VPN Primer for Noobs

Discussion in 'IP Cameras' started by nayr, Nov 6, 2016.


What VPN Solution are you using?

  1. OpenVPN: 62.5%
  2. IPSec/L2TP: 11.9%
  3. on an OEM Asus Router: 15.7%
  4. on a WRT flashed Router: 7.8%
  5. on a pfSense Router: 8.3%
  6. on my PC NVR (BlueIris, Milestone, etc): 4.8%
  7. on a dedicated device (Raspberry Pi, VPN Concentrator, etc): 4.8%
  8. ssh tunnels are the only way to roll: 1.4%
  9. on my NAS (Synology, FreeNAS, etc): 6.4%
  10. on an OEM Netgear Router: 5.7%
Multiple votes are allowed.
  1. nbstl68

    nbstl68 Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    997
    Likes Received:
    138
    My setup is as follows:

    CenturyLink ZYXEL C1100z modem \ wireless Router -> Linksys Cisco SRW248G4P 48 Port POE Switch -> HP computer dedicated to BI server

    Neither the router nor the managed switch (as far as I know) supports using or installing a VPN.
    So would it be best practice to run VPN software on the computer, or figure out something additional like the Raspberry Pi setup I have read about here?

    If the RPi, then where \ how would it connect in, exactly?

    Pros \ cons to running VPN on the computer other than taking away additional CPU from BI if needed?

    Best options for VPN software in this case?
    (I have 0 experience with this sort of thing other than reading this forum and other posts here.) OpenVPN? It seems to be the most popular option around here.

    My DSL provider changes my IP address quite often... sometimes more than once a week. Is this a concern?
    Thanks
     
  2. Paulx

    Paulx Young grasshopper

    Joined:
    Aug 23, 2017
    Messages:
    73
    Likes Received:
    21
    Location:
    St. Louis, Missouri
    I am by no means an expert, but I will kind of tell you my journey. I ended up buying an Asus wireless router with an OpenVPN server built into its firmware. I too have a CenturyLink Zyxel modem/router/wireless, but a different model. With some hand holding (LOL) I was advised to change the protocol from PPPoE to Transparent Bridging mode. This will bring the public IP into and through their modem. Now you will need to know your user name and password. These will be programmed into the Asus. The WAN side will also be set to dynamic IP. Now, with CL giving you a dynamic IP address, this is going to be a problem, but Asus also offers a DDNS service that is a snap to set up in their router. Think up a fictitious user name for your account and type that into the router. This DDNS will talk with your router from time to time to keep updated on the changing public address that CL assigns to your account.
    That said, I believe that using a Pi solution will require either a static IP from CL or buying a DDNS service. Either of these two solutions is going to cost you more money. The Asus solution does not cost a monthly fee.
     
  3. nbstl68

    nbstl68 Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    997
    Likes Received:
    138
    Thanks! Would running the VPN on the computer also require a static IP?
    This seems like the cheapest solution vs having to buy a new router.
     
  4. Paulx

    Paulx Young grasshopper

    Joined:
    Aug 23, 2017
    Messages:
    73
    Likes Received:
    21
    Location:
    St. Louis, Missouri
    I would think you would still need a DDNS server service provider, thus a monthly service fee. Or pay CL for a static IP address. I believe that is a service fee of 90 bucks and then 10 bucks per month. I almost went that route, but customer service sucks and I backed away when they could not answer some questions. And if you have done much with CL you know they suck. My caller ID still shows the last person who had my phone number, so if I call someone they think I am someone else. Even after calling and being told about 5 times that they changed the caller ID info.
    So, it's your call. Pay once (abt 150 bucks) and cry, or pay a little over and over and cry every month.
     
    58chev likes this.
  5. 58chev

    58chev Getting the hang of it

    Joined:
    Aug 30, 2017
    Messages:
    194
    Likes Received:
    82
    Location:
    Etobi, Ontario
    @nbstl68, suck it up and get yourself an ASUS router to simplify the issue at hand.
    I went that route also, and within less than 24 hrs I was up and running on OpenVPN. On my router there is no noticeable CPU usage while running the VPN and viewing two camera feeds at the same time.
    I cannot say how running the VPN on BI will affect CPU usage.

    @Paulx - You did good with a "little hand holding" :D
     
    BeerNut and Paulx like this.
  6. Paulx

    Paulx Young grasshopper

    Joined:
    Aug 23, 2017
    Messages:
    73
    Likes Received:
    21
    Location:
    St. Louis, Missouri
    @58chev thanks for those encouraging words when I was uncertain.
     
  7. nbstl68

    nbstl68 Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    997
    Likes Received:
    138
    Alrighty then... I'm picking up that you are hinting I should get an ASUS router and run OpenVPN on it.
    I'll give it a go.
     
    58chev likes this.
  8. economypilot

    economypilot n3wb

    Joined:
    May 16, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Amelia Island
    Hello! I'm new to the site. I've done lots of reading on here trying to get up to speed, but I haven't had luck so far determining what issue I am having with my VPN connection.

    I have a Lorex LNR616 DVR, which I believe has the Dahua interface. I have the DVR set up in the home office, which also serves an IPsec/L2TP VPN.

    The only external ports I have open are for a business website. Via the VPN I have many servers operating which all work quite well. I have a SIP server, various IoT web servers, a file server, can remote access my machines in both directions, etc. etc. If I search the remote subnet for my IP cameras from Flir Cloud, it will find them, add the cameras, and connect. However, when I go to stream or save video, the video never comes through the connection. Flir Cloud will say "Failed to connect to video" or "Search stream timeout". This same behavior occurs whether I attempt to access the cameras directly or via the DVR.

    Additionally, I am unable to access the web interfaces of the remote cameras from the home office...

    In poking around myself (in the dark, no doubt), I have determined...

    - Home office is able to ping the cameras, with delays averaging about 23 ms.
    - Home office is able to telnet to all relevant ports on the cameras (80, 443, 35000, etc.)
    To my untrained eye, it seems the traffic is making it across the VPN and hitting the cameras, but the cameras are then ignoring that traffic. Do they ignore traffic from other subnets by default? I've been through the settings and cannot see anything like that. I do see a bless list for IP address ranges --- but the enabled box is not checked in that section, and just for kicks I added the relevant networks, but still no joy on the video stream.

    So, yeah, I'm stumped. Need some next level ninja help.
     
  9. economypilot

    economypilot n3wb

    Joined:
    May 16, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Amelia Island
    Update: I used netcat to verify UDP connectivity by setting up a listener at the remote site and sending traffic from the home office, and vice versa. So I do in fact have confirmed UDP connectivity via the VPN.
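The two checks economypilot describes in the posts above (telnet to the camera's TCP ports, a netcat listener/sender pair for UDP) combined into one reachability script that can be run from one end of the tunnel. This is an added example, not code from the thread; the camera address is a constructed placeholder, and the UDP test assumes an echoing listener on the far side (the helper included here, or netcat with a manual reply).

```python
import socket
import threading

def tcp_port_open(host, port, timeout=2.0):
    """True if a TCP handshake completes: what 'telnet host port' shows."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def udp_echo_probe(host, port, payload=b"vpn-probe", timeout=2.0):
    """Send one datagram and wait for the far side to echo it back.
    False on timeout or ICMP port-unreachable, so the caller sees
    'no UDP path' instead of a hang (a bare sendto always 'succeeds')."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(payload, (host, port))
            data, _ = s.recvfrom(1024)
            return data == payload
        except OSError:  # covers socket.timeout and ConnectionRefusedError
            return False

def start_udp_echo_listener(host="127.0.0.1", port=0):
    """Far-side helper: echo every datagram. Returns (bound_port, stop_fn)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind((host, port))
    s.settimeout(0.2)          # lets the loop notice stop() promptly
    stop = threading.Event()

    def loop():
        while not stop.is_set():
            try:
                data, addr = s.recvfrom(1024)
                s.sendto(data, addr)
            except socket.timeout:
                continue
        s.close()

    threading.Thread(target=loop, daemon=True).start()
    return s.getsockname()[1], stop.set

def start_tcp_listener(host="127.0.0.1", port=0):
    """Far-side helper for the TCP test. Returns (bound_port, close_fn)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((host, port))
    s.listen(1)
    return s.getsockname()[1], s.close

def check_camera(host, tcp_ports=(80, 443, 35000), udp_port=None):
    """Per-port reachability report for one camera or DVR across the tunnel."""
    report = {f"tcp/{p}": tcp_port_open(host, p) for p in tcp_ports}
    if udp_port is not None:
        report[f"udp/{udp_port}"] = udp_echo_probe(host, udp_port)
    return report

if __name__ == "__main__":
    CAMERA = "192.0.2.10"  # constructed placeholder, not a real camera address
    for name, ok in check_camera(CAMERA, udp_port=35000).items():
        print(f"{name}: {'reachable' if ok else 'NOT reachable'}")
```

A port that answers here but whose video still fails points past plain reachability (the application protocol or the camera's own access rules), which is exactly the split economypilot is trying to make.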
     
  10. TL1096r

    TL1096r Getting the hang of it

    Joined:
    Jan 28, 2017
    Messages:
    189
    Likes Received:
    11
    You ain't kidding. While it's a great write-up, having a step-by-step DIY on how to set it up can really help.
     
  11. brad2388

    brad2388 Getting the hang of it

    Joined:
    Oct 5, 2016
    Messages:
    115
    Likes Received:
    11
    Nice write up!

    My question/problem is I'm currently on AT&T LTE with no way out.

    What's the best way to set up a VPN? I currently am using an EdgeRouter X.

    Can I set up an RPi running a VPN and have the NVR connect through that? If so, how would I set that up?

     
  12. Barboots

    Barboots Getting the hang of it

    Joined:
    Mar 15, 2018
    Messages:
    93
    Likes Received:
    30
    Location:
    Perth, Western Australia
    I'm currently trying to decide whether to throw $230 into a new Asus modem, or whether to have a go at Gargoyle/Tomato/OpenWRT on a Netgear WNDR3800. We're still on ADSL2+, but fibre is coming; at this moment the maximum speed of the VPN isn't an issue.

    It would have been nice if I could have implemented a reasonably secure interim configuration with the basic modem/router I currently have, along with the D-Link DGS-1100-24P I bought.

    Anyway, what I'm curious about is whether anyone has commentary on the open firmware options... I am quite interested in Gargoyle.

    Cheers, Steve
     
  13. Barboots

    Barboots Getting the hang of it

    Joined:
    Mar 15, 2018
    Messages:
    93
    Likes Received:
    30
    Location:
    Perth, Western Australia
    Sort of answering my own post about Gargoyle...

    I've just finished setting it up on the Netgear with OpenVPN. I had a steep learning curve as I'm not good with networking. I'm quite proud that I didn't bother anyone here (or elsewhere) with my stupid questions about the set-up in general.

    Gargoyle was straightforward to flash and has a clean interface. The inbuilt OpenVPN would be easy to use if you were not a noob like me. It works great with the "OpenVPN for Android" app, even building one-click configuration files to import. Speed from the old hardware is still far better than the ADSL we suffer here.

    However, the other reason I've posted now is to thank those who promoted doing things properly with regard to security, and in particular remote access. My girlfriend suggested that I just use P2P like most other consumers would, but I wanted to do the right thing by myself and the internet community. Thanks for the guidance onto the high road.

    Cheers, Steve
     
    SmartAceW0LF and awsum140 like this.
  14. Barboots

    Barboots Getting the hang of it

    Joined:
    Mar 15, 2018
    Messages:
    93
    Likes Received:
    30
    Location:
    Perth, Western Australia
    Is the GRC "Shields Up" group of services an adequate check? I noticed that you can't scan all ports from 1 to 65535.

    Is there anything the gurus can recommend?

    Cheers, Steve
     
  15. brad2388

    brad2388 Getting the hang of it

    Joined:
    Oct 5, 2016
    Messages:
    115
    Likes Received:
    11
    I have a router running Tomato running OpenVPN.

    How do I set up my NVR to use it?

    If I plug my internet into the WAN port of the router I will lose access to the cameras.

     
  16. KatchMeRacing

    KatchMeRacing n3wb

    Joined:
    Apr 1, 2018
    Messages:
    20
    Likes Received:
    1
    I agree with this thought.

    I'm clueless when it comes to protecting a network.
     
  17. randytsuch

    randytsuch Pulling my weight

    Joined:
    Oct 1, 2016
    Messages:
    471
    Likes Received:
    150
    How do you access your NVR when you are at home?
    When you are out, you open the OpenVPN connection, and then your device will think you are at home. It's actually pretty simple once you understand that. Just pretend you're in your living room.

    BTW, for anyone with an Asus router, I wrote these instructions, which have been linked to before in this long thread, but I thought I'd do it again.
    Randy: OpenVPN on an Asus router

    Randy
     
    xtropodx, looney2ns and 58chev like this.
  18. 58chev

    58chev Getting the hang of it

    Joined:
    Aug 30, 2017
    Messages:
    194
    Likes Received:
    82
    Location:
    Etobi, Ontario
    @randytsuch
    Best how-to on the interweb. Hands down.

    This write-up is what prompted me to buy an ASUS router just to avoid confusion and headaches.
    Tossed my Linksys with DD-WRT.
     
  19. brad2388

    brad2388 Getting the hang of it

    Joined:
    Oct 5, 2016
    Messages:
    115
    Likes Received:
    11
    But this doesn't work behind a strict NAT. We have AT&T wireless LTE.

     
  20. randytsuch

    randytsuch Pulling my weight

    Joined:
    Oct 1, 2016
    Messages:
    471
    Likes Received:
    150
    So I'm not a network guy, I know just enough to be dangerous, but I'm not sure about your strict NAT comment?

    I can tell you I have an iPhone 8 with AT&T as the provider, and I have no problem running OpenVPN and checking cams.
     
  21. brad2388

    brad2388 Getting the hang of it

    Joined:
    Oct 5, 2016
    Messages:
    115
    Likes Received:
    11
    Yes, the strict NAT I'm referring to is more like a double NAT. I can't port forward through and get a public IP address.
     
  22. xtropodx

    xtropodx Young grasshopper

    Joined:
    Apr 30, 2017
    Messages:
    40
    Likes Received:
    6
    I have an ASUS router, and twice in the last few months the router has been compromised, despite having (what I thought to be) strong settings and passwords, after setting the VPN server up following instructions here.
    Is there a way, once the VPN server (and client) is set up, to brute-force attempt to penetrate one's own system?
     
  23. randytsuch

    randytsuch Pulling my weight

    Joined:
    Oct 1, 2016
    Messages:
    471
    Likes Received:
    150
    So you are using AES-256-CBC for the encryption cipher, and someone was able to break in through the VPN?
    From my limited understanding of this stuff, AES-256-CBC is quite secure and really hard to crack, so having someone do it a couple of times in a few minutes seems strange, unless they are getting your key somehow.

    How do you know you were compromised?
    Did you look at the Asus router logs?

    Randy
     
  24. xtropodx

    xtropodx Young grasshopper

    Joined:
    Apr 30, 2017
    Messages:
    40
    Likes Received:
    6
    The language on the router has been changed. I'm not suggesting the cause is via the VPN server, but rather asking if there's a way to test/break it to ensure the settings used are indeed secure?
     
  25. crw030

    crw030 Pulling my weight

    Joined:
    Apr 26, 2016
    Messages:
    218
    Likes Received:
    110
    @xtropodx check that you don't have WAN management turned on in the ASUS router. On mine it's under "Administration" >> "System" >> "Enable WEB Access on WAN" (set to NO).

    Also disable AiCloud and UPnP. On mine it's under "WAN" >> "Internet Connection" >> "Enable UPnP" (set to NO).

    I've had this ASUS router on an always-on internet connection for literally YEARS, and it has never been hacked into. You just need to double check that you have kept your firmware up to date and tweaked all the settings to ensure you have the most secure configuration running that you can.
     
  26. 58chev

    58chev Getting the hang of it

    Joined:
    Aug 30, 2017
    Messages:
    194
    Likes Received:
    82
    Location:
    Etobi, Ontario
    @xtropodx ,
    Have you been keeping up with firmware updates?

    I know that I have been, and no issues. But then again I am running Merlin firmware.

    Most likely a backdoor hacker got in; I have read that the most common change from a hacker is the language.
     
  27. randytsuch

    randytsuch Pulling my weight

    Joined:
    Oct 1, 2016
    Messages:
    471
    Likes Received:
    150
    @xtropodx There is also the kind of obvious suggestion that port forwarding should be disabled.
    Also, if it happens again, I'd check the log ASAP and see if there is a clue to how someone else got in.

    This gave me an idea to revise my blog to add some suggestions for other settings to help secure an Asus router.
    1. Make sure firmware is up to date, and periodically check.
    2. Make sure port forwarding is disabled (need to see what page to check).
    3. Disable web access on WAN: "Administration" >> "System" >> "Enable WEB Access on WAN" (set to NO).
    4. Disable AiCloud and UPnP: "WAN" >> "Internet Connection" >> "Enable UPnP" (set to NO).

    I also think there is a setting to only let certain MAC addresses into your router; need to look at that. I'd make sure you have at least a couple of PCs enabled, in case one breaks you have a backup.

    Any other suggestions?
     
    xtropodx likes this.
  28. xtropodx

    xtropodx Young grasshopper

    Joined:
    Apr 30, 2017
    Messages:
    40
    Likes Received:
    6
    Thanks all. I am running Merlin firmware, running the latest 384.5; the most recent breach was on the previous v384.4_2. Just looking at possible avenues, and while I am still learning, I'm pretty sure at the last breach all these settings etc. were as they needed to be, disabled etc.

    I thought MAC addresses could be spoofed?
    For your blog, perhaps a more comprehensive detailing of settings with security in mind? Your blog mentions how to get it working, which is great, but there are many settings on the VPN server, and having some basic explanation or ideal minimum setting would be fantastic. EDIT: especially given the GUI looks slightly different now.

    I'm now stuck at the moment trying to block my cameras from accessing the internet, but then I can't access them via the VPN server.
     
  29. randytsuch

    randytsuch Pulling my weight

    Joined:
    Oct 1, 2016
    Messages:
    471
    Likes Received:
    150
    Yeah, you can spoof a MAC address, but then a bad guy would need to know which MAC address to spoof. It's another layer of protection.

    My philosophy for security is to make your security good enough that it's too much work to break in, so the bad guy will go find someone where it's much easier. And unfortunately, there are a lot of people where it's probably pretty easy to break in. Doesn't have to be perfect, just good enough that it's not worth the trouble.

    I'll try to update my blog, but honestly I don't understand all of the VPN settings. I just figured out how to make it work, and did some googling to figure out how to make it more secure. I'm a hardware type by trade, definitely not a network or IT type.

    BTW, I have my cameras on a VLAN to keep them safely segregated from my main network. Cams are known for having backdoors, so I feel safer keeping them locked out. They are only allowed to access each other and my BI PC, nothing else.
     
    xtropodx likes this.
  30. looney2ns

    looney2ns Known around here

    Joined:
    Sep 25, 2016
    Messages:
    5,166
    Likes Received:
    3,161
    Location:
    Evansville, Indiana
    GRC security port scanners.
    GRC | ShieldsUP! — Internet Vulnerability Profiling
    You possibly have something else on the network that has been hacked, not necessarily the router.
    Power down everything on your network, including router and modem, and leave them all powered off for 10 minutes.
    By power off, I mean unplug it from the wall.
    Then power back up, starting with the modem.
    In some cases this may clear any hacks.
     
    xtropodx and awsum140 like this.