VPN Primer for Noobs

What VPN Solution are you using?


  • Total voters
    836

Moose

n3wb
Joined
Feb 24, 2017
Messages
27
Reaction score
6
Yes, you'd port forward the VPN traffic to the PI and when you connect your device is presented on your network and you connect to BI using your normal connection details you'd use at home.

Sent from my ONEPLUS A3003 using Tapatalk
Another question, trying to wrap my head around this. I've got my server established on the PI, but how would BI be configured to enable only those on the network to view?

EDIT: Disregard this I was able to find it on my own.
 
Last edited:

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
144
Reaction score
28
Location
Ohio
If I set up a VPN on my home network (for the security system) does every electronic unit that wants access to my wifi in the house have to then sign into the VPN?

Or can it be configured that only my NVR need to be signed in.

Just thinking that it's gonna be a pain for multiple members in house and guests to have to sign their phones, tablets, etc into the network when they want on.
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
You don't need to connect to the VPN when your at home. It's only for when you are on a different network. Be it the WiFi at your work, airport, Starbucks, strip club whatever. It will also work over your cell plan. No need to actually be connected to WiFi.

You'll need to have every device (that you want to be able to access your network. For example, cell phones, tablets or laptops) get a certificate that's generated by the VPN server to access the VPN. Any device that is already on your Lan 100% of the time (desktop, NVR, whatever) won't need to do anything related to the VPN. Generally it's a good idea to create a different certificate (with different PW) for each device so that if it becomes compromised, you revoke that certificates ability to connect.

I would definitely advise against giving guests access to your VPN. Two reasons, 1) since they're at your house, they won't need to VPN in. Just give them your wifi password and let them connect. Or give them your guest wifi pw if you have a guest network set up.
2) once your guests leave your house, if they're still connected to the VPN they can access your local network. There's no need for that since there guests and it can creates a security issue if they lose their phone.
 

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
144
Reaction score
28
Location
Ohio
Ahhh I didn't realize or fully understand when you connect to the VPN. Good to know.

Another question then...

Can you elaborate on what you mean by saying that any device (for me, my NVR) that is on my lan 100% of the time that I won't need to anything related to the VPN.

Do you mean that I don't need to sign that device in all the time? Once it's signed in its all set.

Also do you recommend on creating a separate certificate with a different password for each ip cam?
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
Your not getting it...The reason you use a VPN is to securely connect to your home network when you're not home. Anything already on your home network(cameras) doesn't need to use a VPN to connect to the network it's already on.
 

PSPCommOp

Getting the hang of it
Joined
Jun 17, 2016
Messages
694
Reaction score
91
Location
Northeastern PA
Think of the VPN as a castle. When it's running, all of your devices on your home network are secured by its walls. When you activate the VPN on your mobile device when you are on the wifi at work or whoever, it gives u a secure and direct link or tunnel into the castle that no one can break into. It secures and prohibits other people on that network from stealing any data you transmit, but it also makes it seem like that device is now in your home network and not miles away on a different one.

So while you can just open your BI App and see your cameras while you're on your home network, the VPN on your phone makes it so the device is directly and securely connected to your home network as if you were inside it.


Sent from my iPhone using Tapatalk
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
I don't think that's quite right... The VPN we're talking about (connection to your home network vs hiding your ip address) does absolutely nothing security wise for anything on your home LAN. It is more like a special dock on the castle side of the moat around your castle. The VPN creates a secure bridge to that dock that you can then walk across and nobody can shoot you while on that bridge.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
not quite.. VPN Is the guarded draw bridge on your castle, the moat and exterior is your firewall.. forwarding ports is a hole in your wall and a bridge across your moat with nobody keeping an eye on it... P2P is like one of your peasants lowering a rope ladder down from the top of your castle wall hoping whoever they are lowering it too is legit.

VPN is more like having a magic network cable that you can pull out of your pocket and the other end is plugged into your network from 5000m away... except it transits the internet and uses strong crypto.. since all that is required is internet access, its technically a cable reaches all the way out to the ISS, and perhaps one day the Moon/Mars.

For example I work from home, when I login to work VPN I have access to everything on the work network like I was sitting in my office and plugged into the outlet under my desk..
 
