VPN Primer for Noobs

[Barboots]

Is it possible to set up remote access without port forwarding?

This thread is promoting the safest approach to remote access... which is VPN. A slightly less awful approach than port-forwarding is the P2P facility "hosted" by the NVR hardware manufacturer. However remember that they are Chinese State owned, and you are providing them access to your network.

I set up an extremely functional VPN using an older Netgear WNDR3800 and free Gargoyle firmware for it... it only serves my surveillance system so doesn't limit my online experience. Similar routers are virtually free second hand, so cost or lack of hardware is really not an excuse. New gear with VPN built in is available cheap at under $200 if you would prefer an all-in-one solution.

Here's my "work in progress"... I'm still tidying it up, but it's online and secure AF in time for my holidays.

Cheers, Steve

 

[58chev]

Is it possible to set up remote access without port forwarding?

@nuraman00
I believe (someone correct me if i'm wrong) you could setup a PC on your network with OpenVPN Server and the only port that would need to be forwarded from your router is the port to the server.
That's if you do not have a router that supports running a VPN Server.
@Barboots has got the idea, to use a cheap router with third party firmware that supports running a VPN Server.

I started with an old linksys WRT45 Series with DD-WRT running on it.

 

[randytsuch]

Thanks.

I came to this thread, because the wiki said to not forward ports, and to set up a VPN.

How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk

If setting up a VPN is difficult because it requires hardware that I don't have, then what about the other precaution mentioned, about port forwarding?

Is it possible to set up remote access without port forwarding?

Also, how do I know if a camera was hacked? What would I see?

My response was about vlans (different from VPN) because that's what you asked about in your last post.
As the others have said, you can implement openVPN with an older router. Tmobile gives away rebranded asus routers to their customers, and these show up on ebay for good prices.

This thread was started by a network security guy because chinese cams are known to have backdoors, and subject to hacking, so you really don't want to port forward to your cams as it opens your network up to bad guys.
But then it depends how much money/time your willing to spend to make your network safer.

Randy

 

[pbc]

Holy cow, finally figured it out.

In case anyone else has the same issue with OpenVPN and their Galaxy S6 not connecting to local IP addresses, in the OpenVPN app on Android I had to go into preferences, and then in VPN Protocol I had to specifically select "UPD" instead of the default "Adaptive".

Also, had to click the checkbox on "Force AES-CBC ciphersuites" as well which by default is not checked in the app.

Not sure why as my S8 works fine at default settings.

Phew.

Okay, so this is mind boggling. So out of the completely blue yesterday, my Galaxy S8 stopped connecting in ivms-4500 via OpenVPN. Am now getting an 8200 error on that device when trying to connect. But my wife's S6 (originally had the problem) works fine.

Tried uninstalling and reinstalling 4500, tried the above settings which worked on my S6 originally, nothing.

WTH?? I've changed nothing on my router, phone settings, ivms, openVPN, nothing, just suddenly decided to start giving me an 8200 error. Any thoughts?

 

[Barboots]

... just suddenly decided to start giving me an 8200 error. Any thoughts?

There have been a lot of security updates for S8 pushed out over the past two weeks. Unlikely, but it might be worth checking the two revision levels against each other.

Cheers, Steve

 

[pbc]

There have been a lot of security updates for S8 pushed out over the past two weeks. Unlikely, but it might be worth checking the two revision levels against each other.

Cheers, Steve

What do you mean by checking the two revision levels against each other?

 

[Barboots]

Settings, About Phone,

 

[Barboots]

Another idea would be to build a new credentials file and try that.

 

[pbc]

Another idea would be to build a new credentials file and try that.

Already tried that. I'm connecting to OpenVPN just fine (show up as connected in my router). It's literally something on my S8 blocking it from viewing my cameras. Can't see them in ivms-4500 or TinyCam Pro. Neither connects.

So frustrating as it was working perfectly until yesterday.

 

[nuraman00]

This thread is promoting the safest approach to remote access... which is VPN. A slightly less awful approach than port-forwarding is the P2P facility "hosted" by the NVR hardware manufacturer. However remember that they are Chinese State owned, and you are providing them access to your network.

I set up an extremely functional VPN using an older Netgear WNDR3800 and free Gargoyle firmware for it... it only serves my surveillance system so doesn't limit my online experience. Similar routers are virtually free second hand, so cost or lack of hardware is really not an excuse. New gear with VPN built in is available cheap at under $200 if you would prefer an all-in-one solution.

Here's my "work in progress"... I'm still tidying it up, but it's online and secure AF in time for my holidays.

Cheers, Steve

@nuraman00
I believe (someone correct me if i'm wrong) you could setup a PC on your network with OpenVPN Server and the only port that would need to be forwarded from your router is the port to the server.
That's if you do not have a router that supports running a VPN Server.
@Barboots has got the idea, to use a cheap router with third party firmware that supports running a VPN Server.

I started with an old linksys WRT45 Series with DD-WRT running on it.

My response was about vlans (different from VPN) because that's what you asked about in your last post.
As the others have said, you can implement openVPN with an older router. Tmobile gives away rebranded asus routers to their customers, and these show up on ebay for good prices.

This thread was started by a network security guy because chinese cams are known to have backdoors, and subject to hacking, so you really don't want to port forward to your cams as it opens your network up to bad guys.
But then it depends how much money/time your willing to spend to make your network safer.

