VPN Primer for Noobs

What VPN Solution are you using?


  • Total voters
    859
I did see that but sadly it looks like raspberry pis arent readily available to purchase right now. I could buy another dell box for like $100 i guess but if i can run my cams and vpn on the same box it would be more convenient and be less of a power draw.

For the record the dell i got is the i7-6700 @ 3.4GHZ w 16gb ddr4 memory. So not sure if that will be enough fire power or not. At max im prob looking at 6-8 cameras.
dell seems to be specd well with that processor, and ram. make sure u write direct to disk, and turn on quick sync

not really sure about the raspi situation, and i have open vpn on my synology router
 
My router only offers L2TP or PPTP for VPN (no open VPN). I cant simply buy one of the Asus routers with OpenVPN because it wont provide sufficient wifi coverage for my house like my Mesh network so for now im stuck with my current router.

I also recently bought a dedicated Dell Optiplex running Win 10 pro that i will be putting BI on. I saw in the VPN sticky that you can run VPN service from a dedicated NVR. I might have missed it but how do you set up the VPN on the dedicated NVR windows box? Ive found many references to PiVPN but thats for linux not windows. Am i supposed to run a VM on the dedicated NVR thats running linux to set up the vpn? Am i better to try and get L2TP set up on my router or getting vpn running on my NVR box?

My router doesnt have a built in firewall so i assume id still need dual nics since i cant write firewall rules to block the cams from getting out to the net. Is that true? I tried to look around for a dedicated firewall box but they are expensive and feels like it may be overkill.

I hope my questions make sense, i have some networking experience but im rusty since its been about a decade since i worked in the field. Thanks.
You can connect mesh wifi up behind a different router or device / computer functioning as a router that has a VPN server.
You can expose a VPN or proxy server within your network (much more complicated, and if need instructions this isn't for you)

The simplest option would be to setup ZeroTier – Global Area Networking on your Blue Iris server.
 
  • Like
Reactions: TonyR
You can connect mesh wifi up behind a different router or device / computer functioning as a router that has a VPN server.
You can expose a VPN or proxy server within your network (much more complicated, and if need instructions this isn't for you)

The simplest option would be to setup ZeroTier – Global Area Networking on your Blue Iris server.

Thanks i will look into ZeroTier. Looks like its free too for basic use which is great. If i go this route, how would my physical cabling need to be set up?

Right now i have modem -> mesh router -> unmanaged switch -> devices.

If my Dell NVR starts hosting VPN will it still just connect off my switch like any other device or does it need moved upstream? Might be a dumb question but im used to seeing the VPN built into the router so im not sure how the physical wiring needs to be. Same question on physical wiring if i go the Raspberry Pi VPN route..
 
Last edited:
+1 to @tangent 's statement: if you get an Asus router for OpenVPN and it has wireless you don't have to use the wireless....turn off the wireless but let it continue to perform the routing function.....continue to use your existing mesh wireless (possibly with minor changes so they are AP's and not trying to route also) .
 
I recently converted to FIOS, and Frontier gave me a couple of Eero's routers. The Eero's have better coverage than my Asus, so I use them both.
Here is a discussion in reddit how I setup.
Reddit Setup Story
Please read the entire thread, I made changes as described at the bottom.
I have wifi on both routers enabled, but you can turn off the Asus wifi if you prefer. OpenVPN works fine.
 
  • Like
Reactions: TonyR
+1 to @tangent 's statement: if you get an Asus router for OpenVPN and it has wireless you don't have to use the wireless....turn off the wireless but let it continue to perform the routing function.....continue to use your existing mesh wireless (possibly with minor changes so they are AP's and not trying to route also) .

I just wanted to pop back in and thank you guys for the info. I was able to get WW-DRT installed on my old Netgear router. The router claims to support speeds up to 1750Mbps so it shouldn't be any kind of a bottle neck for me. I was able to disable Wifi on it and OpenVPN seems simple enough to set up.

I'm sure I'll be back with more questions eventually but wanted to take a minute to say thank you for all the help so far.
 
Alright so I am about ready to put this WW-DRT Netgear in my network. Since I currently have a mesh network I need to put the Netgear/OpenVPN in front of my topology.

Current:
Modem -> Main Mesh Router/AP -> Switch -> Additional Mesh Routers/APs

New:
Modem -> Netgear/OpenVPN -> Mesh Router/AP -> Switch -> Additional Mesh Routers/APs

Do I need to put the Netgear into bridge mode?
 
Do you have a link for this suggestion ?
My knowledge is, the stream doesn´t goes over the manufacturers server (or p2p server), its only used for opening the connection, the stream goes directly to the client.
How does P2P IP camera work? | Technology News
What Is A P2P IP Camera And How Does It Work - Enterprise dynamics - News - Quanzhou Karassn Security Protection Electronics Co., Ltd
http://www.karassnsecurity.com/news-178733
But thats only from manufacturer. I found a much deeper artikel and discussion here: This is Why People Fear the ‘Internet of Things’ — Krebs on Security
I need to read more and search, but here is the same problem, who is trustworthy? What shall we believe?
The links which you provided here seems to be harmful, you better delete them.
 
The links which you provided here seems to be harmful, you better delete them.
You do realize that this post was from 2017, right? This user has not even been on here since September 2020.
 
I realise this might have been covered here, but I'm too lazy to find it in these 76 pages.

I'm using OpenVPN on a TP-link Omada controller, works fine.
Except I'm also using Sharptools to view a dashboard, which can display my camera's. It works fine when I add my credentials in the link, but I hoped, since using the VPN, I would no longer need to login and simply use the no authentification on LAN setting.
But, Blue Iris seems to see the VPN IP instead of my phone's IP assigned to it. Is there any way around this? So I can delete my credentials from the links in Sharptools.

