VPN Primer for Noobs

@Sam.oliv3ira

For your NVR, can you access it from a hardwired PC? If yes, then the VPN will work; if no, then it will not work.

-----------------------------------------------
My general VPN post
There are two types of VPN; do not get them confused.
The type depends on where the traffic conversation originates.

1) Origination: local home network; destination: the internet.
This type of VPN's purpose is to hide your activity from the internet. It is outbound, and it normally costs a monthly fee to use. The direction is from your home PC to the internet, going to your bank, Google, porn sites... This is not what you want. This VPN uses a VPN server that is in the middle of your communications. It gives a third/fourth party 100% of your outbound internet information.

2) Origination: the internet (world wide web); destination: your home network.
This VPN type is used to provide a secure connection onto your local network, inbound to your local home network, from your office computer, your cell phone in your car, your tablet at the coffee shop. This is what you want; it does not have a monthly fee and is normally completely free. OpenVPN is this type of VPN.

If your home internet provider is a cellular network, then DDNS (Dynamic Domain Name System) may not work. DDNS is needed for most inbound VPN services (OpenVPN) to get your home IP address (it is not static), so OpenVPN may not work for you.

A video on the paid VPN.

------------------------------------------------------
Hacked VPNs
-----------------------------------------------------
 
Hello SouthernYankee, thank you very much for your excellent explanation. I have access to the NVR from a computer, both by cable and Wi-Fi, as long as it is connected to the same router where the NVR is also connected. Even in the DMSS application, if I am connected via Wi-Fi to the same router as the NVR, I can see everything. If I'm outside that network, I can't access anything. Logically, I am supposed to be able to access it with Open VPN Free, but in practice we know that it is not quite like that. I already ordered an Asus router, to connect my FiberGateway (ISP by fiber), to configure the VPN, and in a few days I will test it. Many thanks.
 
A relative n00b question coming in, about port forwarding/VPN etc.

Here's what my network looks like today. ISP router (not in bridge mode) handing out 192.168.1.x IPs - my NVR/associated cameras are directly connected to this (no other devices, besides the UDM router, are connected to this router). I currently have port-forwarding enabled on my ISP router so that I can access the cameras when I'm outside of the LAN. On my ISP router, I've blocked internet access from the NVR.
Question: I realize port-forwarding is not ideal, but is there a risk that I'm overlooking? If somebody breaks into this NVR, they can't really traverse down into my UDM VLANs, can they?

The "VLAN for VPN" is still being configured - I am struggling to get the UDM VPN set up (I've created port forwarding rules on the ISP router for UDP ports 500 & 4500, set up RADIUS server/user etc.) - but for whatever reason, when I connect using my Android device, it gets assigned a 192.0.0.4 IP, which makes no sense. No internet access when I'm connected on this VPN. I've submitted a request to Unifi support, but I'm not holding my breath. Anyway, if I can get that to work, I'll disable the port forwarding for the NVR anyway.

First I'm surprised your ISP is letting you hook up more than 1 distinct device to their equipment.

NVR is blocked from internet access both in/out via ISP router configuration? NVR is a low-security device and is potentially exposed to the internet via ISP/you misconfiguring.
If port forwarding cameras, I think it's only a matter of time before the cameras get hacked in the wild.

Why would a hacker want to take control of devices on your network:
  • Sure, propagation to higher-value computers; probably OK there since you have another firewall between them and the insecure device.
  • Maybe the hackers just want to take control of your cameras to spy on you, creep out your family (wife/kids), etc. Read up on kids getting talked to by their cameras in the middle of the night.
  • Hackers will turn your NVR or cameras into compromised members of their botnets, using your internet connection to launch DDoS attacks, if there are ANY security holes in your plan. Sure, it isn't hurting you directly, but it is hurting others, plus theft of your internet for their purposes.
  • Port forwarding really exposes the cameras to whatever attacks are occurring in the wild, IMHO.
 
I'm not an expert in networking and VPN, but I think you may need to connect your NVR/cameras to either the UDM router or switch if you want to VPN into your NVR. Having said that, you may as well replace your ISP router with the UDM router. Also, having said that, I've assumed you are using the VPN software as provided by the UDM.
 
Thank you - I should have been clearer - the ISP equipment (router) has a 4 port switch built into it (as do most of the routers on the market), so I can connect multiple devices to it, including other switches/routers.
These are exterior cameras only, so even if somebody gets into it, that doesn't bother me as much. Botnet - DDoS - that is worrisome, and I'd like to mitigate that.

Since I am effectively double natted, the recommended approach from Unifi (port forward ports 500/4500) is confusing - is (isn't) that a risk?
 
I can't seem to get UDM VPN to work unfortunately. The reason I'm trying to VPN into the UDM VLANs is because from there, I can traverse to the 192.168.1.x network to access the NVR.
I didn't put the NVR on the UDM router because the UDM router is doing deep packet inspection - and with 8 video streams running 24x7, it will keep the UDM CPU very very busy :)
 
Are you sure it works like that? If the cameras are contained within your local network, which they are, is there any need for deep packet inspection? I thought deep packet inspection related to what is coming into your network from the outside.
 
You are right - I should try it out and see what it actually does. I was reading/watching the reviews of the UDM and one reviewer had mentioned he had run into that performance issue. So, I didn't try it out. I'll give it a shot.
Before I implement the solution though, I still need to get my VPN working, because once I do this, I likely won't be able to get remote viewing to work even with port forwarding (and I don't want to port forward into my UDM VLANs).
 
I can't at the moment, but when I get home, I'll look up a YouTube video I followed that helped me set up my VPN. I also use a UDM Pro and Unifi switch. All my cameras are hooked into the switch. In the meantime, others may be able to guide you.
 
Thank you so much! I think the double NATting is causing this VPN issue. Ubiquiti support is also helping troubleshoot.
 
So, in theory, if I move my NVR to be under the IoT network in my UDM VLAN, would keeping the ISP router/switch active as the gateway router help add an additional layer of security for my devices (since all my devices are now under the UDM)? This assumes that I can get my UDM VPN set up, of course, and turn off the port forwarding on the ISP gateway router (except the port forwarding for getting the VPN traffic through).

Edit: Or, since I'm planning to use Blue Iris on a PC, I could skip UDM VPN and just look at running OpenVPN on the Windows PC; any issues with that? Then I can completely get rid of port forwarding and stay double NATted.
 
Thanks - looks like I was missing 2 ports (1701/1812), but unfortunately, even with those ports being forwarded, the connection is not successful. I will need to look at possibly running OpenVPN on my PC instead.
I advise you not to pursue double NAT-ing, as the benefits are nowhere near the cost of your time and any frustration. Specifically, in your scenario it would be like adding a security screen door to your front door. It definitely helps, but it is easily circumvented through means such as packet spoofing, where one can trick the router into believing it's legitimate traffic. Most importantly, getting rid of the double NAT will make it a lot easier for you to get things running initially. We can always pivot to add on the second NAT at a later time while preserving your working configuration.

Your hunch is correct, and your problems with VPN are stemming from the double NAT as it is not configured properly. Truthfully even I find it to be a PITA to configure, and do not use a double NAT at home. If it was me I'd make the UDM my main router and simplify your network configuration. Your ISP modem/router combined unit should have the option to turn off its DHCP server, and if not automatically done by the interface after, NAT should also be disabled on that unit. Put the cameras and NVR on their own/same VLAN, and configure it so that it is completely isolated, and cannot initiate any connections to anywhere.

Now allow exactly one connection from your VPN VLAN and any functional ports required to the NVR VLAN. The functional ports would be the same as the "port forward" ones, except we are not forwarding it to the outside -- just allowing it to another device inside of the home network (e.g. you opened an interior door of your house). In this configuration the only way to get access to those cameras is through your VPN which serves two purposes. First, no one is going to be able to "hack" your cameras as they have no viable route in other than logging into your VPN. Secondly, any mischievous cameras will become inert from the inability to call home.

With IPS/IDS enabled along with deep packet inspection (DPI), the UDM has a maximum throughput of 850 Mbps (UDM Pro is 3.5 Gbps). So add your internet speed to the bandwidth your cameras are using and you'll know whether it can support it or not. Alternatively, you could just test with it on and watch CPU usage if that information is not readily available to you. Hope that helps!
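The allow-list the post describes (one interior door from the VPN VLAN to the NVR's service ports, nothing initiated by the camera VLAN, and no other path into it) modelled as a small stateful policy evaluator. This is an added example, not UniFi's rule engine or anything from the thread; the subnets, the NVR address and the ports 37777/554 are placeholders the thread does not give.

```python
import ipaddress
from dataclasses import dataclass
# Assumed segments for this model; the thread names the roles, not the subnets.
SEGMENTS = {
    "VPN": ipaddress.ip_network("10.8.0.0/24"),      # VPN client address pool
    "NVR": ipaddress.ip_network("192.168.50.0/24"),  # isolated camera/NVR VLAN
    "LAN": ipaddress.ip_network("192.168.1.0/24"),   # ordinary user VLAN on the UDM
}
NVR_HOST = "192.168.50.10"  # placeholder NVR address
NVR_PORTS = {37777, 554}    # placeholder "functional ports"; the thread names none

@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport)

def segment_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return "INTERNET"  # anything outside the known VLANs is the outside world

class Firewall:
    """Default-deny, first-match policy plus a connection table (like conntrack)."""

    def __init__(self):
        self.conntrack = set()

    def _allow_new(self, f: Flow) -> bool:
        src, dst = segment_of(f.src), segment_of(f.dst)
        if src == "NVR":                   # cameras/NVR may never initiate ("call home")
            return False
        if src == "VPN" and dst == "NVR":  # the single interior door, NVR service ports only
            return f.dst == NVR_HOST and f.dport in NVR_PORTS
        return False                       # internet, LAN, anything else: no route to the NVR VLAN

    def accept(self, f: Flow) -> bool:
        # Established traffic (either direction of an allowed flow) passes first.
        if f in self.conntrack or f.reverse() in self.conntrack:
            return True
        if self._allow_new(f):
            self.conntrack.add(f)
            return True
        return False

def demo() -> dict:
    """Run the flows the thread worries about through the policy."""
    fw = Firewall()
    client = Flow("10.8.0.2", 51000, NVR_HOST, 37777)
    return {
        "vpn_to_nvr": fw.accept(client),                                           # True
        "nvr_reply": fw.accept(client.reverse()),                                  # True (stateful)
        "nvr_calls_home": fw.accept(Flow(NVR_HOST, 40000, "203.0.113.7", 443)),    # False
        "internet_to_nvr": fw.accept(Flow("203.0.113.7", 4444, NVR_HOST, 37777)),  # False
        "lan_to_nvr": fw.accept(Flow("192.168.1.20", 5000, NVR_HOST, 37777)),      # False
        "vpn_other_port": fw.accept(Flow("10.8.0.2", 51001, NVR_HOST, 80)),        # False
    }
```

The reply flow is only accepted because the VPN client's request was recorded first; a packet from the NVR that is not the reverse of an allowed flow is dropped, which is what makes a compromised camera "inert".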
 
Thank you. I spent this morning first trying to just remove the ISP modem/router and make the UDM the main router/gateway. Unfortunately, that led to my STBs completely losing their minds, and TV service being disabled. I tried to put the ISP modem/router back, but in bridge mode. The STBs still have issues (no program guide, no DVR service, etc.). Looks like I'll need to spend a few hours with the ISP (I read on dslreports about this issue, and apparently it is a known issue with this ISP; there are some workarounds, which will require the ISP to send a tech out).
This is more complicated than it needs to be, but I'm hopeful this can be figured out :)
 
Might try putting the ISP router behind yours on another subnet with a gateway out through yours. That's what we do mostly with Verizon FIOS when STBs are involved. Most all TV services (directory, video on demand, etc.) will work then. They just require a path from the STBs out to the Internet. What will not work are things requiring incoming connections (remote DVR control, control through the app, remote diagnostics, etc.). You can make most of that work but they rely on having a huge range of dynamically assigned ports to open so kind of defeats the purpose to a large extent.
 
I bought a used Raspberry Pi Zero W, then followed the instructions and made myself a wireless VPN server. Turn Your Raspberry PI Zero into A VPN Server with OpenVPN (kriztechblogs.blogspot.com)

My Pi Zero W kept crashing when I tried to do sudo apt-get update && sudo apt-get upgrade, then I lowered the CPU clock speed to 700 MHz and increased the voltage to 4 to make it stop crashing. I may drop the voltage and run more tests later, but for now I have a working OpenVPN server for $5 plus the cost of a micro SD card.
Overclocking options in config.txt - Raspberry Pi Documentation

 
Dropped the voltage back to default and kept the 700 MHz; my Pi Zero W seems to have been stable for over 24 hours, even with all the uninstalling and installation of software.

I opened a DDNS account at Dynu so it can update my ever-changing private IP to my domain.

Then I installed and configured ddclient on my Pi Zero W so the Pi Zero W can update my IP address to dynu.com automatically. Dynu

So far so good, and the underclocking from 1 GHz to 700 MHz really doesn't affect anything, as the CPU usage is hovering at 4-5% and only 53 MB of RAM out of 430 MB is used.
 
I'm back with an Asus router, bought a RT-AX86U on Friday, installed over the weekend.

It was fairly straightforward to get OpenVPN working with it. It didn't work the first time I tried; not sure if it just needed more time, as it was less than an hour after setting up OpenVPN, or if the Home Assistant page I was testing needed internet and local access. I started with local network access only. I enabled both, tried the next day, and it worked fine.

So I'm in the process of updating my blogger instructions based on what I did.

Note that I installed Asuswrt-Merlin before I did anything, so this will be based on Merlin, and not the stock Asus firmware.

Link

Randy
 