IP Cam Talk


VPN Primer for Noobs


PSPCommOp

Getting the hang of it
@nayr, any suggestions/recommendations on scripting for newbs? I'm trying to learn about scripts and mounting the jffs to prohibit outgoing traffic in Merlin, but there is just so much out there. As a novice I don't even really know where to begin. It's actually pretty discouraging.



Chase

Getting the hang of it
Is your network only at risk if you view from public wifi or a friend's house (who may not have a secure network)?

Or are you at risk no matter what, even when on the cellular network?

Just trying to understand.
 

nayr

IPCT Contributor
that's not the issue really, yes it provides encryption when on a public or friend's wifi for additional security.. but the primary reason is so the only thing exposed to the internet, that anyone and everyone can connect to, is your VPN Server; not your Video Surveillance system.
 
@nayr curious to read your thoughts on using SSL to secure the open port for dvr traffic?

I use Sonicwall's VPN application to access my Blue Iris DVR when I'm outside of my network, but I've recently configured Blue Iris to use Stunnel's SSL encryption to allow the open port, just to see how well it worked (e.g. public open port 61443 > local stunnel port 8443 > Blue Iris https port 443).

Seems to work well, but haven't decided whether or not I prefer the convenience of launching BI app and automatically connecting to see my feeds (I like the BI widget, it's very convenient) via SSL is worth it. Or if connecting my VPN app every time I want to view my feeds.

I'm sure you'd say err on the side of caution and use the vpn app, or just leave it on altogether. Still your opinion (and anyone else's) would be appreciated.
 

nayr

IPCT Contributor
SSL just encrypts the traffic in transit; the problem still remains that your recorder is not suitable for direct exposure to the internet.. SSL or no SSL, a remote security issue will work just as easily over an SSL connection as a non-SSL connection.

The VPN Server acts like a gateway; it's been designed for internet exposure and the code has been audited by security professionals.. Getting past it will be significantly harder than compromising your VMS system.
 

DavidDavid

Pulling my weight
Why bother disconnecting from the VPN when you are done viewing your cameras? Just leave the VPN permanently connected when you are away from home. Connect when you leave the house and disconnect when you get home.

You lock the door to your house then unlock it when you get home don't you? It's not really all that much more work than locking up the house.
 

PSPCommOp

Getting the hang of it
Why bother disconnecting from the VPN when you are done viewing your cameras? Just leave the VPN permanently connected when you are away from home. Connect when you leave the house and disconnect when you get home.
I've been using the OpenVPN app for iOS for the last 8-9 months and find it won't stay connected (for obvious reasons) when moving between Wifi and cellular. I find myself having to open and close the app or the little spinning circle sits there.

Not sure if anyone else with iOS has this problem or if it's just me but that's why I don't leave the VPN connected all the time.

That being said, if the 5 seconds it takes for me to open the VPN app first, then switching to BI becomes an issue or inconvenient, I think I'd have to kick my own ass for being so lazy.


 
Why bother disconnecting from the VPN when you are done viewing your cameras? Just leave the VPN permanently connected when you are away from home. Connect when you leave the house and disconnect when you get home.

You lock the door to your house then unlock it when you get home don't you? It's not really all that much more work than locking up the house.
That doesn't work very well for me. While a 4g+ -100db signal actually works pretty well, with the VPN turned on it makes it like I've got no data connection if it's anything less. I end up having to turn it off so I just do it after I'm done viewing BI.

I'm actually thinking about turning on my MAC filters to block all except for my devices but leave the VPN in case I need access with something not on the list and for the wife's ipad.

 
I have the same problem with the Sonicwall VPN client. I've even set up an Asus router on my second line to test OpenVPN, same thing, it's a PITA to reconnect when I want a quick refresh of the BI widget.
 

DavidDavid

Pulling my weight
Hmm not sure what obvious reasons those are, but I haven't noticed anything like that on my Android. I have the seamless tunnel checked in the preferences, but right off the bat it's the only thing I could suggest to try turning on. Are there any "auto reconnect" options you can turn on?

