Hi, I have several many questions...
^ FIFY ; )
- If implementing a VPN in my network, by using a new/fresh router - is additional firewall configuration needed on this router?
Depends on what else you want to do as far as incoming/outgoing traffic. As above, by default most all will block all unsolicited traffic destined to your edge/public IP address. If the router/firewall doesn't automatically open a port for the VPN as part of its configuration, then you'd need to do that. If you want to block outgoing traffic from your cams by MAC address, you'd need to do that. If you want to open up traffic for some other purpose, you'd need to do that. Etc., etc.
- If my VPN server router has different LAN segments (different subnetworks) - will all be accessible to the VPN client?
By default in most all cases, no. You'd need to set up some routing within your network to do that, or scope the address so that it's supernetted, or maybe could do with different VPN profiles assigning different client IPs to different subnets.
- Can an OpenVPN app (on Android) allow specific apps to use the VPN? - if so, can the VPN tunnel live alongside the public traffic at the same time without disconnecting?
I don't use Android for that purpose much but believe that can be done in various ways. Will depend some on the VPN/client used. Yes, as above, you can split the traffic routing based on destination.
- Can I use No-IP account instead of a static IP - will it harm my network security?
Yes - No. The DNS just serves as a lookup table for your public IP address. No-IP and other DDNS services just update DNS dynamically with your current IP address. What happens from there is on you. Kind of like a name listing in a phone/telephone book. The name is associated with a number which is returned to be used to make whatever connection.
- On the remote site - where the VPN server is located - can I set an external (public) NTP server's address, or might it create a security flaw in my VPN router? - do I need to do it, or will PC sync for each device do?
Will using an external NTP server require me to do the same on each of my clients, so that they will be synchronized with the VPN server?
By default in most cases, traffic from your server to an external NTP server originates from within your network and is outgoing solicited traffic so will be passed through to whatever device requests it. Technically, there have been some potential vulnerabilities with NTP but practically nothing that you need to be concerned with. Better to use NTP vs PC sync. The former is updated on a periodic basis, the latter is not and will drift over time. Generally, what's best to do is to run a local NTP server which then permits you to isolate your cameras from getting outside and/or however you may have them restricted within. As explained above in the case of BI/VMS, the NTP server will have permission to contact an outside NTP server to get time. The cameras then will connect to the local NTP server (vs an outside source) to periodically pull the correct time. Since that traffic is internal, the cams can remain blocked from any connections outside of whatever other scope.
- On a Windows PC, while using a VPN client - is it possible to restrict the VPN to a VMS app only? - don't want to use the low speed of the VPN server for my other web browsing.
I've not tried to do that but possibly so using the Windows firewall and permitting/restricting traffic by program along with defining how the tunneling is split for the VPN as explained earlier.
- Currently, I'm using DMSS app (Android) + P2P. any other suggested application?
I and lots of others here use BI and its app/UI3 but that's a whole 'nuther thing that you'll have a million questions about. ; )
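The camera/NTP isolation described in the NTP answer above, written out as an nftables forwarding policy. This is an added example, not the poster's configuration; the interface names ("cams", "lan", "wan"), the camera subnet 192.168.20.0/24 and the local NTP server address 192.168.10.5 are constructed placeholders for this illustration.

```nft
#!/usr/sbin/nft -f
# Constructed example layout (not from the original post):
#   cameras        : 192.168.20.0/24 behind interface "cams"
#   local NTP host : 192.168.10.5 on interface "lan" (also where BI/VMS lives)
#   Internet       : interface "wan"
# Point every camera's NTP setting at 192.168.10.5; only that host polls outside.

flush ruleset

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to flows that were allowed below (including NTP answers)
        ct state established,related accept

        # Cameras may reach the local NTP server on UDP/123 and nothing else
        iifname "cams" ip daddr 192.168.10.5 udp dport 123 accept

        # LAN side (VMS, admin PCs) may open connections to the cameras (RTSP, web UI)
        iifname "lan" oifname "cams" accept

        # Only the local NTP host is allowed out to public NTP servers
        iifname "lan" ip saddr 192.168.10.5 oifname "wan" udp dport 123 accept

        # Ordinary LAN clients keep their Internet access
        iifname "lan" oifname "wan" accept

        # Any other attempt by a camera to leave its segment is logged and dropped
        iifname "cams" log prefix "cam-egress-blocked: " drop
    }
}
```

Because the chain's default policy is drop and cameras never get a rule toward "wan", the log line is the place to watch for a camera trying to phone home after a firmware update or misconfiguration.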