Randy

Ok. I was confusing VLANs with VPN. I re-read about them.

Let me try summarizing the situation. Please correct me if I'm wrong.

* Can I configure a VPN with my existing Arris Interactive, L.L.C. TG862G router? Or do I have to have a new router for any VPN, because by definition, it needs its own router?
How can I tell if it supports a VPN?

* If I need a new dedicated router for the VPN, I can get a "like new" Netgear WNDR3800 N600 for $55 - $70.

* Once I know which router to use, I can download OpenVPN and configure it.

OpenVPN - Open Source VPN

It is free with no license?

* There will still be port forwarding, but only the port that is configured on OpenVPN.

Let me see if I understand this much, before asking more questions.

 

[randytsuch]

Ok. I was confusing VLANs with VPN. I re-read about them.

Let me try summarizing the situation. Please correct me if I'm wrong.

* Can I configure a VPN with my existing Arris Interactive, L.L.C. TG862G router? Or do I have to have a new router for any VPN, because by definition, it needs its own router?
How can I tell if it supports a VPN?

* If I need a new dedicated router for the VPN, I can get a "like new" Netgear WNDR3800 N600 for $55 - $70.

* Once I know which router to use, I can download OpenVPN and configure it.

OpenVPN - Open Source VPN

It is free with no license?

* There will still be port forwarding, but only the port that is configured on OpenVPN.

Let me see if I understand this much, before asking more questions.

I'll try to answer some of your questions
TG862? I don't think it supports on openvpn server, did a search and could not find anything to say it does. In general, these all in one devices have limited router capabilities.
So in this case, you need some other device (router, pi or pc) to act as the openvpn server. Note that you need a openvpn server, not a client. There are many vpn services out there, but they act as the server and you would need a client to support them, but that is NOT what you want, won't help you for what we are trying to do.
I don't have any experience running a 2nd router to your TG862 or similar. Seems like you will need to port forward one port to the 2nd router, but maybe someone with more experience can chime in.

Based on barboots post, the netgear will support openvpn. In my asus, you don't need to download anything, just need to enable openvpn server. Not sure about the netgear, google is your friend, there should be instructions for setup out there.
openvpn is free, no cost to use.

Randy

 

[pbc]

Already tried that. I'm connecting to OpenVPN just fine (show up as connected in my router). It's literally something on my S8 blocking it from viewing my cameras. Can't see them in ivms-4500 or TinyCam Pro. Neither connects.

So frustrating as it was working perfectly until yesterday.

So just tried on TinyCam Pro, same thing, cameras won't connect.

Tried a whole whack of different settings on the OpenVPN app to no avail. Anyone using this on a Samsung Galaxy S8 here?

Any other suggestions? Kind of frustrating that I'm camera less at this point from my phone (but not my wife's Galaxy S6...which was the one originally having issues when I first setup OpenVPN months ago).

 

[SouthernYankee]

I have comcast as my internet provider. I use the Arris Interactive, L.L.C. TG1862G as a modem with is connected to my Asus Rt-AC66U router. The arris 1862G also provides my internet phone service. The Asus Rt-AC66U router is configured for OPENVPN. Also on the Asus Rt-AC66U I use parental controls to prevent the cameras from accessing the internet. I use ASUSCOMM.COM for my DDNS.

 

[Barboots]

Tried a whole whack of different settings on the OpenVPN app to no avail. Anyone using this on a Samsung Galaxy S8 here?

Actually this might have been a problem I had when setting up... I have an S8. The device appeared on my network but couldn't get anything to view. I changed apps to "OpenVPN for Android" and it worked straight away. Check out this exact version and see if it helps. It's not the first offering on Google Play if you simply search for OpenVPN.

Cheers, Steve

 

[pbc]

Actually this might have been a problem I had when setting up... I have an S8. The device appeared on my network but couldn't get anything to view. I changed apps to "OpenVPN for Android" and it worked straight away. Check out this exact version and see if it helps. It's not the first offering on Google Play if you simply search for OpenVPN.

Cheers, Steve

Uninstalled OpenVPN, installed Open VPN for Android. Exact same issue.

 

[pbc]

How can it work fine on a Galaxy S6, but not my S8??

 

[Barboots]

How can it work fine on a Galaxy S6, but not my S8??

They're very different hardware, and will run different firmware as a result.

Can you view the cams using your S8 when directly connected to the local surveillance network, or is this test not possible?

Cheers, Steve

 

[pbc]

They're very different hardware, and will run different firmware as a result.

Can you view the cams using your S8 when directly connected to the local surveillance network, or is this test not possible?

Cheers, Steve

If you mean when simply connected via wifi... Yes. Can view the cams without issue.

Had this exact problem months ago with my S6. Had to tweak some settings in OpenVPN to get it to work.

Unfortunately now it is on my S8 and can't seem to get it to work at all. Mayne I should factory reset my phone...

 

[Barboots]

Maybe I should factory reset my phone...

God no!

Before you uninstall the OpenVPN app again, delete the cache and data. Do the uninstall. Restart.

Repeat for the other version of the app, installing it first if you have already uninstalled it. Restart.

Restart again. Reinstall your preference of OpenVPN app and test.

 

[pbc]

Thanks for sticking with this. That didn't work either.

Just thought of something. When I turn on Openvpn it now asks for a client certificate or says to continue without one. I click on continue without one.

Don't recall this before. Maybe I need a cert?