VPN Primer for Noobs

Poll: What VPN Solution are you using?
So I'm not a network guy, know just enough to be dangerous, but I'm not sure about your strict NAT comment?

I can tell you I have an iPhone 8 with ATT as the provider, and I have no problem running OpenVPN and checking cams.


Yes, the strict NAT I'm referring to is more like a double NAT. I can't port forward through it and get a public IP address.
 
I have an ASUS router & twice in the last few months the router has been compromised, despite having (what I thought to be) strong settings & passwords, after setting VPN Server up following instructions here.
Is there a way, once VPN Server (& client) is set up, to brute-force attempt to penetrate one's own system?
 
> I have an ASUS router & twice in the last few months the router has been compromised, despite having (what I thought to be) strong settings & passwords, after setting VPN Server up following instructions here.
> Is there a way, once VPN Server (& client) is set up, to brute-force attempt to penetrate one's own system?

So you are using AES-256-CBC for the encryption cipher, and someone was able to break in through the VPN?
From my limited understanding of this stuff, AES-256-CBC is quite secure, and it's really hard to crack, so having someone do it a couple of times in a few minutes seems strange, unless they are getting your key somehow.

How do you know you were compromised?
Did you look at the asus router logs?

Randy
 
The language on the router has been changed. I'm not suggesting the cause is via the VPN server, but rather asking if there's a way to test/break it to ensure the settings used are indeed secure?
 
@xtropodx check that you don't have WAN management turned on in the ASUS router. On mine it's under "Administration" >> "System" >> "Enable WEB Access on WAN" (set to NO)

Also disable AiCloud and UPnP. On mine it's under "WAN" >> "Internet Connection" >> "Enable UPnP" (set to NO)

I've had this ASUS router on an always-on internet connection for literally YEARS, and never has it been hacked into. You just need to double check you have kept your firmware up-to-date and tweaked all the settings to ensure you have the most secure configuration running that you can.
 
> The language on the router has been changed. I'm not suggesting the cause is via the VPN server, but rather asking if there's a way to test/break it to ensure the settings used are indeed secure?
@xtropodx ,
Have you been keeping up with firmware updates?

I know that I have been and no issues. But then again I am running Merlin firmware.

Most likely a backdoor hacker got in, I have read the most common change from a hacker is the language.
 
@xtropodx There is also the kind of obvious suggestion that port forwarding should be disabled.
Also, if it happens again, I'd check the log asap, and see if there is a clue to how someone else got in.

This gave me an idea to revise my blog to add some suggestions for other settings to help secure an ASUS router.
1. Make sure firmware is up to date, and periodically check.
2. Make sure port forwarding is disabled (need to see what page to check)
3. Disable Web access on WAN: "Administration" >> "System" >> "Enable WEB Access on WAN" (set to NO)
4. Disable AiCloud and UPnP: "WAN" >> "Internet Connection" >> "Enable UPnP" (set to NO)

I also think there is a setting to only let certain MAC addresses into your router, need to look at that. I'd make sure you have at least a couple of PCs enabled, in case one breaks you have a backup.

Any other suggestions?
 
Thanks all. I am running Merlin firmware & running the latest 384.5; the most recent breach was on the previous v384.4_2. Just looking at possible avenues, & while I am still learning, I'm pretty sure at the last breach all these settings etc. were disabled as they needed to be.

> I also think there is a setting to only let certain MAC addresses into your router, need to look at that. I'd make sure you have at least a couple of PCs enabled, in case one breaks you have a backup.

I thought MAC addresses could be spoofed?
For your blog, perhaps a more comprehensive detailing of settings with security in mind? Your blog mentions how to get it working, which is great, but there are many settings on VPN Server & having some basic explanation or ideal minimum setting would be fantastic. EDIT: especially given the GUI looks slightly different now.

I'm now stuck at the moment trying to block my cameras from accessing the internet but can't access them via the VPN server.
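The question above (cameras blocked from the internet, yet still reachable over the VPN) is not answered in the thread with firewall rules, so here is an added example that is not from the original posts. It is a shell function that emits iptables FORWARD rules for a router: VPN clients and the recording PC may open connections to the camera subnet, replies may come back, and anything the cameras themselves try to send out the WAN interface is logged and dropped. All addresses and interface names are assumptions (the 192.168.254.0/24 camera range is the Hikvision example mentioned later in the thread; the 10.8.0.0/24 OpenVPN pool, br0/eth0 interfaces and the 192.168.1.50 recording PC are made up) and can be overridden with environment variables. On Asuswrt-Merlin a script like this would normally be placed in /jffs/scripts/firewall-start so the rules survive firewall rebuilds.

```shell
#!/bin/sh
# Added example, not from the thread. Emits iptables rules that let the
# OpenVPN tunnel and the recording PC reach the cameras while the cameras
# cannot originate traffic to the internet. Review the output, then pipe
# it into sh (needs root on the router).

CAM_NET="${CAM_NET:-192.168.254.0/24}"   # camera subnet (thread's Hikvision example)
VPN_NET="${VPN_NET:-10.8.0.0/24}"        # OpenVPN client address pool (assumed)
WAN_IF="${WAN_IF:-eth0}"                 # router WAN interface (assumed)
BI_HOST="${BI_HOST:-192.168.1.50}"       # recording PC on the main LAN (assumed)

camera_rules() {
  cat <<EOF
# Dedicated chain so the rules can be rebuilt without touching the rest of FORWARD
iptables -N CAM_FWD 2>/dev/null || iptables -F CAM_FWD
iptables -C FORWARD -j CAM_FWD 2>/dev/null || iptables -I FORWARD 1 -j CAM_FWD
# Replies to connections the VPN client or recording PC opened are allowed back
iptables -A CAM_FWD -s $CAM_NET -m state --state ESTABLISHED,RELATED -j ACCEPT
# VPN clients and the recording PC may open connections to the cameras
iptables -A CAM_FWD -s $VPN_NET -d $CAM_NET -j ACCEPT
iptables -A CAM_FWD -s $BI_HOST -d $CAM_NET -j ACCEPT
# Cameras may not start anything that leaves via the WAN (cloud, NTP, firmware beacons);
# log first so attempts show up in the router log, then drop
iptables -A CAM_FWD -s $CAM_NET -o $WAN_IF -j LOG --log-prefix "CAM-EGRESS " --log-level 4
iptables -A CAM_FWD -s $CAM_NET -o $WAN_IF -j DROP
iptables -A CAM_FWD -j RETURN
EOF
}

# Print the ruleset for review; apply with:  sh this_script.sh | sh
camera_rules
```

The LOG rule is deliberate: if a camera suddenly starts talking to the internet on its own, a "CAM-EGRESS" line in the router log is the cheapest indicator you have that something on the camera segment is misbehaving.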
 
> Thanks all. I am running Merlin firmware & running the latest 384.5; the most recent breach was on the previous v384.4_2. Just looking at possible avenues, & while I am still learning, I'm pretty sure at the last breach all these settings etc. were disabled as they needed to be.
>
> I thought MAC addresses could be spoofed?
> For your blog, perhaps a more comprehensive detailing of settings with security in mind? Your blog mentions how to get it working, which is great, but there are many settings on VPN Server & having some basic explanation or ideal minimum setting would be fantastic. EDIT: especially given the GUI looks slightly different now.
>
> I'm now stuck at the moment trying to block my cameras from accessing the internet but can't access them via the VPN server.

Yeah, you can spoof a MAC address, but then a bad guy would need to know which MAC address to spoof. It's another layer of protection.

My philosophy for security is to make your security good enough so it's too much work to break in, so the bad guy will go find someone where it's much easier. And unfortunately, there are a lot of people where it's probably pretty easy to break in. Doesn't have to be perfect, just good enough so it's not worth the trouble.

I'll try to update my blog, but honestly I don't understand all of the VPN settings, I just figured out how to make it work, and did some googling to figure out how to make it more secure. I'm a hardware type by trade, definitely not a network or IT type.

BTW, I have my cameras on a VLAN to keep them safely segregated from my main network. Cams are known for having backdoors, so I feel safer keeping them locked out. They are only allowed to access each other, and my BI PC, nothing else.
 
> The language on the router has been changed. I'm not suggesting the cause is via the VPN server, but rather asking if there's a way to test/break it to ensure the settings used are indeed secure?

GRC security port scanners.
GRC | ShieldsUP! — Internet Vulnerability Profiling
You possibly have something else on the network that has been hacked, not necessarily the router.
Power down everything on your network including the router and modem, and leave them all powered off for 10 minutes.
By power off, I mean unplug it from the wall.
Then power back up starting with the modem.
In some cases this may clear any hacks.
 
> I'm now stuck at the moment trying to block my cameras from accessing the internet but can't access them via the VPN server.

Do you have a route to your cameras' IP range set up on your router?

@randytsuch

Great job on the document, one thing I did not see is setting up a route to get to your cameras' IP.
For a Hikvision NVR the camera network is typically 192.168.254.x.
Only the Gateway would be different than the gateway I use.

(attached screenshot: Camera_Route.jpg)
 
> Do you have a route to your cameras' IP range set up on your router?
>
> @randytsuch
>
> Great job on the document, one thing I did not see is setting up a route to get to your cameras' IP.
> For a Hikvision NVR the camera network is typically 192.168.254.x.
> Only the Gateway would be different than the gateway I use.

I don't have a route to my cameras, I have them on a VLAN as described here
Simple Port based VLAN
With them on a VLAN, they are isolated from everything but my BI PC, so I don't worry about them further.

I could add your screenshot to my blog though, as another security measure to take to make sure the cameras only talk to who they are supposed to. I realize most don't have VLANs, or switches that can support them.

Looks like this acts like a VLAN?

Randy
 
Slow learner needs advice.
My current setup:
FIOS router >>>> Netgear AC1750 router >>>>> TP-Link 8 Port POE >>>>> IPC-HDBW4231F
I can hit the camera with a PC using the Chrome browser and IDMSS on an iPhone locally.
The AC1750 is my home wifi source.
Next step is VPN.
My plan is to put DD-WRT on the AC1750, then turn on the OpenVPN client, then view cameras from afar with the iPhone on the Sprint network or public wifi.
Good plan??
 
> Do you have a route to your cameras' IP range set up on your router?
>
> @randytsuch
>
> Great job on the document, one thing I did not see is setting up a route to get to your cameras' IP.
> For a Hikvision NVR the camera network is typically 192.168.254.x.
> Only the Gateway would be different than the gateway I use.
>
> (attached screenshot: Camera_Route.jpg)

Can you explain exactly what this is used/beneficial for? I don't really understand. I thought this was for additional routers? Thanks.
 
> Slow learner needs advice.
> My current setup:
> FIOS router >>>> Netgear AC1750 router >>>>> TP-Link 8 Port POE >>>>> IPC-HDBW4231F
> I can hit the camera with a PC using the Chrome browser and IDMSS on an iPhone locally.
> The AC1750 is my home wifi source.
> Next step is VPN.
> My plan is to put DD-WRT on the AC1750, then turn on the OpenVPN client, then view cameras from afar with the iPhone on the Sprint network or public wifi.
> Good plan??

I'd try to run OpenVPN with the stock Netgear firmware; I did a quick google and it looks like it will support this.
Netgear also had a DDNS function, which you also need. DDNS is what lets your phone find your router when using OpenVPN, it provides the address to use. My ASUS router provides DDNS too, which is one reason it's easy to run OpenVPN on it.
I like DD-WRT, but then I think you will need to figure out how to handle the DDNS function.

> Can you explain exactly what this is used/beneficial for? I don't really understand. I thought this was for additional routers? Thanks.

I think if you use an NVR, it creates another sub network, for the cameras, on a different IP address. It's like having another router, on a different IP address. Someone can correct me if I'm off base here.

Randy
 
I read through the first page of this thread yesterday.

Then I posted a question about setting up a vlan in a thread that I've had running since last year.

No one responded yet.

I thought I would link to the post with my question in this thread:

#186

Can someone help? If possible, try to reply in the thread that I linked to, since I'm already receiving notifications for it. But any response, whether it's in there, or in here, would be appreciated.

Thanks.
 
> Can you explain exactly what this is used/beneficial for? I don't really understand. I thought this was for additional routers? Thanks.

@xtropodx
It allows you to traverse from, say, the 192.168.1.x network to the 192.168.254.x network.

Without the route hard coded on the router, you will not be able to remote to your cameras' hard-coded IP addresses.

But there is a section in OpenVPN where this needs to be placed also.

I'll have to screenshot it later.

EDIT:

Here is the route setting in the Advanced Settings section under OpenVPN.
At first I could not get to my cameras until this entry was there.

(attached screenshot: OpenVPN_Route.jpg)
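To make the two screenshots concrete in text form, here is an added example (not from the post above, and not the poster's actual configuration) of the two pieces the reply describes: a static route on the router so it knows the camera subnet lives behind the NVR, and a matching `push "route"` line in the OpenVPN server configuration so the phone learns that subnet when it connects. The 192.168.254.0/24 range is the Hikvision example from the thread; the LAN 192.168.1.0/24 and the NVR's LAN address 192.168.1.20 are assumptions.

```conf
# Added example, not the poster's configuration. Assumed: main LAN 192.168.1.0/24,
# camera subnet 192.168.254.0/24 behind an NVR whose LAN-side address is 192.168.1.20.

# 1. Router static route (the "Camera_Route" screenshot, LAN >> Route in the ASUS GUI).
#    Equivalent shell command on the router; br0 is the usual Asuswrt LAN bridge:
#      ip route add 192.168.254.0/24 via 192.168.1.20 dev br0

# 2. OpenVPN server configuration (the "OpenVPN_Route" screenshot, custom config
#    under Advanced Settings). Without the second push the client only learns the
#    main LAN and packets for the cameras never enter the tunnel.
push "route 192.168.1.0 255.255.255.0"
push "route 192.168.254.0 255.255.255.0"
```

The NVR itself also has to know how to answer: it normally handles this because its camera-side interface is on 192.168.254.x and its default gateway points at the router, so replies to a VPN client's tunnel address (which is outside both subnets) go back via the router and into the tunnel.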
 
> I read through the first page of this thread yesterday.
>
> Then I posted a question about setting up a vlan in a thread that I've had running since last year.
>
> No one responded yet.
>
> I thought I would link to the post with my question in this thread:
>
> #186
>
> Can someone help? If possible, try to reply in the thread that I linked to, since I'm already receiving notifications for it. But any response, whether it's in there, or in here, would be appreciated.
>
> Thanks.

I think no one has replied because no one knows. I did a quick look at the documentation, and I'm not sure if it's possible.
VLANs tend to be harder to implement; I was lucky that I bought a used commercial switch that could implement them for my cams. Stuff intended for home use doesn't support VLANs, in general.
 
> I think no one has replied because no one knows. I did a quick look at the documentation, and I'm not sure if it's possible.
> VLANs tend to be harder to implement; I was lucky that I bought a used commercial switch that could implement them for my cams. Stuff intended for home use doesn't support VLANs, in general.

Thanks.

I came to this thread, because the wiki said to not forward ports, and to set up a VPN.

How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk

If setting up a VPN is difficult because it requires hardware that I don't have, then what about the other precaution mentioned, about port forwarding?

Is it possible to set up remote access without port forwarding?

Also, how do I know if a camera was hacked? What would I see?