VPN Primer for Noobs


concord

Pulling my weight
Joined
Oct 24, 2017
Messages
356
Reaction score
229
The first thing, according to this article, is to reboot all devices; however, if a variant is able to survive a reboot...

 

pbc

Pulling my weight
Joined
Jul 11, 2014
Messages
842
Reaction score
119
80 is the web port and 554 is the RTSP port, so yes on those. 8086 is a non-standard/registered port, so it can be used for anything. Not sure what 1935 is. Probably something Dahua-dependent.
So you don't have any port open on your firewall other than to allow connections to your Wireguard server?
Correct, nothing else port forwarded.

Based on the email I saw from the ISP,

data: TIMESTAMP: 2020-10-24 16:36:09
IP: 99.247.xxx.xxx
PORT: 4300
ASN: 812
GEO: CA
REGION: xxxx
CITY: xxxx
HOSTNAME: cpec4041517aace-cm98524ab27a38.cpe.net.cable.rogers.com
TYPE: tcp
INFECTION: mirai
CC_PORT: 23
NAICS: 517311
SECTOR: Communications

I assume it means port 4300 or 23 was the culprit, but my ISP would simply say they are "unable to help" with that email, other than warning me I needed to take care of it.

If it was port 23, that was literally the port I used to telnet into my router to fix an issue, and I may have had it enabled while the router still had its original basic password while running some scripts on it (both of which are no-nos, of course!). Wonder if in that short amount of time (a couple of hours maybe?) I was targeted.

Going to run some scans on as many devices as possible in the meantime.
 

LittleBrother

Pulling my weight
Joined
Sep 16, 2014
Messages
477
Reaction score
112
Alright, I'm maybe a half decade too late but I finally got around to this.

I had a Raspberry Pi 3 kicking around, so I got it set up tonight, and I'm using OpenVPN on my iPhone.

Initially I had the Pi connecting to the network over WiFi, and the VPN connection with port 1194 forwarded (UDP only) works fine, but although my cell signal gives me 4 Mbps down where I am now, when running the Pi wirelessly I'm more like 1-1.5 Mbps (even though the Pi is right next to the router). The actual internet connection is around 12 Mbps up.

So, I turned WiFi off and hard-wired the Pi into the router. Also ensured the IP on the Pi was locked down and updated the port forwarding. I can now connect to the VPN, but I get 0 activity to any external app.

So with WiFi it worked entirely, but slowly. Now it connects to OpenVPN (using the OpenVPN Connect app) but it's failing to communicate at all with my network. Any ideas?

FIXED: I found the same complaint elsewhere online. Long story short, if PiVPN is installed on wireless it will not subsequently work on wired, or vice versa. Perhaps there is a way to do it, but I'm a Linux newb, and using its default install stuff I had to uninstall it and start again from scratch, installing while it was wired in. Now it connects AND actually sends data.
 

Mike A.

Getting comfortable
Joined
May 6, 2017
Messages
816
Reaction score
668
CC_PORT: from the email that you show is the Command & Control port on the remote end (i.e., the operator of the attack/bot) to which your machine is connecting, not the port on your device.

PORT: 4300 would be the port on your device. Double-check in all of the various port-forwarding areas of your router to see if that port may have been opened at some point. And/or you can scan for that and other open ports from outside of your network. Turn off UPnP on your router. Block internet access by the cams/other IoT devices in some way if you can.

Port 23 on routers is heavily targeted though for obvious reasons. Looking quickly at my logs I see about 500 connection attempts to port 23 over the last 24 hours, about 50 in the last hour.
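The distinction Mike A. draws between PORT and CC_PORT is easy to get wrong when triaging an abuse report under pressure, so here is a small parser for the report format quoted above. This is an added example for this thread, not code from any poster or from the ISP. It assumes the report follows the Shadowserver "drone" field layout, where PORT is the source port of the connection as seen from the infected host and CC_PORT is the listening port on the command-and-control host; the sample report, the known-forwards set, the IP address and the hostname are constructed placeholders, not real data.

```python
"""Parse a botnet-drone abuse report in the KEY: value layout quoted in this
thread and separate the fields that describe the infected host from the
fields that describe the remote controller.

Added example for this thread, not code from any poster or from the ISP.
Assumption: the report follows the Shadowserver "drone" field layout, in
which PORT is the source port of the connection seen from the infected host
and CC_PORT is the listening port on the command-and-control host.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the same layout as the quoted email; the address and
# hostname are documentation placeholders, not real data.
SAMPLE_REPORT = """data: TIMESTAMP: 2020-10-24 16:36:09
IP: 203.0.113.5
PORT: 4300
ASN: 812
GEO: CA
REGION: xxxx
CITY: xxxx
HOSTNAME: cpe-placeholder.example.invalid
TYPE: tcp
INFECTION: mirai
CC_PORT: 23
NAICS: 517311
SECTOR: Communications
"""

# Assumed split of field names by which end of the connection they describe.
VICTIM_FIELDS = {"IP", "PORT", "HOSTNAME", "ASN", "GEO", "REGION", "CITY", "NAICS", "SECTOR"}
C2_FIELDS = {"CC_IP", "CC_PORT", "CC_ASN", "CC_GEO", "CC_DNS"}

_FIELD_RE = re.compile(r"^(?:data:\s*)?([A-Z_]+):\s*(.*?)\s*$")


def parse_report(text):
    """Return {FIELD: value}; the 'data:' prefix on the first line is dropped."""
    fields = {}
    for line in text.splitlines():
        m = _FIELD_RE.match(line.strip())
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def interpret(fields, known_forwards=frozenset()):
    """Summarise what the report says about your side of the connection.

    known_forwards: {(proto, port), ...} you deliberately expose on the WAN,
    e.g. {("udp", 51820)} for a WireGuard server. If the reported PORT is not
    in it, it was not a listener you opened; it is the port the infected host
    used when it reached out to the controller.
    """
    proto = fields.get("TYPE", "tcp").lower()
    local_port = int(fields["PORT"])
    # Shadowserver timestamps are UTC; make that explicit before comparing
    # against router or camera logs, which are usually in local time.
    ts = datetime.strptime(fields["TIMESTAMP"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return {
        "timestamp_utc": ts,
        "infection": fields.get("INFECTION", "").lower(),
        "victim_ip": fields.get("IP"),
        "victim_hostname": fields.get("HOSTNAME"),
        "local_port": local_port,
        "local_port_in_known_forwards": (proto, local_port) in known_forwards,
        "c2_port": int(fields["CC_PORT"]) if "CC_PORT" in fields else None,
        "victim_side": {k: v for k, v in fields.items() if k in VICTIM_FIELDS},
        "c2_side": {k: v for k, v in fields.items() if k in C2_FIELDS},
    }


if __name__ == "__main__":
    summary = interpret(parse_report(SAMPLE_REPORT), known_forwards={("udp", 51820)})
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, `local_port_in_known_forwards` comes back False for 4300 and the only entry on the controller side is CC_PORT 23, which is the practical reading of the report: the host reached out from port 4300 to a controller listening on 23, so the thing to hunt for is the infected device on the LAN, not a forward for port 4300 on the router.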
 

pbc

Pulling my weight
Joined
Jul 11, 2014
Messages
842
Reaction score
119
Thanks. My cameras are not open to the internet, though maybe the cheap Wyze ones might be, not sure how those work.

I ran nmap on my WAN address, and it implied these are open:

Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
53/tcp open tcpwrapped
80/tcp open http httpd


Though, if I check those ports at Port Scanner - Scan Network Ports - WhatIsMyIP.com® on my WAN address, it says they're closed. 4300 also shows up as closed on that site.

Haven't had any new emails from my ISP, so hopefully it was the hour or two I was putzing around with the DD-WRT router.

But curious why those ports show as open on nmap, but closed on the whatismyip site?
 

pinecone

Young grasshopper
Joined
Dec 21, 2015
Messages
48
Reaction score
0
It has been several months since I read through this thread. What are the current-model Asus routers that support OpenVPN? Any other brands that are economically priced? Thanks.
 

Vettester

Pulling my weight
Joined
Feb 5, 2017
Messages
216
Reaction score
123
Any other brands that are economically priced?
Running PiVPN on a raspberry pi is a fairly cheap VPN server solution. For mobile apps I would highly recommend using WireGuard instead of OpenVPN. WireGuard is significantly faster.
 

pinecone

Young grasshopper
Joined
Dec 21, 2015
Messages
48
Reaction score
0
I run an old Asus RT-AC66U-B1. It has OpenVPN and parental controls that let you block based on MAC address. It works for me. It is simple to set up.
I run very little wifi in my house, also all my wifi devices are old.

I'm the same, very little WiFi. All streaming on devices that are hard-wired to the router. I just want to play with a tunnel VPN. The AC66U-B1 would work fine for me. I did notice that for just a few more dollars you can get the AC68U. I doubt there are any features that would be useful for me over the AC66, however it seems to be a newer router and I would assume Asus will offer support for it longer.

Building a Raspberry Pi setup would be fun, but I'm not sure my networking knowledge is up to that. Lots of videos out there on OpenVPN to help a novice like me.
 

JT_Singh

Young grasshopper
Joined
Apr 24, 2020
Messages
35
Reaction score
7
Location
United Kingdom
I read that "forwarding ports" is a complete NO if one wishes to secure one's network. However, after digging around how to configure HiDDNS for my Hikvision NVR, it does ask me to forward ports, so I am not sure which way to go about doing this.

Is there anyone who can help guide me on this? I currently have a Hikvision NVR which I am trying to setup via HiDDNS so that it allows me to get push notifications on my phone.
 

biggen

Known around here
Joined
May 6, 2018
Messages
1,081
Reaction score
911
Push notifications shouldn't require port forwarding I wouldn't think. That is going from the NVR > your phone which is open anyway.

If you want to connect back to your NVR then that is where port forwarding would come into play if you aren't using a VPN.
 

weigle2

Getting comfortable
Joined
Dec 30, 2016
Messages
627
Reaction score
360
Location
Somewhere in the space/time continuum
I would give a thumbs up for the AC68U. It has been around for a while and it is stable. There is a really active ASUS forum over on SmallNetBuilder Forums. They have sections for factory firmware as well as third-party tuned firmware (RMerlin).
And with an AC68U you can oftentimes get mesh WiFi set up very easily. Finding a 2nd AC68U pretty cheaply is also easy, as T-Mobile has had them for sale for between $30 - $40 in the past. These can be flashed with stock Asus firmware, or several other firmware variants like Tomato.
 

jts2045

n3wb
Joined
Jan 7, 2021
Messages
2
Reaction score
3
Location
Clayton NC
The internet is a force of nature; no video surveillance system made was designed to be exposed to those forces.. NEVER FORWARD PORTS to your NVR or cameras; doing such things not only exposes you to severe security problems, but everyone else on the internet too.. Hackers don't want your video feeds, they want an always-on Linux box with decent internet connectivity that can be used to attack targets on the internet.. they want to turn your camera into a weapon of mass destruction.

What is a VPN? It's a Virtual Private Network; it provides you with full access to your home network when you're on a remote/foreign network.. It tunnels you across the internet and back into your LAN and secures everything in transit with very strong crypto..


Your home LAN is the corp network

The VPN tunnel is transparent; once connected it's effectively as if you were connected directly to your home network.. All devices on your network will be reachable through their internal non-routable IP addresses.. The same configuration you use when you're on your home WiFi will work once the VPN is connected.. in fact it will be exactly like you're on your home WiFi when the VPN tunnel is connected; all your file shares, printers, cameras and IoT devices will be available and none will be aware of the VPN or the fact that you're remote.

How hard is it to set up a VPN server? If you have a router that already includes a VPN server built in, it's no more difficult than forwarding ports is; in fact with some consumer routers like Asus many people find it even easier to set up than port forwards.. Site-to-site VPN and some equipment may require very specific configurations that may require some more intense debugging and configuration.. It can range from very easy to very hard; stack the odds in your favor with good research and testing.

Do I have to pay for a VPN service? No, this is a common point of confusion.. there are services out there that will run a VPN server for you on a remote network.. these are used to hide your location from public internet services, such as watching Netflix from a US IP, or downloading torrents without exposing your IP address to the swarm.. If you have an externally routable IP address you will run your own VPN server on your own network, using free software.. so there are no subscription fees.

Will a VPN tunnel cause me to hit bandwidth limits faster? Practically no; the additional bandwidth used to encapsulate traffic in an encrypted tunnel is minimal and a tiny blip compared to your actual video stream.

Crypto speeds: this is the only real performance concern.. The first throughput bottleneck you're likely to encounter is how much data your VPN server can encrypt in real time.. As long as your VPN server has more capability than your outbound/upload speed you'll never encounter this bottleneck.. If you are on a typical residential internet connection with just a few Mbit of upload speed this is rarely ever a problem.. However, if you have fiber-optic/business/European/Asian connectivity you will need to make some hardware considerations to ensure you have adequate performance to utilize your actual connectivity. Higher-end equipment (multicore 1GHz+ routers) is typically capable of 20Mbit or more VPN speeds, which is faster than most typical home internet upload ceilings.. a router with a 600MHz single-core CPU will only do a few Mbit unless it has crypto hardware to help accelerate it.. A Raspberry Pi 3 can do ~45Mbit; if you have faster uploads than that and wish to use those speeds over VPN then you need to research VPN crypto benchmarks and find a device that can meet your needs, perhaps a dedicated VPN crypto appliance or PC.

Where do I run my VPN server? The best place is on your home router; since it will be required to be online and reachable for all remote connections anyhow, it's the best candidate. However, if you have an always-on PC NVR you can also run it on there with great performance, or on a dedicated VPN appliance such as a Raspberry Pi.

What do I do first? First check your router and see if it already has a built-in VPN server that simply needs to be set up and configured.. Almost all business-class routers, some ISP-provided hardware and the vast majority of modern decent off-the-shelf routers will already have support built in and just need you to use your Google-fu to set it up; check YouTube for setup guides specific to your equipment.

My router does not have a built-in VPN server! Well then, see if your hardware supports some of the WRT-based firmware; you can simply upgrade the firmware to DD-WRT, OpenWRT or Tomato (Google it) and add this software to your existing equipment.. it's easier than it looks and there is a large consensus among power users that the open-source firmware projects are far superior to most OEM offerings..

My router doesn't have support, it's old and I want something as simple as possible! Look at Asus's wireless routers; they seem to be the easiest for noobs to get going out of the box and the equipment is widely available.

I hate connecting the VPN before I can open my cameras! VPN use is a requirement for every corporate employee in the world who needs to access their email or corporate network remotely.. If millions of poorly trained monkeys can manage to connect a VPN client daily, what is your excuse? If you hate losing your house keys, you'd be pretty stupid to take the doors off your house..

You can route just your home LAN over the VPN connection; in this configuration leaving it permanently connected should not cause any issues and you won't have to do it manually every time.. some VPN clients/apps do auto-reconnect and/or dial on demand.

OpenVPN vs L2TP/IPSec vs other? Really the only choice is OpenVPN vs L2TP/IPSec; little else is as trustworthy as those two, and for most people OpenVPN is easier to set up and run.. OpenVPN requires clients to be installed on all your devices, whereas L2TP/IPSec clients are built in natively on every modern device (Windows/OSX/iOS/Android/Linux).. typically it's best to use what you have available already.. If you configure your OpenVPN server to listen on port 443, the same port as HTTPS websites, then you can expect it to work on even the most restrictive remote networks.

Credentials/logins & security? Give each device its own unique login, generate a one-time password for it and save it to the device.. this way if a device gets lost or stolen you can simply delete that user account, or if you upgrade/replace the device you just generate a new password and render everything else unable to log in, without having to change the credentials on all your devices anytime you upgrade/lose an item.

Why is a VPN more secure than just setting a strong password on my video system? Most video systems have undocumented backdoor credentials so the installer/vendor can unlock the device when the end user locks themselves out, for starters.. They do not come secure by default. They are also susceptible to remote attacks that can bypass your logins altogether to run malicious code directly on the hardware without your knowledge.. They do not automatically update security issues without intervention like your desktop/laptop/phone, and you can't easily even tell what software is running on them.. Whereas VPN servers are designed for direct internet exposure, have been audited by security professionals, and receive constant scrutiny that results in vulnerabilities being exposed quickly and fixed promptly.. Updating firmware on cameras is risky; recovery options in the event of failure are minimal, if they even exist at all.. when an update blows up on your computer/mobile you can reinstall and restore in the worst case, but that's not an option for your video surveillance devices.

Site-to-site VPN or remote client VPN? Typically you want to set up a remote client VPN, unless you want to permanently bridge two networks so no clients are required on them.. for example if you have a vacation property you may want to set up a site-to-site VPN to your vacation property, then use a remote client VPN into your home LAN.. then your remote VPN connection can access both video surveillance systems on the same network, and both networks are directly connected.

Dynamic DNS? Yes, you'll want to set this up, preferably on your router or VPN server, but your cameras/NVR are also likely to have these features.. Most internet connections have dynamic addresses, and this ensures you can always find your VPN server and not have to reconfigure VPN clients when your server IP changes.

Most common VPN setup mistakes:
  • Using a commonly used subnet for your home network; you may want to re-address your network to a subnet you're unlikely to encounter remotely.. for example if your home network is 192.168.1.0 and your work network is 192.168.1.0 you'll find your remote VPN routes won't work from work, heh.. but if your home network is 192.168.253.0 you're less likely to encounter a remote network that collides with your home subnet..
  • Not using your VPN for everything when on public WiFi; when you're on an unencrypted public wireless network anyone nearby can sniff your traffic right out of the air.. but once you enable that VPN tunnel back to your home network all your traffic is encrypted and secure from anyone.. even the local network admins.
  • Not specifying gateway addresses for IoT devices, thinking this would keep them from accessing the internet altogether; it can also prevent you from accessing them via the LAN, because your VPN server is likely to put you in its own subnet and route traffic to your LAN and the VPN on its own.
  • Not disabling UPnP and shutting down old port forwards after having the VPN set up.
  • Not syncing time correctly; crypto requires your devices to have the correct time set.. if your server or clients do not have a time source configured they will be unable to log in.
  • Not having an externally routable IP; if your VPN server is on a satellite or mobile network you may not be able to remotely connect to anything.. port forwards won't work either. The best option for these networks is to establish a point-to-point VPN outbound connection to an external server you run on another network or subscribe to.

I need step-by-step handholding because I am so dense I can bend light with my gravity! Sounds like you should ask your grandkids, or whoever managed to teach you the internet.. Properly securing a network requires understanding and comprehension, and there is no single best way to do any of this.. You need to read, ask questions, and help yourself.. nobody is going to do this for you; if you want to operate an internet-connected IP network in the modern world, this is basic stuff you have to understand, or else you are putting us all at risk.

This post is living and may be updated/changed at any time.
This is a great post. And I laughed so hard at "I am so dense I can bend light." I told that one to anyone who would listen. Thanks again!!
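Two of the mistakes in the primer's list (a home subnet that collides with the remote network, and the choice between routing only the home LAN and routing everything) can be checked mechanically before a trip rather than discovered at the hotel. The script below is an added example for this thread, not code from the primer's author or from any VPN project. The list of router-default subnets and all addresses in it are constructed inputs chosen for illustration; the `push "route ..."` / `push "redirect-gateway def1"` directives are real OpenVPN server options and `AllowedIPs` is the real WireGuard peer setting, shown here as the equivalent configuration for each choice.

```python
"""Checks for two of the VPN setup mistakes listed in the primer: a home
subnet that collides with the network you are connecting from, and choosing
between routing only the home LAN over the tunnel and routing everything.

Added example for this thread, not code from the primer's author. The subnet
list and the addresses used are constructed inputs for illustration.
"""
import ipaddress
import random

# Router-default subnets you are likely to meet again on hotel, office and
# friends' WiFi (an assumed list for the example, not an exhaustive survey).
COMMON_DEFAULT_SUBNETS = [
    "192.168.0.0/24", "192.168.1.0/24", "192.168.2.0/24", "192.168.100.0/24",
    "10.0.0.0/24", "10.0.1.0/24", "10.1.1.0/24", "172.16.0.0/24",
]


def collides(a, b):
    """True if the two networks share any address, so routes would be ambiguous."""
    return ipaddress.ip_network(a, strict=False).overlaps(ipaddress.ip_network(b, strict=False))


def pick_home_subnet(avoid=COMMON_DEFAULT_SUBNETS, seed=None):
    """Pick a random /24 inside 10.0.0.0/8 that overlaps nothing in `avoid`.

    A random block inside a large private range is the cheapest way to make a
    collision with whatever remote network you land on unlikely.
    """
    rng = random.Random(seed)
    for _ in range(1000):
        cand = f"10.{rng.randrange(256)}.{rng.randrange(256)}.0/24"
        if not any(collides(cand, other) for other in avoid):
            return cand
    raise RuntimeError("no free /24 found; relax the avoid list")


def check_site(home_lan, vpn_pool, remote_lan):
    """Problems a client sitting on `remote_lan` would hit when connecting to a
    VPN server whose LAN is `home_lan` and whose client address pool is `vpn_pool`."""
    problems = []
    if collides(home_lan, vpn_pool):
        problems.append("client pool overlaps the home LAN; the server cannot route between them")
    if collides(home_lan, remote_lan):
        problems.append("home LAN overlaps the remote network; the local route wins and the tunnel route is never used")
    if collides(vpn_pool, remote_lan):
        problems.append("client pool overlaps the remote network; the client's tunnel address may be unreachable")
    return problems


def tunnel_routes(home_lan, vpn_pool, full_tunnel=False):
    """Equivalent settings for 'route only the home LAN' vs 'route everything':
    OpenVPN server push directives and the WireGuard client AllowedIPs line."""
    home = ipaddress.ip_network(home_lan)
    pool = ipaddress.ip_network(vpn_pool)
    if full_tunnel:
        # Public WiFi case from the primer: send all traffic through the tunnel.
        return {"openvpn": ['push "redirect-gateway def1"'],
                "wireguard_allowed_ips": "AllowedIPs = 0.0.0.0/0"}
    # Split tunnel: only the home LAN (and the pool itself) go through the VPN,
    # so the client can stay connected permanently without affecting other traffic.
    return {"openvpn": [f'push "route {home.network_address} {home.netmask}"'],
            "wireguard_allowed_ips": f"AllowedIPs = {home}, {pool}"}


if __name__ == "__main__":
    print(check_site("192.168.1.0/24", "10.8.0.0/24", "192.168.1.0/24"))
    print(check_site("192.168.253.0/24", "10.8.0.0/24", "192.168.1.0/24"))
    print(pick_home_subnet(seed=7))
    print(tunnel_routes("192.168.253.0/24", "10.8.0.0/24"))
```

The primer's own example falls out directly: a 192.168.1.0/24 home LAN reached from a 192.168.1.0/24 office is reported as a collision, 192.168.253.0/24 is not. The third check matters as much as the first two and is easy to forget: a client pool such as 10.8.0.0/24 collides with a remote site that hands out addresses from all of 10.0.0.0/8, so pick the pool with the same care as the home subnet.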
 