Help with vlan, vpn or whatever

JPmedia

Sep 11, 2024
Ok, the more I research this stuff the more confused and frustrated I get. I want to set up my 2 NVRs so that I can access and view events from my mobile device remotely yet protect the NVRs from being hacked.

Is there a guide somewhere which walks one through this specific process? I'm sure it's been asked a bazillion times here, but I can't find anything specific to the process of doing so. I checked the VPN for noobies thread and while it explains why it should be used, it's merely an overview of the process; it really doesn't outline the actual process of setting it up.

I will be using an ASUS RT-AX1800S router

I would be grateful to the person(s) who can untangle the process
 
There is a wizard for open VPN server on your Asus RT-AX1800S. A copy and paste here: (AI Overview).

To set up a VPN on an ASUS RT-AX1800S router, you'll generally need to log into your router's administration panel, navigate to the VPN settings, and then configure the desired VPN connection (e.g., OpenVPN). The exact steps can vary slightly depending on the VPN service you're using, but the core process remains similar.


Steps to configure a VPN on your ASUS RT-AX1800S:

Detailed Steps:
1. Access the Router's Web Interface:
Connect a device (laptop, phone) to the router's network (wired or Wi-Fi).
Open a web browser and enter the router's LAN IP address (usually or 192.168.1.1) in the address bar.
Log in using the router's username and password (default: admin/admin).

2. Enable OpenVPN Server:
Navigate to the "VPN" section, then "VPN Server".
Locate the OpenVPN button and enable it (it's typically off by default).
Some routers have a "Professional" tab within the VPN server settings where you can adjust options like username/password authentication, allowed clients, and client-specific options.

3. Configure OpenVPN Server Settings:
Server IP Address: Ensure the server IP address is set correctly. This is the IP address of your router's LAN network.
Port: The default OpenVPN port is usually 1194, but you can change it if needed.
Encryption: Configure the encryption settings as needed.
Allowed Clients: You can restrict OpenVPN access to specific devices or clients by setting up allowed client lists.

4. Create User Accounts (if using username/password authentication):
Create VPN Client Accounts: Add user accounts by clicking "ADD" and entering usernames and passwords.
Note: Once set, these usernames and passwords cannot be changed.

5. Configure OpenVPN Clients:
Download OpenVPN Software: Download and install the OpenVPN client software on the devices you want to connect.
Import Configuration Files: You'll need to either manually configure the OpenVPN client or import a configuration file with OpenVPN settings.
Configure Client Settings: Enter the router's IP address, the OpenVPN port, and your username/password (if applicable).
Connect to the VPN: Establish the OpenVPN connection on the clients.
 
Those look like instructions to set up the Asus router as a VPN client with a third party VPN service, which is not typically helpful for remote access. He needs his router to be a VPN server.

The reason you can't find a good guide for it is because the exact steps depend on way too many variables.

This should get you started:
It is possible your ISP does not allocate you a public IPv4 address in which case things will be a lot more complicated.
 
Apologies @bp2008. I was not paying attention.

I have set up one Asus Router with OpenVPN server and it was easy.

Wireguard is also easy nowadays. Here utilize PFSense (many many years now). I have set up PFSense as a VPN client to Oracle VPN server. Also worked well.

I do also use PIA (Private Internet Access) here for home clients which are mostly Linux these days. I use Windows but do not really like it much these days.

Note this doesn't have anything to do with the ISP.
 
Using AI...

A VPN (Virtual Private Network) service provider offers a service that creates a secure, encrypted tunnel between your device and a remote server. This tunnel encrypts your internet traffic, hides your IP address, and masks your location, offering privacy, security, and the ability to bypass geo-restrictions.


Been using PIA now for about 5-6 years.

Also utilize No IP dot com and

Utilize TOR...

The Tor Browser is the most recommended and widely used browser for accessing the dark web. It's specifically designed for privacy and anonymity by routing all internet traffic through the Tor network, a globally distributed network of servers that hides your IP address. This makes it more difficult to track your activity and identify your location.

Here's why Tor Browser is the best option:
  • Privacy and Anonymity:
    Tor Browser is built with the core functionality of the Tor network, which encrypts your internet traffic and routes it through multiple nodes before it reaches your destination, making it much harder to trace your online activities.

  • Preconfigured for Security:
    Tor Browser comes pre-configured with various security features like HTTPS-Only mode, NoScript, and other patches to enhance your privacy and security.

  • User-Friendly:
    Despite its complex security measures, Tor Browser is designed to be relatively easy to use, even for those who are not technical experts.

  • Open Source and Free:
    The Tor Browser is free and open-source, meaning anyone can inspect its code and verify its security.

  • Optimized for Onion Links:
    The Tor Browser is specifically designed to access sites that use the .onion domain extension, which is the address format for websites on the Tor network.


Have a read here too:


It comes down to never open anything up at home to the Internet. Use VPN to access your home network. Next level would be put your IOT devices on separate VLANs (IE: Amazon / Google devices).
Separating IoT devices on a dedicated VLAN can enhance network security and performance. By isolating these devices, you reduce the risk of a potential compromise affecting other devices on your main network. Additionally, this separation can help prevent network congestion caused by the communication of IoT devices with their respective cloud servers.

Personally while I utilize PFSense

That said I also utilize OpenWRT....I have a micro router with OpenWRT on it inside of my alarm panel (Leviton OmniPro 2).

You can put OpenWRT on your Asus router:

 
Ok, how do I set VPN/VLAN up so that I can remotely access the cameras and view events seamlessly, as I do now using P2P?
 
Just enable OpenVPN server on your router. There is a wizard there that will create configurations for Android, Windows, Linux et al.

Install OpenVPN on phone whatever OS it is using, or install it on your Windows or Linux laptop.

Then once open use the configuration file you saved from your Asus router.

Once VPN is running you can go to your NVRs like you are at home. Easy peasy.

Baby Steps....you do not want to do VLANs yet....

Read about VLANs here...you will need a managed switch for a home VLAN.

Mostly setting up a VLAN is the same on most managed switches. I came from a Cisco environment and now just use TP-Link switches. Never have had an issue with them.

AI Overview

Setting up a VLAN at home involves creating virtual networks on your physical network to segment traffic and enhance security. You can do this by configuring your router and assigning devices to different VLANs.
Steps for Setting up a VLAN at Home:

1. Plan Your VLANs:
Decide which devices will belong to which VLANs (e.g., IoT devices, guest network, work devices).

2. Configure VLANs on Your Router: (not sure that Asus does VLANs)
Log into your router's web interface.
Navigate to the network settings and look for VLAN configuration options.
Assign unique VLAN IDs to each of your VLANs.
Specify IP ranges, subnet masks, default gateways, and DNS servers for each VLAN.

3. Assign Devices to VLANs:
Access the network settings on each device and specify the VLAN ID it should belong to.
This might involve configuring the device's network settings or using a VLAN-aware switch.

4. Save Changes and Test:
Save the changes to your router's settings.
Restart your router.
Test the VLANs by ensuring devices within each sub-network can communicate as intended.

Benefits of Using VLANs:
Improved Security: Isolating traffic between VLANs can limit the impact of a security breach.
Simplified Network Management: You can more easily manage different groups of devices and their settings.
Enhanced Performance: Reducing broadcast traffic can improve network performance.
Future-Proofing: VLANs can help you prepare for future network expansion and changes.
 
I use P2P

My cameras are already on a vlan thanks to the Dahua NVR Poe ports/switch

I also run WireGuard AND OpenVPN on my firewall box, mostly for redundancy. Sometimes the VPN is faster, sometimes P2P is faster.

WireGuard is 10x faster and more secure than OpenVPN if you feel you must run a vpn
 
OK forget all that AI nonsense - it isn't applicable to what you are trying to do.

TOR is useless for what you are trying to do as you are not wanting to hide your IP address.

You do not want a paid VPN - that is to hide your IP address for porno and illegal streaming. You are looking for a VPN that puts you back on YOUR network.

It is easy to overthink a VPN. I was there once too. It is really simple.

In the router, you simply check the box to use it/turn it on. Then it will have you create DDNS, set a username and password and you export out the certificate to go onto your mobile device. It is literally that simple.

Then on your device, you log in to the VPN (OpenVPN or WireGuard) and then the DMSS app will work, as will logging into the NVR via a browser.

Keep in mind if you turn off P2P, then you need to find another way to get push notifications if that is important to you.
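
bp2008's earlier caveat about ISPs that hand out no public IPv4 address, and the export step described in the post above, can both be checked on the exported client profile before it goes onto the phone. This is an added example, not part of the original posts: the sample profile and the function names are constructed, and it assumes the router writes its WAN address or DDNS name into the profile's `remote` line.

```python
import ipaddress
import re

# Constructed sample profile (placeholder certificate, not from a real router).
SAMPLE_OVPN = """\
client
proto udp
remote 100.72.14.9 1194
auth-user-pass
<ca>
constructed-placeholder
</ca>
"""

CGNAT = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 carrier-grade NAT range

def classify_remote(host):
    """Classify a `remote` target as hostname, public, cgnat or private."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "hostname"  # e.g. a DDNS name, resolved at connect time
    if ip in CGNAT:
        return "cgnat"
    if ip.is_private or ip.is_loopback or ip.is_link_local:
        return "private"
    return "public"

def audit_profile(text):
    """Return a list of findings for an exported OpenVPN client profile."""
    has_ca = "<ca>" in text
    body = re.sub(r"<([\w-]+)>.*?</\1>", "", text, flags=re.S)  # drop inline blocks
    findings, seen = [], set()
    for line in body.splitlines():
        parts = line.split()
        if not parts or parts[0][0] in "#;":
            continue
        seen.add(parts[0])
        if parts[0] == "remote" and len(parts) >= 2:
            kind = classify_remote(parts[1])
            if kind in ("cgnat", "private"):
                findings.append(f"remote {parts[1]} is a {kind} address, "
                                "unreachable from the internet")
    if "remote" not in seen:
        findings.append("no remote directive: profile has no server address")
    if not (has_ca or "ca" in seen):
        findings.append("no CA certificate: client cannot verify the server")
    if "auth-user-pass" not in seen:
        findings.append("auth-user-pass missing: no username/password prompt")
    return findings
```

A `cgnat` or `private` finding on the `remote` line means the router itself sits behind another NAT, so the VPN server cannot be reached from mobile data until that is resolved.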
 
Your ASUS RT-AX1800S also does WireGuard (here also run WireGuard and OpenVPN server on PFSense). It is similar to setting up OpenVPN server.

I used AI to search for the configuration of the ASUS SOHO router. I have not used a SOHO router in 20 years except for modification / updating OS to OpenWRT (which is levels better than the Asus firmware).

Personally like to bounce all over the internet so yes I use a paid VPN for that. I do not watch TV much but do have XFinity, Direct TV and Dish Network and typically just watch movies.

I use KODI to stream TV from around the world. It's very interesting what is out there.

I've used TOR as long as it's been around and it doesn't really have anything to do with your CCTV stuff.

I am into time and sync everything to my NTP server on PFSense that uses a GPS with PPS. So cameras are in sync here.

I am thinking that you can do an Asus DDNS but typically our home internet IP will not change much.

Baby steps; it is as easy as stated above.
 
Maybe I’m overthinking this or maybe just paranoid. Ever since the camera issue with the exposure ups and downs and not being able to access the GUI, I thought that maybe it could be coming from the internet side of things.

I decided to “unplug” the NVR from the internet for a day to see if my suspicion was valid. The exposure issue did happen once, but after unplugging the camera and plugging it back in, it was ok. Now I did do a power reset of the NVR before I disconnected it from the net, so it could have been that too – I don’t know.

Either way, when I reconnected the net this morning, I was able to access Web5 GUIs again. I couldn’t access any of the cameras that used the version 5 GUI using any browser prior to disconnecting the net – Pale Moon, Chrome or Edge in Explorer mode.

I need push notifications - I’m having withdrawals since net disconnect. So, I need the convenience of P2P. I guess I’m wondering if there is a way to make it more difficult to find and access the NVR/cameras from the net?
 
If you've been hacked:

1- it was due to having port forwarding in place on your router OR if using P2P you exposed your QR code or serial number here in public. If the latter, turn off P2P as you’ve given away the keys

2- if things change as you say on a camera, the first thing to do is login and look at the settings to see what changed

3- I think you had AI-SSA turned on OR Self Adaptive with AI codec or some combination

You need to manually reset the camera, start from scratch and take screenshots of every setting page. (Again, do not make settings on the NVR.)
 
1- it was due to having port forwarding in place on your router OR if using P2P you exposed your QR code or serial number here in public. If the latter, turn off P2P as you’ve given away the keys
I have not posted the QR code for the NVR here nor anywhere. I did use the QR code way back in 2020 when I first installed the system but have never posted it anywhere. As far as QR codes for cameras, there was one instance where I mistakenly posted the label of one of the used cameras and edited the photo afterwards, but I no longer have that camera.
2- if things change as you say on a camera, the first thing to do is login and look at the settings to see what changed
Every time I logged into the camera when something was happening, no settings were changed. Even if you tried to make a setting change, the camera would not respond.
3- I think you had AI-SSA turned on OR Self Adaptive with AI codec or some combination
I checked all those. AI-SSA is off and general codec H.264H is selected.
You need to manually reset the camera, start from scratch and take screenshots of every setting page. (Again, do not make settings on the NVR.)
I have learned to make all settings from the camera GUI. I will need to de-install the camera to reset it. In the same token, I believe it best to be tested for a while on the bench after resetting it, in case the issue returns. Don't want to have to go back up and do it all over again.
 
Your next step would be to swap out that likely compromised Lorex for the Dahua NVR you have sitting around (I think you said you bought one and looking for time to set it up).
 
Your next step would be to swap out that likely compromised Lorex for the Dahua NVR you have sitting around (I think you said you bought one and looking for time to set it up).
Yes, I have a Dahua NVR. I've been procrastinating on doing the switchover. Another thing that I am overthinking.

Can I just swap the cameras from the Lorex to the Dahua with their assigned IPs from the Lorex NVR or do I need to reset all cameras?
 
Yep another thing you are overthinking.

My neighbor had an older Lorex NVR and in the last few months switched to Andy's NVR and the cameras were all found in the NVR by simply plugging them in and no resets were necessary.

The key is to plug them in one at a time - wait until the image shows up before plugging in the next camera.
 