Can't access cameras remotely when OpenVPN Client is active

mrphil

New Around Here
Running RT AC66U_B1 with Merlin 386.2_6. Only way to connect to my cameras via WAN is to have OpenVPN Client disconnected. Is there a way to have certain LAN IPs bypass the VPN connection?
 
> Running RT AC66U_B1 with Merlin 386.2_6. Only way to connect to my cameras via WAN is to have OpenVPN Client disconnected. Is there a way to have certain LAN IPs bypass the VPN connection?

Yes, set the VPN client to Policy Routing and configure which device(s) you want to use VPN and which should use WAN.
 
> Running RT AC66U_B1 with Merlin 386.2_6. Only way to connect to my cameras via WAN is to have OpenVPN Client disconnected. Is there a way to have certain LAN IPs bypass the VPN connection?

It is strongly advisable to not access your cameras remotely directly from WAN. Please consider using OpenVPN Server. The golden security rule is: No access to anything via WAN, the only open port on WAN should be the port OpenVPN Server is listening on.
 
I'm not sure where you're coming from @netware5. If I had no VPN router, I'd configure my cameras and either use UPnP or manually forward the ports. Since my DDNS server can't see my cameras behind the VPN, my cameras are using my ISP's WAN IP, rather than the VPN IP provided by my VPN provider. With the cameras' port forwarding set and the ASUS VPN Client set to use policy rules, I'm not understanding what you're wanting me to do differently. Can you elaborate? As it stands now, all devices on my LAN, other than my Rokus, a workstation and an iPhone, are bypassing the VPN.
 
> I'm not sure where you're coming from @netware5. If I had no VPN router, I'd configure my cameras and either use UPnP or manually forward the ports. Since my DDNS server can't see my cameras behind the VPN, my cameras are using my ISP's WAN IP, rather than the VPN IP provided by my VPN provider. With the cameras' port forwarding set and the ASUS VPN Client set to use policy rules, I'm not understanding what you're wanting me to do differently. Can you elaborate? As it stands now, all devices on my LAN, other than my Rokus, a workstation and an iPhone, are bypassing the VPN.

In order to access your cameras remotely (from WAN) you need to forward their ports. That means your cameras are directly accessed from outside. The security of any IP camera is not so high, so they are vulnerable to attacks. It is the same with any device within your LAN (NAS, IoT, etc.). The right way to organize remote access to your LAN devices is to run OpenVPN server on your router and then remotely access any LAN device through the VPN tunnel using OpenVPN client on your remote device (PC, mobile phone, etc.). This will be equivalent to accessing your cameras from within the LAN. You should not open your LAN devices for direct remote access. The only secure way for remote access is a VPN.

P.S. You misunderstand the difference between VPN client and VPN server. I am speaking about running VPN server on your router, not about using VPN client to connect to your VPN provider's server. If you don't want to follow this security advice, you may just follow @Jack Yaz's advice above and everything will be fine, but not secure... And one last piece of advice - disable UPnP - it is a major security risk.
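
An added example, not part of the thread: one way to check the advice above on a Linux-based router is to list every port forward (DNAT rule) in `iptables-save` output; when remote access goes only through the router's own OpenVPN server, the list should be empty. The ruleset below is constructed sample data, including the chain name `FWD_SAMPLE` and every address and port in it.

```shell
#!/bin/sh
# Added example: list port forwards (DNAT rules) found in iptables-save output.
# Reads a ruleset on stdin and prints one line per forward:
#   <chain> <proto> <wan-port(s)> -> <lan-destination>
list_forwards() {
    awk '
        /^\*/ { in_nat = ($1 == "*nat") }   # table header: only the nat table holds DNAT rules
        in_nat && $1 == "-A" {
            chain = $2; proto = "any"; port = "any"; dest = ""; dnat = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "-p") proto = $(i + 1)
                else if ($i == "--dport" || $i == "--dports") port = $(i + 1)
                else if ($i == "-j" && $(i + 1) == "DNAT") dnat = 1
                else if ($i == "--to-destination") dest = $(i + 1)
            }
            if (dnat) print chain, proto, port, "->", dest
        }
    '
}

# Constructed sample ruleset: two camera ports forwarded from WAN to LAN hosts,
# plus a filter-table rule that lets the router itself accept OpenVPN traffic.
sample_rules() {
cat <<'EOF'
*nat
:PREROUTING ACCEPT [0:0]
:FWD_SAMPLE - [0:0]
-A PREROUTING -d 203.0.113.10/32 -j FWD_SAMPLE
-A FWD_SAMPLE -p tcp -m tcp --dport 8080 -j DNAT --to-destination 192.168.1.50:80
-A FWD_SAMPLE -p tcp -m tcp --dport 8554 -j DNAT --to-destination 192.168.1.51:554
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 1194 -j ACCEPT
COMMIT
EOF
}

# Each line printed is a LAN device reachable directly from the WAN side.
# On a live router the input would be:  iptables-save | list_forwards
sample_rules | list_forwards
```

The OpenVPN listener in the sample is an `INPUT` rule on the router itself, not a forward, so it does not appear in the output; only the two camera forwards do.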
 
> In order to access your cameras remotely (from WAN) you need to forward their ports. That means your cameras are directly accessed from outside. The security of any IP camera is not so high, so they are vulnerable to attacks. It is the same with any device within your LAN (NAS, IoT, etc.). The right way to organize remote access to your LAN devices is to run OpenVPN server on your router and then remotely access any LAN device through the VPN tunnel using OpenVPN client on your remote device (PC, mobile phone, etc.). This will be equivalent to accessing your cameras from within the LAN. You should not open your LAN devices for direct remote access.

I agree with this. I recommend using xca if you feel like managing your own PKI; otherwise the built-in router stuff is fine.

> The only secure way for remote access is a VPN.

Not strictly true.

> And one last piece of advice - disable UPnP - it is a major security risk.

It can be, but I have had it enabled on my router for years with no breaches. Make sure you have secure mode UPnP enabled at the very least!
 
