Jack B Nimble
Pulling my weight
I have the 6 version I believe cannot get easier.
VPN Primer for Noobs
- Thread starter nayr
- Start date
This might help you guys, I remember having to change some of the settings to get it to work
Randy : OpenVPN on a Asus router
Thanks for that. I can connect via the OpenVPN app and when I do the user I created on the router says "connected". I then entered the BI license information on the BI app and when I pressed "Get IPs" the correct IP information populated. So, I entered my BI name and password and tried to connect but keep getting a message that it is "unable to make connection; check server address."
bug99
Pulling my weight
- Dec 27, 2016
- 398
- 154
confirm that the gateway and mask are set correctly on the BI server. they should be the LAN address of the ASUS and likely 255.255.255.0. also confirm that the LAN subnet is not the identical subnet you are on. The need to be unique to be able to route/bridge from one to the other through the tunnel.
Can you connect to BI at home? I make sure it works at home first, before I try it through VPN. I haven't had any problems if it works at home.
Yes, no problem connecting from home. That's what's frustrating me. I figured the app would be the easy part.
Then I'm confused because you talked about entering that information. I'm on an android, and use Blue Iris lite client, and I don't have to enter anything when I connect from VPN, already entered it all at home when I was trying it out.
When you open the BI iphone app it asks you to "add new server". When you hit that button it asks for your BI license info. When you add that it populates your IP address info.
Some VPN won't give you access to the local network after making a connection but will only allow you to route out to the 'net. I ran into this with PFSense and had to make a firewall rule to allow access to the local network. There's an IOS app named "Net Analyzer" that has a ping application. Load this and try pinging Google and then try local workstations on the network that aren't firewalled. You should be able to sort out the issue if you first verify network connectivity.
My private setup is as follows:
- Cable Internet Connection with static ip
- ipfire (similar to pfsense) with dmz for my cams / P2P / Port Forwarding
inside my dmz it doesn´t bother me if there is going something wrong.
Of course there are as strong as possible passwords (unlikely the password code of dahua is not really safe, it starts with only letters and numbers are allowed) blocking on password fails, notifications, separate users with less rights and a second admin account
I also use for a 4G / LTE Setup an openvpn based solution, together with feste-ip.net (if someone is using this service from my link it would be nice, because i will receive for every charge 10% bonus)
its based on openvpn and an raspi. The raspi is controlling an AVM Fritzbox 6840 LTE Router also as watchdog device. The vipbox provides an https tunnel and an public ipv4 address.
I can also use p2p in this setup
This service costs only 20 Euro / year. A good working suppport is included. The System can be build by ourselves or a all in one product with raspi for 99 Euro.
For customers i normally use a Fritzbox with the included ipsec function and app. It´s simple and fast to set up and easy to use.
- Cable Internet Connection with static ip
- ipfire (similar to pfsense) with dmz for my cams / P2P / Port Forwarding
inside my dmz it doesn´t bother me if there is going something wrong.
Of course there are as strong as possible passwords (unlikely the password code of dahua is not really safe, it starts with only letters and numbers are allowed) blocking on password fails, notifications, separate users with less rights and a second admin account
I also use for a 4G / LTE Setup an openvpn based solution, together with feste-ip.net (if someone is using this service from my link it would be nice, because i will receive for every charge 10% bonus)
its based on openvpn and an raspi. The raspi is controlling an AVM Fritzbox 6840 LTE Router also as watchdog device. The vipbox provides an https tunnel and an public ipv4 address.
I can also use p2p in this setup
This service costs only 20 Euro / year. A good working suppport is included. The System can be build by ourselves or a all in one product with raspi for 99 Euro.
For customers i normally use a Fritzbox with the included ipsec function and app. It´s simple and fast to set up and easy to use.
Full ack to all, but ...
What should happen in a dmz ? There is nothing else exepts the cams. So if someone would like to hack them, he could see nothing else than my cams. This is quite not a normal setup, less people are having a real dmz. On my LTE setup it similar. There is no other device.
dmz´s are used p.e. for exchange setups...
I haven´t investigated the p2p security, but isn´t it better than port forwarding? Sure that the cam stream goes over china? What i can imaging is, that there exist a hidden backdoor.
I dont give a shit about watching you; your cameras are gonna be hacked so they can be used to attack other people on the internet...
Did you even read anything here I wrote? or did you just not comprehend it?
All your P2P shit, including video is going through China servers.. thats how it works, establishes an outbound connection to relay through so it dont have to open an inbound one..
Your setup is convoluted; insecure, and outright amateur attempt at worthless security.. Clearly you dont know what a DMZ is, let alone anything at all about network security.
Did you even read anything here I wrote? or did you just not comprehend it?
All your P2P shit, including video is going through China servers.. thats how it works, establishes an outbound connection to relay through so it dont have to open an inbound one..
Your setup is convoluted; insecure, and outright amateur attempt at worthless security.. Clearly you dont know what a DMZ is, let alone anything at all about network security.
I think, i know how a dmz of a firewall is working. It´s not possible to access anything in green from a dmz in a firewall setup like ipfire or better know pfsense. It´s a totally separated network. Especially for unsecure services like exchange, webservers and anything else what can be hacked, to prevent your local data from being stolen or compromised. I don´t speak of router dmz´s which only pass everything to a dedicated ip.
The difficult question is, do we trust in dahua to do everything to prevent bots in capturing there devices? I think, a hole can be found sometime anywhere. Of course it´s not fine to host a bot in my network, but compared to many more things which are connected to the internet, there are much more insecure manufacturers. I think about many routers, which are know to be insecure. I am really afraid of tr 069 which are many providers are using...
Just happend to the TELEKOM and all of their devices. I still see the remote port opens by himself on cable routers although it should only be opend when requested and afterwards being closed. Its in fact not. And so on...
