Setting up Blue Iris in multiple offices

zebrock

I have a client for whom I've installed a BI box at his main office that is running solid. Client now has added 3 satellite offices where he wants cameras installed, and all of them accessible on his BI app. VPNs are set up on the individual computers at each satellite office, not the routers. I know a point to point VPN tunnel at the router level would be ideal (and most cost effective) here, but he does not want the offices connected full time. That's a whole other story.

Is the best way to do this to just have a BI box at each location and have him toggle between the locations on the app? Or is there a way to have all of the cameras brought in to one single location on the app without p2p VPN setup?
 

The Automation Guy

Given the limitations that the client has raised, I think your suggestion is the best option. While they will have to VPN into each site separately to see the appropriate camera feeds, it sounds like the best solution given their hesitation to use a full time VPN.

That being said, here are my thoughts on the issue. First, I absolutely would want a separate BI set up at each location regardless of the method used to access the feeds. Having a local system archiving the footage is the best solution. Having to rely on an internet connection to provide a link between a BI server and remote cameras is going to result in outages that are out of your control. Having local storage is really the only robust option IMHO, so plan on running a BI system at each of the four locations anyway.

Personally I think having a full time VPN connection is the best way to have footage available on a single interface. That being said, most firewalls can handle data routing through VPN connections, so while the VPN connection might be on full time, it is very easy to set it up so only certain camera feeds actually use the VPN. It's also easy to limit users who connect via a VPN connection to only certain devices/network segments. So if your client is worried about leaving a VPN open full time that allows access to the entire network, that isn't how it has to be set up. Personally I would set up a full time VPN with only the satellite cameras using the tunnel to the main BI system for display purposes only. I wouldn't even worry about recording the satellite cameras on the main BI system because that should be handled by the systems set up in their local network (BI and local SD cards for example). Although if you wanted to add recording of remote cameras for yet another "backup" that would be located at the main site, it would not be wrong to do so.

The advantage of setting it up this way is that all of the camera feeds would show up on the main BI system/app. Users would not have to VPN into remote sites to see those camera feeds. The downside is that you are going to need decent internet speeds (especially upload speeds at the satellite locations) to get a stable system.

I actually have this type of system set up myself. I have a remote camera set up over a full time VPN connection that I display on my local BI. I don't record the remote camera on the local BI system, but it makes it very easy to view all of my cameras at one time using one connection method. Even if I am offsite, I can remote into my main system (using another VPN connection) and see all of my camera feeds at the same time - regardless of whether they are local or remote cameras.
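
A full-time tunnel limited to camera traffic, as described in the reply above, sketched as an added example in plain pf.conf syntax for the main-office firewall (not from the thread, and not what pfSense itself generates from its GUI rules). The interface name, all addresses and the stream port are constructed assumptions, and the cameras are assumed to stream RTSP over TCP.

```pf
# Main-office firewall. Every name and address below is constructed
# for illustration; substitute the real tunnel interface and hosts.
vpn_if  = "ovpnc1"          # hypothetical site-to-site tunnel interface
bi_host = "192.168.10.50"   # hypothetical main Blue Iris server
rtsp    = "554"             # assumed camera stream port (RTSP over TCP)

# Camera address ranges at the three satellite offices (constructed).
table <sat_cams> const { 10.21.0.16/28, 10.22.0.16/28, 10.23.0.16/28 }

# Weak form, for contrast only: a full-time tunnel that simply joins
# the two networks, which is the setup the client is worried about.
# pass quick on $vpn_if all

# Scoped form. Without "quick" the last matching rule wins, so the two
# blocks set the default and the single pass rule is the only exception.

# No satellite host can open a session into the main office.
block in log on $vpn_if all

# No main-office host can send traffic into the tunnel...
block out log on $vpn_if all

# ...except Blue Iris pulling streams from the satellite cameras.
# The rule is stateful, so the cameras' replies are allowed back in.
pass out on $vpn_if inet proto tcp from $bi_host to <sat_cams> port $rtsp
```

Each satellite firewall would carry the mirror image: block everything arriving on the tunnel except TCP from the Blue Iris host to that office's camera range. The `log` keyword on the block rules records any host that tries to use the tunnel for something else.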
 

zebrock

Thank you for your in-depth reply, that is extremely helpful! I didn't even consider the bandwidth that would be used up to send recordings back to the main office.

Do you have the VPN tunnel set up in Windows on your BI box at each satellite office, or did you set it up in the router?
 

The Automation Guy

I set mine up in the firewall/router devices at each location. The VPN runs firewall to firewall and the firewall handles all aspects of the VPN connection (encryption, login/security checks, routing, etc). IMHO, this is the best solution if your network device can handle it - and by that I mean not just supporting the basic VPN service functionality, but also being powerful enough to provide the desired number of VPNs at usable speeds. The more VPN connections you desire and the more data you expect to push through these connections, the more powerful your network device needs to be to handle the loads. That being said, what you are suggesting is not super complicated or demanding, so I don't think you are going to need "powerful" equipment to handle this. It's not like you are a large business with hundreds of remote workers using VPNs to access the company's network.

I also think setting up the firewall/router to handle the VPN connection is the easiest and most secure way to set it up. If you want a local computer to host the VPN service, you have to let all incoming VPN traffic through to that computer prior to the actual security/log-in process (in other words, you are letting unchecked outside traffic onto your local network). If set up correctly, this should be just as secure as hosting the VPN service on the firewall/router. However, this type of setup is more complicated and it creates a lot more opportunities to mess up the installation and make it less secure than it should be. By running it on the firewall/router, it is much less complicated to set up correctly because it's hosted on the gateway to your local network. This means you don't have to create any special routing and all security/login checks are done before ANY traffic is allowed onto your local network.

I run pfSense (but I'm also testing out an OPNsense solution right now and hope to change to that soon) as my firewall OS, which is more robust than your typical residential network device. But as I mentioned in the first post, just about any modern "residential" grade router should support some sort of self hosted VPN service now.
 