VPN Primer for Noobs

[Mike A.]

That's exactly what I've just been doing. I wanted to try some different adjustments to the camera's Day/Night mode and IR Illuminator, etc., and I just unblocked it temporarily by logging into the router itself, then blocked it again when I was done.

I wish the Asus router would allow me to block more than 16 devices from the internet. At some point, I'll probably have to move the cams to a separate network that has no internet connection, and then I'll lose the ability to play with them remotely altogether, I suppose. Still, this is all pretty sweet!

Yes, that limit is kind of a pain. Easy to have more things that you'd like to block than that. Again using the terminal interface you can do more with iptables directly. Been a long time since I've messed around with it and I'm not confident giving specific instructions. Search around some and you should find info if you want to try.

Short of that as a more simple fix you can set the gateway, DNS, and other settings on the device itself to its own IP or other non-valid values to prevent it from getting anything out. Assuming that you don't have ports forwarded or devices exposed otherwise, nothing should be coming in anyway other than your own traffic through the VPN. I usually do both so that if I forget or change one or the other at some point there will be at least some fall-back. That will break email, ftp, etc., from the device that some may want to work but behind BI or other system most won't use those much anyway.

You can access the cams behind another network/subnet/VLAN if you set up the routing.

 

[J Sigmo]

Yes, that limit is kind of a pain. Easy to have more things that you'd like to block than that. Again using the terminal interface you can do more with iptables directly. Been a long time since I've messed around with it and I'm not confident giving specific instructions. Search around some and you should find info if you want to try.

Short of that as a more simple fix you can set the gateway, DNS, and other settings on the device itself to its own IP or other non-valid values to prevent it from getting anything out. Assuming that you don't have ports forwarded or devices exposed otherwise, nothing should be coming in anyway other than your own traffic through the VPN. I usually do both so that if I forget or change one or the other at some point there will be at least some fall-back. That will break email, ftp, etc., from the device that some may want to work but behind BI or other system most won't use those much anyway.

You can access the cams behind another network/subnet/VLAN if you set up the routing.

I need to learn more about this all, and you give a lot of potential ways to secure the cameras without using the "parental controls" in the router.

If I was suggesting features for Asus to include in a firmware update, giving us the ability to completely block any and all IPs from the internet full-time would be on the list. They could still limit the parental controls with scheduling and all of that to 16 devices, and I can see where they're trying not to let that "database" grow too large. But in the case of the cameras, printers, some home-control gadgets, PLCs, etc., they can be blocked constantly with no need for any sort of scheduling, so it seems like giving us "all or nothing" blocking for every IP in the range (up to 255 devices) wouldn't suck up too much memory.

I figure setting up the routing tables could accomplish what I want, too, and as you said, securing the cameras themselves by giving them non-working DNSs, gateways, etc., would also be a good idea, and as you mention, it's a good backup, too. And you're right. I suspect a lot of us, particularly using BI, won't need the cameras to have any of the broken capabilities, anyhow.

Thanks!

 

[llarsx]

Here you are: https://swupdate.openvpn.org/community/releases/openvpn-install-2.4.6-I602.exe (from Community Downloads | OpenVPN which is thé official OpenVPN website btw). You can't configure lots of things in it, it can autostart with windows, you load your .ovpn file created on your router/openvpn server and off you og!
Good luck!

CC

Installed and seems working on my win 10 computer, but I am a newbie and can't find how to use the vpn-connection. May be because my test config won't work anyway.

I just installed asus 68u No.2 (192.168.1.1 after my aus 68u No.1 (192.168.10.136) (after ZyXEL bridge 192.168.10.1). Vpn router setting open vpn on No.2: LAN Route = Yes, Netw ip: 192.168.10.136-255.255.255.0, Gateway 192.168.10.1 and second line: 192.168.1.1 -255.255.255.0 and gateway 192.168.10.136. Using this I had access to internet from No.2 spite my two net could not “see” each other (I used Fing to discover ip). No DDNS.

Testing the vpn connection (imported client.ovpn) on my remote computer (192.168.10.140) It seems established OK and with tunnel 10.8.0.5 against 10.8.0.6.

I thought I should see the computer (192.168.1.144) (or camera) on the vpn server site (No.2) and be able to connect to it from remote. Should I look into "network" on my remote computer or use the exact lokal ip on the vpn server site or what else?

I have also installed vpn app on my mobil, but have the same question there. How to use the Connection?

