Security for dedicated IP cam system

VPN is definitely the preferred option. Enabling UPnP on your router could lead to a world of hurt if you run one of the many popular NAS boxes (search qlocker and deadbolt ransomware) or many other systems that exploit it.

With a VPN, you only have to have trust in the VPN software, and only have 1 thing to keep up to date. Much better than trusting other parties (blue iris), IMO.

Kinda funny you are worried about being secure, but running ancient operating systems. Yet another reason why a VPN would be a better option than port forwarding, and UPnP.
Not sure why I didn't think of the VPN in this case. As to the 'ancient' windows, in Win 11, does MS finally provide a way to turn off all data collection?

Is it better to run the vpn through the router or OK to run it on the machine itself? The latter would be simpler here.
 
You can. Blue Iris as noted previously may even have the feature built in. Plus some phones have a built-in VPN already.
 
Unless there's a good reason otherwise, "ancient operating systems" under a guest VM might be a better option, especially if it's needed for certain software. The majority of CPUs, Intel or AMD, have virtualization built in. The MB and BIOS need to support it too.
 
You can use stunnel or ngrok with B.I., but at present, I'm looking at routers with vpn capability. I already have an acct with a reputable vpn, but have been using their app on the PCs I need to since I can disable it on demand, given that many sites reject vpn IPs. But I don't use the machine in question for anything but the IP cams, so I've been looking for a reasonably priced router with vpn capability.

I really appreciate the ideas submitted here. All are good suggestions. I think the vpn router and vpn on the devices are the first thing I'll set up, along with an obscure port number.
 
Biased naturally but the Asus RT-AX86U comes highly recommended. Especially with Merlin firmware.
 
Is it better to run the vpn through the router or OK to run it on the machine itself? The latter would be simpler here.
As this is a single use network and AFAICT there's nothing else on its "LAN" it doesn't make much difference. I would try running the VPN server on the PC. This is likely to be easier to set up and keep updated. It's also likely to have higher throughput compared to many router based solutions. It's also zero-cost so you can try it before spending money on a new router if you decide you want to do that instead.
 
Sorry for my delay...busy season.

I decided to pick up another router to accommodate vpn to cover the PC and IP cams. The router is an Asus RT-AX58U, but I'm having issues with BI connecting to the router when the vpn is active. I flashed the fw to the latest Merlin fw.

I also have problems with the BI Remote Access Wizard connecting to the router via both the vpn provider app and with the router set up as vpn (client). It's not my firewalls. Port forwarding is enabled.

I've been back and forth with the vpn company support, but am still working on it. I may post details here later if no luck.

That said, I was attempting to set up the (router) client vpn. Support says, for my purposes, I need to use the (router) server vpn.

My purposes:

1. VPN Protection for the computer and IP cams inside the network

2. The ability for devices outside (and inside) the network to connect and have vpn connection

As this is a single use network and AFAICT there's nothing else on its "LAN" it doesn't make much difference. I would try running the VPN server on the PC. This is likely to be easier to set up and keep updated. It's also likely to have higher throughput compared to many router based solutions. It's also zero-cost so you can try it before spending money on a new router if you decide you want to do that instead.

But will the vpn app also protect the IP cams?

Biased naturally but the Asus RT-AX86U comes highly recommended. Especially with Merlin firmware.

Yes, I agree. I have the 86U on my main NW. Great router. I bought the 56U because of reviews and $100 savings.

You mentioned earlier in post #17:

Basically: phone--->VPN aka secure tunnel (set up on the phone)--->router running VPN software (usually openVPN)--->computer running blue iris. The only port visible to the outside world is the VPN port.

Is your router vpn set up as server or client? Also, did you use the Asus .ovpn file or get one from your vpn provider?
 
That said, I was attempting to set up the (router) client vpn. Support says, for my purposes, I need to use the (router) server vpn.
Exactly this. You need a server.

1. VPN Protection for the computer and IP cams inside the network
A VPN client doesn't offer "protection" (despite what VPN providers claim), just anonymity from your ISP.

2. The ability for devices outside (and inside) the network to connect and have vpn connection
You need to set up a VPN server, not a client. That's why I said it's "zero-cost" because you don't have to pay for a VPN client service from someone like NordVPN.
 
Just got re-confirmation of that from support. He also said:

"If you set up the VPN server it would allow you to access your whole local network securely from devices outside of your home. I don't think that is necessary if you can just use an app or web server for Blue iris to connect securely. "

But I'd feel 'safer' having the router vpn regardless. I'll attempt to set up the server later and see if I still have problems connecting through BI. If so, I'll probably try a previous fw version.

Regarding the vpn service, I've been using mullvad for a few years now. I don't mind paying (it's one of the more reasonable vpn prices). I run it always on my ipad/phone and use it on various PCs behind my main (86U) router.

One of the reasons I use mullvad is that they don't log traffic, and their servers (through the app, anyway) keep up with my bandwidth plan.
 
Server since I'm providing a service to the phone. I used the Asus .ovpn when using OpenVPN.* The hardest part was getting that file to the phone ( https://www.asus.com/support/FAQ/1004466 ) Note this was on a N66U. The newer routers make VPN setup a little easier and also offer IPSec which some phones provide built-in (OpenVPN is an app for some).

*VPN provider would be client on the router end since you're connecting to a server.
 
I just got back in the office and attempted to set up the vpn server, but when I enter username/pw and hit apply, it's rejected with the message, which states: ff:f...(IPv6 address) is not a valid IP. This is strange because I entered no address. It matches the default address in the Advanced settings of the vpn server. The support rep I got wasn't much help other than to say he could pass it along to a higher tier, who would 'call' me in the next week.

I was able to get past the password segment by switching to server 2. Odd problem, since early in the process I reset the router to factory settings, so I have to assume that the default ipv6 address for server 1 is in error.

Any ideas?

Also, the default port setting is 1194. Can I use the port number I chose...above 10,000?
 
It sounds like this problem where the IPv6 address got mangled for some reason, probably a bug.
 
Could be a bug. At present, I'm attempting to open the file in the openvpn app on my iphone. I placed the file on my phone, went to the openvpn app, and am in the 'Import Profile', but there's no apparent way to import it. No buttons, and the 2 options aren't links. See screenshot.
 

Attachment: Import Profile.jpg
Oddly, I can connect to the BI web interface via a browser, but:

  • I had to add the openvpn virtual address as an exception in Windows Firewall.

  • Under the VPN Server tab, I had to change the option under 'Client will use VPN to access' from 'Lan Only' to 'Both' (internet access and LAN).

I still haven't been able to get the BI app to connect. I'll have some time at my desk tomorrow morn, so I'll continue my efforts then.

I'll continue to post updates to help anyone who might be searching on how to make this work.

I appreciate all the help y'all have provided.
 
Oddly, I can connect to the BI web interface via a browser, but I had to add the openvpn virtual address as an exception in Windows Firewall.
Not odd at all. Windows Firewall for most situations will block incoming non-local traffic. Your VPN's IP address is not local therefore an exception needs to be made.
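
A scoped version of the Windows Firewall exception discussed above, as an added example that is not part of the original thread: it admits only the VPN address pool to the Blue Iris web port instead of opening that port to every non-local source. The subnet 10.8.0.0/24, port 81, the Private profile and the rule name are assumptions; substitute the pool shown on the router's VPN Server page and the port Blue Iris is configured to use.

```powershell
# Run in an elevated PowerShell session on the Blue Iris PC.
# Constructed values (assumptions, not taken from the thread): adjust to your setup.
$VpnSubnet = '10.8.0.0/24'   # address pool the router's OpenVPN server hands to clients
$BiPort    = 81              # TCP port the Blue Iris web server listens on
$RuleName  = 'Blue Iris web UI from VPN clients'   # hypothetical rule name

# Show which firewall profile the camera LAN interface uses; the rule below
# only takes effect if its -Profile matches this category.
Get-NetConnectionProfile | Select-Object InterfaceAlias, NetworkCategory

# Remove an earlier copy of the rule so re-running the script does not stack duplicates.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

# Allow only the VPN pool to reach only the Blue Iris port.
# Everything else from non-local sources stays blocked by the default inbound policy.
New-NetFirewallRule -DisplayName $RuleName `
    -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort $BiPort `
    -RemoteAddress $VpnSubnet `
    -Profile Private | Out-Null

# Read the rule back so the scope that was actually applied is visible.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[pscustomobject]@{
    Rule          = $rule.DisplayName
    Enabled       = $rule.Enabled
    Profile       = $rule.Profile
    RemoteAddress = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    LocalPort     = ($rule | Get-NetFirewallPortFilter).LocalPort
}
```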
 
