VPN Primer for Noobs

Discussion in 'IP Cameras' started by nayr, Nov 6, 2016.


What VPN Solution are you using?

  1. OpenVPN

    63.1%
  2. IPSec/L2TP

    12.0%
  3. on an OEM Asus Router

    15.7%
  4. on a WRT flashed Router

    9.1%
  5. on a pfSense Router

    8.9%
  6. on my PC NVR (BlueIris, Milestone, etc)

    4.6%
  7. on a dedicated device (Raspberry Pi, VPN Concentrator, etc)

    5.4%
  8. ssh tunnels are the only way to roll

    1.7%
  9. on my NAS (Synology, FreeNAS, etc)

    6.3%
  10. on an OEM Netgear Router

    4.9%
Multiple votes are allowed.
  1. nbstl68

    nbstl68 Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    958
    Likes Received:
    116
    My setup is as follows:

    CenturyLink ZYXEL C1100z modem \ wireless Router -> Linksys Cisco SRW248G4P 48 Port POE Switch -> HP computer dedicated to BI server

    Neither the router nor the managed switch (as far as I know) supports using or installing VPN.
    So would it be best practice to run VPN software on the computer, or figure out something additional like the Raspberry Pi setup I have read about here?

    If the RPi, then where \ how would it connect in exactly?

    Pros \ cons to running VPN on the computer other than taking away additional CPU from BI if needed?

    Best options for VPN software in this case?
    (I have 0 experience with this sort of thing other than reading this forum and other posts here.) OpenVPN? It seems to be the most popular option around here.

    My DSL provider changes up my IP address quite often...like sometimes more than once a week. Is this a concern?
    Thanks
     
  2. Paulx

    Paulx Young grasshopper

    Joined:
    Aug 23, 2017
    Messages:
    53
    Likes Received:
    16
    I am by no means an expert, but I will kind of tell you my journey. I ended up buying an Asus wireless router with an OpenVPN server built into its firmware. I too have a CenturyLink Zyxel modem/router/wireless, but a different model. With some hand holding (LOL) I was advised to change the protocol from PPPoE to Transparent Bridging mode. This will bring the public IP into and through their modem. Now you will need to know your user name and password. These will be programmed into the Asus. The WAN side will also be set to dynamic IP. Now, with CL giving you a dynamic IP address, this is going to be a problem, but Asus also offers a DDNS service that is a snap to set up in their router. Think up a fictitious user name for your account and type that into the router. This DDNS will talk with your router from time to time to keep updated on the changing public address that CL assigns to your account.
    That said, I believe that using a Pi solution will require either a static IP from CL or buying a DDNS service. Either of these two solutions is going to cost you more money. The Asus solution does not cost a monthly fee.
     
  3. nbstl68

    nbstl68 Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    958
    Likes Received:
    116
    Thanks! Would running the VPN on the computer also require a static IP?
    This seems like the cheapest solution vs having to buy a new router.
     
  4. Paulx

    Paulx Young grasshopper

    Joined:
    Aug 23, 2017
    Messages:
    53
    Likes Received:
    16
    I would think you would still need a DDNS service provider, thus a monthly service fee. Or pay CL for a static IP address. I believe that is a service fee of 90 bucks and then 10 bucks per month. I almost went that route, but customer service sucks and I backed away when they could not answer some questions. And if you have done much with CL you know they suck. My caller ID still shows the last person who had my phone number. So if I call someone they think I am someone else. Even after calling and being told about 5 times that they changed the caller ID info.
    So, it's your call. Pay once (abt 150 bucks) and cry, or pay a little over and over and cry every month.
     
    58chev likes this.
  5. 58chev

    58chev Getting the hang of it

    Joined:
    Aug 30, 2017
    Messages:
    129
    Likes Received:
    42
    Location:
    Etobi, Ontario
    @nbstl68, suck it up and get yourself an ASUS router to simplify the issue at hand.
    I went that route also, and within less than 24 hrs I was up and running on OpenVPN. On my router, there is no noticeable CPU usage while running VPN and viewing two camera feeds at the same time.
    I cannot say how running VPN on BI will affect CPU usage.

    @Paulx - You did good with a "Little hand holding" :D
     
    BeerNut and Paulx like this.
  6. Paulx

    Paulx Young grasshopper

    Joined:
    Aug 23, 2017
    Messages:
    53
    Likes Received:
    16
    @58chev thanks for those encouraging words when I was uncertain.
     
  7. nbstl68

    nbstl68 Pulling my weight

    Joined:
    Dec 15, 2015
    Messages:
    958
    Likes Received:
    116
    Alrighty then... I'm picking up that you are hinting I should get an ASUS router and run OpenVPN on it.
    I'll give it a go.
     