May be I can’t perform a test before I have done a proper vpn server setup (move my asus No.2 to my cabin and set it after the ISP’s bridge), but I hope somebody can tell me how I can use the vpn tunnel when it is established (howto access camera etc.).

 

[catcamstar]

May be I can’t perform a test before I have done a proper vpn server setup (move my asus No.2 to my cabin and set it after the ISP’s bridge), but I hope somebody can tell me how I can use the vpn tunnel when it is established (howto access camera etc.).

This is not an easy "task" on a mobile device - if you use a "windows/linux" testmachine, you got tools like traceroute (tracerte) or variants to see where your packets are flying from and to.

But let's work with what you got:
1) have a look at the logfile from your VPN server: if that one states that the connection is made, you're already good. If not, something else in the config (eg certificates) is messed up
2) on your mobile: open your browser and surf to an IPC on your LAN. Even if you don't have the required plugins, you should already see the login screen. If you don't see the login screen, you know your LAN didn't get extended to your mobile device.

Hope this helps already a bit!
CC

 

[llarsx]

This is not an easy "task" on a mobile device - if you use a "windows/linux" testmachine, you got tools like traceroute (tracerte) or variants to see where your packets are flying from and to.

But let's work with what you got:
1) have a look at the logfile from your VPN server: if that one states that the connection is made, you're already good. If not, something else in the config (eg certificates) is messed up
2) on your mobile: open your browser and surf to an IPC on your LAN. Even if you don't have the required plugins, you should already see the login screen. If you don't see the login screen, you know your LAN didn't get extended to your mobile device.

Hope this helps already a bit!
CC

Here is what I got on my computer with vpn tunnel to the remote asus No.2. It seems OK and I can reach the asus router/vpn server from the remote, but nothing more which is my main question. How to reach my camera or else when the tunnel is established. May be easy for everybody, but not for me.

 

[catcamstar]

View attachment 34527
May be easy for everybody, but not for me.

No worries, we'll drag you through it. From your little screenshot, the vpn connection seems to be established. Do you know whether (or not) the redirect_gateway is on? To know, either look in your server configuration OR look for that line in the client.ovpn file. If you don't have a reason to turn it off, make sure it is turned on. Then open SAFARI, CHROME or any other browser on your vpn client device, and point it to http://internal-lan-IP of your camera. If it works, the tunnel is open and functional. If you don't get the login screen, then we need to dig a bit deeper.

 

[randytsuch]

This wasn't working for me. In a browser, on the remotely connected machine, when I entered an IP address for a camera or the Blue Iris server on my home network, I just got the typical error message that one gets for an unreachable IP address:

"The connection has timed out

The server at 192.168.XXX.XXX:81 is taking too long to respond."

So last night, I altered some settings in my Asus router's Open VPN setup. I switched to 2048 bit encryption (which, I doubt had anything to do with this at all). And I enabled access to both the LAN and The Internet where before I was only enabling access to the LAN. I thought this would just affect surfing through the VPN, but I now think changing that setting fixed the problem. Because now I can see my Blue Iris UI3 by simply typing its IP address and port into a browser at work when that PC is logged into my VPN. I'm not sure why that setting would affect me using this on a PC remotely, but not when using the Blue Iris app on my phone, but that's all I changed.

Anyhow, it's working the way I expected now, for whatever that's worth.

Just say your post, have been away

I never setup openvpn on a PC, just on android and iphone.
I recommend trying it on a phone, its actually pretty easy, and I expect in real life using it on a phone is more practical.

Randy

 

[llarsx]

No worries, we'll drag you through it. From your little screenshot, the vpn connection seems to be established. Do you know whether (or not) the redirect_gateway is on? To know, either look in your server configuration OR look for that line in the client.ovpn file. If you don't have a reason to turn it off, make sure it is turned on. Then open SAFARI, CHROME or any other browser on your vpn client device, and point it to http://internal-lan-IP of your camera. If it works, the tunnel is open and functional. If you don't get the login screen, then we need to dig a bit deeper.

