VPN Primer for Noobs


I configured the VPN using several guides because understanding how to generate certificates etc was difficult at the start and several ways of explanation helped me to grasp the setup process.
OMG-- that is EXACTLY where I am at. That bold part is a total UNDERSTATEMENT! Please share the resources you used. I have dd-wrt running on a Netgear WNR3500L v2 router.
Man--- dd-wrt provides the input fields for everything--- but gives no real explanation about what to put there.... Am I going to have to learn Linux???

EDIT---- :banghead: I think I am getting it now...... Cancel the Alarm :thumb:
 
Hi guys,

I have set up an OpenVPN server on a Netgear WNDR3800 Gargoyle router connected behind a Technicolor DJA0230TLS modem/router. My phone connects to the VPN server using mobile internet, but tinyCam, remote desktop, etc. apps won't work. The Technicolor is in bridged mode with the 192.168.0.1 address and the Netgear is on the 192.168.0.100 address. I have forwarded port 1194 to the 10.8.0.1 VPN server in the Netgear's firewall. What am I missing, and why am I unable to access local devices when the VPN is connected successfully?
 
Hey guys - I see this thread is very, very long. Is there a "Best Practices Guide" of sorts for securing your network when adding IP cams and a Blue Iris PC? I have a bit of networking experience but definitely not a professional. But I think I can implement any strategy that is recommended... There's a lot of talk on here but I was hoping for a guide. Does that exist? Have I just missed it somewhere?

A little about my setup: I will be running a PC with Blue Iris and storing the footage there. But that PC will also be running a PLEX server... I've read the basic dual-NIC strategy and instructions but I'm concerned that it will limit the access to the cameras too much for my tastes. I want to see them on various devices like my FireTV, MacBook and iPhone (and Echo Show devices if I can).

I'm open to discussing and taking recommendations from people on this thread but I hate to make it even longer. Or maybe someone can reference a thread or pages dedicated to VLANs and other methods?
 
Read How to Secure Your Network (Don't Get Hacked!) in the wiki also.

You have no need to access the cameras after initial setup. You can directly access your cameras from the BI PC. Your cameras MUST NOT have access to the internet. Use two nics or a VLAN.
 
Yea OK. I misspoke. When I said "access cameras" I meant access camera recordings/streams on Blue Iris...

Thank you for the direction. I already read that "How to Secure Your Network". It led me here lol...

What is the downside to going the two NICs route? The VLAN setup just seems more flexible to me. And possibly more secure in the end if I set it up for my devices to access the computer, no? I'll see if I can find a comparison on here... I am open to either. I just don't want to be limited in accessing the recordings, nor do I want it to be a lot of trouble to do so.
 
What is the downside to going the two NICs route?
I've gone the 2 NICs route. I really see no downside. It is plug and play, no configuring VLANs, etc. The cameras are physically separated from the internet. They come in to the BI server via one NIC. The BI server is accessed from my LAN (non-camera) via the 2nd NIC. I can use UI3 from any machine on my LAN. I can access the BI server from outside my LAN. If I need to access a camera web GUI, then I can either sit at the BI server and do that, sit at my office desktop (which also is using two NICs) and access them, or RDP into either of those two machines and bring up a camera via its web GUI.

But I have a very basic setup. Those that have gone the VLAN route have reasons to go that way instead of dual-NICs.
 
The VLAN setup just seems more flexible to me.
If you are comfortable with VLANs, it will be more flexible. Some reasons to use VLANs include:
  • if you run Blue Iris as a virtual machine (you can use a combination of VLANs and dual virtual nics if you want)
  • if you have one physical nic and can't add a second nic (not sure why you can't because USB nics work well). You can trunk to your BI machine and separate it to two VLANs.
  • you have a managed switch with plenty of ports and don't want to buy another switch. Good to save energy anyway.
  • you have other home tech that would be nice on a separate VLAN. For example, an IoT VLAN. You don't want your refrigerator or garage door opener talking on your internal network with some sort of watchful eye. If these IoT devices need to talk to the Internet (which they do if you want to remotely open your garage door), it might be prudent to put them on a DMZ.
  • if you are a total geek and virtualize your other servers and you do service chaining between VMs (pfSense to Blue Iris on a separate L2 segment (perhaps a 2nd DMZ off pfSense)).

If you have a switch that supports VLANs, you could do a dual NIC with VLAN approach. Just configure two VLANs (let's call them 100 and 200). Some ports on the switch are configured to be on VLAN 100 and others on VLAN 200. VLAN 100 is for your internal network and VLAN 200 is for cameras. Have your dual NIC Blue Iris server plug one port into VLAN 100 and the other into VLAN 200. Don't configure any inter-VLAN routing and don't set an SVI on VLAN 200. Now you have a dual NIC setup with one physical switch. You might save about 30-50W or more depending on how much energy a 2nd switch consumes (running 24/7/365).
 
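The dual-NIC answers above rest on one rule: the camera-side NIC on the Blue Iris PC must carry no default gateway, otherwise the camera segment has a path toward the internet through that PC. A quick way to verify it, as an added example (not code from the thread, from Blue Iris, or from any poster): a Python script that parses the IPv4 section of Windows `route print` output and flags any 0.0.0.0 route bound to the camera NIC. The route table embedded here is constructed, with `10.0.50.1` as a hypothetical camera-side NIC address and `192.168.1.50` as the LAN-side NIC.

```python
import re

# Constructed sample of `route print` IPv4 output from a dual-NIC Blue Iris PC.
# 192.168.1.50 is the LAN-side NIC, 10.0.50.1 the camera-side NIC. The second
# 0.0.0.0 row is the mistake this check exists to catch: a gateway configured
# on the camera NIC gives the camera segment a route toward the internet.
ROUTE_PRINT_BAD = """\
===========================================================================
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50     25
          0.0.0.0          0.0.0.0      10.0.50.254       10.0.50.1     35
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
      192.168.1.0    255.255.255.0         On-link      192.168.1.50    281
        10.0.50.0    255.255.255.0         On-link         10.0.50.1    281
===========================================================================
"""

# The same table with the camera NIC's gateway row removed (the correct configuration).
ROUTE_PRINT_GOOD = "\n".join(
    line for line in ROUTE_PRINT_BAD.splitlines() if "10.0.50.254" not in line
)

DOTTED_QUAD = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")


def parse_route_print(text):
    """Return the IPv4 route rows as dicts; header and separator lines are skipped."""
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or not DOTTED_QUAD.match(fields[0]):
            continue
        dest, mask, gateway, iface, metric = fields
        rows.append({"dest": dest, "mask": mask, "gateway": gateway,
                     "iface": iface, "metric": int(metric)})
    return rows


def default_gateways_on(rows, iface_ip):
    """Gateways of 0.0.0.0/0.0.0.0 routes bound to the interface with address iface_ip."""
    return [r["gateway"] for r in rows
            if r["dest"] == "0.0.0.0" and r["mask"] == "0.0.0.0" and r["iface"] == iface_ip]


def audit_camera_nic(text, camera_ip):
    """Findings for the camera NIC: it should carry only its own on-link subnet route."""
    rows = parse_route_print(text)
    findings = []
    for gw in default_gateways_on(rows, camera_ip):
        findings.append(f"camera NIC {camera_ip} has a default route via {gw}; remove its gateway")
    for r in rows:
        # Any other gateway-based route on the camera NIC is also a path off the segment.
        if r["iface"] == camera_ip and r["gateway"] != "On-link" and r["dest"] != "0.0.0.0":
            findings.append(f"camera NIC {camera_ip} routes {r['dest']}/{r['mask']} via {r['gateway']}")
    return findings


if __name__ == "__main__":
    for label, table in (("bad", ROUTE_PRINT_BAD), ("good", ROUTE_PRINT_GOOD)):
        print(label, audit_camera_nic(table, "10.0.50.1") or ["ok"])
```

Run it against the real output of `route print -4` on the BI PC, passing the camera NIC's own address; the only row that should mention that address is its on-link subnet. The same check applies to the VLAN variant of the setup (VLAN 200 with no SVI): the camera-side interface still has no gateway, and the switch side is what keeps the two VLANs from being routed together.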
Thanks a lot for the input and ideas guys. It sounds like the dual-NIC setup is more flexible than I thought. I don’t really want to over complicate things unnecessarily. But I do like the idea of having the ability to do other things with my network down the road.

I don’t already own a managed switch OR a large switch. And I do need a large switch for the new house no matter what I do. I really need at least 24 ports non-PoE and 8 PoE at a minimum.

So I guess the real question becomes what all might I want to do with my network in the near future... Any advice on general security issues I should address otherwise?

I am amassing quite a bit of smart home tech that I really want to make more secure and keep away from the internet when possible... But I’m not advanced enough and haven’t spent the time to figure it all out... Right now I just have a very simple setup with a few small unmanaged switches pieced together and connected to a couple Velop nodes acting as a router.

Feel free to offer advice on the basics
 
Not sure if this is the best place to ask... I purchased BlueIris and am moving over from my Hikvision cameras. I'm following an online tutorial and at one point it suggests configuring the web server and using a high numbered port. I'm curious, if I do that, is it effectively opening up that port to any outsider? Is there something I should be configuring before doing this, or not setting up the web server at all for that matter?

Edit: Hmmm...same person is suggesting opening up a forwarding port in the router, which I don't want to do. On that note, is there a more secure method of setting up the web server function in BI?
 
So I am trying to power through and learn the VPN things as I take @nayr at his word...obviously knows his stuff. Thus far I have been able to get OpenVPN up and running using this video however I am now stumped on how to create the config file for the client, which will be an android phone using OpenVPN for android. I will say I am pretty embarrassed how much of this process is new to me. I am good with computers, and programs, but networks/routers and security are just not in my skillset so talk to me like I am a baby cause I feel like one. If needed below is the config of the server and it works. However in the video he does not really get into configuring a client. I have read and viewed some examples, but am fairly stumped at what to enter for the remote server address (not even sure where to find that) and really what all information is required. Each example seems to be different in what they include or leave out. Any direction would be appreciated. I can give an example of my failed attempt at the client config as well if needed. I also highlighted in red the information on the server file that I am not sure if that is correct or not, just followed the video.

dev-node "ServerVPN"
mode server
port 443

proto tcp4-server
dev tun

tls-server
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key" 0

tun-mtu 1500
tun-mtu-extra 32
mssfix 1450

ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"

server 10.10.10.0 255.255.255.0

client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo

persist-key
persist-tun
client-config-dir "C:\\Program Files\\OpenVPN\\config"

verb 3

route-delay 5
route-method exe

push "route 192.168.0.0 255.255.255.0"
route 192.168.182.0 255.255.255.0
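The client side that this post asks about, as an added example (not from the thread, from the video, or from the OpenVPN project): a Python script that reads a server config like the one above and writes the matching client profile, so each client directive is derived from the server line it has to agree with (protocol, port, cipher, compression, and the tls-auth key direction, which must be the opposite of the server's). The server text embedded in the script is a constructed copy of the posted config. `vpn.example.invalid` is a placeholder for what `remote` needs, the public address of the network the server sits behind (the WAN IP or a DDNS name), and `phone` stands in for whatever the client certificate was named when it was generated; the key files are referenced by bare file name, as they are when placed next to the profile.

```python
import shlex

# Constructed copy of the server config posted above (route directives omitted).
SERVER_CONF = r'''
dev-node "ServerVPN"
mode server
port 443
proto tcp4-server
dev tun
tls-server
tls-auth "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ta.key" 0
ca "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ca.crt"
cert "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.crt"
key "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\ServerVPN.key"
dh "C:\\Program Files\\OpenVPN\\easy-rsa\\keys\\dh2048.pem"
server 10.10.10.0 255.255.255.0
client-to-client
keepalive 10 120
cipher AES-128-CBC
comp-lzo
persist-key
persist-tun
verb 3
push "route 192.168.0.0 255.255.255.0"
'''


def parse_conf(text):
    """Return (directive, [args]) pairs; blank lines and #/; comments are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('#', ';')):
            continue
        directive, _, rest = line.partition(' ')
        entries.append((directive, shlex.split(rest)))  # shlex handles the quoted paths
    return entries


def first(entries, name, default=None):
    """Arguments of the first occurrence of a directive, or default if absent."""
    for directive, args in entries:
        if directive == name:
            return args
    return default


def derive_client(server_text, remote_host, client_name):
    """Build a client .ovpn whose settings match the given server config."""
    entries = parse_conf(server_text)
    proto = first(entries, 'proto', ['udp'])[0]
    client_proto = proto.replace('-server', '-client')   # tcp4-server -> tcp4-client; udp unchanged
    port = first(entries, 'port', ['1194'])[0]
    lines = [
        'client',                       # implies tls-client and pull
        'dev tun',
        f'proto {client_proto}',
        f'remote {remote_host} {port}',  # public address of the server's network + server port
        'nobind',
        'resolv-retry infinite',
        'persist-key',
        'persist-tun',
        'remote-cert-tls server',       # only accept a peer cert issued for server use
        'ca ca.crt',
        f'cert {client_name}.crt',
        f'key {client_name}.key',
    ]
    tls_auth = first(entries, 'tls-auth')
    if tls_auth:
        # Key direction is asymmetric: server 0 pairs with client 1 and vice versa.
        server_dir = tls_auth[1] if len(tls_auth) > 1 else '0'
        lines.append(f"tls-auth ta.key {'1' if server_dir == '0' else '0'}")
    cipher = first(entries, 'cipher')
    if cipher:
        lines.append(f'cipher {cipher[0]}')              # must match or the tunnel fails
    if first(entries, 'comp-lzo') is not None:
        lines.append('comp-lzo')                         # both sides or neither
    lines.append('verb 3')
    return '\n'.join(lines) + '\n'


if __name__ == '__main__':
    print(derive_client(SERVER_CONF, 'vpn.example.invalid', 'phone'))
```

The output goes into a `.ovpn` file that is imported into OpenVPN for Android together with `ca.crt`, `ta.key` and the client's own `.crt`/`.key`. Two things the server config alone does not tell you: TCP 443 has to be forwarded from the router to the BI PC for `remote` to reach it, and `remote-cert-tls server` only works if the server certificate was generated as a server certificate (easy-rsa's `build-key-server` does this); it stops another issued client certificate from posing as the server.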
 
You are thinking way too much (easy to do, I was there too LOL). Simply have your router create an OpenVPN certificate and copy that to your Android device. Install OpenVPN on your Android device and then select that certificate and magic happens. There might be a step missing, but I recall that once I quit overthinking it, it really was fairly simple.
 
I think you may be assuming I used an ASUS router with VPN built in. I am not...using my BI server PC to act as the OpenVPN server. I read the post on ASUS and see that it generates the required files for you...this method does not. I believe I have all the keys and certificates created properly for both server and client...but the config files I am less confident (server) and clueless (client) on their creation
 
@cmderden79 , I was in your shoes before.
I had the same idea of setting OpenVPN server on the BI PC.
I also watched the video: https://www.youtube.com/watch?v=hKfHwQgAsUo that you posted earlier.
After watching it and reading the OpenVPN help sample, I was pulling my hair out!!!!
In the process I took too many assumptions (that I am not an expert at) to make things work.
I had spent most of my weekends trying to figure out how things work.
After doing all the hard work, my reward of success paid off.

If you insist on getting the OpenVPN server up and running, then stop reading here and walk away.

Or if you want to know the other alternative, keep reading my thread.....

My solution to implement OpenVPN was to use a free and open source program called:
SoftEther VPN: https://www.softether.org/
Note: you need to open the OpenVPN ports (port forwarding) on your router for it to work.
======================================================================
Please watch this video by Bernado:

It may be very long, but commit your time and watch the entirety of the tutorial.
And also follow the steps as described by Bernado closely.
==============================================================================================
The other alternative is WireGuard (also free and open source), which I think is the EASIEST to set up by far:
How to Setup Wireguard VPN Server On Windows - Henry's Portal
 
Not sure if this is the best place to ask... I purchased BlueIris and am moving over from my Hikvision cameras. I'm following an online tutorial and at one point it suggests configuring the web server and using a high numbered port. I'm curious, if I do that, is it effectively opening up that port to any outsider? Is there something I should be configuring before doing this, or not setting up the web server at all for that matter?

Edit: Hmmm...same person is suggesting opening up a forwarding port in the router, which I don't want to do. On that note, is there a more secure method of setting up the web server function in BI?
You could try stunnel. It will add a TLS layer over your web session. You will still have to forward a port for your connection, but it will be encrypted.
 
I've been testing OpenVPN on my Asus AC66U-B1 which is connected behind my primary internet facing FiOS Actiontec router. Actiontec LAN connected to Asus WAN, Asus LAN connected to all other home devices. I set up the Actiontec to port forward TCP 1194 to the Asus WAN port. Asus has a fixed WAN IP. I installed OpenVPN on my Android phone and OpenVPN on the Asus and I can successfully connect.
Here are my questions .... I port forwarded 1194 from the Actiontec so the Asus would see OpenVPN connection requests but that makes 1194 open to the internet. I did a ShieldsUP scan at GRC.com, it shows open. Is that a critical security concern? The Asus has its firewall and NAT turned on, the only thing connected to the Actiontec (besides the Asus WAN) is the TV set top boxes via coax connection. And yes I don't/can't replace the Actiontec because of TV and bridging can't be done because it's a REV I which from what I understand can't be bridged.
This is some experimenting for my eventual access to cameras not yet purchased, that's the next step.
Thanks
 
Your WAN gateway (in your case Actiontec) is only allowing TCP 1194 to your Asus. I think you are okay.

If there was no Actiontec in the path, and the Asus was your WAN gateway, a scan would still show TCP 1194 as being open.

Ideally, if your WAN gateway had stateful firewall functionality, you could inspect to ensure it was TLS traffic that it was letting through - but this is not something that most home routers can do.
 
Thanks reflection, yeah the FiOS AT doesn't have that functionality, in fact it doesn't have a lot of useful features :confused:
 

What you can do to make things more simple... Reverse things and put the ActionTec behind your Asus on another subnet and point the gateway to it. The only thing that you need it for is to act as a bridge to the coax and to pull the directory for the TV listings. The boxes don't need anything other than some gateway out to do that. What you will lose are incoming functions to the boxes... remote DVR control, using the app to do things, etc. Technically you can make that work but they use dynamic port assignments so you'd have to open up a large range of ports, kind of defeating the purpose of locking things down. You'll also lose the ability for them to do end-to-end diagnostics but they're used to customer-owned routers now and still will help in most cases if you have some issue. At least up to your router.

The other thing that I don't like about the ActionTec up front is that they can open up ports and make changes to things as they want. At least in the default config. If you do a good full scan on it, then you'll see a bunch of ports open.
 
Yep, this is what I do. My ActionTec is on my DMZ. The ActionTec wifi also is my guest wifi. The Guest wifi is double-nat'd. We only have one STB which my wife insists on keeping so I have to keep the ActionTec. LOL.