VPN Primer for Noobs

Poll: What VPN Solution are you using? (839 voters)

llarsx

Getting the hang of it
Joined
May 7, 2018
Messages
215
Reaction score
17
You're welcome!
1&2. (these are the same question?): if you want to make sure you don't carry any misconfiguration with you, then you can reset. But then of course don't forget to harden everything down again, as those settings will be reset too (e.g. parental control/block internet access for the cameras etc.). So if you're pretty sure all is well configured, my advice would be to simply pack your stuff, move to the cabin, unpack and change the IP (see question 3). If it works: hooray! If it doesn't work, you can still factory reset over there (hold the reset button for 30 seconds; while holding it down, unplug the power, wait for another 30 seconds while powered down and start up again; then you have a brand new router) on 192.168.1.1 with the admin/admin password.

3. If I understand your question well: your ISP "bridge" carries the 10.0.0.1 address; however, does that "bridge" do routing/NATting? If you plug your PC into that Inteno network, which address does it get? Or do you have to put 10.0.0.2 and will that work? My ISP does provide a modem (not a bridge); that modem also carries a 10.0.0.1 address, however if a PC / router / .. sends out a DHCP request, it passes out a WAN IP address directly to the PC / router. Putting a 10.0.0.2 address in my PC / router does NOT give access to the internet, only a login screen for that modem. So if you can share a bit more information on how this ISP bridge is configured, that would answer your question n°3.

Hope this helps!
CC
Thank you again. I agree and understand 1&2. But I don't have sufficient information about the Inteno bridge to decide now. I of course need DHCP on the Asus, but I guess not on the Inteno. However, using 10.0.x.x instead of 192.168.1.1 is not important and I think I'll keep 192.168.1.1 to avoid any extra trouble.

This ends my need for help for now.
Regards,
llarsx
 

llarsx

Hallo again.
Now I can reach the remote VPN router and the camera attached to it via OpenVPN. But I have a little problem as the ADSL broadband there gives me less than 1 Mbit/s upstream. With port forwarding I could look at online videos with quite good quality, but through the VPN it is very much poorer. I have used AES-128-CBC as I am aware that 256 would use more of the bandwidth. But there are a lot of other choices.

If I accept poorer security - what choices can I use?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
It depends on your endpoint capability; there was a time that iOS couldn't handle all mixtures of encryption settings. However, keep in mind that you have both encryption (important as it uses CPU!) and compression (even more important as it uses both CPU & network), but also other parameters like fragment size, MTU etc. I recently read an interesting article, including great tips, on how to "improve" your VPN server: Optimizing OpenVPN Throughput | Hamy - The IT Guy

Read it through, and fiddle with these settings. You'll surely find a much better way than doing port forwarding... which remains a no-go!

Hope this helps!
CC
 

llarsx

Thanks and sorry for not responding at once.
I don't dare to change the VPN server as I am far away from it. The link is very instructive and I'll keep it and have a new look at it when I am at my summer cabin after the winter and can "fiddle" with security and compression without losing the connection.

Thank you very much.
 

Tyyees

Young grasshopper
Joined
Oct 31, 2018
Messages
81
Reaction score
12
Location
Northeast
VPN usage question.

I have my open-source VPN set up and running on my iPhone and iPad 24/7, port 443.

When I'm using a public/private WiFi connection (airport, McDonald's, work etc.) other than my network, I'm protected when doing my online banking, surfing the web, etc. by using this VPN connection. I understand the use with my cameras but am a bit confused about its other benefits.
 

catcamstar

Hang on, depending on the configuration of your VPN tunnel setup, not all traffic can be rerouted OVER the VPN tunnel: if you set up your VPN without the "redirect gateway" option, your netbanking session will still be sent "out in plain sight". So first of all, make sure your VPN is set up well. This not only gives you the anonymisation of your data, but also all traffic is encrypted. Plus you can easily "restrict" local access on a per-device metric (e.g. the kids' tablet can't access the cams).

Hope this helps!
CC
 

Tyyees

Catcamstar thanks

I checked my Asus router and under the VPN option the "Direct Clients to Redirect Internet Traffic" option is set to NO. Is this the setting I should set to YES to make what you say work? If so, is everything I do remotely redirected through my router?

Any other options in the VPN setup I should check?

Also, when I change settings on my Asus router VPN, must I also update all my devices to take advantage of these changes? Export function?
 

catcamstar

So indeed, with that option set to "no", your VPN tunnel is "smart" enough to see if your phone wants to access an internal LAN IP (e.g. 192.168.x.x), and only "pulls" that traffic over the tunnel. Which means that surfing to google.com goes over plain 4G/hotspot internet access. Putting that option to "yes" will send all traffic secured over the VPN tunnel, but do take into account that this behaviour has a side-effect: your home ISP bandwidth consumption is doubled! All data coming from/to your phone is sent over the VPN tunnel to your VPN server and, in case of non-LAN traffic, sent out to the internet on your home ISP connection. In numbers: if you watch a 20MB YouTube movie on your phone, there is 20MB from YouTube to your home ISP plus 20MB from your home (VPN server) to your VPN client. The good news is that a VPN tunnel also applies (some) compression on top of the encryption.

Hope this clarifies a bit more the general concept!
CC
 

Tyyees

Thanks Catcamstar

So the YES option is not really an option if my internet download speed is at best 5 Mbps, a bit more at certain times but nothing above 7? Still not safe using WiFi in public if set to NO?
 

catcamstar

The classic answer applies: "it depends". If it is for "casual surfing" or your "occasional netbanking", these apps are made for mobile device usage; your 4G might not be able to handle these 7 Mbps either. So yes, it will go a bit slow(ish); however, keep in mind that with the option set to NO, even when using HTTPS to your netbanking, the DNS requests are still done over unencrypted UDP/TCP, which means they still reveal where you are surfing to. Deciphering of the HTTPS traffic should not be your main concern, and like someone on this forum already wrote: if you are a potential target, they already have stuff planted on your device itself which can log directly on it without having to look into the encrypted packets themselves.

Bottom line: even with 5 Mbps, I would enable the option anyhow, and take the slowdown as an advantage. In the long run, you could configure 2 OpenVPN servers (e.g. one on 443 and one on a randomly selected port), the first with the option enabled and the second not; you install the two .ovpn profiles on your devices and you can choose the one you feel "comfortable" with.

Life is about choices. And this is one of them ;-)

Hope this helps!
CC
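The three points catcamstar makes above (the redirect option deciding whether only LAN traffic or everything goes through the tunnel, DNS queries leaving in the clear on a split tunnel, and running two servers with different policies) can all be checked against the server config instead of trusting the router UI. The script below is an added example and not code from the thread, from Asus or from OpenVPN: it reads an OpenVPN server config, unwraps the `push "..."` lines, and reports the tunnel policy, the pushed DNS server, the cipher and whether compression is on, then answers "would a packet to this address go via the VPN?" for a LAN camera and an internet host. Both configs are constructed; every port, LAN range and address in them is made up, and the assumption that the Asus "Direct Clients to Redirect Internet Traffic" switch corresponds to a pushed `redirect-gateway def1` is mine, not stated on the page.

```python
"""Audit what an OpenVPN server pushes to its clients: full tunnel
(redirect-gateway) or split tunnel (explicit LAN routes), DNS handling,
cipher and compression.  Added example for this thread, not code from the
router or from OpenVPN; both configs are constructed and every address,
port and LAN range in them is made up."""
import ipaddress
import re

# Constructed: the "all traffic over the VPN" case on port 443.  A pushed
# DNS server is included so name lookups also travel through the tunnel.
FULL_TUNNEL_CFG = """\
port 443
proto udp
dev tun
server 10.8.0.0 255.255.255.0
cipher AES-128-CBC
auth SHA256
push "redirect-gateway def1"
push "dhcp-option DNS 192.168.1.1"
"""

# Constructed: the split-tunnel case on a random high port.  Only the home
# LAN is routed into the tunnel; web traffic and DNS stay on the phone's own
# 4G/hotspot path.  Compression is on, as the thread suggests trying.
SPLIT_TUNNEL_CFG = """\
port 51194
proto udp
dev tun
server 10.8.1.0 255.255.255.0
cipher AES-128-CBC
auth SHA256
comp-lzo
push "route 192.168.1.0 255.255.255.0"
"""


def directives(text):
    """Yield (keyword, args) per directive.  push "..." is unwrapped so a
    server-pushed option is treated like the same option in a client file."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # comment lines
            continue
        m = re.fullmatch(r'push\s+"(.*)"', line)
        if m:
            line = m.group(1).strip()
        parts = line.split()
        yield parts[0], parts[1:]


def audit(text):
    """Summarise the tunnel policy and list the points a practitioner
    would want to know about before trusting the profile."""
    rep = {"port": None, "full_tunnel": False, "routes": [], "dns": [],
           "cipher": None, "compression": False, "findings": []}
    for kw, args in directives(text):
        if kw == "port" and args:
            rep["port"] = int(args[0])
        elif kw == "redirect-gateway":
            rep["full_tunnel"] = True
        elif kw == "route" and len(args) >= 2:
            rep["routes"].append(
                ipaddress.ip_network(f"{args[0]}/{args[1]}", strict=False))
        elif kw == "dhcp-option" and len(args) >= 2 and args[0].upper() == "DNS":
            rep["dns"].append(args[1])
        elif kw == "cipher" and args:
            rep["cipher"] = args[0]
        elif kw == "comp-lzo" and args != ["no"]:
            rep["compression"] = True
        elif kw == "compress" and args and args[0] not in ("stub", "stub-v2"):
            rep["compression"] = True

    f = rep["findings"]
    if rep["full_tunnel"] and not rep["dns"]:
        f.append("full tunnel but no DNS server pushed: the client keeps its "
                 "local resolver, so lookups leak to the hotspot or fail")
    if not rep["full_tunnel"]:
        nets = ", ".join(str(n) for n in rep["routes"]) or "nothing"
        f.append(f"split tunnel: only {nets} goes via the VPN; web traffic "
                 "and DNS queries leave through the local network")
    if rep["compression"]:
        f.append("compression enabled: extra CPU on the router, and OpenVPN's "
                 "own documentation warns it can leak plaintext (VORACLE)")
    if rep["cipher"] and rep["cipher"].upper().endswith("-CBC"):
        f.append("CBC cipher with a separate HMAC pass per packet; an AEAD "
                 "cipher such as AES-128-GCM does both in one and is worth "
                 "benchmarking on the router CPU")
    return rep


def via_tunnel(rep, dst):
    """Would a packet to dst be routed into the tunnel under this policy?"""
    ip = ipaddress.ip_address(dst)
    return rep["full_tunnel"] or any(ip in net for net in rep["routes"])


if __name__ == "__main__":
    for name, cfg in (("full", FULL_TUNNEL_CFG), ("split", SPLIT_TUNNEL_CFG)):
        rep = audit(cfg)
        print(f"[{name}] port {rep['port']} cipher {rep['cipher']}")
        for dst in ("192.168.1.50", "93.184.216.34"):
            print(f"  {dst:>15} -> {'tunnel' if via_tunnel(rep, dst) else 'local'}")
        for note in rep["findings"]:
            print("  !", note)
```

Run it against the real server config exported from the router (or against a client .ovpn, since the same directives are valid there without the `push` wrapper) before relying on the tunnel at a public hotspot: the finding to look for is the split-tunnel line, which means the browser and the DNS resolver are talking to the hotspot directly.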
 

Tyyees

Catcamstar

I tested my VPN at McDonald's and everything seemed to work great, no problems accessing my cameras. I tried first without turning on the VPN setting and it would not connect. Turned on, it worked great.

Decided to give the "Direct Clients to Redirect Internet Traffic" option a try. Big mistake. Router locked up and I couldn't do anything with it. I did reboot the router before trying anything, but that shouldn't have caused a problem, again I assume. I guess the 5 Mbps I get just wasn't enough to do the job. Without being able to even sign into the router I had to reset. Not a problem as I can set up the VPN in my sleep now.

I like the idea of this option but I'll settle for securely viewing my cameras.
 

pbc

Getting comfortable
Joined
Jul 11, 2014
Messages
1,024
Reaction score
156
Okay, so this is mind-boggling. So completely out of the blue yesterday, my Galaxy S8 stopped connecting in iVMS-4500 via OpenVPN. Am now getting an 8200 error on that device when trying to connect. But my wife's S6 (originally had the problem) works fine.

Tried uninstalling and reinstalling 4500, tried the above settings which worked on my S6 originally, nothing.

WTH?? I've changed nothing on my router, phone settings, iVMS, OpenVPN, nothing; it just suddenly decided to start giving me an 8200 error. Any thoughts?
Well, getting back to this as I've been seeing illegal logins from some Russian address 80.251.50.20.

I'm at a complete loss here, as I was using OpenVPN with success until, well, out of the blue, I was no longer able to connect to my cameras and now just get 8200 errors. Has anyone seen similar behaviour on their Android phones and figured out what the issues were?

Seems currently my options are 1) don't view my security cameras unless I'm at home, which doesn't seem like a great option, or 2) keep port forwarding and somehow apply more protection than I currently am (not sure what that would be... using a different port from 8000??).

Really frustrated at this point as no phones are working now. Not my S8, nor my S6's (two of them).

But I get a connection with OpenVPN just fine, and when I input my local IP address into the iVMS-4500 app while connected via mobile data (not WiFi, so an external network), it recognizes that there are 7 cameras, so it must be seeing the device??
 

pbc

OpenVPN Connect. Doesn't matter though, just tried the one linked and get the same error in ivms unfortunately, but thanks for the quick response.
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
PBC

On your home network, where is OpenVPN located, on a router or on a computer?
If on a router, what is the type and model number?
Who is the DDNS provider? Or are you using a static IP address?

The Russian IP address is nothing to be concerned about if you have good security. My system is being scanned by foreign IP addresses daily.
 

pbc

Netgear R7000 (first-gen model). Though I just bought an Asus AC68U to check whether a pure Asus-firmware router that has better OpenVPN capability native to it will work better. Odd thing is that it was fine for a period of time... Then I read some negative stuff about the Asus firmware for the R7000 and tried DD-WRT and stock Netgear to no avail, then reverted back to Xwrt-vortex and it still didn't work.

So back to stock... and it still won't connect even though the OpenVPN app implies it is connecting. I can't get iVMS-4500 to do live view (it recognizes 7 cams but I get an 8200 error when I try to view the cam feed). Plus I can't access any local IPs (times out) through the VPN.

The issue is more that I am port forwarding, and now that I've learned how to check the logs in my NVR I see repeated login attempts by various IPs (Russian, Chinese and German). I assume I am only seeing the unsuccessful ones, i.e. if their brute-force attacks are eventually successful I don't see those as illegal logins?

DDNS is whatever came with Netgear (No-IP if I recall?).

Hoping the new Asus router works, but wondering more if it is an issue with a setting on my phones even though I've tried everything it seems at this point.
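pbc's question above, whether the log only shows the unsuccessful attempts, is the right one to ask of a port-forwarded NVR: a failed attempt is logged as an illegal login, but a brute force that eventually succeeds produces an ordinary remote login entry from the same source address, so the two have to be correlated. The script below is an added example, not from the thread or from the NVR vendor: it counts failed logins per source address, lists successful logins from outside the home LAN and the VPN client range, and flags any success that came from an address which had been failing, which is the case the "illegal login" view alone never shows. The log format (timestamp, major type, minor type, source IP, user) is constructed for this example and is not the NVR's real export format; the VPN client range and every address except the one pbc quotes are made up.

```python
"""Triage NVR login logs: count failed ("illegal") logins per source
address and flag successful remote logins from outside the LAN and the VPN
range, especially from an address that was also failing shortly before,
which is what a brute force that finally got through looks like.  Added
example for this thread; the log format, the VPN range and every address
except the one quoted in the thread are constructed for illustration."""
import ipaddress
from collections import Counter

LAN = ipaddress.ip_network("192.168.1.0/24")   # home LAN, as in the thread
VPN = ipaddress.ip_network("10.8.0.0/24")      # assumed OpenVPN client range

# Constructed log lines: timestamp, major type, minor type, source IP, user.
# Failures are logged as "Illegal Login"; a successful remote session as
# "Remote: Login", so a successful brute force never shows up as "illegal".
LOG = """\
2018-11-02 03:14:07,Exception,Illegal Login,80.251.50.20,admin
2018-11-02 03:14:09,Exception,Illegal Login,80.251.50.20,admin
2018-11-02 03:14:12,Exception,Illegal Login,80.251.50.20,admin
2018-11-02 03:20:41,Exception,Illegal Login,203.0.113.77,root
2018-11-02 07:02:15,Operation,Remote: Login,10.8.0.6,admin
2018-11-02 11:48:30,Exception,Illegal Login,198.51.100.9,admin
2018-11-02 11:48:33,Operation,Remote: Login,198.51.100.9,admin
2018-11-02 18:05:00,Operation,Local: Login,192.168.1.20,admin
"""


def parse(text):
    """Yield one dict per log line; blank lines are skipped."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, major, minor, ip, user = (p.strip() for p in line.split(",", 4))
        yield {"ts": ts, "major": major, "minor": minor,
               "ip": ipaddress.ip_address(ip), "user": user}


def is_trusted(ip):
    """Addresses that may legitimately log in: the LAN and VPN clients."""
    return ip in LAN or ip in VPN


def triage(text):
    failed = Counter()          # failed attempts per source address
    outside = []                # successful logins from untrusted addresses
    for e in parse(text):
        if e["minor"] == "Illegal Login":
            failed[str(e["ip"])] += 1
        elif e["minor"].endswith("Login") and not is_trusted(e["ip"]):
            outside.append(e)
    # A success from an address that was also failing is the case the
    # "illegal login" view alone would never reveal.
    got_through = [e for e in outside if failed[str(e["ip"])] > 0]
    return {"failed_by_ip": dict(failed),
            "success_outside": outside,
            "brute_force_success": got_through}


if __name__ == "__main__":
    r = triage(LOG)
    for ip, n in sorted(r["failed_by_ip"].items(), key=lambda kv: -kv[1]):
        print(f"{n:3d} failed logins from {ip}")
    for e in r["success_outside"]:
        tag = "AFTER FAILURES" if e in r["brute_force_success"] else ""
        print(f"successful login from outside: {e['ip']} as {e['user']} "
              f"at {e['ts']} {tag}")
```

On the constructed input the VPN client at 10.8.0.6 is trusted and ignored, 80.251.50.20 shows three failures and no success, and 198.51.100.9 is reported as a login from outside that followed a failure. Once the port forward is removed and only VPN clients can reach the NVR, any entry in the "success from outside" list is a finding on its own, whatever the failure count says.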
 

SouthernYankee

Start with the stock Asus router and use the Asus service for DDNS. Set up the Asus OpenVPN.
Follow the directions here:
Randy : OpenVPN on a Asus router

I have had absolutely no problems with the Asus OpenVPN in the 8 months I have used it from my Android phone, Nexus 10 and Windows 7 laptop.

Do not test OpenVPN from your phone. Test from a laptop at a remote location (coffee shop). A number of phone providers have problems with (block) OpenVPN. Test only with WiFi.
 

pbc

Yeah, that's the link I followed when I first set it up on my R7000 running Asus firmware. Will do.
 

pbc

BTW, just tried it via WiFi as well (hooked up to my company network here). Same issue. What I don't understand is that it is clearly getting information from my NVR, i.e. it correctly identifies 7 cameras that are hooked up to it. But then it just hangs when I hit "Start Live View" or try to connect, say, to my NVR's local IP address.

If I go to my NVR's local IP address (192.168.1.xx), sometimes I can log in and see the web interface (right now it is letting me in and allowing me to access Config, etc.), other times it just hangs... well, right now it's hanging again.

So maybe it is the OpenVPN server struggling on the Netgear R7000 for some reason and it isn't passing on enough data to the iVMS-4500 app before it hangs? Hopefully the new router fixes it. Think it arrives Wednesday.
 

pbc

Anyone using a Raspberry Pi 3 or the like as an OpenVPN server?
 