Last edited:

PSPCommOp

Getting the hang of it
Joined
Jun 17, 2016
Messages
694
Reaction score
91
Location
Northeastern PA
I don't think that's quite right... The VPN we're talking about (connection to your home network vs hiding your ip address) does absolutely nothing security wise for anything on your home LAN. It is more like a special dock on the castle side of the moat around your castle. The VPN creates a secure bridge to that dock that you can then walk across and nobody can shoot you while on that bridge.
Use of a VPN is more secure then the use of open ports. While it doesn't add additional levels of secure to the LAN, it allows secure connections for the VPN clients.

Given what he's said in previous comments I was trying to explain it as such. Hopefully he's read this tutorial in its entirety and understands how the VPN is a better option (i.e. Castle) then open ports (wide open doors and windows to a building). When I was first learning, bp explained it to me like that and it then made total sense.


Sent from my iPhone using Tapatalk
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
Shifting lanes here, I've had the feeling that it's not quite exactly like having a network cable plugged into my home router. For example, when I'm not home and open up my tinycam app and "scan network" for local ip cameras, it won't find anything on my home network. If I scan the network at home it will find them. Then as long as I don't delete them it'll work when I'm away from home obviously as that's exactly what it's intended to do.

Now, if I manually enter the ip address and stuff I'm sure it would work. Nayr, can you explain that? I've never even seen something like that explained anywhere. It's always explained as "your connected device will behave exactly as if your sitting on your couch at home"
 
Last edited:

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
thats because your using a routed VPN solution and your sitting on another subnet and your router is routing traffic from your LAN to your VPN.. those Discovery services only broadcast the subnet they are on, if your device is on another subnet autodiscovery becomes impractical but as long as you know the host/ip its fine.

If you were using a bridged VPN solution you'd be on the same subnet as the LAN and broadcast packets would find your cameras.. its largely dependant on how you set it up, and I actually perfer routed (TAP) over bridged (TUN) setups as it offers several benefits.. like being able to add firewall rules between the VPN Clients and the LAN if you wish to further restrict access.
 

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
144
Reaction score
28
Location
Ohio
Great info guys. I'm learning more as you guys explain this.
 

mmdb

Getting the hang of it
Joined
Dec 18, 2016
Messages
242
Reaction score
52
Location
Croatia
great explanation !! I will also do VPN as soon as my new asus router arrive i also wait andy to get stock of 49ptz ...5 turrets 5231 are already install on my work place and tried ,great cams ..
1question i have on my work pc install teamviewer ,as my bookkeeper need to do his job and connecting to my pc ..with VPN can he still connect to team viewer to my pc?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
at work you'll want to configure the VPN so it only routes your home subnet over VPN and not all traffic, then it should not interfere with any local work network access..

make sure your home subnet and your work subnets dont collide..
 

Chase

Getting the hang of it
Joined
Feb 12, 2017
Messages
144
Reaction score
28
Location
Ohio
@nayr does it matter if my modem can host a VPN server or is a capable router a better option?
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
your modem would be fine if its capable of doing what you need; the logic behind hosting it on your router is that without your router online your network wont be accessable anyhow, so its less points of failure.. it would be the same of your modem.
 

DavidDavid

Getting comfortable
Joined
Jan 29, 2017
Messages
605
Reaction score
267
Location
Ohio
TeamViewer can work over a LAN (either by physically being on the same LAN or VPN into that LAN) or over the Internet (with no VPN)

I don't know how secure their service is over the Internet with no VPN...i guess it depends on how much you trust them.

I'm working on setting up a router with dd-wrt and VPN set up on that at my parents house right now so I can securely connect to my mom's laptop to transfer tax documents to her. I don't trust using TeamViewer or nomachine to transfer sensitive info such as tax documents over the Internet without connecting thru VPN, and since she a CPA that does my taxes each year, it'll beat waiting until we meet up to give her a thumb drive with all that info on it.
 

bug99

Pulling my weight
Joined
Dec 27, 2016
Messages
397
Reaction score
154
TeamViewer uses 256 bit encryption over its tunnel. it is VPN, just with a proxy service server as a man in the middle so there is virtually no configuration hassle. It is scary how much it does and how easy it is. You do have to trust that they aren't going to have their own backdoor on their servers if you chose this path. there are ways to make TeamViewer poorly secure and several options to drastically improve security, just like OpenVPN, going from easy to use to a pain in the ass fairly quickly. I am no expert at either, but i have done some reading, as everyone should on their own :).
 
Top