Need Clarification--How Does A VPN Protect Your Surveillance System from the Outside World?

Need a detailed explanation.

I just configured VPN on my Netgear router, and the only benefit I'm seeing is being able to view the NVR securely from any device from anywhere in the world.

But how does it really protect a 24/7 running NVR when I can access the NVR through the Dahua mobile device apps without VPN?

And also, how is a VPN an extra layer of security when the physical IP addresses still exist?
 
I read the VPN Primer carefully, but one aspect remains unanswered. Generally speaking, when I am connected to my VPN within the same network, shouldn't the physical IP address be masked and replaced with the VPN IP when I check my IP at whatsmyip.org?
Read carefully: VPN Primer for Noobs

If you can still access your cameras remotely w/out the VPN, then you failed.
 

nayr

There is absolutely no need to use a VPN when on the same network; it's used for remote access. It's doing nothing but slowing you down when you use it locally.
 
Lol, then I see what you mean from a security standpoint.
I think I was overanalyzing the purpose of VPN here

Then again, can't we still remotely access the cameras using the Dahua iOS / Android apps from anywhere in the world? Doesn't that still make it a vulnerability?
How can we address that?
Read carefully: VPN Primer for Noobs

If you can still access your cameras remotely w/out the VPN, then you failed.
there is absolutely no need to use VPN when on the same network; its used for remote access
 

hmjgriffon

Lol, then I see what you mean by a security standpoint
I think I was overanalyzing the purpose of VPN here

Then again, can't we still remotely access the cameras using the Dahua iOS / Android apps from anywhere in the world? Doesn't that still make it a vulnerability?
How can we address that?
Stop using their ddns crap
 

nayr

No you can't; when set up correctly there will be no way to make a connection to your cameras without a VPN tunnel established. Disable UPnP on the firewall, and PNP/EzViz on the cameras, and add some extra firewall rules that prevent the cameras from talking to anything not local.
 
Unless you have their proprietary apps installed, right? How was I able to view my Amcrest cameras using their app from the other part of the country via LTE then?

No you cant; when setup correctly there will be no way to make a connection to your cameras without a VPN Tunnel established..
 

nayr

disable uPNP on firewall, and PNP/EzViz on Cameras and add some extra firewall rules that prevent cameras from talking to anything not local..

Most consumer routers let anything forward ports to themselves with this horrible technology called UPnP.
 

hmjgriffon

Unless you have their proprietary apps installed, right? How was I able to view my Amcrest cameras using their app from the other part of the country via LTE then?
Because they provide a service where the cameras connect to their server and the app connects to their server, turn that crap off in the cameras.
 
I disabled UPnP but am still able to view the cams, even on WiFi and LTE. What are the common ports and protocols these companies (Amcrest, Swann, etc.) are using?

disable uPNP on firewall, and PNP/EzViz on Cameras and add some extra firewall rules that prevent cameras from talking to anything not local..

Most consumer routers let anything forward ports to them selves with this horrible technology called uPNP
 

nayr

Create firewall rules to block the camera from all communications with the internet. Network security has to be enforced externally; you can't trust the devices themselves.
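As an added example (not from any poster in this thread), here is a Linux iptables ruleset that enforces the advice above on a router: cameras may talk to the LAN and to VPN clients, but any new connection they try to open toward the WAN is logged and dropped. The subnets, the VPN client pool and the WAN interface name are assumptions for the example.

```shell
#!/bin/sh
# Added example for a Linux-based router (OpenWrt, pfSense shell, etc.).
# All addresses below are assumed placeholders; adjust to your network.
CAM_NET="${CAM_NET:-192.168.50.0/24}"   # assumed subnet holding cameras and NVR
LAN_NET="${LAN_NET:-192.168.1.0/24}"    # assumed trusted LAN (your PCs/phones)
VPN_NET="${VPN_NET:-10.8.0.0/24}"       # assumed address pool handed to VPN clients
WAN_IF="${WAN_IF:-eth0}"                # assumed WAN-facing interface

# Emit the rules as text so they can be reviewed before being applied.
camera_egress_rules() {
  cat <<EOF
iptables -N CAM_EGRESS
iptables -I FORWARD 1 -s $CAM_NET -j CAM_EGRESS
iptables -A CAM_EGRESS -d $LAN_NET -j RETURN
iptables -A CAM_EGRESS -d $VPN_NET -j RETURN
iptables -A CAM_EGRESS -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN
iptables -A CAM_EGRESS -o $WAN_IF -j LOG --log-prefix "CAM-EGRESS-DROP: "
iptables -A CAM_EGRESS -o $WAN_IF -j DROP
EOF
}

# Apply the rules for real (needs root): sh this_script.sh apply
apply_camera_egress_rules() {
  camera_egress_rules | sh -e
}

# Sanity check: exactly one rule drops camera traffic headed out the WAN.
drop_rule_count() {
  camera_egress_rules | grep -c -- "-o $WAN_IF -j DROP"
}

if [ "${1:-}" = "apply" ]; then
  apply_camera_egress_rules
fi
```

Replies to connections opened by LAN hosts or VPN clients still flow because of the ESTABLISHED,RELATED rule; a camera trying to phone home to a vendor P2P/DDNS server shows up in the kernel log with the CAM-EGRESS-DROP prefix, which is also how you confirm the block works. Point the cameras' NTP and DNS at the router or NVR, since they can no longer reach public servers.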
 
These consumer routers are half-baked. Besides shouldn't I block the ports on the gateway, but keep them opened on the router? How else would I be able to access the cameras? Alternative ports?

create firewall rules to block the camera from all communications with the internet, network security has to be enforced externally.. cant trust the devices themselves.
 

misterfredsr

I used my Netgear router for that. I reserved an address for my cam, then I blocked it from the internet. There have been no logs for the cam except for motion detection.
 
Ryan, so what are you using to remotely view your cameras when those ports are blocked? Are you creating your own open ports?
What happens when someone on the other side of the world injects a code to scan for open ports on your network and go from there? :D
create firewall rules to block the camera from all communications with the internet, network security has to be enforced externally.. cant trust the devices themselves.
 

Chuckv

Hi Arjun,

My first post. New to cameras but not to routers. Ports are only open based on 3 things: you have a rule set up for a service, you forward a port from your WAN to your LAN, or you can access any part of your LAN from the WAN side of your firewall. The fact that you can remote into your network using an app means you have at least one if not more ports open. Usually port 80, which allows web sites to send you their content. Apps can use this port pretty safely. Ask your vendor what port they use, as no one here can answer that easily. Look at your rules list and your port forwarding list. Anything that allows TCP or UDP traffic should be deleted. Still can get in remotely? Ask your app vendor how. You don't like their port being open? Block traffic on it. It's better to configure a router all blocked, open as needed. If you have a consumer-based router that has stuff open by default, then you are not serious about security. Time to hire a professional.
 