    58chev likes this.
  8. economypilot

    economypilot n3wb

    Joined:
    May 16, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Amelia Island
    Hello! I'm new to the site. I've done lots of reading on here trying to get up to speed, but I haven't had luck so far determining what issue I am having with my VPN connection.

    I have a Lorex LNR616 DVR, which I believe has the Dahua interface. I have the DVR set up in the home office, which also serves an IPsec/L2TP VPN.

    The only external ports I have open are for a business website. Via the VPN I have many servers operating which all work quite well. I have a SIP server, various IoT web servers, a file server, can remote access my machines in both directions, etc. If I search the remote subnet for my IP cameras from Flir Cloud, it will find them, add the cameras, and connect. However, when I go to stream or save video, the video never comes through the connection. Flir Cloud will say "Failed to connect to video" or "Search stream timeout". This same behavior occurs whether I attempt to access the cameras directly or via the DVR.

    Additionally I am unable to access the web interfaces of the remote cameras from the home office.....

    In poking around myself (in the dark, no doubt), I have determined...

    - Home office is able to ping the cameras, with delays averaging about 23 ms.
    - Home office is able to telnet to all relevant ports on the cameras (80, 443, 35000, etc.)

    To my untrained eye, it seems the traffic is making it across the VPN, hitting the cameras, but the cameras are then ignoring that traffic. Do they ignore traffic from other subnets by default? I've been through the settings and cannot see anything like that. I do see a bless list for IP address ranges, but the enabled box is not checked in that section, and just for kicks I added the relevant networks, but still no joy on the video stream.

    So, yeah, I'm stumped. Need some next level ninja help.
     
  9. economypilot

    economypilot n3wb

    Joined:
    May 16, 2018
    Messages:
    2
    Likes Received:
    0
    Location:
    Amelia Island
    Update: I used netcat to verify UDP connectivity by setting up a listener at the remote site and sending traffic from the home office, and vice versa. So I do in fact have confirmed UDP connectivity via the VPN.
     
  10. TL1096r

    TL1096r Getting the hang of it

    Joined:
    Jan 28, 2017
    Messages:
    195
    Likes Received:
    10
    You ain't kidding. While being a great write-up, having a step-by-step DIY on how to set it up can really help.
     
  11. brad2388

    brad2388 Young grasshopper

    Joined:
    Oct 5, 2016
    Messages:
    93
    Likes Received:
    6
    Nice write up!

    My question/problem is I'm currently on AT&T LTE with no way out.

    What's the best way to set up a VPN? I currently am using an EdgeRouter X.

    Can I set up an RPi running VPN and have the NVR connect through that? If so, how would I set that up?


     
  12. Barboots

    Barboots Young grasshopper

    Joined:
    Mar 15, 2018
    Messages:
    35
    Likes Received:
    15
    Location:
    Perth, Western Australia
    I'm currently trying to decide whether to throw $230 into a new Asus modem, or whether to have a go at Gargoyle/Tomato/OpenWRT on a Netgear WNDR3800. We're still on ADSL+ but fibre is coming; at this moment the maximum speed of the VPN isn't an issue.

    It would have been nice if I could have implemented a reasonably secure interim configuration with the basic modem/router I currently have, along with the D-Link DGS-1100-24P I bought.

    Anyway, what I'm curious about is whether anyone has commentary on the open firmware options... I am quite interested in Gargoyle.

    Cheers, Steve
     
  13. Barboots

    Barboots Young grasshopper

    Joined:
    Mar 15, 2018
    Messages:
    35
    Likes Received:
    15
    Location:
    Perth, Western Australia
    Sort of answering my own post about Gargoyle...

    I've just finished setting it up on the Netgear with OpenVPN. I had a steep learning curve as I'm not good with networking. I'm quite proud that I didn't bother anyone here (or elsewhere) with my stupid questions about the set-up in general.

    Gargoyle was straightforward to flash and has a clean interface. The inbuilt OpenVPN would be easy to use if you were not a noob like me. It works great with the "OpenVPN for Android" app, even building one-click configuration files to import. Speed from the old hardware is still far better than the ADSL we suffer here.

    However, the other reason I've posted now is to thank those who promoted doing things properly with regard to security, and in particular remote access. My girlfriend suggested that I just use P2P like most other consumers would, but I wanted to do the right thing by myself and the internet community. Thanks for the guidance onto the high road.

    Cheers, Steve
     
    awsum140 likes this.
  14. Barboots

    Barboots Young grasshopper

    Joined:
    Mar 15, 2018
    Messages:
    35
    Likes Received:
    15
    Location:
    Perth, Western Australia
    Is the GRC "Shields Up" group of services an adequate check? I noticed that you can't scan all ports from 1 to 65535.

    Is there anything the gurus can recommend?

    Cheers, Steve