VPN Primer for Noobs

[Stay Puft Marshmallow Man]

Thanks everyone for all the great info here. I am in the process of setting up a VPN following this step by step guide:
Easy_Windows_Guide – OpenVPN Community
My router is a 4 piece EERO set and I can't run the VPN on that so I am using a dedicated computer. I've ran into a handful of snags with the instructions but I am working my way through them.

I was dumb and had open ports for a while with my old setup. I understand why that is a bad idea now. This may be a dumb question, but, once I get my VPN setup and running, is there a potential that my cameras are already compromised with malicious code? Would I need to hard reset all my cameras or reinstall firmware or something like that to ensure there isn't anything malicious already on them?

 

[nayr]

The Marai botnet that is the mostly likely to be compromising devices was not writng to flash, simply rebooting it removed the malware until it was re-infected.

at this point I doubt any malware is writing its self to flash; tha'd risk damaging the device it wants to Hijack.. if you can hack it once, u can hack it again once its been rebooted.

 

[TVT73]

Maybe you can update your cam to a newer firmware release. Dahua has removed telnet and did some security enhancements.
Changing your password is also not false, and don't forget to define an second admin account, to prevent yourself from being blocked for password mistakes or hacker attempts.

In my nightly setup test round, I noticed, that with the Dahua release 2.460.0000.1R 2016-10-25 it's possible to use stronger passwords!!! You can use special characters, which was last year as I started with Dahua cam's not possible.
This shows me, that Dahua has done more security improvements than I expected.
Very good!

 

[BLKMGK]

Considering the heat they've taken, they were one of the named IOT companies called out specifically, I'm not surprised that they've made some attempts to tighten their security. However considering the number of SOHO routers I've seen found wanting in the security realm who have likely dedicated far more resources than they have I would still not trust it to have a live 'net IP. Segregate it for sure! I'd agree that it's not likely they've written anything to flash memory and IMO the risks of screwing up a working camera flashing it are higher than worrying that they've somehow improved tradecraft enough to have begun doing it.

 

[pal251]

At Nayr, so basically in a nutshell.

If I have a R7000 or R6400 netgear router at a location with cameras I would need to have a client on my end (such as phone or laptop) to access the VPN server and access those cameras.

Now if I had an nvr on My side and the cameras on the "other side" with vpn would I need something special on my router to have it see the cameras?

 

[nayr]

if your trying to do a remote NVR then you should setup a Site2Site VPN Link between routers on the edges of each network.. they will bridge the 2 networks transparently and VPN Clients will not be needed on either network

 

[Camit]

I was thinking about running private tunnel (OpenVPN) anyone tried private tunnel is it any good ? Also I was thinking I only want to run the vpn software on my BI machine,I really don't wanna run a vpn on the router, cuz I think it will slow my internet speed down to much. Anyhow if I run private tunnel on my BI machine I still need to port forward on the router side right?

Also BI on window on the web server do I still put the WAN ip
And what info to I put in for the android bi app ?

 

[slowhandfan]

I would like to know if I can setup a Windows 10 Pro pc to be my VPN server instead of OpenVPN which is my second choice (thus avoiding install of clients).

I've read nayr's post and the thread, plan is to have a dedicated desktop pc running my vpn and blueiris. I just installed Google Wifi mesh which atm doesn't allow advanced anything such as vpn.

I have googled but have only found a way to use WIndows XP pro to be a server using L2TP/IPsec. Is this possible and if so, can you suggest Google search terms or links? Searching variations of "setup Windows 10 pro as a L2TP/IPsec vpn server" gave me ways to set up remote access when you already have server info, not how to create the server. Thanks!

 

[Dytryn]

The VPN tab on my Asus router is telling me I have a "routing conflict" and I have no idea how to resolve.

 

[bug99]

Does ASUS (ex RT-AC66U_B1) support site-to site VPN? My guess is no. If it does, will it also allow for server to client VPN connections (in addition to an active STS) so that two sites can be bridged while allowing phone VPN. I suspect that a more powerful router is needed (or two ISP connections to two routers on one LAN, which just sounds ugly), like the EdgeRouterLite.

if your trying to do a remote NVR then you should setup a Site2Site VPN Link between routers on the edges of each network.. they will bridge the 2 networks transparently and VPN Clients will not be needed on either network

 

[nayr]

Should work, it has both a client and a server..

VPN server : IPSec Pass-Through, PPTP Pass-Through, L2TP Pass-Through, PPTP Server, OpenVPN Server
VPN client : PPTP client, L2TP client, OpenVPN client

according to this page: RT-AC66U B1 | Networking | ASUS USA

 

[bug99]

I am not sure that Pass-through is the same as site-to-site, and client server is not pier to peir. I think it lets it pass through to either a second server or out. This is what i found with a quick search. I thought IPSec was for site to site however, but i cant easily check that out.