Thank you again.
My test lan has not the camera, but I hope to be clever enough to fullfill the setup at my summer cabin later where I will stay only one or two days hope to setup the new asus 68u as a vpnserver. You say: "point it to http://internal-lan-ip" is - sorry to say, greek to me. Do you mean the ip like 192.168.1.144 or http://internal-lan-ip:??????? or else?
In my test case I hope to reach my laptop 192.168.1.144 in the subnet 192.168.1.1 on Asus No.2 where the vpn server is from the home computer on asus lan No.1. I enclose a pic of the vpn client Connection from my home computer 192.168.10.135 and a pic from the asus (merlin) vpn server status on lan No.2. It all seems OK?

On the asus No.1 (home router) I have a "generic" (ASUSTek) 192.168.10.140 that might be the asus No.2 on the other lan. I of course have looked for the laptop on the other lan but can't see it in Fing.

 

[catcamstar]

Thank you again.
My test lan has not the camera, but I hope to be clever enough to fullfill the setup at my summer cabin later where I will stay only one or two days hope to setup the new asus 68u as a vpnserver. You say: "point it to http://internal-lan-ip" is - sorry to say, greek to me. Do you mean the ip like 192.168.1.144 or http://internal-lan-ip:??????? or else?
In my test case I hope to reach my laptop 192.168.1.144 in the subnet 192.168.1.1 on Asus No.2 where the vpn server is from the home computer on asus lan No.1. I enclose a pic of the vpn client Connection from my home computer 192.168.10.135 and a pic from the asus (merlin) vpn server status on lan No.2. It all seems OK?

On the asus No.1 (home router) I have a "generic" (ASUSTek) 192.168.10.140 that might be the asus No.2 on the other lan. I of course have looked for the laptop on the other lan but can't see it in Fing.

You are indeed trying to replicate your future "to-be" situation in your current "as-is". That has its advantages, but also its disadvantages. For example, if your asus router gets confused by any change of internal lan addresses, you might have to "rebuild" that configurations (which is not that hard on asus).

If you don't have the camera's at hand right now, you can use any other device to "simulate" being a camera. For example, if you'd have a media player (or anything else getting an ip address on your second asus router) - look up the IP address it got from that asus (eg 192.168.1.113), fire up your openvpn client and try to ping 192.168.1.113. If you can ping it with VPN on, you're good, but make sure you can't ping it with VPN off, otherwise you have run into circles.

And affirmative: with "internal-lan-ip" I mean the ip address of the IP camera in the cabin, when doing "http://to-that-internal-ip" should give you the web interface of that camera. MUST work locally (otherwise you have a wiring issue), but SHOULD ONLY work with VPN tunnel activated.

Besides Alpha Papa Tango, I don't know any greek ;-)

 

[J Sigmo]

Just say your post, have been away

I never setup openvpn on a PC, just on android and iphone.
I recommend trying it on a phone, its actually pretty easy, and I expect in real life using it on a phone is more practical.

Randy

Indeed, it was really easy to get the android phones set up to work with our system, and we use them a lot. I used your guide to set that all up, and it went well. So thanks!

But at work, I really am enjoying being able to use a desktop PC and UI3 to check my home's BI server now that I have that set up and running correctly.

Setting up OpenVPN on the desktop (Win7) PC wasn't too hard, but I did initially fall into to the trap of downloading and installing the OpenVPN program that wants you to pay them for a VPN service, and that was confusing. So I had to uninstall that and then find the "real" version. I see that @catcamstar has posted the correct link to get that correct client program a few posts up from here in this thread. That is the version I now have installed on that PC, and it's working well for me.

If you have a PC to play with, I think you'd like using it, too. I need to learn more about it all because I have some other potential uses for VPN access into at least one other network at work. This needs to be very secure, and this may well be a good way to accomplish the security we would need before exposing this other network in any way to the internet.

 

[llarsx]

You are indeed trying to replicate your future "to-be" situation in your current "as-is". That has its advantages, but also its disadvantages. For example, if your asus router gets confused by any change of internal lan addresses, you might have to "rebuild" that configurations (which is not that hard on asus).

If you don't have the camera's at hand right now, you can use any other device to "simulate" being a camera. For example, if you'd have a media player (or anything else getting an ip address on your second asus router) - look up the IP address it got from that asus (eg 192.168.1.113), fire up your openvpn client and try to ping 192.168.1.113. If you can ping it with VPN on, you're good, but make sure you can't ping it with VPN off, otherwise you have run into circles.

And affirmative: with "internal-lan-ip" I mean the ip address of the IP camera in the cabin, when doing "http://to-that-internal-ip" should give you the web interface of that camera. MUST work locally (otherwise you have a wiring issue), but SHOULD ONLY work with VPN tunnel activated.

