Chat GPT says this is more secure than using a VPN for remote access

[Clucky]

ChatGPT

A conversational AI system that listens, learns, and challenges

chatgpt.com

In short, having Blue Iris on a separate user account that does not have network access to the LAN (other than the router), and using a reverse proxy with 2fa authentication is basically 10/10 bullet proof and should function just like using the port forward method once the device is authenticated.

Just having the LAN access restricted (either through making a new user account or putting a firewall/router in front of the server) should prevent further damage should the server become compromised. With the reverse proxy service you can add 2fa authentication so that you would need to verify by email to allow that device to have network access to the BI server.

 

[jmhmcse]

Is this a PSA, FYI, or something you intend to implement yourself? The description provided is somewhat vague and difficult (for me) to interpret as what you are trying to explain.

" having BI on a separate user account "

How would you implementing this? VLAN, 802.1X/Radius, Firewall rules, etc?​

" using a reverse proxy "

This requires a web server of some sort; dedicated, VM, container, etc. Also needs to be configured as a reverse proxy.​

" 2fa "

This too requires a client/server application to be available (installed, configured) on their respective devices.​

The net result of all this is nothing more than a "home grown" implementation of many VPN applications, such as OpenVPN. I'd rather implement a whole-solution from a single open-source package that is widely used, implemented, maintained, and updated by a very large community. It's a very SIMPLE solution to implement.

---

 

[Clucky]

But a VPN you would have to either keep running or disconnect it every time you are done with it. Not practical for mobile devices especially for end users that don't have the knowledge or want to have to do an additional step every time they want to check cameras.

Having blue iris behind a firewall on an isolated network (whether on a VM, non admin windows account, or installing an actual firewall) will prevent your network from being compromised in case the BI server got taken over. Even if they got remote access, they wouldn't be able to infect the rest of the machines on the network. This is more than enough for most people. The only downside is that devices in the LAN would have to access via the public IP, and have the bandwidth go over the internet.

With the reverse proxy set up (which it explains how to do it) it can allow for 2fa authentication which means every new device that tries to access the server will be prompted by the reverse proxy server to verify with email, google authenticator, etc. The reverse proxy can be installed on the server without a VM because the traffic would route to the local host using port 81. I think this is the best alternative to setting up a VPN or Zero Tier which is either subscription based on requires setting up your own server.

 

[elvisimprsntr]

+1 for Tailscale MESH VPN. Works automagically!

1. Clients for every OS on the planet.
2. Free tier for up to 3 users and 100 devices.
3. Automatic VPN on demand when off trusted WiFi.
4. Access your entire home network or configure ACLs to limit access. (NAS, cams, security system, lighting control, any IP based device, etc.)
5. Exit node selection when you want to route all traffic through your home network to overcome restrictions.
5. So simple, even a primate can set it up.

Tailscale · Best VPN Service for Secure Networks

Securely connect to anything on the internet with Tailscale. Deploy a WireGuard®-based VPN to achieve point-to-point connectivity that enforces least privilege.

tailscale.com

 

[samplenhold]

Zero Tier which is either subscription based on requires setting up your own server.

I use Zerotier and it is not subscription based and I did not have to do anything remotely as involved as setting up my own server. Very simple and works.

I used to use Tailscale but had random access issues. Still use it on occasion from a laptop.

 

[biggen]

+1 for Tailscale. Amazing how easy it is to work with.

 

[Clucky]

So question about tailscale. I want my phone's traffic to go through the normal cellular network and not route back to my house for normal use. I am worried that having zero tier always on will do that and will cause latency. I am looking into VPN options now because after less than a week of having my server exposed to the internet I have been getting a bunch of "remote access from remote" logs in my router, and I haven't even tried getting the app set up yet!

 

[samplenhold]

I see no latency with Zerotier. My phone traffic does not go through my home LAN. Same thing with Tailscale. The only phone traffic that goes back to your home is the ones you actually set up that way.

I have both set up on my phone and my laptop. From my laptop while we are in our RV well away from home, I can use UI3 for the BI server and my files sync with my NAS. But nothing else goes back to my home.

I do shut off Zerotier on my phone if I am not using the BI iPhone app since it does use a lot of battery.