"VPN Passthrough is a feature of routers which allows computers on a private network to establish outbound VPNs unhindered. VPN passthrough has nothing to do with inbound VPNs, only outbound ones. The term comes from allowing the VPN traffic to “passthrough” the router"

 

[nayr]

OpenVPN Client on one side and OpenVPN Server on other side, and perhaps some static routes defined, done.

 

[Jack B Nimble]

For some reason after a lenghty time of all was good , when I access my Open vpn from my Samsung 6 to my Asus router I have no browser access on the phone and some times even cameras don't load up.

 

[DavidDavid]

So what's the biggest issue with keeping my android connected to my VPN server (OpenVPN running on NAS at home) 100% of the time? I almost never connect to a public WiFi (most of my WiFi connections are at work or friends houses) but I still want to be connected all of the time so I can open one app and get an instant view of all of my cameras at home. Should I bother disconnecting the VPN when I get home and connect to the same WiFi that my VPN server is running on?

The biggest issue I can see is that it might be slower, if for example when I visit a website on my phone on my home WiFi, does it go thru my WiFi into the outside Internet, and then back into the VPN connection? And also I think it might eat up my bandwidth (monthly allowance from ISP) if this is the case because it would be coming in and going out 2x...if that is true and makes any sense.

 

[DavidDavid]

Also, I got my very first very cheap ip camera last year and instantly downloaded their app to remotely view. That worked well but obviously not the best idea because it used UPNP to set up its own port forwarding and used their Chinese servers. Now that I have the VPN set up, I've disabled UPNP on my router, port forwarded the VPN port to the NAS so I could connect (this stopped working when I disabled the UPNP so this is the only port forward I have manually set up) and I set the router to block Internet access to that camera (using parent controls). I think this is a fairly decent set up, but my question is, how to I make sure I've disabled the port forward that the camera set up when I made it connect using UPNP? It doesn't show up in the port forwarding rules. When I disabled the UPNP on the router, did it effectively close whatever port the camera opened? I have tested the remote viewing thru their app and I can't connect, so I think I'm good, but how can I be sure?

EDIT: I just opened that app again on my phone and I may have been confusing UPNP with P2P.
I tried to connect to the camera, and even though I'm connected to my VPN it won't connect to the camera thru their app. I'm guessing this is because I disabled its Internet access using the parent controls on the router... Which seems to be working well.

 

[lovemyram4x4]

With iOS devices it's possible to configure them to connect to the VPN on demand (IPSec/L2TP only). Meaning you can set it so whenever you try to access your cams it will automatically connect. This takes a few more steps but is worth considering.

So it will connect to VPN whenever you open up your camera app only?

I'd also like some more info about this so I can set it up on my wife's idevices. Being an Android guy it drives me nuts trying to do things on an iphone and I prefer to know exactly what I need to do before getting so I don't have spend much time on it. Is this all done with native support or will I need to install a certain app?

 

[DavidDavid]

I use openvpn connect on Android, not sure but I assume it's available on ios. I would prefer to keep it on 100% of the time and never bother turning it off, that way I can access my network files, pictures and view cameras whenever I want. I check my live feeds constantly (although that may stop once I get a motion notification set up)

I can't see why you'd want to ever disconnect from your VPN. The main reason I asked my question 2 posts up was specifically for my wife. She won't bother turning it on/off when needed. She honestly doesn't care to view cams, I just want her connection to be secure since she leaves WiFi on all the time.

 

[tangent]

I'd also like some more info about this so I can set it up on my wife's idevices. Being an Android guy it drives me nuts trying to do things on an iphone and I prefer to know exactly what I need to do before getting so I don't have spend much time on it. Is this all done with native support or will I need to install a certain app?

leaving it on all the time isn't much of an issue. The easiest way to setup vpn on demand is using apple configurator (mac only).

 

[lovemyram4x4]

I use openvpn connect on Android, not sure but I assume it's available on ios. I would prefer to keep it on 100% of the time and never bother turning it off, that way I can access my network files, pictures and view cameras whenever I want. I check my live feeds constantly (although that may stop once I get a motion notification set up)

I can't see why you'd want to ever disconnect from your VPN. The main reason I asked my question 2 posts up was specifically for my wife. She won't bother turning it on/off when needed. She honestly doesn't care to view cams, I just want her connection to be secure since she leaves WiFi on all the time.

You know you can setup an always connected VPN with Androids native VPN settings. If what you have is working for you that's fine, I just prefer to not install anything I don't need to(I already have 256 apps on my daily driver)

My wife's the opposite, she only cares about connecting to our network to check the cams, hence I'd like to automate her VPN connection.

leaving it on all the time isn't much of an issue. The easiest way to setup vpn on demand is using apple configurator (mac only).

Oh, this would be for her ipad, I guess I'll just set up so it's on all the time then. To bad there isn't an iTasker.

 

[DavidDavid]

My android only allows the always on VPN for PPTP or L2TP/IPSec, not for openvpn.

Since my NAS and Linux has OpenVPN built in and from what I've read, OpenVPN seems to be top dog that's what I went with and it is working great so far. They have on/off buttons I've got on my home screen that offer one touch connect/disconnect that also works very well.