I read many of your posting, but of course not all. And if you had read my comments, i normally agree to you. But it´s not every thing just black and white, you understand? I have done much more than most of any users to be securer than default. But i want also to use the benefits of alternatives. With your last comment it sounds to me, that you are missing the point of balance to this. (I hope my english says what i mean)
The difficult question is, do we trust in dahua to do everything to prevent bots in capturing there devices? I think, a hole can be found sometime anywhere. Of course it´s not fine to host a bot in my network, but compared to many more things which are connected to the internet, there are much more insecure manufacturers. I think about many routers, which are know to be insecure. I am really afraid of tr 069 which are many providers are using...
Just happend to the TELEKOM and all of their devices. I still see the remote port opens by himself on cable routers although it should only be opend when requested and afterwards being closed. Its in fact not. And so on...
I read many of your posting, but of course not all. And if you had read my comments, i normally agree to you. But it´s not every thing just black and white, you understand? I have done much more than most of any users to be securer than default. But i want also to use the benefits of alternatives. With your last comment it sounds to me, that you are missing the point of balance to this. (I hope my english says what i mean)
tangent
IPCT Contributor
- May 12, 2016
- 4,592
- 3,943
THE POINT of this thread is to discuss VPN setup and explain to n00bs why it's a good idea. Certainly not a thread where you'd expect people to be tolerant of bad security advice...
Do you have a link for this suggestion ?
My knowledge is, the stream doesn´t goes over the manufacturers server (or p2p server), its only used for opening the connection, the stream goes directly to the client.
How does P2P IP camera work? | Technology News
What Is A P2P IP Camera And How Does It Work - Enterprise dynamics - News - Quanzhou Karassn Security Protection Electronics Co., Ltd
http://www.karassnsecurity.com/news-178733
But thats only from manufacturer. I found a much deeper artikel and discussion here: This is Why People Fear the ‘Internet of Things’ — Krebs on Security
I need to read more and search, but here is the same problem, who is trustworthy? What shall we believe?
I always also advice to use a vpn tunnel! Many customers don´t want to have mails but a notification and easy access. Port forwarding is a really bad and insecure way, with a p2p service i am not sure what i shall believe.
In generally i think, it´s not so insecure as some here are suggesting. Does a bot can use this? Or can it be opened by others? Then if they can use my device, it depends on where it´s mounted. Outside ? Shall they have fun, it doesn´t bother me. We must difference the surrounding and customers usage.
tangent
IPCT Contributor
- May 12, 2016
- 4,592
- 3,943
The P2P (NAT traversal based) cloud based services are a matter of trust, they're better than port forwarding but how much? The question is how much do you trust a company like dahua or hikvision. Even if you trust them on some level, do you trust them to secure their own network/connection to your cam adequately. In the case of Hikvision, it's worth mentioning that they are a state (china) owned company.
Last edited:
There's much better and safer ways to isolate your cameras from your main network; like using VLAN's and Routers w/Firewalls.. DMZ does not inherently mean its isolated, just that its exposed.. the term's been abused and just saying DMZ is meaningless for implying isolation.
Forwarding Ports is dangerous; like I said nobody cares about your video streams.. they want an army of cameras to wage war on the internet with; your camera, your network, and your money are being used to attack other people on the internet.. if you dont care about the rest of us just unplug ur self.
P2P Works by relaying everything through there servers if nessicary; Ive seen two devices both that dont allow incoming connections make a connection with eachother bypassing all inbound firewall rules and distributing everything through a 3rd party server.. if one side is connectable then it might drop the heavy data directly but thats not guaranteed, espically on mobile networks where your phone is unlikely to have a routable IP.
Theres absolutely zero encryption on any of the video streams or authentication for them; so anyone can intercept your NVR logins or just use some bug in the firmware to bypass authentication all together and run there own arbitrary software on your hardware without you ever knowing.
Forwarding Ports is dangerous; like I said nobody cares about your video streams.. they want an army of cameras to wage war on the internet with; your camera, your network, and your money are being used to attack other people on the internet.. if you dont care about the rest of us just unplug ur self.
P2P Works by relaying everything through there servers if nessicary; Ive seen two devices both that dont allow incoming connections make a connection with eachother bypassing all inbound firewall rules and distributing everything through a 3rd party server.. if one side is connectable then it might drop the heavy data directly but thats not guaranteed, espically on mobile networks where your phone is unlikely to have a routable IP.
Theres absolutely zero encryption on any of the video streams or authentication for them; so anyone can intercept your NVR logins or just use some bug in the firmware to bypass authentication all together and run there own arbitrary software on your hardware without you ever knowing.
Last edited:
I'm with NAYR, placing these cameras on an IP exposed to direct internet traffic is awful. They WILL be attacked, they WILL get compromised, and they WILL be used to relay attacks or to directly attack others. In fact this has already occurred in the past! Put the cameras behind a firewall in a restricted network segment (pick your poison of implementation) and then use the VPN to access that segment. This goes for NVR as well as cameras. These are untrusted devices and also VERY valuable devices, not for what can be viewed from them but for the bandwidth opportunity they present to an attacker.
As for the P2P services, I turned them off as soon as my cameras were turned on. They pierce firewalls by beaconing out and are only as good as the company that built the service. In this case that's a Chinese company that cares less about my systems than I do I'm quite sure. Use these services at your own risk but I'd segment them off if doing this for sure just like the above case of using a VPN.
As for the P2P services, I turned them off as soon as my cameras were turned on. They pierce firewalls by beaconing out and are only as good as the company that built the service. In this case that's a Chinese company that cares less about my systems than I do I'm quite sure. Use these services at your own risk but I'd segment them off if doing this for sure just like the above case of using a VPN.