Besides Alpha Papa Tango, I don't know any greek ;-)

OK. I changed my mobil wifi to the lan on asus No.2 and could ping 192.168.1.49 from my computer 192.168.10.135 on lan No.1, but trying the simular against my laptop on 192.168.1.144 don't work.
Second, when vpn Connect "on" on my mobil (same lan) I could not ping it (on the No.2. lan).

But back to my main question which must be a very silly one, because it seems nobody understand what I am asking for: When the tunnel is established and I can ping, how can I use this tunnel to run programs like ivms-4200 from remote computer (home) reaching the camera which is connected to the vpn server (in the cabin)?

With port forward I only need the extern ip and :80 (from ipad or mobil :8000). Those ports can be changed in the camera.

 

[catcamstar]

OK. I changed my mobil wifi to the lan on asus No.2 and could ping 192.168.1.49 from my computer 192.168.10.135 on lan No.1, but trying the simular against my laptop on 192.168.1.144 don't work.
Second, when vpn Connect "on" on my mobil (same lan) I could not ping it (on the No.2. lan).

Opening VPN connection when being with your mobil on wifi n°2 is a no go: it will connect, but routing is broken (as you are on the same subnet connecting to the same subnet). That will never work. You'll have to connect your mobile to router n°1, open vpn connection against router n°2 and ping something on router n°2. That you can ping 192.168.10.135 is logic, as upstream routing is covered by router n°2.

But back to my main question which must be a very silly one, because it seems nobody understand what I am asking for: When the tunnel is established and I can ping, how can I use this tunnel to run programs like ivms-4200 from remote computer (home) reaching the camera which is connected to the vpn server (in the cabin)?

With port forward I only need the extern ip and :80 (from ipad or mobil :8000). Those ports can be changed in the camera.

Your question is not silly: as long as your ivms-4200 computer can create the openvpn tunnel over your cabin ISP, they can reach all internal network components, being camera, nvr, domotica etc. That is the core concept of VPN.

 

[randytsuch]

Indeed, it was really easy to get the android phones set up to work with our system, and we use them a lot. I used your guide to set that all up, and it went well. So thanks!

But at work, I really am enjoying being able to use a desktop PC and UI3 to check my home's BI server now that I have that set up and running correctly.

Setting up OpenVPN on the desktop (Win7) PC wasn't too hard, but I did initially fall into to the trap of downloading and installing the OpenVPN program that wants you to pay them for a VPN service, and that was confusing. So I had to uninstall that and then find the "real" version. I see that @catcamstar has posted the correct link to get that correct client program a few posts up from here in this thread. That is the version I now have installed on that PC, and it's working well for me.

If you have a PC to play with, I think you'd like using it, too. I need to learn more about it all because I have some other potential uses for VPN access into at least one other network at work. This needs to be very secure, and this may well be a good way to accomplish the security we would need before exposing this other network in any way to the internet.

I can't vpn from work to home, so maybe that's why I'm phone oriented. I guess it would be nice to sit at work, turn on VPN and check out the cams, but my work IT doesn't allow it.

 

[catcamstar]

I can't vpn from work to home, so maybe that's why I'm phone oriented. I guess it would be nice to sit at work, turn on VPN and check out the cams, but my work IT doesn't allow it.

OpenVPN standard ports 1194 is mostly blocked in IT environments, but you might succeed when changing your OpenVPN server port to 443TCP, that way you'll have higher chance to pass by, as https traffic (like on google or even this site) might be allowed.

 

[randytsuch]

OpenVPN standard ports 1194 is mostly blocked in IT environments, but you might succeed when changing your OpenVPN server port to 443TCP, that way you'll have higher chance to pass by, as https traffic (like on google or even this site) might be allowed.

Thanks, but don't want to get in trouble with my IT so I'll just keep doing what Ive been doing.

 

[llarsx]

Opening VPN connection when being with your mobil on wifi n°2 is a no go: it will connect, but routing is broken (as you are on the same subnet connecting to the same subnet). That will never work. You'll have to connect your mobile to router n°1, open vpn connection against router n°2 and ping something on router n°2. That you can ping 192.168.10.135 is logic, as upstream routing is covered by router n°2.

Your question is not silly: as long as your ivms-4200 computer can create the openvpn tunnel over your cabin ISP, they can reach all internal network components, being camera, nvr, domotica etc. That is the core concept of VPN.