My android has an "always on VPN" option but doesn't work with openvpn connect app.

Other than that I've got nothing.
 

PSPCommOp

Getting the hang of it
It's a matter of switching connections between cellular and wifi. The VPN works fine but if there's no connection to a broadband source, it'll disconnect and doesn't seem to reconnect. So you need to go back into the app and close the connection and then reconnect.


 
It's only really an issue when I'm in the field. When I'm at the office it's not a problem since my wifi connection is stable. It's only when I travel that my connection switches from 4g/LTE/Wifi, then my VPN drops and doesn't reconnect. I've tried some of the options in the mobile clients, but for the most part, once it loses its connection for more than a minute it stays disconnected.
 

Arjun

Getting comfortable
Ryan, I had to forward the TUN mode – 12973 (for smartphone) and TAP mode – 12974 (for PC) ports on my Verizon Gateway to get the OpenVPN service working, is this expected / normal? Or should this not be the case?

Something still tells me these port numbers are an open invitation, shouldn't they still be changed from their presets?
 

nayr

IPCT Contributor
this is because you're double NATing your router; can you put your FIOS modem into bridge mode and expose your own firewall?

if it's just connecting to your VPN Server then it's fine, that's the point.. your VPN Server is safer to expose to the public internet side than your cameras
 

Arjun

Getting comfortable
Thanks for clarifying that, the port forwarding is for between the FiOS modem and Netgear router. As all seems to be running the way it should now, I should avoid using proprietary apps at all cost, lol

this is because you're double NATing your router; can you put your FIOS modem into bridge mode and expose your own firewall?

if it's just connecting to your VPN Server then it's fine, that's the point.. your VPN Server is safer to expose to the public internet side than your cameras
 

DavidDavid

Pulling my weight
dude you ROCK! I had been wanting some sort of automation app on my phone for a while now, just never investigated anything other than IFTTT (which I found to suck btw) until I saw your comment. I just got it up and running and 1) Tasker is sweet and 2) The auto connect/disconnect from my VPN as soon as I leave home/get home is SO useful....makes my life easier + now my wife actually connects to the VPN because...well because she doesn't have to do anything since it will automatically do it for her.

I made a thread about this in the automation forum . . . Have Tasker automatically connect/disconnect your VPN connection

I'd suggest @nayr adds a blurb about this at the end of his first post here because setting this up should probably be the first thing you do after getting your VPN server working.
 

cryptelli

Pulling my weight
1) Tasker is sweet and 2) The auto connect/disconnect from my VPN as soon as I leave home/get home is SO useful
Sure is. My VPN profile is tied into my car since I wanted my mobile connection to kick in as soon as the phone connected via Bluetooth, and since the radio is populated full of ads I have it fire up Pandora, otherwise the car gets a bit temperamental if it's running in the background on first startup.

I have a number of other profiles, always looking for what else I can automate next :).

I made a thread about this in the automation forum . . . Have Tasker automatically connect/disconnect your VPN connection
Great stuff!
 

DavidDavid

Pulling my weight
Where do I run my VPN Server? the best place is on your home router, since it will be required to be online and reachable for all remote connections anyhow it's the best candidate. However if you have an always on PC-NVR it can also run it on there with great performance capabilities, or on a dedicated VPN appliance such as a Raspberry Pi
It helps to re-read any tutorials as many times as required until you fully understand them. He answered your question 4 months ago.
 

Rockford622

Getting the hang of it
Why bother disconnecting from the VPN when you are done viewing your cameras? Just leave the VPN permanently connected when you are away from home. Connect when you leave the house and disconnect when you get home.

You lock the door to your house then unlock it when you get home don't you? It's not really all that much more work than locking up the house.
I don't understand why you would do this. So you want all of the traffic generated by your device to go through your home ISP all day long as you are out of the house? It's just going to be encrypted from your device to your router, decrypted by your server, and then go back out to the Internet in its original form.
 