the same subnet as the VPN, and isolate the home LAN from it, but that would introduce other roadblocks. For example, home automation equipment which needs to fire triggers to the BI server's LAN IP... Or the cameras themselves...

Further, does leaving the VPN client on a mobile device (Android) on all the time consume data or battery power? IOW, if I leave my VPN tunnel connected, am I going to see my phone's battery melt, or blow through my data quota from my carrier?

 

[Mike A.]

This question may have been answered in the previous 13 pages, but I can't seem to find it...

With regard to VPN, how does one address the need for accessibility to the BI server, from friends and family on various external devices? I understand that all of them would need to have a VPN client on their devices, but what if I only want to share the BI server, and not the rest of my LAN? I'm sure I could put the BI server on the same subnet as the VPN, and isolate the home LAN from it, but that would introduce other roadblocks. For example, home automation equipment which needs to fire triggers to the BI server's LAN IP... Or the cameras themselves...

The simple answer is that most don't address it since in the large majority of cases there's either nobody else accessing theirs or who does have access is trusted. The more useful answer is that you still have all of the same access controls and physical/logical structure that exist on your various devices and network. The VPN just puts them into your network as another client IP. If they want to log in to a particular computer/device/share, then they're still subject to whatever user name/password and other access limitations may exist and whatever physical/logical structure exists for the network. They will have free access to whatever is left open and available to them like open shares, etc. But that does put them inside of your network so you need to tighten things up as necessary and it does present some risk for potential inside attacks/vulnerabilities that could come from them whether intended or not. To be realistic about it though, most probably will be doing good just to remember to start the VPN first and get to your BI server with a provided link vs trying to hack your password hashes. If there's more risk there then, yeah, you probably don't want them in your network to begin with period.

Further, does leaving the VPN client on a mobile device (Android) on all the time consume data or battery power? IOW, if I leave my VPN tunnel connected, am I going to see my phone's battery melt, or blow through my data quota from my carrier?

Not really any noticeable effect or overhead from most of the VPN clients that I've used. I leave mine running all the time since I run my remote access back to my home network and through the same ad/spam/malware filters/firewall that I have set up for my network vs having to try to replicate and maintain all of at least what I could do on each device individually.

How it affects your data will be determined by what you're doing via the link. The VPN/client doesn't add in any significant way to that itself. Basically, it's the same as an SSL connection to a web page, you're just using an encrypted stream for all of the traffic to/from your network.

Another way to deal with this that I've used in the past if you have access to some outside web server is to replicate the views from the BI server or cams there. That way only the remote server has access to your local server and they're just looking at what it displays vs accessing your network/local server directly.

 

[tim8]

So is there anyway to configure a vpn to automatically connect only when using the idmss and then disconnect automatically after I close the idmss app? This is in iOS btw.

 

[injunear]

I need step by step handholding because I am so dense I can bend light w/my gravity!

Sounds like you should ask your grandkids, or whomever managed to teach you the internet.. Properly securing a network requires understanding and comprehension, and there is no single best way to do any of this.. You need to read, ask questions, and help yourself.. nobody is going to do this for you, if you want to operate an internet connected IP network in the modern world, this is basic stuff you have to understand or else you are putting us all at risk.

Firstly, my grandkids are dumber than a rock and declare that they're 'expert' in proficiency in computerese because they use many social media apps and download music.....They don't know, what they don't know, as the saying goes and I find that true of many of the last couple generations. Having said that, as an MSEE I admit to my my networking ignorance as most of my career's been designing military hardware and the most often used protocol was, and still is, IEE1553 serial. Buying a router, plugging it in and setting up the wifi and security and setting up IP's and masks was all I cared to know about 'networking' over the internet.

So, here I am trying to catch up on this topic without reading 14 pages ;<(.

I'm trying to grasp the big picture so to speak.

1) I need to setup my router as a VPN server, preferably as either Open or L2, right? This requires no paid VPN service as my router becomes the server to connect to, right?

2) I need to install a VPN client on my devices that will access the VPN server via the internet, right?

3) This requires me to download and setup a VPN client to my Android, or is it native on an Android?

4) I currently have Port Forwarding on my system. I use BI for my cams. I have the BI client on my Android phone.
Is the BI version I have downloaded VPN capable or do I still need to install a VPN client to my phone for logins?

5) Any recommendations on third party apps to use as a client on the phone would be appreciated.

Thanks
Bob T.

 

[Mike A.]

So is there anyway to configure a vpn to automatically connect only when using the idmss and then disconnect automatically after I close the idmss app? This is in iOS btw.

Don't think so. At least not unless jail broken.

 

[tim8]

With iOS devices it's possible to configure them to connect to the VPN on demand (IPSec/L2TP only). Meaning you can set it so whenever you try to access your cams it will automatically connect. This takes a few more steps but is worth considering.

Could you please elaborate on this? Thanks

 

[Mike A.]

Firstly, my grandkids are dumber than a rock and declare that they're 'expert' in proficiency in computerese because they use many social media apps and download music.....They don't know, what they don't know, as the saying goes and I find that true of many of the last couple generations. Having said that, as an MSEE I admit to my my networking ignorance as most of my career's been designing military hardware and the most often used protocol was, and still is, IEE1553 serial. Buying a router, plugging it in and setting up the wifi and security and setting up IP's and masks was all I cared to know about 'networking' over the internet.

So, here I am trying to catch up on this topic without reading 14 pages ;<(.

I'm trying to grasp the big picture so to speak.

1) I need to setup my router as a VPN server, preferably as either Open or L2, right? This requires no paid VPN service as my router becomes the server to connect to, right?

Correct.

2) I need to install a VPN client on my devices that will access the VPN server via the internet, right?

Correct.

3) This requires me to download and setup a VPN client to my Android, or is it native on an Android?

OpenVPN Connect - Android Apps on Google Play

Various others available.

4) I currently have Port Forwarding on my system. I use BI for my cams. I have the BI client on my Android phone.
Is the BI version I have downloaded VPN capable or do I still need to install a VPN client to my phone for logins?

You still need the VPN client. You'll connect to your server using the VPN client. That will put you inside of your network basically as if you were connected locally on your home network. You'll then use the BI app as you normally would. (May need to make some adjustments to the IP, access controls, etc., depending on how your network and BI are setup but not much assuming a simple setup.)

5) Any recommendations on third party apps to use as a client on the phone would be appreciated.

The BI app is the most capable for controlling BI. Use that if you've already bought it. Can also launch a browser and use that to connect to the BI web server.

 

[injunear]

Mike. Thanks much.....

 

[aabs]

Check your firewall rules to ensure that traffic is allowed between those two subnets (in both directions). Often the default is to treat a VPN subnet like a sandbox, and if that's the case, unless you explicitly allow the traffic nothing will ever talk to each other.

Also consider changing that OpenVPN port. It's standard / the default one, which means that hackers will include it in their portscans.

Finally making some progress.
I can web browse to NAS drives and other things on my LAN 192.168.2 range but to do this I had to switch my firewall off which defeats the objective of more security !

I need more help from the more experienced like DWW0311 to help me configure my firewall on a ASUSWRT router to achieve this with the firewall switched on