Thank you.
Just to be sure. The info that is needed from ipad and mobil (with ivms-4500) is: alias (name), modus (ip/domain), address (ip/hostname), port, username and password. Alias and modus as ip/domain is standard, but address from vpn-tunnel is my question. As mentioned above it is extern ip/hostname, but what should it be via vpn tunnel? The rest: port (8000), username and password I think should be as before.

 

[J Sigmo]

Thanks, but don't want to get in trouble with my IT so I'll just keep doing what Ive been doing.

I'm lucky with my work situation to have a lot of autonomy and control in these areas. But many places would simply not allow much to happen on their networks, and I can understand that.

The OpenVPN app works great on my wife's and my android gadgets, and that gives us good access no matter where we are. She cannot access the internet from her work PCs, either, so the phone fills that need.

And having the VPN available for secure surfing anytime we're away from home and on a public WiFi system is also really handy, too.

 

[catcamstar]

Thank you.
Just to be sure. The info that is needed from ipad and mobil (with ivms-4500) is: alias (name), modus (ip/domain), address (ip/hostname), port, username and password. Alias and modus as ip/domain is standard, but address from vpn-tunnel is my question. As mentioned above it is extern ip/hostname, but what should it be via vpn tunnel? The rest: port (8000), username and password I think should be as before.

Oh, now I understand your question! The way to do this: you configure your ipad & mobil on your LAN in your cabin. If that local address of the cabin camera is 192.168.1.144, you simply use that IP in both devices. That MUST work, without any VPN. Now comes the VPN trick: like I wrote earlier: a VPN tunnel simply extends the local network towards the mobile endpoint at the other side of the VPN tunnel. Even if you are in Australia, Africa or on 4g in the woods: when you open your VPN tunnel, that same 192.168.1.144 is reachable OVER that tunnel. If you would put the WAN ip address of your router at the cabin, you are doing portforwarding on port 8000, and that's exactly what you don't want.

Hope this helps!
CC

 

[llarsx]

Thank you very, very much, catcamstar. Now I can close this case. Just some practical details left:

1. Until now I have tested the new asus 68u at home as a No.2 router, but I am going to move it to my cabin. I use the Merlin software and wonder if it must be reinstalled if I start there with a reset of the asus?

2. Is it recommended to a reset in that situation or is it recommendable to only change ip and details from my home network? That will be much easier.

3. I also plan to change the asus from 192.168.1.1 to 10.0.0.2 as the ISP’s bridge will be 10.0.0.1 and hope that will work or should I not do that?

 

[catcamstar]

Thank you very, very much, catcamstar. Now I can close this case. Just some practical details left:

1. Until now I have tested the new asus 68u at home as a No.2 router, but I am going to move it to my cabin. I use the Merlin software and wonder if it must be reinstalled if I start there with a reset of the asus?

2. Is it recommended to a reset in that situation or is it recommendable to only change ip and details from my home network? That will be much easier.

3. I also plan to change the asus from 192.168.1.1 to 10.0.0.2 as the ISP’s bridge will be 10.0.0.1 and hope that will work or should I not do that?

You're welcome!
1&2. (these are the same question?): if you want to make sure you don't want to carry any misconfiguration with you, then you can reset. But then off course don't forget to harden everthing down again, as those settings will be reset too (eg. parental control/block internet access for the camera's etc). So if you're pretty sure all is well configured, my advice would be to simply pack your stuff, move to the cabin, unpack and change the ip (see question 3). If it works: hooray! If it doesn't work, you can still factory reset over there (hold reset button for 30 seconds, while holding down, unplug the power, wait for another 30 seconds while powered down and startup again - then you have a brand brand new router) on 192.168.1.1 & admin/admin password

2. If I understand your question well: your ISP "bridge" carries the 10.0.0.1 address - however does that "bridge" do routing/natting? If you plug your PC within that intenso network, which address does it get? Or do you have to put 10.0.0.2 and will that work? My ISP does provide a modem (not a bridge), that modem also carries a 10.0.0.1 address, however if a pc / router / .. sends out a DHCP request, it passes out a WAN IP address directly to the pc / router. Putting a 10.0.0.2 address in my pc / router does NOT give access to the internetz, only a login screen for that modem. So if you can share a bit more information on how this ISP Bridge is configured, that would answer your question n°3.

Hope this helps!
CC