Newbie VPN question

toejam · Aug 18, 2022

I have an Asus RT-AC3100 router, which can be configured with VPN server. If I setup the VPN server on the router, do I need any external VPN service?

I have a subscription with PIA VPN and use a client VPN setup on my router to the PIA VPN servers, but, don't know the benefits/consequences of using the ASUS VPN server.

I have seen pointers to VPN guides, but, they seem to go down to the external VPN server route. Is there a guide on using my own VPN server built into my Asus router?

I apologize if this has been hashed to death already, please pardon my ignorance.

TonyR · Aug 18, 2022

toejam said:
I have an Asus RT-AC3100 router, which can be configured with VPN server. If I setup the VPN server on the router, do I need any external VPN service?

No, that only masks your IP and outgoing traffic.

toejam said:
Is there a guide on using my own VPN server built into my Asus router?

Try this ==>> OpenVPN on a Asus router

or this ==>> [VPN] How to set up a VPN server on ASUS router – OpenVPN

wittaj · Aug 18, 2022

The external HIDES your IP address for porno and illegal streaming.

OpenVPN puts you back onto YOUR IP address so it is just like you are in your home.

toejam · Aug 18, 2022

Thank you for the replies. If I have no need to access my LAN externally, is there any advantage to setting up my router as a VPN server? I guess I'm looking more for the why, advantages, disadvantages, pros, cons, etc, instead of how to setup a router VPN. I can follow the setup process, just don't know if I should. I'd be more interested in hearing how a VPN server on the router helps my network, especially if I only access my network from within the network.

OICU2 · Aug 18, 2022

If you have no need to access your network from any other place but home, there is no need for a VPN.

wittaj · Aug 18, 2022

If you want to access ypur system away from home, you set up the VPN back into your system so you don't get hacked.

If you port forward you will be hacked. Had a thread just this week where someone's BI showed a bunch of attempts.

toejam · Aug 18, 2022

wittaj said:
If you want to access ypur system away from home, you set up the VPN back into your system so you don't get hacked.

If you port forward you will be hacked. Had a thread just this week where someone's BI showed a bunch of attempts.

I saw that thread, which got me to wondering how a VPN server on the router protected my lan from being hacked. Which, of course, led to what other benefits are gained by setting up a router based vpn server.

whoami ™ · Aug 18, 2022

By using VPN to access your LAN from outside of your network you only have to have one inbound port exposed and you know its secure cause it's OpenVPN which continually goes through rigorous security audits. Other wise you would have one port open for BlueIris, one for Remote Desktop, one for the webserver to your home security system, one for your plex server, one for your NextCloud server, one for each of your devices you want to ssh into, ect ect...

Bots are continually choosing random IP addresses and scanning them looking for open ports. If you set up a honey pot on your network exposed to the out side you'd be surprised how many hits you'd get a day. If one of those bot happens to find a open port for something with a vulnerability it just happens to be looking for... you will have just been owned.

whoami ™ · Aug 18, 2022

Another reason you would want to run a VPN on your home network is to protect you when you connect to public WiFi. Who ever hosts the WiFi connection can see all your DNS requests or anything you do on connections that that don't use https like the password to your BlueIris server if you dont have a VPN or ssl set up. By connecting to your VPN you create a encrypted tunnel to send all your traffic back trough VPN server and back out to the internet through your home internet connection. Another reason might be if you wanted to change you geo location. Like say your friend wanted to share their YouTubeTV sub with you from another state. You can trick YouTube into thinking your located on your friends network. But usually things like tricking streaming services takes some skill in setting up the VPN in order to hide the fact that the traffic is being passed through vpn.

Mike A. · Aug 18, 2022

That's a good benefit. I run mine back through my network so I also have all of my tracking and ad blocking wherever I am.

spammenotinoz · Aug 19, 2022

whoami ™ said:
By using VPN to access your LAN from outside of your network you only have to have one inbound port exposed and you know its secure cause it's OpenVPN which continually goes through rigorous security audits. Other wise you would have one port open for BlueIris, one for Remote Desktop, one for the webserver to your home security system, one for your plex server, one for your NextCloud server, one for each of your devices you want to ssh into, ect ect...