The VPN is working correct, I can visit my camera's on their 192. IP's, no problem. Only Blue Iris requires a login, even when I'm on my home wifi. When I turn the VPN off, it no longer asks credentials.
 
Seriously, that's how you want to ask for help?
I'll add I searched and googled and only found other people with the same issue, but in the end they either had a different situation or other people started talking about a lot of things I don't understand and concluded it wasn't a solution.

Thanks for the help anyway.
 
  • Like
Reactions: samplenhold
I'll add I searched and googled and only found other people with the same issue, but in the end they either had a different situation or other people started talking about a lot of things I don't understand and concluded it wasn't a solution.

Thanks for the help anyway.
Do not despair. While I do not have the knowledge to help solve your problem, hopefully someone will be along that can help you.
 
  • Like
Reactions: sgt-flippy
I would no longer need to login and simply use the no authentification on LAN setting.

In BI settings/Web server/Advanced..., I think you may need to uncheck "Use secure session keys and login page". As long as your VPN is setup properly, your LAN is otherwise secured, and you aren't port forwarding, it is OK to run this way.
 

Attachments

  • Untitled.jpg
    Untitled.jpg
    218.7 KB · Views: 10
Last edited:
  • Like
Reactions: sgt-flippy
In BI settings/Web server/Advanced..., I think you may need to uncheck "Use secure session keys and login page". As long as your VPN is setup properly, your LAN is otherwise secured, and you aren't port forwarding, it is OK to run this way.
I guess it's setup okay. I'm using a TP-link ER605 with OpenVPN. Not much setting up to do.
Will try this tonight, thanks!
 
In BI settings/Web server/Advanced..., I think you may need to uncheck "Use secure session keys and login page". As long as your VPN is setup properly, your LAN is otherwise secured, and you aren't port forwarding, it is OK to run this way.
I checked and that option was already unchecked.

But on the same reasoning, is it okay to run it with no login request on any connection? And then only allow connection from set IP's as an extra safety? So it's only working on LAN and specific IP's from the LAN and VPN.

This confuses me slightly, because in my head anyone with the same IP would then be able to connect to it, but that's not true, because they need the VPN details to connect to it, right?
 
Last edited:
I checked and that option was already unchecked.

But on the same reasoning, is it okay to run it with no login request on any connection? And then only allow connection from set IP's as an extra safety? So it's only working on LAN and specific IP's from the LAN and VPN.

This confuses me slightly, because in my head anyone with the same IP would then be able to connect to it, but that's not true, because they need the VPN details to connect to it, right?

Running a vpn on a router doesn't have anything to do with other perhaps more important security items, like open ports. Like even if your vpn server and client use a secured connection, you could still be hacked hacked if there is an open port on the router. I presume if you didn't mess with things, your router defaults won't have port forwards enabled.

WRT using an IP list for security... yeah you are correct. On most ovpn servers found on routers you setup an IP specific to a client (or a range for multiple clients). This OVPN ip address (or range) is usually setup on a different subnet (so no chance to access lan without being connected through ovpn). So configuring BI to allow non-auth access from the ovpn ip (or range) is fairly secure. As you can see, I have 2 ip ranges that are allowed access in BI, one for ovpn clients and one for lan. To fill in more on this subject... windows behaves similarly, and may need firewall rules added to let vpn clients connect (for example if windows gets 192... from dhcp, it needs to be told connections from 10... are OK).

OTOH, you probably also need BI to allow LAN ip's access as well. So you have to also be sure all lan clients can be trusted... or setup some static ip's on your router and limit BI to only those devices (rather than like the whole lan dhcp range).
 
Running a vpn on a router doesn't have anything to do with other perhaps more important security items, like open ports. Like even if your vpn server and client use a secured connection, you could still be hacked hacked if there is an open port on the router. I presume if you didn't mess with things, your router defaults won't have port forwards enabled.

WRT using an IP list for security... yeah you are correct. On most ovpn servers found on routers you setup an IP specific to a client (or a range for multiple clients). This OVPN ip address (or range) is usually setup on a different subnet (so no chance to access lan without being connected through ovpn). So configuring BI to allow non-auth access from the ovpn ip (or range) is fairly secure. As you can see, I have 2 ip ranges that are allowed access in BI, one for ovpn clients and one for lan. To fill in more on this subject... windows behaves similarly, and may need firewall rules added to let vpn clients connect (for example if windows gets 192... from dhcp, it needs to be told connections from 10... are OK).

OTOH, you probably also need BI to allow LAN ip's access as well. So you have to also be sure all lan clients can be trusted... or setup some static ip's on your router and limit BI to only those devices (rather than like the whole lan dhcp range).
That's perfect and seems to work. I used to have ports open, but I closed it for the VPN. I'm also running the router behind a NAT, that has ports forwarded to let a VPN run, but I'll try if it still works without them, since that was for a different approach than OpenVPN.

I already have static IP's for all devices that need access to BI and already listed them. They work as well.

So this solves things. Thanks!

PS: removed the VPN ports from my NAT and OpenVPN still works. No more forwards!
 
Last edited:
Hi, i would like to but a router which works on DSL and has a built-in vpn server (no need of wifi).
I wonder how can i be sure that this router has a vpn?
If the router has a vpn option in its menu - does it mean that it has a vpn server?
My main goal is to be able to connect via a pc-nvr to my remoted cameras and nvr (also to record their stream).
I saw some devices like Tp-link vr400 and vr600 or Asus DSL-N16, but i'm not sure.
Any compatible devices which someone can recommend on?
(I need a basic device, wifi is not important - I'm more interested in its modem functionality and the vpn ofcourse. also it can be of a relatively low bitrate 100bps-300bps is okay).
Thanks.
 
Last edited: