VPN Through Browser for Neighbor?

DLONG2

Known around here. Joined: May 17, 2017. Messages: 764. Reaction score: 455
I had set up my VPN in the UniFi USG, and now I can use my iPhone to VPN in and view the BI app, by making the server addresses both internal (thanks to fenderman's advice!). But now I need to figure out how a neighbor can view my BI through his browser? I turned off port forwarding, and don't understand how he will connect to the BI server without using a port number. Also if anyone can offer a suggested VPN client for my neighbor to use. Any pointers appreciated.
 

fenderman

Staff member. Joined: Mar 9, 2014. Messages: 36,903. Reaction score: 21,275
> I had set up my VPN in the UniFi USG, and now I can use my iPhone to VPN in and view the BI app, by making the server addresses both internal (thanks to fenderman's advice!). But now I need to figure out how a neighbor can view my BI through his browser? I turned off port forwarding, and don't understand how he will connect to the BI server without using a port number. Also if anyone can offer a suggested VPN client for my neighbor to use. Any pointers appreciated.

Here is the problem... if you have a basic home router, then if you give him VPN access, his computer is now on your network and has access to your entire network... If you have a business-grade VPN device, then you can segregate your BI machine onto its own LAN and give him access to that only.
 
Joined: Sep 5, 2017. Messages: 14. Reaction score: 1
Why are you bothering with VPN? Use port forwarding. I use port forwarding for my web server, phone app, etc and works just great. Create him a basic login so you can audit his logins and set him up with the URL.
 

fenderman

> Why are you bothering with VPN? Use port forwarding. I use port forwarding for my web server, phone app, etc and works just great. Create him a basic login so you can audit his logins and set him up with the URL.

Because port forwarding is never secure.
 
Joined: Sep 5, 2017. Messages: 14. Reaction score: 1
Sure it is. Enable SSL and it's just as secure as any website you log in to, just like this site. Make sure everything on your BI server is up to snuff. Put it in a DMZ if you are paranoid. If my BI server gets compromised, I could care less!
 

bp2008

Staff member. Joined: Mar 10, 2014. Messages: 12,676. Reaction score: 14,024. Location: USA
Any vulnerabilities in the web server are exposed to all the world if you use port forwarding. For an extremely crude example, imagine someone sends a whole bunch of HTTP POST requests saying they intend to upload 1000 MB of data in each connection. Maybe the web server will naively allocate 1000 MB of memory for each connection, instantly exhausting all available system memory and swap space and causing Blue Iris to crash (maybe crash other processes too!). Of course no web server worth its salt is going to fall for this most obvious of attacks, but there are countless other ways in which a hacker may attempt to break into a system.

However slight the risk may be, it is still greater than the risk if the only public-facing service on your network is a VPN.
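
What "not falling for it" looks like on the server side, as an added example that is not part of bp2008's post and is not Blue Iris code: the declared Content-Length is checked against a cap before anything is buffered, and the body is then read in bounded chunks. The 1 MiB cap, the function names and the sample requests are assumptions constructed for illustration.

```python
import io

MAX_BODY = 1024 * 1024   # assumed per-request cap (1 MiB), not a Blue Iris setting
CHUNK = 64 * 1024        # read granularity

class RequestRejected(Exception):
    def __init__(self, status, reason):
        super().__init__(f"{status} {reason}")
        self.status = status

def declared_length(headers):
    """Validate Content-Length before a single byte of body is buffered."""
    raw = headers.get("content-length")   # assumes header names are lower-cased
    if raw is None:
        raise RequestRejected(411, "Length Required")
    if not (raw.isascii() and raw.isdigit()) or len(raw) > 12:
        raise RequestRejected(400, "Bad Content-Length")  # "-1", "1e9", "5, 5"
    if int(raw) > MAX_BODY:
        raise RequestRejected(413, "Payload Too Large")   # refused on the header alone
    return int(raw)

def read_body(headers, stream):
    """Buffer exactly the declared bytes, growing only as data really arrives."""
    remaining = declared_length(headers)
    body = bytearray()
    while remaining:
        chunk = stream.read(min(CHUNK, remaining))
        if not chunk:                     # client declared more than it sent
            raise RequestRejected(400, "Truncated body")
        body += chunk
        remaining -= len(chunk)
    return bytes(body)

def handle(headers, payload):
    """Return (status, bytes_buffered) for one constructed request."""
    try:
        return 200, len(read_body(headers, io.BytesIO(payload)))
    except RequestRejected as exc:
        return exc.status, 0

if __name__ == "__main__":
    # Constructed sample requests: (headers, bytes actually sent)
    samples = [
        ({"content-length": "5"}, b"hello"),
        ({"content-length": str(1000 * 1024 * 1024)}, b""),  # the 1000 MB claim
        ({"content-length": "10"}, b"abc"),
        ({}, b"abc"),
    ]
    for headers, payload in samples:
        print(headers, "->", handle(headers, payload))
```

On a real socket the read also needs a timeout, since a client can declare a small body and then send nothing.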
 

bp2008

> Sure it is. Enable SSL and it's just as secure as any website you log in to, just like this site. Make sure everything on your BI server is up to snuff. Put it in a DMZ if you are paranoid. If my BI server gets compromised, I could care less!

SSL encrypts the connection, but does absolutely nothing to protect you from any vulnerabilities in Blue Iris's web server.
 
Joined: Sep 5, 2017. Messages: 14. Reaction score: 1
Put it behind a pfSense box with snort and it will auto block any suspect activity. I'd love to see how many people with BI have been hax0red. lol.
 

fenderman

> Put it behind a pfSense box with snort and it will auto block any suspect activity. I'd love to see how many people with BI have been hax0red. lol.

You are completely missing the point and now advocating more gear... You are making assumptions about where the user has cameras - perhaps some are indoors with audio or pointing over his hot tub... a vulnerability in the webserver could expose that footage...
 
Joined: Sep 5, 2017. Messages: 14. Reaction score: 1
With this thinking, someone could potentially hax0r his router and then get into the BI server and see him in his hot tub. So don't put the BI server on the Internet. There is risk no matter what and the risk is very low and not worth the hassle of a VPN. In fact, the VPN could be hax0red and the neighbor could give the username/password out to someone else or have it saved on his laptop that is hax0red. That's a bigger security issue since someone can now VPN into his network and have a much easier time seeing/accessing every device on the network.

Have faith that BI is secure. We all have faith IIS, Apache, etc. are secure when we open them out to the world for our end users/customers to use. If a flaw is discovered, it gets patched.
 

fenderman

> With this thinking, someone could potentially hax0r his router and then get into the BI server and see him in his hot tub. So don't put the BI server on the Internet. There is risk no matter what and the risk is very low and not worth the hassle of a VPN. In fact, the VPN could be hax0red and the neighbor could give the username/password out to someone else or have it saved on his laptop that is hax0red. That's a bigger security issue since someone can now VPN into his network and have a much easier time seeing/accessing every device on the network.

Wrong again... VPN is several orders of magnitude more secure than port forwarding... If you read my response you would see that I indicated that he should not provide VPN access unless he can segregate it... You do understand that you can specify VPN to a single LAN.
A vulnerability in the webserver can provide access to the network as well if not segregated...
It's almost as if you have not been reading the hack threads of the last few weeks...