VPN Primer for Noobs

What VPN Solution are you using?


  • Total voters
    836

Kawboy12R

Known around here
Joined
Nov 18, 2014
Messages
1,771
Reaction score
609
There have also been attacks on NVRs that exposed the NVR's password and the email addresses inside used for notifications so if you used common passwords between devices or accounts that meant they had the keys to your kingdom as well as your NVR.
 

MrRalphMan

Getting the hang of it
Joined
Jan 20, 2016
Messages
309
Reaction score
72
Just to let people know that sometimes your NAS drive has a option to install a VPN server. I am running a Synology NAS and it has a VPN Server to install. This allows several VPN options, including openVPN (which I use) and IPSec.

This is being used by a mixture of Android and IoS devices.

By the way, nice article Nayr. :)
 

GH75

Young grasshopper
Joined
Mar 4, 2016
Messages
59
Reaction score
9
If the switch was installed after the comcast router would the comcast router still be able to run dhcp through the managed switch and vlan?

I am going to reach oit to some local companies in my network and partner with them so i have someone on call for help.

But i still like to know the basics so i can make customers aware during the sales process.

I have clients who dont even put UPS on their NVR so cost is a concern.

Sent from my SM-G900P using Tapatalk
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
a vlan wont protect anything without a vlan capable router/firewall to filter the traffic; this is a highly advanced configuration and way beyond the scope of this article.. buying a bunch of advanced networking gear without understanding how to configure and set things up is just far more likely to be less secure than if you just kept it simple.. adding complexity dont nessicary increase security; espcially if you dont know what your doing.

there are far better places on the internet to learn about advanced networking technology and how to deploy it than this forum.. use your google fu
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
OK, back to some more basic stuff.
I have OpenVPN running, but I have read there are some pretty simple tweaks to make it more secure.
One is not using the default server port, change it to some random port to make it harder to find.

The other is to change the encryption cipher from default, which I read is Blowfish.
Planning to try AES-256-CBC and make sure the performance is OK.

Randy
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
run it on 443 the same port as https traffic, if you pick some random high port your very likely to encounter a remote network (Public Wifi/Guest Wifi/etc) that blocks all but basic web-traffic.

obfuscating ports is pointless; every port can be scanned very quickly and your VPN Server will identify its self regardless the port its on.. your vpn server can handle the abuse of running on a common port without increasing your attack surfaces.

stronger crypto is always good if your hardware is capable of using it; but it can really destroy performance if its doing it all in software on weak hardware.. check your hardware support, if it has crypto acceleration support for your ciphers then your golden.
 

BLKMGK

Getting the hang of it
Joined
Jul 19, 2016
Messages
81
Reaction score
39
If you run a VPN the ports exposed to the internet are the VPN ports, NOT the NVR ports. If you run the VPN behind say a cable modem you'll have to forward VPN ports to the VPN server.

I agree VLAN is a bit complicated and it does require hardware that can handle it. I've just recently bought some VLAN capable switches and hope to learn about it more myself as I've never used them. Done right it's a network within a network is my understanding, how it works though is simply by tagging specific fields on packets so don't get a false sense of security when it's used...

Crypto - what's your threat? Are you REALLY worried that someone is sniffing the traffic and going to brute force the crypto keys out or do you simply want no one to be able to look at the traffic and grab credentials and whatnot? While good crypto is "better" you have to assess the threat. If it's not super duper secret data being protected from nation state intel services maybe you don't have to turn the dial up to eleven if it slows things? Run what makes sense! I used to run PPTP for a VPN, it was simple to setup and "easy" to break but my threat was joe average at the bar while I ate dinner so I didn't care. The more valuable the data the higher the security precautions but if taking precautions is simple or free do it. No security is a big problem because at that point the network resource itself is the prize, you need to make it hard enough they go elsewhere :)
 

GH75

Young grasshopper
Joined
Mar 4, 2016
Messages
59
Reaction score
9
If you run a VPN the ports exposed to the internet are the VPN ports, NOT the NVR ports. If you run the VPN behind say a cable modem you'll have to forward VPN ports to the VPN server.

I agree VLAN is a bit complicated and it does require hardware that can handle it. I've just recently bought some VLAN capable switches and hope to learn about it more myself as I've never used them. Done right it's a network within a network is my understanding, how it works though is simply by tagging specific fields on packets so don't get a false sense of security when it's used...

