VPN Primer for Noobs

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Okay, just want to be sure I am understanding correctly, so on my Windows phone VPN setup page I can choose "L2TP with IPsec" and on the router I don't have to turn on the OpenVPN? ...and that the "L2TP with IPsec" setting I choose on my Windows phone VPN setup page will allow my phone to connect to my LAN (and camera on the LAN) since on the router page below "L2TP Passthrough" and "IPsec Passthrough" were already enabled?

View attachment 22983
Correct. You'd need some OpenVPN client in order to use the built in Asus OpenVPN server so it's not going to do anything for you in this case.

The other settings that you've attached will allow VPN traffic to pass through the router. But it's not providing the VPN server itself. That alone will not provide the other end of the incoming VPN connection that you're trying to set up.
 

Probird79

Getting the hang of it
Joined
Aug 23, 2017
Messages
161
Reaction score
51
Most of that looks as it should but you'll need to turn OpenVPN on. That's your VPN server. Can't see how that's set from your pic.

UPnP should be turned off at the router. That will prevent anything like your cams from forcing things open on their own. You should turn it off on the devices as well but some don't necessarily follow what you set so killing it at the router makes sure. Also turn off any P2P-type functions in the cams (unless you're using it) to keep things from 'phoning home.' Again, some try to even when you've turned such things off on the cam.

Port Forwarding should be off as you have it unless you have some specific need. Coming in via VPN typically not. Also check that Port Trigger and DMZ are turned off.

You can use the Asus DDNS instead of No-IP. Either works. No-IP will work in some cases where the Asus DDNS doesn't (double NAT behind another router) but otherwise basically the same.

Under Administration > System, make sure that "Enable Web access from WAN" is turned off (permits remote access to the same pages that you're looking at). Also check that telnet is turned off. You can flip it on/off as you need it.

Under IPv6 set that to disabled unless you have some reason to enable it.

Under Firewall, it should be set on. DDOS doesn't matter much but generally I'll leave that turned on. Respond to ICMP doesn't matter much but generally I turn it off just so that there's not an immediate ping picked up by port scanners. Harder scans still will pick up that there's something there.

Separate consideration but under Wireless make sure that WPS is set to off.

Depending on how you're set up, some other things that you can do to harden it a little more and you also can block Internet access for specific devices, either erase or plug with nonsense values the gateway and DNS server settings on the devices, set up VLANs, etc., to keep things segregated and from getting in/out but that's kind of a next step. Get the basics working first.
Quoting this to save for future use.
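
The checklist quoted in the post above, together with Mike A.'s point that passthrough alone does not provide a VPN server, written as a settings audit. This is an added example, not part of the original thread: the key names are hypothetical labels for the GUI toggles (not Asus firmware variables), the "must"/"minor"/"info" tiers are this example's own, and the sample dump is constructed.

```python
# Hypothetical keys naming the GUI toggles from the post; tiers are this example's labels.
CHECKLIST = [
    ("upnp", "off", "must", "cams can force ports open on their own"),
    ("port_forwarding", "off", "must", "not needed when coming in via VPN"),
    ("port_trigger", "off", "must", "post says to check it is off"),
    ("dmz", "off", "must", "post says to check it is off"),
    ("wan_web_access", "off", "must", "permits remote access to the admin pages"),
    ("telnet", "off", "must", "flip on only while needed"),
    ("ipv6", "off", "must", "disable unless there is a reason"),
    ("firewall", "on", "must", "should be set on"),
    ("wps", "off", "must", "post says to set it off"),
    ("dos_protection", "on", "minor", "doesn't matter much"),
    ("respond_icmp", "off", "minor", "only hides from quick ping scans"),
]
ON = {"on", "1", "yes", "enabled", "true"}
OFF = {"off", "0", "no", "disabled", "false"}

def parse_settings(text):
    """Parse whitespace-separated key=value pairs; values normalise to on/off."""
    settings = {}
    for token in text.split():
        key, sep, value = token.lower().partition("=")
        if sep:
            settings[key] = "on" if value in ON else "off" if value in OFF else value
    return settings

def audit(settings):
    """Return (key, tier, problem) per deviation; a missing key is never assumed safe."""
    findings = []
    for key, want, tier, why in CHECKLIST:
        have = settings.get(key)
        if have is None:
            findings.append((key, tier, "not in dump, check by hand"))
        elif have != want:
            findings.append((key, tier, f"is {have}, should be {want}: {why}"))
    # Passthrough only lets VPN traffic cross the router; something must terminate it.
    passthrough = "on" in (settings.get("l2tp_passthrough"), settings.get("ipsec_passthrough"))
    if passthrough and settings.get("vpn_server") != "on":
        findings.append(("vpn_server", "info", "passthrough on, but no VPN server enabled"))
    return findings

# Constructed sample dump, not a real router export (dos_protection left out on purpose).
SAMPLE = """upnp=enabled port_forwarding=off port_trigger=off dmz=off wan_web_access=on
telnet=off ipv6=disabled firewall=on respond_icmp=yes wps=off
l2tp_passthrough=on ipsec_passthrough=on vpn_server=off"""

if __name__ == "__main__":
    for finding in audit(parse_settings(SAMPLE)):
        print(*finding, sep=" | ")
```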
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
Correct. You'd need some OpenVPN client in order to use the built in Asus OpenVPN server so it's not going to do anything for you in this case.

The other settings that you've attached will allow VPN traffic to pass through the router. But it's not providing the VPN server itself. That alone will not provide the other end of the incoming VPN connection that you're trying to set up.
I'm really sorry to ask again, but when you said "correct" to my post, were you agreeing that if on my windows phone VPN setup page I choose "L2TP with IPsec" and on the router I don't turn on the OpenVPN that the "L2TP with IPsec" setting I choose on my windows phone VPN setup page will allow my phone to connect to my LAN (and camera on the LAN) since on the router "L2TP Passthrough" and "IPsec Passthrough" are enabled ?
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
I'm really sorry to ask again, but when you said "correct" to my post, were you agreeing that if on my windows phone VPN setup page I choose "L2TP with IPsec" and on the router I don't turn on the OpenVPN that the "L2TP with IPsec" setting I choose on my windows phone VPN setup page will allow my phone to connect to my LAN (and camera on the LAN) since on the router "L2TP Passthrough" and "IPsec Passthrough" are enabled ?
Yes to not turning on OpenVPN since you won't be using it.

No to allowing your phone to connect. It will permit the traffic to flow through, BUT you still need some VPN server running on your network. Without that, there's nothing for that traffic to connect to.

The built-in OpenVPN server on the Asus router provides that server function in that case. But if you have no client for it, then you're not doing that.
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
Yes to not turning on OpenVPN since you won't be using it.

No to allowing your phone to connect. It will permit the traffic to flow through, BUT you still need some VPN server running on your network. Without that, there's nothing for that traffic to connect to.

The built-in OpenVPN server on the Asus router provides that server function in that case. But if you have no client for it, then you're not doing that.
Okay, thanks, so is there VPN server software that I can download to my laptop that will connect with my phone's "L2TP with IPsec" ?

Edit to add: I just did a quick search and found this, would this work ? SoftEther VPN Project - SoftEther VPN Project
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
I just thought of something, there has to be other forum members who use a Windows phone with the Hikvision ivms-4500 app for Windows phones to remotely access the IP cam on their home LAN, if I could find out what they used for a VPN server that would work with a Windows phone that would really help, I'll have to do some forum searches, but it isn't always easy to find exactly what you're searching for
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
Okay, thanks, so is there VPN server software that I can download to my laptop that will connect with my phone's "L2TP with IPsec" ?

Edit to add: I just did a quick search and found this, would this work ? SoftEther VPN Project - SoftEther VPN Project
Haven't used it. Says that it does. You'll likely need to work out things with the Windows firewall, etc., wherever you're running it.

You say on your notebook... If you're just trying to connect to one machine, then there may be some easier ways to do that.
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
Haven't used it. Says that it does. You'll likely need to work out things with the Windows firewall, etc., wherever you're running it.

You say on your notebook... If you're just trying to connect to one machine, then there may be some easier ways to do that.
We only have one security camera I need to connect, a Hikvision DS-2CD2342WD-I 4MM and want to be able to view it thru our home LAN WIFI when at home and from our Windows phones when away from our home WIFI. What would be the easier ways to do both those things ?
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
On the graphic below, it shows a windows mobile phone at the far top right and arrows from it shows 2 possible ways to connect, but I'm not sure which would be best for my router -
softethervpnserver.jpg
 

Mike A.

Known around here
Joined
May 6, 2017
Messages
3,825
Reaction score
6,377
We only have one security camera I need to connect, a Hikvision DS-2CD2342WD-I 4MM and want to be able to view it thru our home LAN WIFI when at home and from our Windows phones when away from our home WIFI. What would be the easier ways to do both those things ?
If only one cam, then you might want to look at just using Hikvision's P2P service. Looks like the IVMS-4500 app does support what they call their Hik-Connect cloud service. Not as secure as VPN but better than having the cam just hanging off of the Internet on a forwarded port. I've not used their client or cloud service but I'm sure that someone else here has.

If you had an easier path to setting up a VPN, then I'd say yeah do that. But having to run some separate VPN server on a machine that's going to need to be left on and having to set up and troubleshoot all of that, etc., just for one cam seems like a lot to go through to me. That's vs something that you can do reasonably securely otherwise by just registering and scanning a bar code and you're pretty much done. The latter might be the better way to go. At least to get started and you can look at doing something more elaborate from there.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
As an Amazon Associate IPCamTalk earns from qualifying purchases.

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
If only one cam, then you might want to look at just using Hikvision's P2P service. Looks like the IVMS-4500 app does support what they call their Hik-Connect cloud service. Not as secure as VPN but better than having the cam just hanging off of the Internet on a forwarded port. I've not used their client or cloud service but I'm sure that someone else here has.

If you had an easier path to setting up a VPN, then I'd say yeah do that. But having to run some separate VPN server on a machine that's going to need to be left on and having to set up and troubleshoot all of that, etc., just for one cam seems like a lot to go through to me. That's vs something that you can do reasonably securely otherwise by just registering and scanning a bar code and you're pretty much done. The latter might be the better way to go. At least to get started and you can look at doing something more elaborate from there.
Thanks, and from what I read I definitely don't want a forwarded port open to the internet.

I'm going to first get my camera connected to my LAN this week (not installed outside yet, but just have it sitting loose in the house just to get it set up before physically installing it outside)

Then I'll try the ivms-4500 app because it is a windows phone app so you would think it should work to view my camera right ?

If that doesn't work, I'll see about the Hikvision P2P you mentioned, it sounds like it should work if nothing else does, I tried doing a search to see if it was free as I can't be paying a monthly fee on a budget, but I did not yet see anything about any cost, so hopefully it's a free service for those who have bought their camera.
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
If that doesn't work, I'll see about the Hikvision P2P you mentioned, it sounds like it should work if nothing else does, I tried doing a search to see if it was free as I can't be paying a monthly fee on a budget, but I did not yet see anything about any cost, so hopefully it's a free service for those who have bought their camera.
Avoid Hikvision P2P, unless you feel comfortable putting your security in the hands of the Chinese government.
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
@GKL, if there is no open vpn client that will run on your windows phone, you are out of luck...better off with a business router that supports l2tp that is built into windows...bite the bullet, and never look back...this unit for 229 has an EZ mode for easy setup including ez vpn setup..
https://www.amazon.com/Generation-Firewall-Gigabit-802-11ac-USG20W-VPN/dp/B01E1DSIMI/ref=sr_1_1_sspa?s=electronics&ie=UTF8&qid=1509414403&sr=1-1-spons&keywords=USG20W-VPN&psc=1
Thanks, I wish I could just get that, but being retired on social security my budget was doing good to get the camera and vpn router for now, it would have to be a consideration for later on perhaps.

As I mentioned to the other poster, I would think the ivms-4500 app should work since it is a windows phone app right ?

Also, what do you think of their idea of using the Hikvision P2P service?
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
Avoid Hikvision P2P, unless you feel comfortable putting your security in the hands of the Chinese government.
Is there a similar p2p program that you think would be more trustworthy ?
 

fenderman

Staff member
Joined
Mar 9, 2014
Messages
36,897
Reaction score
21,250
Thanks, I wish I could just get that, but being retired on social security my budget was doing good to get the camera and vpn router for now, it would have to be a consideration for later on perhaps.

As I mentioned to the other poster, I would think the ivms-4500 app should work since it is a windows phone app right ?

Also, what do you think of their idea of using the Hikvision P2P service?
iVMS will do nothing for you if you cannot connect to the network...your Asus router requires a VPN client on your phone.
I would not trust Hikvision P2P for a second. No, there is nothing else that will work.
Alternatively, if your carrier is GSM (AT&T, T-Mobile, etc.) there are a bunch of 50-100 dollar Android phones available that will likely blow away your Windows phone...
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
iVMS will do nothing for you if you cannot connect to the network...your Asus router requires a VPN client on your phone.
I would not trust Hikvision P2P for a second. No, there is nothing else that will work.
Alternatively, if your carrier is GSM (AT&T, T-Mobile, etc.) there are a bunch of 50-100 dollar Android phones available that will likely blow away your Windows phone...
Wow, if that means all the Windows phone users of ivms-4500 also have to own expensive business class routers, that is a bummer indeed. If our phones were older switching back to Android might be an option but our Windows phones are fairly new.

So are you saying Hikvision would hack into our computers thru the p2p ?

It's beginning to look like Hikvision IP cameras and consumer class routers have such a limited compatibility I might have been better off waiting a few years for the technology to be more widely compatible. Anyhow, I'll see this week if I can get it to work remotely somehow, otherwise I guess it will only be usable thru our home WIFI, or maybe I'll just store it away for a couple years till they make an OpenVPN app for Windows phones. This stuff can be frustrating when you just wanted one simple camera setup but then it seems like you need to spend hundreds extra for other stuff to get one camera to work. Anyhow, I really do appreciate your efforts to be of help!
 

username

Getting the hang of it
Joined
Feb 7, 2016
Messages
116
Reaction score
18
Wow, if that means all the Windows phone users of ivms-4500 also have to own expensive business class routers, that is a bummer indeed. If our phones were older switching back to Android might be an option but our Windows phones are fairly new.
@GKL. Suggest you Google "openvpn connect windows phone client" for some info on getting your Windows phone to use OpenVPN. There is at least one hit with that search, whether or not it is suitable... you will have to check.
 

GKL

Getting the hang of it
Joined
Oct 20, 2017
Messages
167
Reaction score
8
iVMS will do nothing for you if you cannot connect to the network...your Asus router requires a VPN client on your phone.
I would not trust Hikvision P2P for a second. No, there is nothing else that will work.
Alternatively, if your carrier is GSM (AT&T, T-Mobile, etc.) there are a bunch of 50-100 dollar Android phones available that will likely blow away your Windows phone...
What about SoftEther VPN? It looks like it might be a solution.
softethervpnserver.jpg
 