Blocking camera from outside, but enabling with VPN? AX88U

LaMpiR

Regular Contributor
Hi good people!

I am trying to improve my home security and part of it would be to block the tapo cameras from internet, but would like to connect to vpn and then be able to access them.

I have tried the simplest method found, just using the block internet in the asus app, but I am not able to access it when using vpn to my router. Parental controls, adding there and blocking, the same. In the VPN settings, the option "Client will use VPN to access" is set to "both".

So, please help on how can I block the device from being exposed to internet (Tapo App or anything) and being able to use it only when connected through VPN or the local wifi?

I have an AX88U with the latest Merlin firmware and Skynet.

After this, upnp research and restricting plex access and such stuff, but that is to come.

Any help is appreciated.
 
Turn off UPnP if it is enabled. The firewall will block access from the outside unless ports are opened. Not a good idea to block the cam access to the internet unless you run the time server on your router. The cam and other clients need to have access to a time server.
My cams record to a Zoneminder server running on a Linux box. I access that server via a VPN when remote. There are many ways to access clients on your LAN. Find the method you are most comfortable with and that you feel is secure.
 
But which services are going to be affected by this?

I have vpn client, server, plex server, smart home devices, cameras and so on :) I have no idea who is using what. How to find that out?

So, disabled it. My cameras are perfectly working from outside of the network.
 
Common VPN connection back to your LAN must be working for local device access unless your cameras require something else to function properly. Blank statement "turn off" or "block" whatever will cause only issues. Keep it simple and if you don't need/use any of the advanced Asuswrt-Merlin features switch back to stock Asuswrt firmware and try again. IP/DNS blockers on gateway level using community supported blocklists may cause hard to diagnose issues. False positives happen and you may end up with no Internet. Make sure you know what you are doing and don't run custom scripts just because someone else does. Good luck!
 
When I block the devices with above mentioned methods, I am unable to access it through vpn, even with using rtsp. Can't even ping it. The strange thing is that I can perfectly fine access the router.

Is your comment supposed to be a solution or offer anything in this regard? I strongly believe that if one can't bring anything positive to the table, one should not bring anything.

I am asking for help or pointers in the sense where I want the cameras to be accessed with more security, that is all.

I haven't done anything like that and that is the reason I am addressing the community.
 
... to block the tapo cameras from internet ...
Why? Many if not most IoT cameras require internet access for various reasons. Cutting off internet access may cause them to become inaccessible from the IoT device's mobile app and/or not to function.

There are various ways to block a LAN client device from the internet using either built in router GUI options (Network map client dialog screen, or Parental Controls > Time Scheduling), using YazFi (guest networks), or using IPTables/Ebtables scripting. But again, doing so may cause the IoT device to not function or not be reachable via their associated mobile app. Example of Network Map client dialog screen with its Block Internet Access option attached.
 

Attachment: Network Map Client.jpg
No, that is what I did. Parental controls. IP tables I haven't used so far. Network map I used as well.

The reason to block them is to hopefully have higher security. You think that leaving them open with the tapo app is perfectly fine?
 
I strongly believe that if one can't bring anything positive to the table, one should not bring anything.

I strongly believe users unable to diagnose issues themselves have to stay away from 3rd party firmware and custom configurations. Your router is in an unknown state and you are the local sysadmin responsible for it. Keep it simple is a good solution in this case. 🥱
 
Thank you once again for providing your opinion on the matter.
 
You think that leaving them open with the tapo app is perfectly fine?
I put all my wireless IoT devices (WiFi cameras, smart plugs, smart bulbs, Echo devices) on their own Guest WiFi Network and then block main LAN access to/from those IoT devices. My mobile devices all access those IoT devices via the internet. All of my IoT apps are generally designed to access their respective devices from the internet so blocking internet access in turn blocks access to the IoT device.

This way if an IoT device is compromised, it's isolated from the main network and isolated from the main network clients.
 
That is actually a very good way and I have that for all of my IoT devices (10+ devices). Guest wifi network with a mac-only-allowed list and a bandwidth limiter.

I just have two cameras which I want local, simply due to using rtsp and showing it on the TV in the living room. Fire Stick with Onvier app and it works like a charm. It's used as a baby monitor tbh and it works perfectly. Would prefer to have additional layer of protection for them, especially as they are used as baby monitors.
 
and a bandwidth limiter

If you apply Bandwidth Limiter on this Guest Network it will disable NAT acceleration (incompatible) and your WAN-LAN throughput will drop to about 300Mbps for all the devices behind the router including ones on your Main Network. Enable Guest Network for 2.4GHz band only with AX disabled instead and this will effectively limit the devices connecting there to about 45Mbps (1-stream, N) or 90Mbps (2-stream, N). This setting is more IoT friendly as well. Fixed 20MHz channel, WPA2 only. More about IoT compatibility here:

 
If the router GUI method of blocking internet access to a LAN client doesn't work then you likely will have to use an iptables (and/or ebtables) script to configure the router's firewall to block internet access to the cameras but allow local network/VPN access to them. If you search the Asus subforums here you will find a number of past discussions on iptables (and ebtables) scripting for accomplishing various tasks.
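One way to do the iptables part described above, as an added example that is not code from the thread or from Asuswrt-Merlin: a firewall-start hook that drops the cameras' traffic only when it leaves on the WAN interface, so the LAN and VPN paths stay open, with an NTP exception for the time-server point raised earlier. The camera addresses, the eth0 fallback and the chain name are assumptions.

```shell
#!/bin/sh
# Constructed example of an Asuswrt-Merlin /jffs/scripts/firewall-start hook; not from the thread.
# Merlin passes the WAN interface name as $1; eth0 is an assumed fallback when run by hand.
# Assumed addresses (constructed): two cameras with static DHCP leases on the main LAN.
CAMS="192.168.50.21 192.168.50.22"
WAN_IF="${1:-eth0}"
CHAIN="CAM_NOWAN"

# With DRY_RUN=1 the iptables commands are printed instead of executed, so the
# rule set can be reviewed (and tested) without touching a live firewall.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    echo "iptables $*"
  else
    iptables "$@"
  fi
}

cam_rules() {
  # A dedicated chain, flushed each time, keeps the script idempotent across
  # firewall restarts (firewall-start runs again whenever the WAN comes up).
  run -N "$CHAIN" 2>/dev/null
  run -F "$CHAIN"
  for cam in $CAMS; do
    # Let the camera keep its clock in sync (the time-server remark above):
    # NTP to the internet stays open, everything else towards the WAN is stopped.
    run -A "$CHAIN" -s "$cam" -o "$WAN_IF" -p udp --dport 123 -j RETURN
    # Rate-limited log line first so blocked cloud call-homes show up in syslog.
    run -A "$CHAIN" -s "$cam" -o "$WAN_IF" -m limit --limit 6/min \
      -j LOG --log-prefix "CAM_NOWAN: " --log-level 4
    run -A "$CHAIN" -s "$cam" -o "$WAN_IF" -j DROP
  done
  # Matching on the WAN output interface is the point: packets from the camera
  # towards the VPN server's tun interface or the LAN bridge never reach DROP,
  # unlike the GUI block the original poster tried, which also cut off VPN access.
  run -D FORWARD -j "$CHAIN" 2>/dev/null
  run -I FORWARD 1 -j "$CHAIN"
}

# Apply only when invoked with an interface argument (as the firmware does);
# running the file without arguments just defines the functions.
[ -n "$1" ] && cam_rules
```

Preview the rules with `DRY_RUN=1 sh /jffs/scripts/firewall-start eth0` before letting the firmware run the hook for real.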
 