Bypass port forwarding

kmax1940

Sep 27, 2016
Hello, anyone have any suggestions on how to bypass port forwarding?

Right now we ship a single camera to our clients and we have to remote into their system and get into their router and open ports.

Anyone have a solution for bypassing port forwarding?

Maybe some type of ssh tunnel appliance?

Thanks
 
Without knowing more about your operation, it is hard to give a recommendation. A VPN is a much more secure method of remote access. Many routers include a built-in VPN server. Or you could run your own VPN server on your premises and ship clients a raspberry pi that is preconfigured to connect to your VPN server to provide remote access. Or you could ship them a raspberry pi that is configured to be a VPN server, and you log in [somehow] to forward a port in their router to that VPN server.
 
If I use a VPN on my clients' sites... the VPN device will be behind the client's router / NAT.

In that case I would still have to do port forwarding on the client's router to the VPN device.

Anyone know of a good way to VPN without having to set up port forwarding on the client's router?
 
Anyone know of a good way to VPN without having to set up port forwarding on the client's router?

Or you could run your own VPN server on your premises and ship clients a raspberry pi that is preconfigured to connect to your VPN server to provide remote access.
 
BP2008 - thanks

Yes, that's what I am thinking about now...

Here's the problem I am running into.

At the client locations where I put the raspberry pi with the VPN client... that raspberry pi would need to connect directly to the camera.
Otherwise the camera would be over on the client's network and not be accessible from my raspberry pi.

The VPN connection would be between the PI and my VPN server which is located offsite... so then my wifi camera would not be accessible...

Am I missing something?
 
At the client locations where I put the raspberry pi with the vpn client...
Wouldn't that be a VPN server? Assuming that you need to access the remote site to connect to the camera, using a VPN client.

that raspberry pi would need to connect directly to the camera.
The camera is using a WiFi connection, which is provisioned by an AP which presumably is on a LAN?
So the raspberry pi would connect to the LAN.

The VPN tunnel, once active, behaves simply as a remote direct connection to the LAN that the VPN server is connected to.
 
Once you have a raspberry pi on the client's network connected to your VPN, you can remote into that pi and use it to proxy whatever network traffic you want.
 
@alastairstevenson I was suggesting that he run the VPN client on the pi and connect it to a server that he controls, therefore avoiding the need to reconfigure the client's firewall. This solution also works if the client has a non-routable IP address (e.g. behind most cellular modems)
 
I should point out that if a traditional VPN like OpenVPN is too complex, there are services out there like Hamachi and NeoRouter which simplify the task of connecting multiple sites. There are drawbacks of course, as with anything.

Hamachi isn't free, but it is probably the easiest to work with, and the easiest to control access on, so you aren't accidentally allowing all your clients to access each others' LANs.
 
The unasked question is: would any of your customers object to having an "unmanaged" device on their private LAN, which might (or not) be sniffing internet packets, logging browsing histories etc - what would your answer be? You don't want to have a bus of advocates ringing your bell because your PI got infected with malware and a 10TB NAS with family pictures got cryptolocked.

My opinion: make sure your setup is safe and secure. I would preconfigure the devices with P2P (but that's not secure either) and work that way up. Or you have to provide something vlan ready and secure bottom-up.

Good luck!
CC
 
Thanks so much.

The problem with running the VPN client on the PI is that the client's router/modem is going to block it.

I need a device that I can put behind my client's router/modem which:
* does wifi - for the camera
* is a VPN client
* does NAT traversal

OpenVPN does not do NAT traversal.

I looked at SoftEther which is like OpenVPN but it does NAT traversal...
But I don't see a way to run that on a wifi router.

I can install dd-wrt on a router... but I only find directions for using that with OpenVPN.

Thanks for your time!

I will keep thinking and working and hopefully come up with a workable solution.

We are launching a "single camera" for home users type of package...
The idea is that we can just ship it to them and have an easy set up...
No port forwarding etc...

Then we just have to manually set their camera up in our cloud software... which is easy to do...

Thanks again
 
@kmax1940 You are mistaken. There is no reason for an OpenVPN client to be blocked by anyone's router/modem/firewall. You can even configure your VPN server to listen on port 443 and use the TCP protocol only, so as far as anyone's firewall is concerned, the VPN traffic looks exactly like normal web activity done over HTTPS.
 
I agree, that is one reason we are working towards a solution that gets us away from port forwarding.
 
@kmax1940 You are mistaken. There is no reason for an OpenVPN client to be blocked by anyone's router/modem/firewall. You can even configure your VPN server to listen on port 443 and use the TCP protocol only, so as far as anyone's firewall is concerned, the VPN traffic looks exactly like normal web activity done over HTTPS.

Hummmm ok thanks... multiple video tutorials have shown that you still have to open ports if your VPN client is behind NAT

Here is what I am thinking our setup will look like:

Customer's home router / modem -->
Our VPN device -->
Our wifi camera

If I connect a PI / VPN client to the customer's modem... won't that put the customer's entire LAN on our VPN?

I was trying to have only the camera on the VPN.

Thanks again!
 
I was suggesting that he run the VPN client on the pi and connect it to a server that he controls, therefore avoiding the need to reconfigure the client's firewall. This solution also works if the client has a non-routable IP address (e.g. behind most cellular modems)
OK, understood, and makes sense.
 
If I connect a PI / VPN client to the customer's modem... won't that put the customer's entire LAN on our VPN?

No, only if you were to bridge the networks.

I'm sure you could even figure out a way to use the pi's wifi interface to run a separate network just for the camera, so that literally all the client would need to do is plug in the camera to power, and plug in the pi to power and ethernet, within wifi range of the camera. Keeping in mind of course that the wifi antenna on a pi isn't likely to be spectacular.
 
No, only if you were to bridge the networks.

I'm sure you could even figure out a way to use the pi's wifi interface to run a separate network just for the camera, so that literally all the client would need to do is plug in the camera to power, and plug in the pi to power and ethernet, within wifi range of the camera. Keeping in mind of course that the wifi antenna on a pi isn't likely to be spectacular.

Yes! That is exactly what I am trying to do!

The camera would have to connect to the PI though.
Either through ethernet or wifi.

How would the camera get an IP address, because the PI does not do DHCP, does it?
If the PI was a mini wifi router that would be perfect. :)
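
The routed (not bridged) layout discussed in this thread, as an added example that is not from any poster: an nftables ruleset for the Pi in which the only new connection toward the internet is the outbound VPN session on TCP 443, and the customer's LAN is never forwarded to the camera network or the tunnel. The interface names, the camera subnet, the VPN server address (a documentation placeholder) and the presence of a DHCP server such as dnsmasq on the Pi's Wi-Fi interface are all assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example, not from the thread. Assumed interfaces:
#   eth0 = customer LAN uplink, wlan0 = camera-only Wi-Fi, tun0 = VPN tunnel
# Requires net.ipv4.ip_forward=1; IPv6 is dropped by the default policies.
flush ruleset

define CAM_NET = 192.168.50.0/24   # constructed camera subnet
define VPN_SRV = 203.0.113.10      # placeholder address for your VPN server

table inet pi_gw {
    chain input {
        type filter hook input priority 0; policy drop;
        iifname "lo" accept
        ct state established,related accept
        iifname "eth0" udp sport 67 udp dport 68 accept   # DHCP replies to the Pi
        iifname "wlan0" udp dport 67 accept               # camera asks the Pi for a lease
        iifname "tun0" tcp dport 22 accept                # management only via the tunnel
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        # Operator -> camera through the tunnel. No rule mentions eth0, so the
        # customer's LAN is never routed to the camera network or the VPN.
        iifname "tun0" oifname "wlan0" ip daddr $CAM_NET accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oifname "lo" accept
        ct state established,related accept
        # Housekeeping on the customer LAN: DNS, DHCP, NTP (a Pi has no RTC,
        # and certificate validation needs a correct clock)
        oifname "eth0" udp dport { 53, 67, 123 } accept
        oifname "eth0" tcp dport 53 accept
        # The VPN itself: one outbound TCP session, no inbound port forward
        oifname "eth0" ip daddr $VPN_SRV tcp dport 443 accept
        oifname "wlan0" accept
        oifname "tun0" accept
    }
}
```

The VPN server side still needs a route to the camera subnet through this client before the operator can address the camera directly.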