VPN Primer for Noobs


flynreelow

Getting comfortable
Joined
Dec 12, 2016
Messages
976
Reaction score
847
I did see that, but sadly it looks like Raspberry Pis aren't readily available to purchase right now. I could buy another Dell box for like $100 I guess, but if I can run my cams and VPN on the same box it would be more convenient and be less of a power draw.

For the record, the Dell I got is the i7-6700 @ 3.4GHz w/ 16GB DDR4 memory. So not sure if that will be enough firepower or not. At max I'm prob looking at 6-8 cameras.
The Dell seems to be spec'd well with that processor and RAM. Make sure you write direct to disk, and turn on Quick Sync.

Not really sure about the RasPi situation, and I have OpenVPN on my Synology router.
 

tangent

IPCT Contributor
Joined
May 12, 2016
Messages
3,999
Reaction score
2,808
My router only offers L2TP or PPTP for VPN (no OpenVPN). I can't simply buy one of the Asus routers with OpenVPN because it won't provide sufficient wifi coverage for my house like my mesh network, so for now I'm stuck with my current router.

I also recently bought a dedicated Dell Optiplex running Win 10 Pro that I will be putting BI on. I saw in the VPN sticky that you can run a VPN service from a dedicated NVR. I might have missed it, but how do you set up the VPN on the dedicated NVR Windows box? I've found many references to PiVPN, but that's for Linux, not Windows. Am I supposed to run a VM on the dedicated NVR that's running Linux to set up the VPN? Am I better off trying to get L2TP set up on my router or getting the VPN running on my NVR box?

My router doesn't have a built-in firewall, so I assume I'd still need dual NICs since I can't write firewall rules to block the cams from getting out to the net. Is that true? I tried to look around for a dedicated firewall box, but they are expensive and it feels like it may be overkill.

I hope my questions make sense. I have some networking experience, but I'm rusty since it's been about a decade since I worked in the field. Thanks.
You can connect mesh wifi up behind a different router or device / computer functioning as a router that has a VPN server.
You can expose a VPN or proxy server within your network (much more complicated, and if you need instructions this isn't for you).

The simplest option would be to set up ZeroTier – Global Area Networking on your Blue Iris server.
 

staind204

n3wb
Joined
Nov 15, 2022
Messages
29
Reaction score
10
Location
US
You can connect mesh wifi up behind a different router or device / computer functioning as a router that has a VPN server.
You can expose a VPN or proxy server within your network (much more complicated, and if you need instructions this isn't for you).

The simplest option would be to set up ZeroTier – Global Area Networking on your Blue Iris server.
Thanks, I will look into ZeroTier. Looks like it's free too for basic use, which is great. If I go this route, how would my physical cabling need to be set up?

Right now I have modem -> mesh router -> unmanaged switch -> devices.

If my Dell NVR starts hosting the VPN, will it still just connect off my switch like any other device, or does it need to be moved upstream? Might be a dumb question, but I'm used to seeing the VPN built into the router, so I'm not sure how the physical wiring needs to be. Same question on physical wiring if I go the Raspberry Pi VPN route.
 

TonyR

IPCT Contributor
Joined
Jul 15, 2014
Messages
11,898
Reaction score
25,271
Location
Alabama
+1 to @tangent's statement: if you get an Asus router for OpenVPN and it has wireless, you don't have to use the wireless. Turn off the wireless but let it continue to perform the routing function, and continue to use your existing mesh wireless (possibly with minor changes so they are APs and not trying to route also).
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
I recently converted to FIOS, and Frontier gave me a couple of Eero routers. The Eeros have better coverage than my Asus, so I use them both.
Here is a discussion on Reddit of how I set it up.
Reddit Setup Story
Please read the entire thread; I made changes as described at the bottom.
I have wifi on both routers enabled, but you can turn off the Asus wifi if you prefer. OpenVPN works fine.
 

staind204

n3wb
Joined
Nov 15, 2022
Messages
29
Reaction score
10
Location
US
+1 to @tangent's statement: if you get an Asus router for OpenVPN and it has wireless, you don't have to use the wireless. Turn off the wireless but let it continue to perform the routing function, and continue to use your existing mesh wireless (possibly with minor changes so they are APs and not trying to route also).
I just wanted to pop back in and thank you guys for the info. I was able to get DD-WRT installed on my old Netgear router. The router claims to support speeds up to 1750Mbps, so it shouldn't be any kind of a bottleneck for me. I was able to disable wifi on it, and OpenVPN seems simple enough to set up.

I'm sure I'll be back with more questions eventually, but wanted to take a minute to say thank you for all the help so far.
 

staind204

n3wb
Joined
Nov 15, 2022
Messages
29
Reaction score
10
Location
US
Alright, so I am about ready to put this DD-WRT Netgear in my network. Since I currently have a mesh network, I need to put the Netgear/OpenVPN in front of my topology.

Current:
Modem -> Main Mesh Router/AP -> Switch -> Additional Mesh Routers/APs

New:
Modem -> Netgear/OpenVPN -> Mesh Router/AP -> Switch -> Additional Mesh Routers/APs

Do I need to put the Netgear into bridge mode?
 

Ollie

Young grasshopper
Joined
Aug 17, 2022
Messages
35
Reaction score
12
Location
Israel
Do you have a link for this suggestion?
My understanding is that the stream doesn't go over the manufacturer's server (or P2P server); it's only used for opening the connection, and the stream goes directly to the client.
How does P2P IP camera work? | Technology News
What Is A P2P IP Camera And How Does It Work - Enterprise dynamics - News - Quanzhou Karassn Security Protection Electronics Co., Ltd
http://www.karassnsecurity.com/news-178733
But that's only from the manufacturer. I found a much deeper article and discussion here: This is Why People Fear the 'Internet of Things' — Krebs on Security
I need to read more and search, but here is the same problem: who is trustworthy? What shall we believe?
The links which you provided here seem to be harmful; you'd better delete them.
 

sgt-flippy

Getting the hang of it
Joined
Sep 6, 2022
Messages
37
Reaction score
33
I realise this might have been covered here, but I'm too lazy to find it in these 76 pages.

I'm using OpenVPN on a TP-Link Omada controller; it works fine.
Except I'm also using SharpTools to view a dashboard, which can display my cameras. It works fine when I add my credentials in the link, but I hoped that, since I'm using the VPN, I would no longer need to log in and could simply use the "no authentication on LAN" setting.
But Blue Iris seems to see the VPN IP instead of the IP assigned to my phone. Is there any way around this? So I can delete my credentials from the links in SharpTools.

The VPN is working correctly; I can visit my cameras on their 192. IPs, no problem. Only Blue Iris requires a login, even when I'm on my home wifi. When I turn the VPN off, it no longer asks for credentials.
 

sgt-flippy

Getting the hang of it
Joined
Sep 6, 2022
Messages
37
Reaction score
33
Seriously, that's how you want to ask for help?
I'll add I searched and googled and only found other people with the same issue, but in the end they either had a different situation or other people started talking about a lot of things I don't understand and concluded it wasn't a solution.

Thanks for the help anyway.
 

samplenhold

Known around here
Joined
Aug 8, 2018
Messages
5,661
Reaction score
18,548
Location
Spring, Texas
I'll add I searched and googled and only found other people with the same issue, but in the end they either had a different situation or other people started talking about a lot of things I don't understand and concluded it wasn't a solution.

Thanks for the help anyway.
Do not despair. While I do not have the knowledge to help solve your problem, hopefully someone will be along that can help you.
 

truglo

Getting the hang of it
Joined
Jun 28, 2017
Messages
191
Reaction score
65
I would no longer need to log in and could simply use the "no authentication on LAN" setting.
In BI Settings/Web server/Advanced..., I think you may need to uncheck "Use secure session keys and login page". As long as your VPN is set up properly, your LAN is otherwise secured, and you aren't port forwarding, it is OK to run this way.
 


sgt-flippy

Getting the hang of it
Joined
Sep 6, 2022
Messages
37
Reaction score
33
In BI Settings/Web server/Advanced..., I think you may need to uncheck "Use secure session keys and login page". As long as your VPN is set up properly, your LAN is otherwise secured, and you aren't port forwarding, it is OK to run this way.
I guess it's set up okay. I'm using a TP-Link ER605 with OpenVPN. Not much setting up to do.
Will try this tonight, thanks!
 

sgt-flippy

Getting the hang of it
Joined
Sep 6, 2022
Messages
37
Reaction score
33
In BI Settings/Web server/Advanced..., I think you may need to uncheck "Use secure session keys and login page". As long as your VPN is set up properly, your LAN is otherwise secured, and you aren't port forwarding, it is OK to run this way.
I checked, and that option was already unchecked.

But by the same reasoning, is it okay to run it with no login request on any connection, and then only allow connections from set IPs as an extra safety? So it's only working on the LAN and on specific IPs from the LAN and VPN.

This confuses me slightly, because in my head anyone with the same IP would then be able to connect to it. But that's not true, because they need the VPN details to connect to it, right?
 

truglo

Getting the hang of it
Joined
Jun 28, 2017
Messages
191
Reaction score
65
I checked, and that option was already unchecked.

But by the same reasoning, is it okay to run it with no login request on any connection, and then only allow connections from set IPs as an extra safety? So it's only working on the LAN and on specific IPs from the LAN and VPN.

This confuses me slightly, because in my head anyone with the same IP would then be able to connect to it. But that's not true, because they need the VPN details to connect to it, right?
Running a VPN on a router doesn't have anything to do with other, perhaps more important, security items, like open ports. Even if your VPN server and client use a secured connection, you could still be hacked if there is an open port on the router. I presume if you didn't mess with things, your router defaults won't have port forwards enabled.

WRT using an IP list for security... yeah, you are correct. On most OVPN servers found on routers you set up an IP specific to a client (or a range for multiple clients). This OVPN IP address (or range) is usually set up on a different subnet (so no chance to access the LAN without being connected through OVPN). So configuring BI to allow non-auth access from the OVPN IP (or range) is fairly secure. As you can see, I have 2 IP ranges that are allowed access in BI, one for OVPN clients and one for the LAN. To fill in more on this subject... Windows behaves similarly, and may need firewall rules added to let VPN clients connect (for example, if Windows gets 192... from DHCP, it needs to be told connections from 10... are OK).

OTOH, you probably also need BI to allow LAN IPs access as well. So you have to also be sure all LAN clients can be trusted... or set up some static IPs on your router and limit BI to only those devices (rather than, like, the whole LAN DHCP range).
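The Windows-side half of the advice above (the NVR needs to be told that connections from the OpenVPN subnet are OK, and nothing else should reach the Blue Iris web server) can be expressed as a single scoped firewall rule. The script below is an added example, not from the thread or from Blue Iris; the subnets and the port are placeholders (the "192..." LAN range and "10..." OVPN range from the post are assumed to be 192.168.1.0/24 and 10.8.0.0/24, and the Blue Iris web server port is assumed to be 81, so check Settings > Web server and your router's OpenVPN page and adjust).

```powershell
# Added example (not the forum's or Blue Iris' own code): scope the Blue Iris
# web server port on the Windows NVR so only the LAN subnet and the OpenVPN
# client subnet can reach it. Run from an elevated PowerShell prompt.
#
# ASSUMPTIONS (placeholders, adjust to your network):
#   $LanSubnet - the subnet the router's DHCP hands out (the "192..." range)
#   $VpnSubnet - the separate subnet the router's OpenVPN server assigns to
#                clients (the "10..." range); only reachable through the tunnel
#   $BiPort    - the TCP port the Blue Iris web server listens on
$LanSubnet = "192.168.1.0/24"
$VpnSubnet = "10.8.0.0/24"
$BiPort    = 81
$RuleName  = "Blue Iris web server - LAN and OpenVPN clients only"

# Remove any earlier copy so the script can be re-run safely.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow inbound TCP to the Blue Iris port only from the two trusted source
# ranges. Any other source (including the Internet, should a port forward ever
# be added by mistake) falls through to the profile's default inbound block.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Protocol TCP -LocalPort $BiPort `
    -RemoteAddress $LanSubnet, $VpnSubnet `
    -Action Allow -Profile Any | Out-Null

# Verify the rule carries the intended remote-address scope.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress

# Audit: any other enabled inbound Allow rule on the same port would widen
# access beyond the two subnets, so list them for review.
Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -eq "$BiPort" } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq "True" -and $_.Direction -eq "Inbound" -and
        $_.Action -eq "Allow" -and $_.DisplayName -ne $RuleName
    } |
    Select-Object DisplayName, Profile
```

The firewall rule complements, rather than replaces, the Blue Iris "allow non-auth access from these IPs" list: the BI list decides who gets in without a login, while the firewall decides who can talk to the port at all. Both only hold up because the 10.x OpenVPN range is reachable solely through the tunnel, which is the point made in the post about keeping the VPN clients on a different subnet from the LAN.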
 

sgt-flippy

Getting the hang of it
Joined
Sep 6, 2022
Messages
37
Reaction score
33
Running a VPN on a router doesn't have anything to do with other, perhaps more important, security items, like open ports. Even if your VPN server and client use a secured connection, you could still be hacked if there is an open port on the router. I presume if you didn't mess with things, your router defaults won't have port forwards enabled.

WRT using an IP list for security... yeah, you are correct. On most OVPN servers found on routers you set up an IP specific to a client (or a range for multiple clients). This OVPN IP address (or range) is usually set up on a different subnet (so no chance to access the LAN without being connected through OVPN). So configuring BI to allow non-auth access from the OVPN IP (or range) is fairly secure. As you can see, I have 2 IP ranges that are allowed access in BI, one for OVPN clients and one for the LAN. To fill in more on this subject... Windows behaves similarly, and may need firewall rules added to let VPN clients connect (for example, if Windows gets 192... from DHCP, it needs to be told connections from 10... are OK).

OTOH, you probably also need BI to allow LAN IPs access as well. So you have to also be sure all LAN clients can be trusted... or set up some static IPs on your router and limit BI to only those devices (rather than, like, the whole LAN DHCP range).
That's perfect and seems to work. I used to have ports open, but I closed them for the VPN. I'm also running the router behind a NAT that has ports forwarded to let a VPN run, but I'll try whether it still works without them, since that was for a different approach than OpenVPN.

I already have static IPs for all devices that need access to BI and have already listed them. They work as well.

So this solves things. Thanks!

PS: removed the VPN ports from my NAT, and OpenVPN still works. No more forwards!
 