Bots are continually choosing random IP addresses and scanning them looking for open ports. If you set up a honey pot on your network exposed to the out side you'd be surprised how many hits you'd get a day. If one of those bot happens to find a open port for something with a vulnerability it just happens to be looking for... you will have just been owned.

I don't think there is a correct answer for this, it depends on someones risk appetite. The risks with TCP port-forwarding are often overstated.

Always assume any device on your network is compromised, each device needs to be secure.
If you forward a TCP port for BlueIris the key risks are;

BruteForceAttack (really low risk, as BI blocks IP after n failed attempts, for n minutes, you can change this)
Hacker\Bot finds an exploit in BlueIris code (then they own your BI Server). Risks of this are extremely low, if your passwords are unique then their access is limited.
BI just isn't currently a popular target, much easier low hanging fruit. Conversely there hasn't been a lot of security testing against BI so we don't know how secure it is.
Mitigate the risk, use an account with lower access for remote access and monitor logs.
Do you require remote access , mitigate risk by turning on port-forwarding only when you plan to be away (eg: holidays)
I get daily email summaries, and emailed a still and video when people\vehicles are detected (so I don't need to check BI itself)

VPN;

Most VPN will use UDP for performance, by-nature UDP is not secure and frowned upon, so use TCP where possible and take the performance hit.
You need to maintain and patch your VPN server\service. Many exploits with OpenVPN so you need to update it regularly. Only use on a router when the vendor allows regular updates (you need to update both the client and vpn server as security fixes come out)
Configure VPN to use both certificate and username\password (ideally MFA)

-The tradeoff with VPN is the inconvenience , rich alerts won't work and an extra step to access BI remotely.

There is an alternative;
Use a Firewall\WebProtection. Can be an appliance or VM, but basically a security device that can block known bots, identify and block malicious traffic, like SQL injections, limit access to specific countries.
Not perfect, but far better than nothing, it's about reducing risks to an acceptable level. Firewall\WebProtection can host an SSL certificate to ensure the traffic is encrypted.

If you are recording anything sensitive then quite frankly your NVR system should be completely isolated and not have any inbound access. Outbound would be through a controlled web proxy\firewall only.

toejam · Aug 20, 2022

whoami ™ said:
Another reason you would want to run a VPN on your home network is to protect you when you connect to public WiFi. Who ever hosts the WiFi connection can see all your DNS requests or anything you do on connections that that don't use https like the password to your BlueIris server if you dont have a VPN or ssl set up. By connecting to your VPN you create a encrypted tunnel to send all your traffic back trough VPN server and back out to the internet through your home internet connection. Another reason might be if you wanted to change you geo location. Like say your friend wanted to share their YouTubeTV sub with you from another state. You can trick YouTube into thinking your located on your friends network. But usually things like tricking streaming services takes some skill in setting up the VPN in order to hide the fact that the traffic is being passed through vpn.

That sounds like a valid reason, I definitely give it high consideration.

So, if I setup server vpn on my router, all equipment that needs to access my network from outside my lan would need to connect via vpn client. Is this possible with security cameras - they don't establish the internet connection at their location? The main outside equipment that needs access to my lan are security cameras that I setup for several businesses. They download their video/photo files to my nas, via ftp to the nas. Off the top of my head, I assume they can continue to use ddns to connect to my ftp nas.

Search

Newbie VPN question

toejam

Young grasshopper

TonyR

wittaj

toejam

Young grasshopper

OICU2

BIT Beta Team

wittaj

toejam

Young grasshopper

whoami ™

Pulling my weight

whoami ™

Pulling my weight

Mike A.

Known around here

spammenotinoz

Getting comfortable

toejam

Young grasshopper