What are you using/doing to make your camera more secure?

TL1096r

IPCT Contributor
Jan 28, 2017
There are a lot of great threads that talk about securing your camera, but some of the step by step instructions that really help the noobs like myself are mixed around. I wanted to make a thread to share my experience with setting up stunnel so it is all in one place.

-----

Knowing why you should secure your camera really helps. Thank @nayr for creating the awareness:
VPN Primer for Noobs

-----

Quick second to thank a lot of great forum members here that create informative threads/posts or even helped me with questions through PM:
@fenderman, @Mike, @looney2ns, @Dasstrum, @Walrus, @TonyR, @bp2008 @SouthernYankee - I probably missed someone.

-----

I am currently using Stunnel to connect my BI computer to my BI app.

Download the Stunnel program here:
stunnel: Downloads

Most will need to download this file from the link above:
"stunnel-5.55b2-win64-installer.exe - 30th May 2019"
Or whatever is most updated file at the time for win64


This video by @Dasstrum will get you started and suggest watching it first:

*NOTE* in video disabling TLS 1.3 doesn't always allow you to connect to UI3 in Chrome.
@Walrus figured out that you can use zerossl website to create a self signed certificate (see setup below this video):



Website used for SSL:
Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL

See steps below to set this up:
After hours of frustration, finally solved it. I used the website Free SSL Certificate Wizard and other SSL Tools @ ZeroSSL to create a new self signed certificate, and put my no-ip domain as the domain. This generates key.txt and crt.txt files. You then open the old stunnel.pem file, and replace everything in the file using both the key.txt contents then the crt.txt contents in that order.

This includes replacing the -----BEGIN PRIVATE KEY----- and -----END PRIVATE KEY----- parts, as the new key from zerossl uses -----BEGIN RSA PRIVATE KEY----- and -----END RSA PRIVATE KEY----- instead.

It now works with both the updated version of chrome on my android phone, and chrome on my work computer.

Issues:
Sometimes GUI gives you issues on restart - @Walrus has some tips here to get it to work:

The Stunnel program is a bit of a mess to get working. I find it works as follows:

If you have the service running, you can't run the GUI. If you do run the 'Stunnel GUI start' program with the service running, it will say the service is down.
If you stop the service , you can run the GUI. You can keep the GUI running, and stunnel will work.
To start the service again, you need to stop the GUI with the 'Stunnel GUI stop' program and run the 'Stunnel service start' program.

Upon a windows restart, whatever you had running (service or GUI) will run again.

Pros:
-Do not have to open any other programs once this is setup
-No need for any other phone apps except for Blue Iris
-No need to setup anything on your router
-Easy setup with a few steps

Cons:
-Requires custom SSL to get UI3 to work with chrome
-GUI can be glitchy after computer restart for some
-You need to forward a port on your router

More info in this thread:
stunnel

Share what setup you are using. Please list what you did and used: website, app, programs, products, any issues you ran into and how you fixed it. Please credit any other Forum Member & threads that helped you with your setup.

PM me or post here if I should add/remove anything about setting up Stunnel and I will edit it in this post to have it all in one place.

Thanks
Hi,
I started, like many others, with Asus with Rmerlin firmware. Very stable, and lots of features like the well praised OpenVPN service in the VPN Primer. My AC87U router provided everything I needed, however due to a dual-networking chipset, vlans were only partly doable. So basically a flat network (like many others) but with parental controls (to block internet-access) and decent firewalling.

So I ditched the Asus as "main" router for an Edgerouter from Ubiquiti: bit of a learning curve (command line is not for everyone), but you can go all the way with vlans (all variants: ports, trunks, you name it), routing, firewalling, QoS. With such a setup, you can easily "privilege" any device (eg which mobile can see which cam), with all the perks of the Asus router too (eg. OpenVPN). The Asus is now demoted to one of the Edgerouter's vlans and still provides Wifi access.

On all my devices, I have the OpenVPN app in "always-on" and "killswitch" mode, ideal for being on the road with (unsafe) wifi hotspots, but my cams (including intercom) are always one fingerclick away. No need of any other tunnels, SSLs, certificates. Works on Android ànd iOS.

Combined with physical switch "security", black-hole vlan, isolated guest wifi access, I tried to make any intruder's life difficult. But I am not a financial institution nor Fort Knox, but I like to have my stuff well arranged :p

Happy with this setup for one year, had only 3 router downtimes due to firmware updates.

Bye!
CC
 
I keep it simple.

I have two nic cards in my BI PC, one connects to my main home network. The other nic card connects to a separate switch, which connects to POE switches, which connect to my cameras. All cameras are hardwired, no wifi. This physically isolates the cameras from my home network and the internet.

I use openVPN on an ASUS router to access my BI pc.
 
Thanks for sharing everyone. 2 NIC Cards sounds like a great idea.

Stunnel seems to have updated its software to address some issues with the GUI.
 
I am not sure if anyone else with stunnel has seen this but I am able to still use http vs https to connect to UI3 after setting up stunnel. And I know https is working as only way to connect to camera when away from computer on phone is https (not connected to wifi).
 
Okay, so turns out in the new iOS 13.4 they have dropped the support for TLS 1.0 and 1.1 .. With that said BlueIris iOS app is not working with stunnel... Any work around does anyone know of?
 
What about running OpenVPN server and client on your iOS device?
I have double NAT in my setup..

Basically Modem--->FW---->Router (Mesh but to maintain mesh. Google cannot be on a bridge mode) (So this is where double nat kicks in place).

So that is the reason I cannot get the VPN to work.. Any other thoughts / ideas?
 
I have double NAT in my setup..

Basically Modem--->FW---->Router (Mesh but to maintain mesh. Google cannot be on a bridge mode) (So this is where double nat kicks in place).

So that is the reason I cannot get the VPN to work.. Any other thoughts / ideas?

Sure, what you could do is set up a device in each network with the VPN tunnel between them (like a raspberry pi), but you would still need to configure a route on each device to point at that device for it to work.
 
When I leave the old .pem key, the config loads fine.. when I generated a key using the zero ssl.. and changed to that key..


2020.03.27 10:44:18 LOG5[main]: Reading configuration from file stunnel.conf
2020.03.27 10:44:18 LOG5[main]: UTF-8 byte order mark detected
2020.03.27 10:44:18 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:pEM lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:pEM routines:pEM_read_bio_PrivateKey:ASN1 lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.27 10:44:18 LOG3[main]: Wrong passphrase: retrying
2020.03.27 10:44:18 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:pEM lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:pEM routines:pEM_read_bio_PrivateKey:ASN1 lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.27 10:44:18 LOG3[main]: Wrong passphrase: retrying
2020.03.27 10:44:18 LOG3[main]: error queue: ssl/ssl_rsa.c:556: error:140B0009:SSL routines:SSL_CTX_use_PrivateKey_file:pEM lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/pem/pem_pkey.c:88: error:0907B00D:pEM routines:pEM_read_bio_PrivateKey:ASN1 lib
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:627: error:0D08303A:asn1 encoding routines:asn1_template_noexp_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: error queue: crypto/asn1/tasn_dec.c:290: error:0D07803A:asn1 encoding routines:asn1_item_embed_d2i:nested asn1 error
2020.03.27 10:44:18 LOG3[main]: SSL_CTX_use_PrivateKey_file: crypto/asn1/tasn_dec.c:1130: error:0D0680A8:asn1 encoding routines:asn1_check_tlen:wrong tag
2020.03.27 10:44:18 LOG3[main]: Service [blueiris]: Failed to initialize TLS context
2020.03.27 10:44:18 LOG3[main]: Failed to reload the configuration file

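A small check, added here as an example and not code from this thread or from stunnel, for the stunnel.pem layout the Walrus steps describe (key block first, then certificate) and for the "wrong tag" / "PEM lib" failure in the log above: it parses each PEM block, verifies the base64 body and the leading ASN.1 tags, and flags a stray byte order mark. All sample PEM text is constructed, and the names GOOD_PEM, MIXED_PEM, first_inner_tag and check_stunnel_pem are mine.

```python
import base64
import re

# Constructed sample files (not real keys or certificates): the base64 bodies
# are hand-made DER headers, just enough to carry the tags the check inspects.
KEY_BODY = "MIIBAAIBAA=="   # SEQUENCE { INTEGER ... } : the shape of a private key
CERT_BODY = "MIIBADCCAQA="  # SEQUENCE { SEQUENCE ... } : the shape of a certificate
GOOD_PEM = (f"-----BEGIN RSA PRIVATE KEY-----\n{KEY_BODY}\n-----END RSA PRIVATE KEY-----\n"
            f"-----BEGIN CERTIFICATE-----\n{CERT_BODY}\n-----END CERTIFICATE-----\n")
# Same file, but the certificate text was pasted between the key markers.
MIXED_PEM = GOOD_PEM.replace(KEY_BODY, CERT_BODY, 1)

BLOCK_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\r?\n(.*?)-----END \1-----", re.DOTALL)
# First tag inside the outer SEQUENCE: INTEGER for PKCS#1/PKCS#8 keys, SEQUENCE for X.509.
EXPECTED_INNER = {"RSA PRIVATE KEY": 0x02, "PRIVATE KEY": 0x02, "CERTIFICATE": 0x30}

def first_inner_tag(der):
    """Tag byte of the first element inside the outer DER SEQUENCE, or None."""
    if len(der) < 2 or der[0] != 0x30:
        return None
    n = der[1]
    offset = 2 + ((n & 0x7F) if n & 0x80 else 0)  # skip long-form length bytes
    return der[offset] if offset < len(der) else None

def check_stunnel_pem(text):
    """Return the problems found in a stunnel.pem's text (empty list = looks fine)."""
    problems = []
    if text.startswith("\ufeff"):
        problems.append("file starts with a UTF-8 byte order mark")
    seen = []
    for m in BLOCK_RE.finditer(text):
        label, body = m.group(1), m.group(2)
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError:
            problems.append(f"{label}: body is not valid base64")
            continue
        want = EXPECTED_INNER.get(label)
        if want is not None and first_inner_tag(der) != want:
            problems.append(f"{label}: DER content does not match the header (wrong tag)")
        seen.append(label)
    if not any(k in seen for k in ("PRIVATE KEY", "RSA PRIVATE KEY")):
        problems.append("no private key block")
    if "CERTIFICATE" not in seen:
        problems.append("no certificate block")
    return problems

if __name__ == "__main__":
    print(check_stunnel_pem(GOOD_PEM))   # []
    print(check_stunnel_pem(MIXED_PEM))  # one 'wrong tag' problem on the key block
```

Run it against the real stunnel.pem (read the file as UTF-8 text) before restarting the service; an empty list means the file has the key and certificate blocks in the form OpenSSL expects.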
 
At my last house, I was running Tomato firmware on an asus router with 2 VLANS, 1 for IoT/cameras/things I don't trust, and one for home network. I had a couple Foscam cameras and an Annke NVR (all Hikvision devices I believe?) firewalled with no outbound traffic, and monitored their RTSP streams with a raspberry pi running Shinobi for motion detection, which would then push motion events to Discord. It worked OK, but Shinobi's motion clip capture buffer left a lot to be desired. Now that I've moved, I had to upgrade to a Google WiFi mesh network (which I kind of regret now due to lack of features like VLAN separation) because the aging Asus router couldn't penetrate walls.

As a software developer, I really would like to work on an open source firmware for these devices to strip out all the phone-home-to-china crap, and upgrade the web interfaces to something that didn't require freaking activex plugins. I've tried a lot of open source monitoring solutions for RTSP monitoring and motion detection, and the best I found was Shinobi, and even that's pretty dreadful. I'd be interested in hearing from anyone who's played around with hacking the hardware on these devices on the viability of such a project.
 
At my last house, I was running Tomato firmware on an asus router with 2 VLANS, 1 for IoT/cameras/things I don't trust, and one for home network. I had a couple Foscam cameras and an Annke NVR (all Hikvision devices I believe?) firewalled with no outbound traffic, and monitored their RTSP streams with a raspberry pi running Shinobi for motion detection, which would then push motion events to Discord. It worked OK, but Shinobi's motion clip capture buffer left a lot to be desired. Now that I've moved, I had to upgrade to a Google WiFi mesh network (which I kind of regret now due to lack of features like VLAN separation) because the aging Asus router couldn't penetrate walls.

As a software developer, I really would like to work on an open source firmware for these devices to strip out all the phone-home-to-china crap, and upgrade the web interfaces to something that didn't require freaking activex plugins. I've tried a lot of open source monitoring solutions for RTSP monitoring and motion detection, and the best I found was Shinobi, and even that's pretty dreadful. I'd be interested in hearing from anyone who's played around with hacking the hardware on these devices on the viability of such a project.
Most modern firmware on the hik/dahua cams does not require activex plugins.
There is a movement for opensource firmware, search bosch sast
 
I keep it simple.

I have two nic cards in my BI PC, one connects to my main home network. The other nic card connects to a separate switch, which connects to POE switches, which connect to my cameras. All cameras are hardwired, no wifi. This physically isolates the cameras from my home network and the internet.

I use openVPN on an ASUS router to access my BI pc.
Great setup :)
 
Most modern firmware on the hik/dahua cams does not require activex plugins.
You'll get an image without the plugins but a lot of functionality only works with the plugin on the cam. Like analytic boxes for example. But the move is in the right direction.

There is a movement for opensource firmware, search bosch sast
A lot of companies OEMing CCTV products are finally starting to realise they should be writing their own software and just OEMing the hardware.
When you can't see the source code you don't know what's really inside. Bosch is quite aware of that.
Also part of the reason why in the past few years there have suddenly been so many cyber security problems with Chinese manufacturers.
It's been the OEMs discovering a lot of the problems because they have forced a CS process upon them, along with independent researchers.

The "problems" were around for a long time, the world changed.
In the CCTV world a decade ago, no one saw a problem with telnet, ftp, http all being insecure out of the box. The industry wasn't full of morons putting kit straight on the internet.
But the pricing race to the bottom means any idiot now knows CCTV.