The internet is a force of nature; no video surveillance system ever made was designed to be exposed to those forces.
NEVER FORWARD PORTS to your NVR or cameras. Doing so not only exposes you to severe security problems, but everyone else on the internet too.. Hackers don't want your video feeds, they want an always-on Linux box with decent internet connectivity that can be used to attack targets on the internet.. they want to turn your camera into a weapon of mass destruction.
What is a VPN? It's a Virtual Private Network; it provides you with full access to your home network when you're on a remote/foreign network.. It tunnels you across the internet and back into your LAN and secures everything in transit with very strong crypto..
Your home LAN is the corp network
The VPN tunnel is transparent; once connected it's effectively as if you were plugged directly into your home network.. All devices on your network will be reachable through their internal non-routable IP addresses.. The same configuration you use when you're on your home wifi will work once the VPN is connected.. in fact it will be exactly like you're on your home wifi when the VPN tunnel is up: all your file shares, printers, cameras and IoT devices will be available, and none will be aware of the VPN or the fact that you're remote.
How hard is it to set up a VPN Server? If you have a router that already includes a built-in VPN Server it's no more difficult than forwarding ports; in fact with some consumer routers like Asus many people find it even easier to set up than port forwards.. Site to Site VPN and some equipment may require very specific configurations and some more intense debugging.. It can range from very easy to very hard, so stack the odds in your favor with good research and testing.
Do I have to pay for a VPN service? No, this is a common point of confusion.. there are services out there that will run a VPN Server for you on a remote network.. these are used to hide your location from public internet services, such as watching Netflix from a US IP or downloading torrents without exposing your IP address to the swarm.. If you have an externally routable IP address you will run your own VPN Server on your own network, using free software.. so there are no subscription fees.
Will a VPN tunnel cause me to hit bandwidth limits faster? Practically no; the additional bandwidth used to encapsulate traffic in an encrypted tunnel is minimal, a tiny blip compared to your actual video stream.
Crypto speeds: this is the only real performance concern.. The first throughput bottleneck you're likely to encounter is how much data your VPN Server can encrypt in real time.. As long as your VPN Server can encrypt faster than your outbound/upload speed you'll never hit this bottleneck.. If you are on a typical residential connection with just a few Mbit of upload this is rarely ever a problem.. However if you have fiber-optic/business/European/Asian connectivity you will need to make some hardware considerations to ensure you have adequate performance to utilize your actual connectivity. Higher-end equipment (multicore 1GHz+ routers) is typically capable of 20Mbit or more of VPN throughput, which is faster than most typical home internet upload ceilings.. a router with a 600MHz single-core CPU will only do a few Mbit unless it has crypto hardware to accelerate it.. A Raspberry Pi 3 can do ~45Mbit; if you have faster uploads than that and wish to use those speeds over the VPN then you need to research VPN crypto benchmarks and find a device that can meet your needs, perhaps a dedicated VPN crypto appliance or a PC.
Where do I run my VPN Server? The best place is on your home router: since it has to be online and reachable for all remote connections anyhow, it's the best candidate. However if you have an always-on PC NVR you can also run it there with great performance, or on a dedicated VPN appliance such as a Raspberry Pi.
What do I do first? First check your router and see if it already has a built-in VPN Server that simply needs to be set up and configured.. Almost all business-class routers, some ISP-provided hardware and the vast majority of modern decent off-the-shelf routers already have support built in and just need you to use your GoogleFu to set it up; check YouTube for setup guides specific to your equipment.
My router does not have a built-in VPN Server! Well then see if your hardware supports one of the WRT-based firmwares; you can simply upgrade the firmware to DD-WRT, OpenWRT or Tomato (Google it) and add this software to your existing equipment.. it's easier than it looks and there is a large consensus among power users that the open-source firmware projects are far superior to most OEM offerings..
My router doesn't have support, it's old and I want something as simple as possible! Look at Asus's wireless routers; they seem to be the easiest for noobs to get going out of the box and the equipment is widely available.
I hate connecting to the VPN before I can open my cameras! VPN use is a requirement for every corporate employee in the world who needs to access their email or corporate network remotely.. If millions of poorly trained monkeys can manage to connect a VPN Client daily, what is your excuse? If you hate losing your house keys, you'd be pretty stupid to take the doors off your house..
You can route just your home LAN over the VPN connection; in this configuration leaving it permanently connected should not cause any issues and you won't have to do it manually every time.. some VPN clients/apps do auto-reconnect and/or dial on demand.
OpenVPN vs L2TP/IPSec vs other? Really the only choice is OpenVPN vs L2TP/IPSec; little else is as trustworthy as those two, and for most people OpenVPN is easier to set up and run.. OpenVPN requires clients to be installed on all your devices, whereas L2TP/IPSec clients are built in natively on every modern device (Windows/OSX/iOS/Android/Linux).. typically it's best to use what you have available already.. If you configure your OpenVPN server to listen on port 443, the same port as HTTPS websites, then you can expect it to work on even the most restrictive remote networks.
Credentials/logins & security? Give each device its own unique login and generate a one-time password for it and save it to the device.. this way if a device gets lost or stolen you can simply delete that user account, or if you upgrade/replace the device you just generate a new password and render the old one unable to log in, without having to change the credentials on all your devices every time you upgrade/lose an item.
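Putting the last three points together (route only the home LAN, listen on 443, one login per device), here is an added example that is not part of this post and not any router vendor's or OpenVPN's own material: a small POSIX shell script that writes an OpenVPN server config and a per-device client profile with those properties. It assumes easy-rsa 3 has already produced ca.crt, server.crt, server.key and ta.key; the client pool 10.8.0.0/24, the LAN 192.168.253.0/24, the device name phone1 and the hostname home.example.invalid are placeholders I chose. OpenVPN's equivalent of the "unique login per device" the post describes is a per-device certificate plus a CRL, which is what the issue/revoke helpers below do.

```shell
#!/bin/sh
# Added example (not the post's own material, and not any router vendor's
# config): generates the OpenVPN server config and a per-device client profile
# that the post describes. Assumptions: easy-rsa 3 has already produced
# ca.crt, server.crt, server.key and ta.key in the OpenVPN directory; the VPN
# client pool 10.8.0.0/24 and the hostname home.example.invalid are placeholders.

# Server config: listens on TCP 443 (same port as HTTPS), pushes ONLY the home
# LAN route (no redirect-gateway, so clients can stay connected all day), and
# honours a CRL so a single lost device can be cut off without touching the rest.
gen_server_conf() {
  lan_net=$1   # e.g. 192.168.253.0 (a subnet unlikely to collide with remote networks)
  lan_mask=$2  # e.g. 255.255.255.0
  cat <<EOF
port 443
proto tcp-server
dev tun
ca ca.crt
cert server.crt
key server.key
dh none
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
server 10.8.0.0 255.255.255.0
push "route $lan_net $lan_mask"
crl-verify crl.pem
keepalive 10 120
persist-key
persist-tun
user nobody
group nogroup
verb 3
EOF
}

# Client profile for one device. Each device has its own cert/key, so nothing
# has to be re-typed on the others when one is revoked. Add
# "redirect-gateway def1" to this profile if you want ALL traffic (not just
# the home LAN) sent through the tunnel while on public wifi.
gen_client_ovpn() {
  dev=$1   # device name used when its cert was issued, e.g. phone1
  host=$2  # your Dynamic DNS name
  cat <<EOF
client
dev tun
proto tcp-client
remote $host 443
resolv-retry infinite
nobind
persist-key
persist-tun
remote-cert-tls server
ca ca.crt
cert $dev.crt
key $dev.key
tls-crypt ta.key
cipher AES-256-GCM
auth SHA256
verb 3
EOF
}

# Per-device certificate lifecycle (needs easy-rsa 3 on the server; these two
# are not exercised offline). Revoking regenerates the CRL; copy pki/crl.pem
# over the server's crl.pem and that one device can no longer connect.
issue_device()  { easyrsa build-client-full "$1" nopass; }
revoke_device() { easyrsa --batch revoke "$1" && easyrsa gen-crl; }

# Usage: gen_server_conf 192.168.253.0 255.255.255.0 > server.conf
#        gen_client_ovpn phone1 home.example.invalid > phone1.ovpn
```

The design choice worth noting is `push "route ..."` without `redirect-gateway` on the server: the client only sends home-LAN traffic through the tunnel, which is what makes leaving it permanently connected painless; the one line a client adds to its own profile when it sits on untrusted wifi is `redirect-gateway def1`.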
Why is a VPN more secure than just setting a strong password on my video system? For starters, most video systems have undocumented backdoor credentials so the installer/vendor can unlock the device when the end user locks themselves out.. They do not come secure by default, and they are also susceptible to remote attacks that bypass your logins altogether to run malicious code directly on the hardware without your knowledge.. They do not automatically update for security issues without intervention like your desktop/laptop/phone, and you can't easily even tell what software is running on them.. Whereas VPN Servers are designed for direct internet exposure, have been audited by security professionals, and receive constant scrutiny that results in vulnerabilities being exposed quickly and fixed promptly.. Updating firmware on cameras is risky; recovery options in the event of failure are minimal if they exist at all.. when an update blows up on your computer/mobile you can reinstall and restore in the worst case, but that's not an option for your video surveillance devices.
Site to Site VPN or Remote Client VPN? Typically you want to set up a Remote Client VPN, unless you want to permanently bridge two networks so no clients are required on them.. for example if you have a vacation property you may want to set up a Site to Site VPN to your vacation property and then use a Remote Client VPN into your home LAN.. then your remote VPN connection can access both video surveillance systems on the same network, and both networks are directly connected.
Dynamic DNS? Yes, you'll want to set this up, preferably on your router or VPN Server, but your cameras/NVR are also likely to have this feature.. Most internet connections have dynamic addresses, and this ensures you can always find your VPN Server and don't have to reconfigure VPN Clients when your server's IP changes.
Most common VPN Setup mistakes:
- Using a commonly used subnet for your home network. You may want to re-address your network to a subnet you're unlikely to encounter remotely.. for example if your home network is 192.168.1.0 and your work network is 192.168.1.0 you'll find your remote VPN routes won't work, from work heh.. but if your home network is 192.168.253.0 you're less likely to encounter a remote network that collides with your home subnet..
- Not using your VPN for everything when on public wifi. When you're on an unencrypted public wireless network anyone nearby can sniff your traffic right out of the air.. but once you enable that VPN tunnel back to your home network all your traffic is encrypted and secure from anyone, even the local network admins.
- Not specifying gateway addresses for IoT devices. You may think this keeps them off the internet altogether, but it can also prevent you from reaching them over the VPN, because your VPN Server is likely to put you in its own subnet and route traffic between your LAN and the VPN on its own; a device with no gateway has no way to send replies back to that subnet.
- Not disabling UPnP and shutting down old port forwards after you have the VPN set up.
- Not syncing time correctly. Crypto requires your devices to have the correct time set.. if your server or clients do not have a time source configured they will be unable to log in.
- Not having an externally routable IP. If your VPN Server is on a satellite or mobile network you may not be able to remotely connect to anything.. port forwards won't work either. The best option for these networks is to establish a point-to-point outbound VPN connection to an external server you run on another network or subscribe to.
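The first mistake in that list (a home LAN that collides with the network you happen to be connecting from) is easy to check on paper before you touch any config. As an added example that is not part of this post, here is a pure POSIX shell script with the subnet arithmetic needed to test a home LAN, a VPN client pool and any remote networks against each other; the list of "common default" subnets is my own assumption of what hotel, office and ISP routers tend to hand out, and 10.8.0.0/24 as the VPN pool is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the post: pure-shell subnet maths to catch a home
# LAN that collides with the network you are connecting from, before the VPN
# is configured. COMMON_SUBNETS is an assumed list of subnets often seen on
# hotel/office/ISP routers, not a fact taken from the post.

# Dotted quad -> 32-bit integer.
ip2int() {
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# Prefix length -> 32-bit netmask integer.
mask_of() {
  [ "$1" -eq 0 ] && { echo 0; return; }
  echo $(( (0xFFFFFFFF << (32 - $1)) & 0xFFFFFFFF ))
}

# subnets_overlap A/len B/len : exit 0 if the two ranges share any address.
# Two ranges overlap exactly when they agree on the shorter of the two prefixes.
subnets_overlap() {
  a_ip=${1%/*}; a_len=${1#*/}
  b_ip=${2%/*}; b_len=${2#*/}
  len=$a_len; [ "$b_len" -lt "$len" ] && len=$b_len
  m=$(mask_of "$len")
  [ $(( $(ip2int "$a_ip") & m )) -eq $(( $(ip2int "$b_ip") & m )) ]
}

# Subnets you are likely to meet on someone else's network (assumed list).
COMMON_SUBNETS="192.168.0.0/24 192.168.1.0/24 192.168.2.0/24 192.168.100.0/24 10.0.0.0/24 10.0.1.0/24 10.1.1.0/24 172.16.0.0/24"

# is_common_subnet CIDR : exit 0 if CIDR overlaps any of the usual defaults.
is_common_subnet() {
  for s in $COMMON_SUBNETS; do
    subnets_overlap "$1" "$s" && return 0
  done
  return 1
}

# check_vpn_plan HOME_LAN VPN_POOL [REMOTE_NET...] : prints findings, exit 1 on any.
check_vpn_plan() {
  home=$1; pool=$2; shift 2
  rc=0
  if is_common_subnet "$home"; then
    echo "WARN: home LAN $home is a common default; consider re-addressing (e.g. 192.168.253.0/24)"; rc=1
  fi
  if subnets_overlap "$home" "$pool"; then
    echo "FAIL: VPN pool $pool overlaps home LAN $home"; rc=1
  fi
  for r in "$@"; do
    if subnets_overlap "$home" "$r" || subnets_overlap "$pool" "$r"; then
      echo "FAIL: remote network $r collides with $home or $pool; routes over the VPN will not work from there"; rc=1
    fi
  done
  [ $rc -eq 0 ] && echo "OK: $home / $pool do not collide with the given remote networks"
  return $rc
}

# Usage: check_vpn_plan 192.168.253.0/24 10.8.0.0/24 192.168.1.0/24 10.0.0.0/8
```

Run it with your home LAN, the pool your VPN Server hands out, and the subnets of the places you connect from most (work, a relative's house); a corporate 10.0.0.0/8 will flag a 10.8.0.0/24 VPN pool just as readily as a 192.168.1.0/24 home LAN, which is why both get checked.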
I need step-by-step handholding because I am so dense I can bend light with my gravity! Sounds like you should ask your grandkids, or whoever managed to teach you the internet.. Properly securing a network requires understanding and comprehension, and there is no single best way to do any of this.. You need to read, ask questions, and help yourself.. nobody is going to do this for you; if you want to operate an internet-connected IP network in the modern world, this is basic stuff you have to understand, or else you are putting us all at risk.
This post is living and may be updated/changed at any time.