What are you using/doing to make your camera more secure?

TL1096r

IPCT Contributor
Joined
Jan 28, 2017
Messages
1,108
Reaction score
353
There are a lot of great threads that talk about securing your camera, but some of the step-by-step instructions that really help the noobs like myself are mixed around. I wanted to make a thread to share my experience with setting up stunnel so it is all in one place.

-----

Knowing why you should secure your camera really helps. Thank @nayr for creating the awareness:
VPN Primer for Noobs

-----

Quick second to thank a lot of great forum members here that create informative threads/posts or even helped me with questions through PM:
@fenderman, @Mike, @looney2ns, @Dasstrum, @Walrus, @TonyR, @bp2008, @SouthernYankee - I probably missed someone.

-----

I am currently using Stunnel to connect my BI computer to my BI app.

Download the Stunnel program here:
stunnel: Downloads

Most will need to download this file from the link above:
"stunnel-5.55b2-win64-installer.exe - 30th May 2019"
Or whatever is the most updated file at the time for win64


This video by @Dasstrum will get you started, and I suggest watching it first:

*NOTE* in video disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
@Walrus figured out that you can use zerossl website to create a self signed certificate (see setup below this video):


Website used for SSL:
Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

See steps below to set this up:
After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of chrome on my android phone, and chrome on my work computer.

Issues:
Sometimes GUI gives you issues on restart - @Walrus has some tips here to get it to work:

The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service, you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a windows restart, whatever you had running (service or GUI) will run again.

Pros:
-Do not have to open any other programs once this is setup
-No need for any other phone apps except for Blue Iris
-No need to setup anything on your router
-Easy setup with a few steps

Cons:
-Requires custom SSL to get UI3 to work with chrome
-GUI can be glitchy after computer restart for some
-You need to forward a port on your router

More info in this thread:
stunnel

Share what setup you are using. Please list what you did and used: website, app, programs, products, any issues you ran into and how you fixed it. Please credit any other Forum Member & threads that helped you with your setup.

PM me or post here if I should add/remove anything about setting up Stunnel and I will edit it in this post to have it all in one place.

Thanks
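
Added example, not part of the original post and not stunnel's or ZeroSSL's own code: one way to assemble stunnel.pem from the key.txt and crt.txt contents in the order described above (key first, then certificate) and to check the result before restarting stunnel. The function names and the sample blocks are made up for illustration; the sample bodies are placeholders, not real key material.

```python
import base64
import re

# One PEM block: BEGIN label, base64 body, matching END label.
PEM_BLOCK = re.compile(
    r"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.S)
KEY_LABELS = {"PRIVATE KEY", "RSA PRIVATE KEY"}  # both header styles from the post

def _sample(label, raw):
    """Build a constructed PEM block for the demo (placeholder bytes only)."""
    body = base64.b64encode(raw).decode()
    return f"-----BEGIN {label}-----\n{body}\n-----END {label}-----\n"

SAMPLE_KEY = _sample("RSA PRIVATE KEY", b"constructed key")   # stands in for key.txt
SAMPLE_CRT = _sample("CERTIFICATE", b"constructed cert")      # stands in for crt.txt

def pem_blocks(text):
    """Return [(label, decoded_bytes)] for every well-formed PEM block."""
    blocks = []
    for label, body in PEM_BLOCK.findall(text):
        # validate=True rejects stray characters left behind by copy/paste
        blocks.append((label, base64.b64decode("".join(body.split()), validate=True)))
    return blocks

def build_stunnel_pem(key_text, crt_text):
    """Combine key.txt and crt.txt contents into stunnel.pem text, key first."""
    keys, certs = pem_blocks(key_text), pem_blocks(crt_text)
    if len(keys) != 1 or keys[0][0] not in KEY_LABELS:
        raise ValueError("key.txt must hold exactly one private key block")
    if not certs or any(label != "CERTIFICATE" for label, _ in certs):
        raise ValueError("crt.txt must hold only CERTIFICATE blocks")
    return key_text.strip() + "\n" + crt_text.strip() + "\n"

def check_stunnel_pem(pem_text):
    """Return a list of problems found in an assembled stunnel.pem."""
    try:
        labels = [label for label, _ in pem_blocks(pem_text)]
    except ValueError:  # binascii.Error is a ValueError subclass
        return ["a PEM block contains invalid base64"]
    problems = []
    if not labels or labels[0] not in KEY_LABELS:
        problems.append("first block is not a private key")
    if "CERTIFICATE" not in labels[1:]:
        problems.append("no certificate after the key")
    if sum(label in KEY_LABELS for label in labels) > 1:
        problems.append("more than one private key (old key left in file?)")
    return problems
```

The resulting file contains the private key, so keep it readable only by the account that runs stunnel.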
 

catcamstar

Known around here
Joined
Jan 28, 2018
Messages
1,137
Reaction score
722
Hi,
I started, like many others, with Asus with Rmerlin firmware. Very stable, and lots of features like the well praised OpenVPN service in the VPN Primer. My AC87U router provided everything I needed, however due to a dual-networking chipset, vlans were partly doable. So basically a flat network (like many others) but with parental controls (to block internet-access) and decent firewalling.

So I ditched the Asus as "main" router for an Edgerouter from Ubiquiti: bit of a learning curve (command line is not for everyone), but you can go all the way with vlans (all variants: ports, trunks, you name it), routing, firewalling, QoS. With such a setup, you can easily "privilege" any device (eg which mobile can see which cam), with all the perks of the Asus router too (eg. OpenVPN). The Asus is now demoted in one of the Edgerouter's vlans and still provides Wifi access.

On all my devices, I have the OpenVPN app in "always-on" and "killswitch" mode, ideal for being on the road with (unsafe) wifi hotspots, but my cams (including intercom) are always one fingerclick away. No need of any other tunnels, SSLs, certificates. Works on Android and iOS.

Combined with physical switch "security", black-hole vlan, isolated guest wifi access, I tried to make any intruder's life difficult. But I am not a financial institution nor Fort Knox, but I like to have my stuff well arranged :p

Happy with this setup for one year, had only 3 router downtimes due to firmware updates.

Bye!
CC
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
2,951
Reaction score
1,904
Location
Houston Tx
I keep it simple.

I have two nic cards in my BI PC, one connects to my main home network. The other nic card connects to a separate switch, which connects to POE switches, which connect to my cameras. All cameras are hardwired, no wifi. This physically isolates the cameras from my home network and the internet.

I use openVPN on an ASUS router to access my BI pc.
 

TL1096r

Thanks for sharing everyone. 2 NIC Cards sounds like a great idea.

Stunnel seems to have updated its software to address some issues with the GUI.
 

TL1096r

I am not sure if anyone else with stunnel has seen this, but I am still able to use http vs https to connect to UI3 after setting up stunnel. And I know https is working, as the only way to connect to the camera on my phone when away from the computer is https (not connected to wifi).
 