Web Server & VPN

p3ter

n3wb
Joined
Mar 4, 2018
Messages
7
Reaction score
4
I have been going round in circles trying to set up external access to my web server - I have cracked it now, but still not happy... The situation is this: I have cameras at 2 different locations, and I need a permanently connected VPN connection to access the 2nd location.

This means that the PC I am using for the BlueIris server has 2 IP addresses - the local IP address, and the VPN IP Address. Let's say for example: (faked IPs)
  • Local IP = 192.168.1.99 - External IP 84.34.45.99
  • VPN IP = 192.168.10.5 - External IP 45.56.46.66
The web server is bound to both (LAN and VPN) IP addresses, and I can access the server locally via the local IP just fine - but setting up External access via that network and its External IP 84.34.45.99 does NOT work. I have set up port forwarding correctly, but just get 'Connection refused'.

After a lot of head scratching, I finally figured out that this is because I am using a basic PPTP tunnel (Windows 10, Control Panel, Network, VPN, Add a VPN Connection) - and this type of tunnel sends ALL outgoing communication to any external IP via the VPN IP address, regardless of where the connection originated from.

So even though there is a Blue Iris web server on 192.168.1.99, and even though there is a correctly set up port forwarding rule on that network's external IP (84.34.45.99), the incoming connection is attempted, but the web server will always reply to external web clients via 192.168.10.5 (the VPN IP).

So the workaround is - initiate all incoming connections to the web server via the remote site's external IP address (IP 45.56.46.66), and forward it to the local server's VPN-assigned IP address. It Works!

But now...
  • all web server communication is wasting internal network bandwidth - bandwidth I wanted reserved for the camera streams.
  • the "LAN IP" entry in my Blue Iris Android App is meaningless... I have two local LAN IPs, not one - depending on my current location. If I am on the local network (the network with the server), the LAN IP needs to be 192.168.1.99, but if I am remote (the network with the cameras), the LAN IP needs to be 192.168.10.5.
  • I can't reserve a static IP for the VPN connection - there is a (small) risk that the VPN connection might get a different IP in future, then the port forward fails
Does anyone have a similar setup and a better solution?
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,659
Reaction score
1,193
You are making your life difficult :)

First of all, ditch PPTP, security-wise it is like using unencrypted traffic anyway.
Secondly, install an OpenVPN server at both locations, and search for Site2Site OpenVPN tutorials. Then you'll quickly find out how to reach both sites without having to send over all data on the "shared line".

Good luck!
CC
 

p3ter

Thanks CC, I have heard the words "split tunneling" and "openvpn" and it sounded like that was a whole new way to make my life difficult. Seems like I might need to take the plunge!
 

catcamstar

> Thanks CC, I have heard the words "split tunneling" and "openvpn" and it sounded like that was a whole new way to make my life difficult. Seems like I might need to take the plunge!

There is no way back! :p Enjoy jumping! A whole new world will open up! And you will enjoy it!
 

p3ter

Just to follow up on this - it wasn't as hard as I expected, and working great - thanks! I didn't go the whole hog and set up site to site VPN (yet!), but might try that in future.

Steps (from memory, might have missed a couple)
  • Install OpenVPN on the BlueIris server, make sure it starts with Windows (settings, launch on Windows startup)
  • Set up OpenVPN on the remote location Asus RT-AC87U router
    • VPN -> OpenVPN -> Enable OpenVPN Server
    • VPN Details: 'General'
    • Client will use VPN to access 'Local network only'
    • Export Configuration File
  • Take the exported .ovpn file, and on the BlueIris server, open OpenVPN GUI, and select 'Import File'
  • Browse to the .ovpn file, then press 'Connect', enter the username and password.
The server is now reachable externally directly via the home network, and only connections to the remote network cameras from the BlueIris server travel over the VPN.

Now I just need to confirm the VPN reconnects automatically and auto starts successfully after a Windows 10 reboot - if not, there seem to be some Task Scheduler possibilities for delayed auto start and restart.

Thanks for the pointers @catcamstar !
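
The routing behaviour discussed in this thread, as an added example that is not part of any post: a small model of route selection showing why replies to a port-forwarded web client leave via the VPN under the full-tunnel PPTP setup, and why they return via the LAN once the VPN carries only the remote subnet. The /24 prefix lengths, metrics, interface labels, the client address 203.0.113.7 and the camera address 192.168.10.20 are assumptions constructed for illustration.

```python
import ipaddress

# Constructed route tables for the BlueIris PC. Prefix lengths (/24), metrics
# and interface labels are assumptions; the thread gives only host addresses.
FULL_TUNNEL = [  # PPTP with the VPN as default gateway
    {"net": "0.0.0.0/0", "iface": "LAN", "metric": 4250},
    {"net": "0.0.0.0/0", "iface": "VPN", "metric": 26},
    {"net": "192.168.1.0/24", "iface": "LAN", "metric": 281},
    {"net": "192.168.10.0/24", "iface": "VPN", "metric": 26},
]
SPLIT_TUNNEL = [  # 'Local network only': VPN carries just the remote subnet
    {"net": "0.0.0.0/0", "iface": "LAN", "metric": 25},
    {"net": "192.168.1.0/24", "iface": "LAN", "metric": 281},
    {"net": "192.168.10.0/24", "iface": "VPN", "metric": 26},
]

def pick_route(routes, dst):
    """Longest matching prefix wins; ties are broken by the lowest metric."""
    addr = ipaddress.ip_address(dst)
    matches = [(ipaddress.ip_network(r["net"]), r) for r in routes]
    matches = [(n, r) for n, r in matches if addr in n]
    if not matches:
        return None
    return min(matches, key=lambda m: (-m[0].prefixlen, m[1]["metric"]))[1]

def reply_path(routes, arrived_on, client_ip):
    """Compare the interface a request arrived on with the one its reply leaves by."""
    route = pick_route(routes, client_ip)
    egress = route["iface"] if route else None
    return {"egress": egress, "symmetric": egress == arrived_on}

def vpn_carries_internet(routes, vpn_iface="VPN", probe="203.0.113.7"):
    """True if traffic to a public address (constructed probe) would use the VPN."""
    route = pick_route(routes, probe)
    return route is not None and route["iface"] == vpn_iface

if __name__ == "__main__":
    for name, table in (("full tunnel", FULL_TUNNEL), ("split tunnel", SPLIT_TUNNEL)):
        print(name)
        # External web client arriving through the port forward on the home router
        print("  web client :", reply_path(table, "LAN", "203.0.113.7"))
        # Camera on the remote network (constructed address)
        print("  camera     :", pick_route(table, "192.168.10.20")["iface"])
        print("  VPN carries internet:", vpn_carries_internet(table))
```

To apply the same check to a real machine, fill the table from the output of `route print` after the VPN connects; the VPN interface should appear only against the remote subnet.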
 