VPN Primer for Noobs

With a VPN, on a home router, would I be able to connect to the camera's web GUI just like I was on my home PC?

Also, do I leave my phone connected to it all the time, like when I am on cell data, or if I am in a different part of the country?

Does all my mobile data internet traffic go through my home internet while connected to the VPN? If I have a metered connection at home, does my phone connected to the VPN use my home data while not at home?

Is the VPN really free to set up as long as I have a router with DD-WRT or a VPN-specific router?
 
Running an Asus RT-AC3100 with OpenVPN. Everything seems fine other than I can't download anything from the Google app store when connected to the VPN with my OnePlus 5. Am I missing something or is that normal?
 
> With a VPN, on a home router, would I be able to connect to the camera's web GUI just like I was on my home PC?

Yes.

> Also, do I leave my phone connected to it all the time, like when I am on cell data, or if I am in a different part of the country?

You can if you want to.

> Does all my mobile data internet traffic go through my home internet while connected to the VPN? If I have a metered connection at home, does my phone connected to the VPN use my home data while not at home?

Yes. And yes, I believe so.

> Is the VPN really free to set up as long as I have a router with DD-WRT or a VPN-specific router?

Yes.
 
My Pi at home runs...

Pihole (whole network advertising blocker. This also blocks ads on my phone because I stay connected to my VPN all the time when away from home)

UniFi Controller (for my 3 Ubiquiti UniFi access points)

VNC viewer (I also have this on my phone and can have access to my remote desktop from my phone anytime I want. Comes in handy when I think a website is not working correctly on my mobile phone, and want to visit the webpage in a "real" browser on a "real" computer)

Domoticz (my home automation controller. Had to change the default port of Domoticz from 8080 because the UniFi controller needed that port.)

Kodi (my home entertainment)

I use the JuiceSSH app on my phone to SSH into the Pi quite often as well. Gives me quick access to the command line of a Linux box at home when I'm sitting at work, have an idea and want to try something really quickly.

This might be all....will update if I think of anything else. When we originally got the pi it was just to run Kodi and I also plugged a portable USB drive into it that acted as our Network storage. I have a NAS now that takes care of that though (my NAS also is my VPN server)

On my parents' Pi I have Pi-hole and a VPN server. I use NoMachine once connected to their VPN to remote desktop into their computers to help them with computer issues since they live 1.5 hrs away.

Why the choice to use the NAS for VPN instead of the RPi? I've been using my Pi with PiVPN for a while with no problems but I've recently purchased a Synology NAS and am thinking of moving the VPN over.
 
No particular reason. The NAS was super easy to set up, I can easily add or remove clients and it's ALWAYS on.

It's probably more likely that your NAS will be running 24/7 more consistently than the Pi. That would be the only consideration I would have.

Also if I decide to wipe the Pi and start fresh for some reason it's one less thing I gotta set up. I've already done this once when upgrading SD cards in the Pi.
 
Hi guys, I have been doing a lot of reading and have read this thread twice. Suppose I have gotten cold feet and need to run a few facts past you guys. My ISP is CenturyLink and their support sucks. Otherwise I would be getting a static IP. As it is, I will be stuck with a dynamic IP. And that is the part that has me scared to proceed. My wife's small business depends on our network connection. So, I want to make sure I don't brick our ZyXEL PK5001Z modem/router. Read somewhere in another thread that once it is put into transparent mode, it might be hard to return to ADSL_ADSL2+ mode.

So I am thinking that I need to do the following after copying all of the settings in my PK5001Z, so I have them when setting up my Asus RT-AC66U_B1.

1. Turn off NAT, Turn off wireless radio. Anything else?
2. Change ISP Protocol to Transparent Bridging 8/35

On the Asus, follow Randy's notes.

If I get caught up with problems, how do I return the PK5001Z to the current mode of operation? I read where someone could not connect to the PK5001Z to make changes to the modem/router. I am good with simple networking, but this is a step up and I could use a few pointers.

Thanks
 
The internet is a force of nature; no video surveillance system ever made was designed to be exposed to those forces. NEVER FORWARD PORTS to your NVR or cameras; doing such things not only exposes you to severe security problems, but everyone else on the internet too. Hackers don't want your video feeds, they want an always-on Linux box with decent internet connectivity that can be used to attack targets on the internet. They want to turn your camera into a weapon of mass destruction.

What is a VPN? It's a Virtual Private Network; it provides you with full access to your home network when you're on a remote/foreign network. It tunnels you across the internet and back into your LAN and secures everything in transit with very strong crypto.

[Image: VPN diagram. Your home LAN is the corp network.]

The VPN tunnel is transparent; once connected it's effectively as if you were connected directly to your home network. All devices on your network will be reachable through their internal non-routable IP addresses. The same configuration you use when you're on your home WiFi will work once the VPN is connected. In fact it will be exactly like you're on your home WiFi when the VPN tunnel is connected: all your file shares, printers, cameras and IoT devices will be available and none will be aware of the VPN or the fact that you're remote.

How hard is it to set up a VPN server? If you have a router that already includes a built-in VPN server it's no more difficult than forwarding ports is; in fact with some consumer routers like Asus many people find it even easier to set up than port forwards. Site-to-site VPN and some equipment may require very specific configurations that may require some more intense debugging and configuration. It can range from very easy to very hard; stack the odds in your favor with good research and testing.

Do I have to pay for a VPN service? No, this is a common point of confusion. There are services out there that will run a VPN server for you on a remote network; these are used to hide your location from public internet services, such as watching Netflix from a US IP, or downloading torrents without exposing your IP address to the swarm. If you have an externally routable IP address you will run your own VPN server on your own network, using free software, so there are no subscription fees.

Will a VPN tunnel cause me to hit bandwidth limits faster? Practically no; the additional bandwidth used to encapsulate traffic in an encrypted tunnel is minimal and a tiny blip compared to your actual video stream.

Crypto speeds: this is the only real performance concern. The first throughput bottleneck you're likely to encounter is how much data your VPN server can encrypt in real time. As long as your VPN server has more capability than your outbound/upload speed you'll never encounter this bottleneck. If you are on a typical residential internet connection with just a few Mbit of upload speed this is rarely ever a problem. However if you have fiber-optic/business/European/Asian connectivity you will need to make some hardware considerations to ensure you have adequate performance to utilize your actual connectivity. Higher-end equipment (multicore 1GHz+ routers) is typically capable of 20Mbit or more of VPN throughput, which is faster than most typical home internet upload ceilings; a router with a 600MHz single-core CPU will only do a few Mbit unless it has crypto hardware to help accelerate it. A Raspberry Pi 3 can do ~45Mbit; if you have faster uploads than that and wish to use those speeds over VPN then you need to research VPN crypto benchmarks and find a device that can meet your needs, perhaps a dedicated VPN crypto appliance or PC.

Where do I run my VPN server? The best place is on your home router; since it will be required to be online and reachable for all remote connections anyhow, it's the best candidate. However if you have an always-on PC NVR you can also run it there with great performance capabilities, or on a dedicated VPN appliance such as a Raspberry Pi.

What do I do first? First check your router and see if it already has a built-in VPN server that simply needs to be set up and configured. Almost all business-class routers, some ISP-provided hardware and the vast majority of modern decent off-the-shelf routers will already have support built in and just need you to use your Google-fu to set it up; check YouTube for setup guides specific to your equipment.

My router does not have a built-in VPN server! Well then see if your hardware supports one of the WRT-based firmwares; you can simply upgrade the firmware to DD-WRT, OpenWRT or Tomato (Google it) and add this software to your existing equipment. It's easier than it looks and there is a large consensus among power users that the open-source firmware projects are far superior to most OEM offerings.

My router doesn't have support, it's old and I want something as simple as possible! Look at Asus's wireless routers; they seem to be the easiest for noobs to get going out of the box and the equipment is widely available.

I hate connecting the VPN before I can open my cameras! VPN use is a requirement for every corporate employee in the world who needs to access their email or corporate network remotely. If millions of poorly trained monkeys can manage to connect a VPN client daily, what is your excuse? If you hate losing your house keys, you'd be pretty stupid to take the doors off your house.

You can route just your home LAN over the VPN connection; in this configuration leaving it permanently connected should not cause any issues and you won't have to do it manually every time. Some VPN clients/apps do auto-reconnect and/or dial on demand.

OpenVPN vs L2TP/IPsec vs other? Really the only choice is OpenVPN vs L2TP/IPsec; little else is as trustworthy as those two. For most people OpenVPN is easier to set up and run. OpenVPN requires clients to be installed on all your devices, whereas L2TP/IPsec clients are built in natively on every modern device (Windows/OSX/iOS/Android/Linux). Typically it's best to use what you have available already. If you configure your OpenVPN server to listen on port 443, the same port as HTTPS websites, then you can expect it to work on even the most restrictive remote networks.

Credentials/logins & security? Give each device its own unique login, generate a one-time password for it and save it to the device. This way if a device gets lost or stolen you can simply delete that user account, or if you upgrade/replace the device you just generate a new password and render everything else unable to log in, without having to change the credentials on all your devices any time you upgrade/lose an item.

Why is a VPN more secure than just setting a strong password on my video system?
Most video systems have undocumented backdoor credentials so the installer/vendor can unlock the device when the end user locks themselves out, for starters. They do not come secure by default. They are also susceptible to remote attacks that can bypass your logins altogether to run malicious code directly on the hardware without your knowledge. They do not automatically update security issues without intervention like your desktop/laptop/phone, and you can't easily even tell what software is running on them. Whereas VPN servers are designed for direct internet exposure, have been audited by security professionals, and receive constant scrutiny that results in vulnerabilities being exposed quickly and fixed promptly. Updating firmware on cameras is risky; recovery options in the event of failure are minimal, if they even exist at all. When an update blows up on your computer/mobile you can reinstall and restore in the worst case, but that's not an option for your video surveillance devices.

Site-to-site VPN or remote client VPN?
Typically you want to set up a remote client VPN unless you want to permanently bridge two networks so no clients are required on them. For example if you have a vacation property you may want to set up a site-to-site VPN to your vacation property, then use a remote client VPN into your home LAN; then your remote VPN connection can access both video surveillance systems on the same network and both networks are directly connected.

Dynamic DNS? Yes, you'll want to set this up, preferably on your router or VPN server, but your cameras/NVR are also likely to have these features. Most internet connections have dynamic addresses, and this ensures you can always find your VPN server and don't have to reconfigure VPN clients when your server IP changes.

Most common VPN setup mistakes:
  • Using a commonly used subnet for your home network. You may want to re-address your network to a subnet you're unlikely to encounter remotely. For example if your home network is 192.168.1.0 and your work network is 192.168.1.0 you'll find your remote VPN routes won't work from work, heh. But if your home network is 192.168.253.0 you're less likely to encounter a remote network that collides with your home subnet.
  • Not using your VPN for everything when on public WiFi. When you're on an unencrypted public wireless network anyone nearby can sniff your traffic right out of the air, but once you enable that VPN tunnel back to your home network all your traffic is encrypted and secure from anyone, even the local network admins.
  • Not specifying gateway addresses for IoT devices, thinking this would keep them from accessing the internet altogether. It can also prevent you from accessing them via the LAN, because your VPN server is likely to put you in its own subnet and route traffic between your LAN and the VPN on its own.
  • Not disabling UPnP and shutting down old port forwards after having the VPN set up.
  • Not syncing time correctly. Crypto requires your devices to have the correct time set; if your server or clients do not have a time source configured they will be unable to log in.
  • Not having an externally routable IP. If your VPN server is on a satellite or a mobile network you may not be able to remotely connect to anything; port forwards won't work either. The best option for these networks is to establish a point-to-point VPN outbound connection to an external server you run on another network or subscribe to.

I need step-by-step handholding because I am so dense I can bend light with my gravity! Sounds like you should ask your grandkids, or whoever managed to teach you the internet. Properly securing a network requires understanding and comprehension, and there is no single best way to do any of this. You need to read, ask questions, and help yourself. Nobody is going to do this for you; if you want to operate an internet-connected IP network in the modern world, this is basic stuff you have to understand or else you are putting us all at risk.

This post is living and may be updated/changed at any time.


Nayr
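As an added example (not part of nayr's post, and not any router vendor's stock config), here is a minimal OpenVPN server configuration with a matching per-device client profile that puts the primer's advice into practice: the server listens on TCP 443 so it works from restrictive remote networks, puts clients in their own 10.8.0.0/24 tunnel subnet, and by default pushes only the home LAN route (split tunnel, safe to leave connected all day), with the full-tunnel line for public WiFi left commented out. Every device gets its own certificate, and a certificate revocation list lets you cut off a lost phone without touching the other devices. The home LAN 192.168.253.0/24, the hostname home.example.org, the device name phone01 and the file paths are assumptions for the example.

```conf
# --- /etc/openvpn/server.conf (added example; subnets, hostname and paths are assumptions) ---
port 443                 # same port as HTTPS, so hotel/work networks rarely block it
proto tcp                # UDP 1194 is faster; prefer it where the remote network allows it
dev tun

# One certificate per device, made with easy-rsa ("easyrsa build-client-full phone01 nopass").
# Lost phone?  "easyrsa revoke phone01; easyrsa gen-crl", copy the new crl.pem here, done.
# No other device has to change anything.
ca   /etc/openvpn/pki/ca.crt
cert /etc/openvpn/pki/server.crt
key  /etc/openvpn/pki/server.key
dh   /etc/openvpn/pki/dh.pem
crl-verify /etc/openvpn/pki/crl.pem
tls-crypt  /etc/openvpn/pki/ta.key   # unauthenticated packets are dropped before the TLS handshake
remote-cert-tls client               # a leaked server cert cannot be reused as a client identity

# Clients live in their own subnet, NOT in the LAN. This is why a camera with no default
# gateway cannot answer you: 10.8.0.x is off-link for it and it has nowhere to send the reply.
server 10.8.0.0 255.255.255.0

# Split tunnel: only the home LAN goes through the tunnel, everything else uses the local uplink.
# An uncommon home subnet (192.168.253.0/24 rather than 192.168.1.0/24) keeps this route from
# colliding with the LAN of the coffee shop or office you are connecting from.
push "route 192.168.253.0 255.255.255.0"
push "dhcp-option DNS 192.168.253.1"  # LAN names / Pi-hole resolve over the tunnel

# Full tunnel for untrusted public WiFi: uncomment to send ALL client traffic home.
# With a metered home uplink leave it commented; otherwise every page you browse uses home data.
#push "redirect-gateway def1"

cipher AES-256-GCM
auth   SHA256
keepalive 10 120
persist-key
persist-tun
user  nobody
group nogroup
verb 3

# --- phone01.ovpn (client profile; generate one per device, never share it) ---
client
dev tun
proto tcp
remote home.example.org 443          # the dynamic DNS name, never the bare ISP address
resolv-retry infinite                # keep retrying while the cell connection flaps
nobind
remote-cert-tls server               # refuse to talk to anything that is not a real server cert
ca        ca.crt
cert      phone01.crt
key       phone01.key
tls-crypt ta.key
cipher AES-256-GCM
auth   SHA256
auth-nocache
verb 3
```

Two caveats that match the primer's "common mistakes" list: both ends must have correct time, or certificate validity checks fail and clients cannot log in; and if the VPN server is a Pi or NAS rather than the router itself, the router needs a static route for 10.8.0.0/24 pointing at that box (or the box must NAT tunnel traffic onto its own LAN address), otherwise LAN devices have no path back to the tunnel clients.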

Thank you Sir for taking the time to put this together; this is some of the best info ever. I understood everything and have now successfully set up OpenVPN using my Asus RT68 router. I cannot believe how nicely everything works and I do not have to forward ANY ports.

Have a great week Sir.

CaliChris
 
@Paulx I just took a quick look at the CenturyLink DSL modem and according to them, there should be no issues with reverting back if need be.



 
Thanks 58chev. Just what I needed to see, and a few others. Have found some conflicting info.
But these videos cleared up which setup I needed to apply. I am, it appears, a PPPoE customer of CenturyLink.
 
BIG THANK YOU goes out to @nayr for starting this thread and to the How-To by @randytsuch. You guys rock :headbang::headbang:

First I had to upgrade my internet from an old 30 down / 5 up (60GB cap) to 500 up / 20 down, unlimited cap.

Then it was replace my old Linksys WRT300N router for an ASUS RT-AC66U_B1 running the latest Merlin.

Took me all of maybe 20/30 minutes and I'm up and running on OpenVPN off my phone with no impact to my internet connection (ran multiple speed tests) while viewing a feed from a camera.
Even checked my port status on ShieldsUP! and all is just great (stealth) for all.

Only thing I got hung up on was routing 10.8.0.0 to see my cameras on 192.168.254.x.
Can see my FTP file repository for Line Crossing and Intrusion detection.
 
Hi there,
I just joined this forum so maybe this is not the right place to ask my question, but I'll give it a try.
I am just planning to set up my security cam (IP cam software running on an Android phone) in a place where no wired internet access is available, therefore I am going to use the mobile (LTE) network.
The basic need is to be able to access my IP cam (my phone) from the internet. (I already set up my "prototype" on the LAN and it is working well, but I have trouble if I use the mobile (LTE) network.)
Well, as far as I know my mobile ISP does not allow port forwarding so I cannot access my phone (server) from the internet.
My idea is:
1. From my phone I connect to a VPN server.
2. I forward my server port from the phone to the VPN. /Edit: forward requests coming from the internet to the VPN's private port./
As a result I expect to be able to access my phone (server) from the internet via the IP given by the VPN and the port I forwarded to from the VPN.
My question is: is this idea viable? If yes, can anyone suggest a (possibly) free VPN and port forwarding for Android?
If the idea is wrong, would somebody point out what I should do differently?

I have tried to use the "setupVPN" service and the "Fwd: port forwarding" Android app on my phone but with no success.
(I have an account on "setupVPN" and it is working well on PC and even on my phone too. I tried to forward the port with the "Fwd" Android app this way:
protocol: tcp
from: rmnet0 port: 8080
target: IP address 'got' from VPN, port 8080)

thank you.
 
Thanks 58chev. Took me a few more minutes than you. Made a typo in my PPP password on the new router. Got that fixed and it lit right up. I've spent the past day fighting all of the Echo Dots and a Brother printer that is almost a decade old and barely let me use WPA2-PSK or -Personal AES. But I now have everything secured up to this point. Now to go and follow Randy's instructions for setting up the VPN and firewall settings. These past few posts might not have been in the right section. Thanks guys for giving me a little wiggle room.
 
My VPN is connected 100% of the time I'm away from home and this is what mine uses.

And my upload speed at home is 2Mbps (recently bumped up from 1) and it's definitely slower than when on 4G... but it's not the worst.

And I don't know how long it takes to connect as I have Tasker do it automatically for me as soon as my phone disconnects from my home WiFi.

This interests me so I don't have to connect/disconnect when I leave the house. What is Tasker? How could I use this on my iOS devices? I don't see it in the App Store.

I run OpenVPN on my Asus router.
 
Another question

When you are connected to the VPN, does anyone know how to actually use the internet service from your home on your phone/tablet/computer? For example, when browsing in Safari you are using your home internet access instead.
 
Are you thinking you can go without a data plan for your phone? That is not how it works, you still need a data connection (either 4G or wifi) to make the connection to your VPN.
 
No I understand that. You still need internet access to connect to the vpn.

I thought I read somewhere that you could use your home internet connection as well for safer browsing?
 
That happens by default when you're connected to the VPN.

I wouldn't connect to my work's WiFi without my VPN, and it's extra nice because in doing so I bypass the strict filter they have in place. They have no idea what I'm doing. (Not that I'm doing anything really wrong, but a lot of shopping and video/music sites are blocked.)