Crypto - what's your threat? Are you REALLY worried that someone is sniffing the traffic and going to brute force the crypto keys out or do you simply want no one to be able to look at the traffic and grab credentials and whatnot? While good crypto is "better" you have to assess the threat. If it's not super duper secret data being protected from nation state intel services maybe you don't have to turn the dial up to eleven if it slows things? Run what makes sense! I used to run PPTP for a VPN, it was simple to setup and "easy" to break but my threat was joe average at the bar while I ate dinner so I didn't care. The more valuable the data the higher the security precautions but if taking precautions is simple or free do it. No security is a big problem because at that point the network resource itself is the prize, you need to make it hard enough they go elsewhere :)
Lol kind of like most reports state surveillance systems dont lower crime in an area, it just displaces it. I dont need to stop hacking, i just need them to find someone else...

And you are right, i am not guarding national secrets. I really do not plan on utilizing vlans, i just like to know how they come into play. Because 10% of our clients are enterprise running Cisco etc but they have their own IT department

And I am not trying to redesign the clients network. We do alot of apartment complexes and most leasing offices have a comcast device with default password, and a cheap tp link switch after it to expand ports.

I think a decent router with vpn that allows sufficient bandwidth is all we need. Keep all traffic we generate limited to the nvr and make that connection fairly secure.

Thanks for answering about the ports.

Sent from my SM-G900P using Tapatalk
 

Roman

Getting the hang of it
Joined
Aug 31, 2014
Messages
184
Reaction score
29
run it on 443 the same port as https traffic, if you pick some random high port your very likely to encounter a remote network (Public Wifi/Guest Wifi/etc) that blocks all but basic web-traffic.
Just wanted to comment that this is an excellent suggestion by nayr and not only public wif / guest wifi environments but also in the business world. For example, your work may block port 5080 but they sure as hell are not going to block 443 (typically) due to https sites.

This used to work for me so I could stream my sling box at work and watch tv on port 443 instead of the default:)
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
If you run a VPN the ports exposed to the internet are the VPN ports, NOT the NVR ports. If you run the VPN behind say a cable modem you'll have to forward VPN ports to the VPN server.

I agree VLAN is a bit complicated and it does require hardware that can handle it. I've just recently bought some VLAN capable switches and hope to learn about it more myself as I've never used them. Done right it's a network within a network is my understanding, how it works though is simply by tagging specific fields on packets so don't get a false sense of security when it's used...

Crypto - what's your threat? Are you REALLY worried that someone is sniffing the traffic and going to brute force the crypto keys out or do you simply want no one to be able to look at the traffic and grab credentials and whatnot? While good crypto is "better" you have to assess the threat. If it's not super duper secret data being protected from nation state intel services maybe you don't have to turn the dial up to eleven if it slows things? Run what makes sense! I used to run PPTP for a VPN, it was simple to setup and "easy" to break but my threat was joe average at the bar while I ate dinner so I didn't care. The more valuable the data the higher the security precautions but if taking precautions is simple or free do it. No security is a big problem because at that point the network resource itself is the prize, you need to make it hard enough they go elsewhere :)
On my asus router, its very easy changing the encryption cipher from default (Blowfish) to AES-256-CBC, or some other cipher if you want.
For AES, you can choose 128, 192 or 256. Thought it was interesting they added 192, I guess if you are worried 128 bit is not enough, and 256 is too slow.

I found this post
OpenVPN - estimate performance via OpenVPN

where someone measured the speeds for aes 128 and 256. Around a 7% difference, which I can live with.
It's a overclocked ac68, so speeds are 20% faster than my stock 68p, but for this I'm more concerned about the relative difference.

I changed to aes256 this morning, works fine, and for domoticz, which is very low data anyway, no difference in speeds.
The most work in changing was implementing my new, random password lol

BTW, for just video and cams, I don't think security is a big concern.
I'm more concerned with keeping bad guys out of my network in general, and as I implement more in Domiticz and IOT, I want that part secure.

Randy
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
@randytsuch, check out my x509 wiki article for Domoticz.. I also put a Nginx proxy server exposed to the internet that only accepts client x509 certs from my CA.. this proxy's all my web appliances to the internet and bypasses my VPN, domoticz, opensprinkler, sonarr, transmission, nzbget, etc are all proxied and they use the same certs I install on all my devices for wifi and vpn access, and vpn dont have to be connected either.

im so confident in its abilities to keep my shit secure, this is my IoT Portal: Access Denied
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
Nayr
I think I looked at your wiki a while ago, of course at the time I didn't know it was yours lol

In the Install the CA on Client Devices, you say
Mobile Devices are a little harder and you may consider getting your cert signed by a 3rd party authority.

Since I'm pretty much only using mobile devices when outside my network to view this stuff, this makes it a no go for me.

