VPN Primer for Noobs

So I have been reading and learning with great interest and have since purchased 3 different models of "Andy-cams" and love the ability to customize, etc. compared to my old analog system.

So I have been of the mindset that with strong passwords on the units you are fine. Granted it is better than the default passwords, but enough people on here are adamant that isn't enough and you need to VPN.

In the interim, I have my cameras set up on its own router and wifi unit (192.168.10.xxx) that is different than everything on the house wifi unit (192.168.20.xxx). I can only see the cameras with the respective vendors camera app if I log into the camera wifi and I cannot see them on the home wifi.

So the system is completely isolated from the internet (except for doorbell cam). When I leave the house I simply plug the ethernet cable into the cameras wifi so that I can access the system remotely. This method minimizes the amount of time that the cameras would be discoverable or have the ability to call home. But of course if I forget to plug it in, then I can't see the cams.

I am struggling with wrapping my head around how VPN would work in my situation, or anyone's in general and I guess I am overthinking the process.

So for me to dummy it down, is the process:
  • I take my camera wifi router and block the cameras and soon to be acquired NVR from reaching out to the internet (like a parental block) and then provide internet access to that router? But how does that stop the internet from not talking to the units?
  • Replace a router with one capable of VPN - should that be the house wifi router or the camera wifi router?
  • Here is where I struggle grasping the concept - do you VPN into another address (like maybe 192.168.30.xxx or I guess the IP address of the modem or DDNS) in my case and then internally in the router it links that to the camera wifi address (192.168.10.xxx)? By doing this, my phone is acting like it is at home and the respective camera/NVR apps will work on phone remotely?
  • By setting it up like this, does that completely prevent the NVR or cameras from sending emails or text messages?
 
  • I take my camera wifi router and block the cameras and soon to be acquired NVR from reaching out to the internet (like a parental block) and then provide internet access to that router? But how does that stop the internet from not talking to the units?
  • Traffic from internet would have to pass-thru the firewall on home wifi/router. Unless you enable port forwarding the primary purpose of the firewall is to reject unrequested traffic. However, firewalls are typically much less restrictive against traffic trying to leave your network.
  • Replace a router with one capable of VPN - should that be the house wifi router or the camera wifi router?
  • Either could be made to work, but I would replace the house router/wifi with VPN aware one.
  • Here is where I struggle grasping the concept - do you VPN into another address (like maybe 192.168.30.xxx or I guess the IP address of the modem or DDNS) in my case and then internally in the router it links that to the camera wifi address (192.168.10.xxx)?
  • You will establish the VPN connection to your WAN (public IP address). If, like most consumers, you are unable to get a fixed IP your router might implement DDNS so that if your external IP changes the dynamic DNS service will update so you can reach it using the same friendly name regardless of the current IP.
  • By doing this, my phone is acting like it is at home and the respective camera/NVR apps will work on phone remotely?
  • Exactly, a VPN connection puts your phone "inside your home network"
  • By setting it up like this, does that completely prevent the NVR or cameras from sending emails or text messages?
  • This is more complicated, you need to segment the cameras & NVR on a VLAN and have a VLAN aware router that can "turn off" internet access to those devices to prevent them from trying to call out of your network and other crap (since you can't use dual nic config like a PC). If you do this successfully you cannot send emails and text messages from the NVR/cameras without routing them through an onsite SMTP mail server or allowing traffic via just the SMTP port coming from the devices.
 
Here is a basic layout of my system for illustration purposes:

[Attachment 54453: basic layout diagram of the system]
If you set up appropriate firewall rules on the router that all of the cameras and NVR are connected to, there is no reason to unplug the Ethernet cable.
- Outbound Rule - Block all traffic
- Inbound Rule - Block all traffic
- Enable exceptions:
-- Allowing syncing with an external time server: Outbound UDP to 0.pepwave.pool.ntp.org Port 123
-- Send TLS email: Outbound TCP to Port 587
- Set up VPN between phone and router to allow you to tunnel into the network
If your router doesn't support these, take a look at the Pepwave Peplink Surf SoHo
 
@crw030 and @Inigo - thank you so much for taking time to respond and help clear this up in my head (well a little clearer, I still have questions)!

So in my setup above, in IT terms, my system has two physical LANs - the house wifi router (192.168.20.xxx) and the camera wifi router (192.168.10.xxx) - is that correct? When I am on the house wifi I cannot access the camera wifi unless I switch to that router and vice versa (at least every way I have tried I cannot). And I take it there is no way to be able to connect to the camera router from the outside unless P2P is enabled or I disable P2P and go the VPN route.

My wifi routers do not support VPN unless I flash firmware and would just as soon upgrade anyway. Plus, unless it is changed with a firmware update, the firewall is either on or off, so I don't think I have the option above to block all traffic inbound and outbound and it just blocks what it thinks is bad?

So I am thinking about either one of the VPN capable ASUS routers, the Ubiquiti EdgeRouter X, or now the suggested Pepwave Peplink Surf SoHo. I love the writeup/tutorial someone is currently doing on the Ubiquiti but that seems to be a lot of work but has incredible flexibility and customization. I suspect the Pepwave would be somewhat similar?

Will the ASUS be able to support the advice provided above?

If I go with the ASUS router, would I then take an ethernet cable from the cameras/NVR switch and go directly to the ASUS router and then either eliminate what I am calling the camera wifi router or rename it to be a guest LAN/wifi off of the main LAN that would be used for guests and media services? I am having trouble in my mind figuring out how the VPN would work if I had the cameras on its own separate LAN instead of VLAN? Or maybe I am over complicating it and my setup above is overkill...
 
The Asus option makes it nice and easy to implement the VPN, and you're possibly going to gain improvements in WiFi performance as a bonus. That said flashing your existing router with an open source firmware will probably do the job just fine. I used Gargoyle on a Netgear and it was possibly easier to understand than the Asus which followed... only because of my desire to achieve overall network performance gains.

FWIW, the Netgear/Gargoyle was "behind" an ISP supplied modem/router in bridge mode, and worked just fine. I believe that it would also have been able to be configured to work "router behind a router" as in your current layout.

If you do not have other wants, maybe flash one of the firmwares before you buy new gear?

Cheers, Steve
 
@Barboots thanks for the reply. I just looked up my router and it doesn't show it being a supported model to flash the VPN firmware to it. I guess I could get the ASUS and try flashing the old one and if it bricks it bricks - I just don't want to go without service either LOL. Trying to grasp my head around this is exhausting!
 
OK, so I am going crazy trying to make this ASUS work. As mentioned above, my existing system is two wifi routers (one for the house electronics and another for just the cams). Neither wifi router talks to the other, so when I am on the home network I cannot see the cams and vice versa.

So I get the Asus and replace the home wifi with this unit. I can now see the cams network when on Asus, which isn't surprising since I didn't do any configuration yet. I find the option to make the cam router a "router behind a router". Now I cannot see the cams when on home wifi - which is good.

So then I set up VPN and that was easy, but when I log into VPN, it puts me on my house network and I cannot figure out how to get it to direct to the cam network?

Frustrated and the family wanting on internet, I take the Asus offline and replace with old router. Asus then did something to cam router and I cannot log in to get to its configurations? I ended up having to reset the cam router and upload the config file to access the configurations menus again.

Thoughts?
 
Frustrated and the family wanting on internet, I take the Asus offline and replace with old router.
Based on your diagram, if you replaced the router that was plugged into your modem, at that point all the internet devices (TVs etc) should have been working and had internet access.

I can now see the cams network when on Asus, which isn't surprising since I didn't do any configuration yet.
This is strange to me because I would have expected the 2nd router to have a firewall, that would naturally block traffic trying to enter the camera network. It's actually probably backwards of what you want. Need you to confirm which port on that second router is plugged into which port on the first. Should be LAN-to-WAN imho.

I find the option to make the cam router a "router behind a router". Now I cannot see the cams when on home wifi - which is good.
I don't think you want it setup this way, when on your "home network" unless your 2nd router supports configuring the firewall to prevent the cameras from accessing your home internet (goal is to prevent them from "calling home"), and you can setup access so you can view the camera computer transparently through the 2nd router.

What brand is the 2nd router? And are you certain that one isn't actually the one hooked to the modem?
 
Thanks for the response - it is quite strange indeed! When I installed the ASUS, I had access to everything, but didn't want access from that network to the cam network and now I could see it. It should have been a simple swap out I think...oh yea, when I set up the ASUS I didn't rename the SSID to the old SSID because I was trying it out, so nothing wifi connected because the SSID it was looking for wasn't active LOL.

Yes, so the second wifi router has a firewall and its own separate IP address from the home wifi. It is backwards from what I want with the ASUS LOL! All I did was replace the existing home wifi router with the ASUS. I just went over and confirmed that the wiring is LAN from ASUS to WAN of the cam wifi router. The cam wifi router is an old Belkin in another room, so I can clearly see that the modem is connected to the ASUS that is right next to it.

My intent and goal was to have the home wifi router be separate from the cam wifi router simply to create yet another barrier. With the old router configuration, the home wifi router is 192.168.20.xx and the cam wifi router is 192.168.10.xx. So if I were home, I would just connect to the cam wifi to view the cams. If I were away, I had to remember to plug the ethernet cable back into the wifi router to view cameras away from home, which then of course opened the ability at that time for the cameras to call home.

I was hoping to be able to set up a VPN so that I could use that feature and then completely block the cams from accessing the internet instead of manually plugging and unplugging ethernet LOL. Actually I was hoping to be able to VPN into the cam wifi router instead of the home router or be able to configure the router to only access the cam router thru VPN. I don't have a need or desire to be able to access that remotely. I think what I am envisioning is possible, maybe not with this router? Would flashing the firmware to Merlin give me that ability?

So I guess my options are:
  • keep as is with old routers and accept they may call home from time to time when I remember to plug the ethernet in!
  • switch to ASUS and eliminate the wifi router (is my current setup too much redundancy isolation?)
  • Figure out a different option to VPN.
  • Move the ASUS to the cam wifi router instead and see if VPN will work going thru another router first?
  • Another approach?
 
Perhaps look at setting up a VLAN on the Asus for the cams... it's a similar arrangement to having the second router, which you sound quite set on. I just use the one network and ensure that all security settings are maximised. My cams have no outbound internet access.

Apologies I missed you quoting me. For some reason I didn't get notifications.

Cheers, Steve
 
@Barboots no problem! So I am looking at the EdgeRouter to set up VLAN capabilities as I found conflicting info about how to make it work on the Asus. In your setup, do you have VLANs? Do you have email notifications for motion?
 
No VLAN. Was planning to, set up without, tested, thought about it, but really don't think it necessary. Some others will surely disagree. I've run some scanners and network monitors, and can't see any connections that slightly interest me.

Yes, I get email notifications, however they're from the NVR. I've not looked if you can set an exception for SMTP traffic when you block the cameras simplistically like I have. Perhaps that's where the VLAN becomes invaluable?

Your questions are beyond my pay grade now

Cheers, Steve
 
@Barboots - I'm still learning and most of this is beyond my pay grade LOL. But you still VPN to access cameras remotely? I struggle with grasping how the NVR can be reaching the internet yet not phoning home or home phoning it. I am guessing it is all in firewall protections and rules in routers. Still learning lol!
 
Yes, I use the Asus' OpenVPN with No-IP (free) and "OpenVPN for Android"... the latter being the Arne Schwabe build, not the official app. It works seamlessly, and has numerous other uses once you can dial-in to your home network.

In understanding the security side, firstly it's important to appreciate that connections are unique, so exposure depends on which device is allowed to initiate the communication. We stop the cameras initiating connections by "blocking internet access". Secondly, the VPN connection you establish is secured point to point with a key. The camera can't break out of this communication channel to contact other systems.

Cheers, Steve
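As an added illustration (not code from the thread or from any of its posters), here is a small Python model of what Inigo's rule list above and Steve's point about which side initiates the connection add up to: a default-deny, stateful firewall in front of the camera LAN. The 192.168.10.x camera LAN and 192.168.20.x house LAN are the ones named in the thread; the router's WAN address, the resolved NTP server address, the VPN client pool and the VPN port (OpenVPN's standard UDP 1194) are constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

CAM_LAN = ip_network("192.168.10.0/24")  # camera/NVR LAN named in the thread
# Constructed values (assumptions, not from the thread):
ROUTER_WAN = "203.0.113.10"              # router's public (WAN) address
NTP_SERVER = "198.51.100.123"            # stands in for the resolved NTP pool host
VPN_POOL = ip_network("10.8.0.0/24")     # addresses handed out to VPN clients
VPN_PORT = 1194                          # OpenVPN's standard UDP port


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    dport: int
    sport: int = 40000  # ephemeral source port used by the initiating side


class StatefulFirewall:
    """Default deny both ways, plus the thread's exceptions; replies pass only
    for flows the permitted side initiated."""

    def __init__(self):
        self.flows = set()  # (src, sport, dst, dport, proto) of allowed flows

    def _is_reply(self, p):
        return (p.dst, p.dport, p.src, p.sport, p.proto) in self.flows

    def _policy(self, p):
        src, dst = ip_address(p.src), ip_address(p.dst)
        if src in CAM_LAN:  # outbound from the camera LAN
            if p.proto == "udp" and p.dport == 123 and p.dst == NTP_SERVER:
                return "ALLOW: NTP exception"
            if p.proto == "tcp" and p.dport == 587:
                return "ALLOW: TLS mail exception"
            return "DROP: outbound default deny"
        if dst in CAM_LAN:  # inbound toward the camera LAN
            if src in VPN_POOL:
                return "ALLOW: VPN client is inside the network"
            return "DROP: inbound default deny"
        if p.dst == ROUTER_WAN and p.proto == "udp" and p.dport == VPN_PORT:
            return "ALLOW: VPN endpoint on the router"
        return "DROP: default deny"

    def decide(self, p):
        if self._is_reply(p):
            return "ALLOW: reply to an established flow"
        verdict = self._policy(p)
        if verdict.startswith("ALLOW"):
            self.flows.add((p.src, p.sport, p.dst, p.dport, p.proto))
        return verdict


def run_demo():
    """Run constructed packets through the firewall; returns name -> verdict."""
    fw = StatefulFirewall()
    cam, nvr, phone, cloud = "192.168.10.5", "192.168.10.9", "10.8.0.2", "198.51.100.7"
    cases = [
        ("camera -> NTP", Packet(cam, NTP_SERVER, "udp", 123)),
        ("NTP -> camera (reply)", Packet(NTP_SERVER, cam, "udp", 40000, sport=123)),
        ("camera -> vendor cloud", Packet(cam, cloud, "tcp", 443)),
        ("NVR -> mail server", Packet(nvr, cloud, "tcp", 587)),
        ("internet -> camera web UI", Packet(cloud, cam, "tcp", 80)),
        ("forged NTP reply to camera", Packet(cloud, cam, "udp", 40000, sport=123)),
        ("house LAN -> NVR", Packet("192.168.20.7", nvr, "tcp", 554)),
        ("VPN phone -> NVR RTSP", Packet(phone, nvr, "tcp", 554)),
        ("NVR -> VPN phone (reply)", Packet(nvr, phone, "tcp", 40000, sport=554)),
        ("internet -> router VPN port", Packet(cloud, ROUTER_WAN, "udp", VPN_PORT)),
        ("internet -> router tcp/443", Packet(cloud, ROUTER_WAN, "tcp", 443)),
    ]
    return {name: fw.decide(p) for name, p in cases}
```

Calling run_demo() shows the forged "reply" being dropped because no camera ever initiated that flow, while the NVR's answer to the VPN phone passes only because the phone, inside the tunnel, initiated it.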
 
I've spent days and countless hours reading through this thread. I like to be a good member and try not to repeat questions that have already been asked. :) I am up to page 46 but I am concerned about one thing I see and I don't want to wait any longer.

I use an Asus RT-AC88U router with OpenVPN enabled, BI PC, OpenVPN Connect app on my iPhone, and the BI iPhone app. After some initial struggling I have it working. Seems so simple now. :)

When OpenVPN is enabled and I do a Shields Up, I use the scan that runs up to port 1056 (I believe that's it, work computer won't let Shields Up run). All ports are stealth except port 443, the port I am using for OpenVPN as recommended by Nayr. When I disable OpenVPN, Shields Up shows all ports stealth, including port 443.

Someone back on page 38, post 752 reported his/her Shields Up scan showed all Stealth (maybe they used the term "closed"). Anyway that made me wonder if I have a problem or perhaps that person was using the default OpenVPN port or 1192 (or is it 1194?), so he/she didn't see that port is open because the scan stopped at 1056.

Should port 443 should show open but it's okay because OpenVPN is guarding the "door"?

I don't recall anyone mentioning this through the first 46 pages of this thread other than post 752.
 
Should port 443 should show open but it's okay because OpenVPN is guarding the "door"?

Long answer: if you want ANY traffic from the internet to your internal LAN, you need somewhere somehow an "open" port. We all know (hence this VPN topic) that port forwarding in itself is a real open door, with all its disadvantages (especially if the underlying system is not 100% "internetproof": eg no password strength enforcement, no 2FA, no encryption, "default" admin backdoors etc etc). Golden rule: if you don't trust the back-end, don't expose it to the front-end. Period.
But .. for OpenVPN server to be reachable on the internet, you need to "open" certain ports to work. OpenVPN service is secure (as today, unless "they" find something hackable - remember, there WAS a time that PPTP VPN was the standard too!). VPN Service runs on 1194 UDP/TCP (standard) ports, but some companies (wifihotspots/cellulars/...) might block these ports (because they cannot spy on your surfing behavior, as a VPN tunnel encapsulates (= read: hides) your data within the VPN tunnel stream). Hence @nayr's advice to change to port 443, which is (default) HTTPS traffic, which is commonly used (eg even Google works that way).
Which means, port 1194/TCP or 443/TCP WILL be open through any portscanner (eg GRC).
There are internet services which can be "hidden" (eg block ICMP reply), but what you might try is run your VPN Service on UDP/443 (instead of TCP) - GRC will not detect it.

Short answer: as long as you have configured your VPN server with an adequate security system, you shouldn't be worried.

Good luck reading the further posts :)
CC
 
My ISP furnishes my router/modem. I do not have the option to customize it and it shows no brand/model number. If I purchase an Asus router and install OpenVPN will it work to plug it into my ISP router to access my home network and view BI? Or what other route should I take?
 
My ISP furnishes my router/modem. I do not have the option to customize it
I'm in the same position. The ISP furnishes the router, won't open any ports, and won't let me access it. You can't run a VPN server without an open port. There's an alternative touched on in the BI manual, described in the Remote Access section, called a Secure Tunnel. "...if your ISP simply disallows these type of connections on any port (some satellite services notoriously), your recourse is to use a secure tunnel. " I'm at the Sgt. Schultz level on this: "I know nothing". At first glance, it looks to me like your surveillance system establishes a connection with a 3rd party system, then your remote system establishes a connection with the same 3rd party system, and the 3rd party system relays the traffic back and forth.
 
Is it a specialized dsl/sat modem? what is the model number. Most of the time you can swap theirs for your own.