Also, wondering what the advantage is for x509 versus vpn?
As long as VPN is secure, won't it work just as well?
I guess there is VPN overhead, which you don't have with x509.
Connecting my vpn only takes a few pushes, so I don't mind having to do that.

Randy
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
you can install your own CA on your devices, you only get a signed 3rd party one if you want other people's devices to work w/out installing it.

automation is a bit harder if you have to ensure VPN is open, for example I have a RFID token in my car that triggers my garage door to open/close via Domoticz.. if I come home and my phone is a bit slow getting on the wifi I dont have to fire up a VPN to connect to domoticz and execute the commands.
 

randytsuch

Pulling my weight
Joined
Oct 1, 2016
Messages
495
Reaction score
176
you can install your own CA on your devices, you only get a signed 3rd party one if you want other people's devices to work w/out installing it.

automation is a bit harder if you have to ensure VPN is open, for example I have a RFID token in my car that triggers my garage door to open/close via Domoticz.. if I come home and my phone is a bit slow getting on the wifi I dont have to fire up a VPN to connect to domoticz and execute the commands.
OK, thanks.
RFID in car sounds cool, I have seen people talking about geofencing to do things like that but RFID would be a better way to do it.
For now, I'll stick with openVPN, but will keep this in mind if VPN becomes an issue with Domoticz. I'm not using Domoticz much yet, really just to turn the light on for the dog when we get home after dark lol.
 

BLKMGK

Getting the hang of it
Joined
Jul 19, 2016
Messages
81
Reaction score
39
As NAYR pointed out above YES security IS an issue for cams and NVR. While they may not be able to steal secrets from them they CAN be hacked and turned into bots used to attack other networks or jumping off points for your internal network if the device can see other hosts. These devices tend to be pretty insecure, if you've locked all of your doors there's no sense leaving a window wide open.
 

fooey

n3wb
Joined
Jan 9, 2016
Messages
26
Reaction score
2
you can install your own CA on your devices, you only get a signed 3rd party one if you want other people's devices to work w/out installing it.

automation is a bit harder if you have to ensure VPN is open, for example I have a RFID token in my car that triggers my garage door to open/close via Domoticz.. if I come home and my phone is a bit slow getting on the wifi I dont have to fire up a VPN to connect to domoticz and execute the commands.
Hi nayr

I understand using the certificates in place of wifi password authentication but how does it work for apps connecting over a public wifi network in the place of connecting via VPN?

For example using a VPN, you would need to establish it before any phone/tablet apps could then access whatever as if it was local to the network.

This couldn't be done without VPN and just using Certs?
 

JohnCena

n3wb
Joined
Sep 23, 2016
Messages
7
Reaction score
0
Nice article. I've read a bit about setting up a VLAN but I've decided against it mostly because I'm pretty dumb when it comes to setting network stuff up, setting up OpenVPN on my router was difficult enough. Should have went for an Asus one!

If I set up a VPN and then on my DD-WRT router set up a rule that blocks all traffic on Access Restrictions/add the camera's IP and MAC address to the list of clients I should be pretty decent at least, right? I know that a VLAN would be the most secure option but I'm hoping that using VPN + blocking the cameras from the internet should be pretty decent, even if they're plugged into the router.
 

nayr

IPCT Contributor
Joined
Jul 16, 2014
Messages
9,329
Reaction score
5,325
Location
Denver, CO
yeah block your ipcameras from talking to the internet and run a local NTP Server to give em time.. or allow em to only talk 123/udp and nothing else.

rule order is important, so put the block all at the top.. and if you allow NTP put that above the block all.
 

BLKMGK

Getting the hang of it
Joined
Jul 19, 2016
Messages
81
Reaction score
39
You might also be able to run an NTP server for your local network on your firewall\router\VPN\gateway device - I pretty certain my PFSense box can do it. So PFSense would go out and get time ten be the time server for the rest of the network so only one device ever goes out for it. I don't think I have this setup but will look. I *think* you might even be able to setup the DHCP server to set the NTP server along with the DNS for your clients.

Do NVR have NTP servers on them? Since they tend to put cameras on their own subnet I would think so and act pretty much as I described above. So NVR gets NTP from firewall thingy and sends time to cameras. Also, with a good flexible firewall type device or router you can allow your devices to do DHCP dynamic addressing but always get the same address from the DHCP server by assigning the same address each time using the MAC address of the device. I do this extensively for my servers, switches, and my camera. Still working on the VPN part but I like the idea of using X509 certs and a proxy!
 
Top