socat lets me connect from off-site directly to stream rtsp PLUS defeat 5 min limit

[Kenneth Anderson]

If your newer model Hikvision camera won't let you connect from remote over the Internet into a Linux [homemade NVR] server, maybe because you've firewalled prober IP addresses, or for some other reason you restrict your camera's access to the Internet -

I added a fifth brand new Hikvision camera to four others that were about 5 years old. Unlike the four old cameras, this new one would only allow me to view the live stream locally (same 192.168.x.x subnet). Neither does it allow me to log into its web page when I'm off-site. This was NOT OK with me.

My server side solution to allow me remote connect for rtsp live stream is:

nohup socat -T300 TCP4-LISTEN:9554,fork,reuseaddr TCP:192.168.0.12:9554 2>/dev/null &

where you can see I've changed my rtsp ports to 9554 just to be a non-conformist, and my camera address is 192.168.0.12.


To allow me remote management via the camera-served web page, I run:

nohup socat -T300 TCP4-LISTEN:9080,fork,reuseaddr TCP:192.168.0.12:9080 2>/dev/null &

where I've changed my http ports to 9080 just to be a non-conformist, and my camera address is 192.168.0.12.

These lines are actually used instead of the iptables nat table DNAT rules, otherwise necessary for those ports. Note that the specific camera then cannot use "basic" authentication for the rtsp stream, and whatever rtsp player used on the client machine to view that camera's live stream will have to accommodate the same. rtsp authentication will have to be "digest" for newer cams or "none" for older ones.

In case you're wondering, I'm not seeing the "T300" do any good. It is supposed to be a timeout to remove the camera login after use.

EDIT: This technique also defeats that evil Hikvision 5 minute time limit viewing live streams off-site.

I hope someone else can be helped by this this.

 

[Securame]

That is news to me, I didn't know newer firmwares restrict access on RTSP/web interface only to local subnet. What camera model and firmware version?

Given your case and your tech knowledge, wouldn't it have been easier to just set up a VPN, so when away your IP is algo a local IP?

 

[Kenneth Anderson]

That is news to me, I didn't know newer firmwares restrict access on RTSP/web interface only to local subnet. What camera model and firmware version?

Given your case and your tech knowledge, wouldn't it have been easier to just set up a VPN, so when away your IP is algo a local IP?

I'm guessing that the only people affected are those who tightly firewall their systems and have no other reason to run a VPN. My newest camera is a HIKVISION 4MP DS-2CD2345FWD-I DARKFIGHTER.

(I know VPNs are all the rage, but I've never felt the need for one. [I emphasize the word "felt".] My internet traffic has never struck me as being interesting enough to protect beyond the layperson's level. I hope this won't turn into a discussion of how important VPNs are to everyone life, which I will grant you is very probably the case. I think I looked into the VPN thing and wasn't there a certificate you would have to get and maintain? And doesn't the switch/router have to be capable and configured? That made it not worth my while to learn any more, given my schedule competing frantically against the vandals of the property I'm protecting requiring very tight change control needs, and other things.)

That local address from socat (and a VPN likely?) also defeats the evil Hikvision 5 minute time limit on rtsp viewing of both my new and old cameras, so I'll edit my OP with that happy news.

 

[alastairstevenson]

My internet traffic has never struck me as being interesting enough to protect beyond the layperson's level.

It's more about the stuff on your LAN, devices and data, potentially accessible from a foothold within it.

 

[Kenneth Anderson]

It's more about the stuff on your LAN, devices and data, potentially accessible from a foothold within it.

It was the probing traffic that really got me riled up to make a tight firewall. I'm not a company that needs to be worried about sniffers. A "foothold" would have to be made by being able to receive traffic they initiate from my system, not just sniff it. Receiving initiated traffic from my system can't can't be done by non-whitelisted addresses, as far as I'm concerned. Believe me, I see probes trying to do it every minute of every day etc.

 

[watchful_ip]

VPNs can use self signed certificates typically.

Additionally, I'm not aware of any 300sec timeout regarding streams, nor a local subnet restriction for web page login. It's likely the camera config or your network config preventing it (not necessarily a bad thing).

Socat will work, but I'd rather use SSH port forwarding to achieve the same thing in a secure and encrypted way especially if you already have a linux server. Works well when I (used to) go on holiday and like to check what's happening at home.

iptables on my linux router specifically blocks outgoing connections from my cameras, as well as them being configured with unreachable gateways.

 

[Kenneth Anderson]

VPNs can use self signed certificates typically.

Additionally, I'm not aware of any 300sec timeout regarding streams, nor a local subnet restriction for web page login. It's likely the camera config or your network config preventing it (not necessarily a bad thing).

Socat will work, but I'd rather use SSH port forwarding to achieve the same thing in a secure and encrypted way.

I have multiple users in the family, each needs flexibility to use the device best suited for the moment, and everyone but me has no patience for setup. Setup is done transparently by an Android app called Onvifer. It knocks ports on launch, and my system uses the knocking to whitelist their current gateway and home address.

That 300 seconds was to expire an unused login to the camera in case it has a user limit. I'm not seeing any success of it, but I don't know that any camera has reached a user limit, either.

 

[watchful_ip]

EDIT: This technique also defeats that evil Hikvision 5 minute time limit viewing live streams off-site.

That's the part I was referring to - I'm not aware this is something implemented by them.

If the other users are using Windows, it's easy enough to just put an icon om their desktop that logs in using keybased authentication and remotely forwards the ports. But I assume you're also talking IOS/Android and though it's possible more of a pain in the rear.

 

[Kenneth Anderson]

That's the part I was referring to - I'm not aware this is something implemented by them.

Do a google search on "hikvision 5 minute". It seems to be meant to pressure users into buying Hikvision NVR products.

 

[watchful_ip]

Yes that's Hik Connect an external streaming/management platform (which I wouldn't touch with a barge pole) - not the cameras themselves. Viewing the cameras directly locally or remotely has no timeout I know of.

 

[Kenneth Anderson]

Yes that's Hik Connect (which I wouldn't touch with a barge pole) - not the cameras themselves. Viewing the cameras directly locally or remotely has no timeout I know of.

Oh but they sure do with plain port forwarding or even DNAT, the old ones, at least. They've always timed out for me at 4:59, 5:00 or 5:01. Now I am so smiling to be free from that.

 

[watchful_ip]

I think the bigger benefit is that Hikvision no longer have access to your cameras and potentially your LAN via them.

I like Hikvision cameras, but I wouldn't trust them a tithe of that level of access.

 

[Kenneth Anderson]

I think the bigger benefit is that Hikvision no longer have access to your cameras and potentially your LAN via them.

I like Hikvision cameras, but I wouldn't trust them a tithe of that level of access.

Yes, you have the main point there!!!!!!!

 

[Securame]

That 300 seconds was to expire an unused login to the camera in case it has a user limit. I'm not seeing any success of it, but I don't know that any camera has reached a user limit, either.

I guess I didn't pay any attention to the "PLUS defeat 5 min limit" on the thread subject.

That 300 sec limitation you are talking about; I think you are referring to what happens when you are live viewing using P2P/Hik-connect, with no open ports. Since the traffic gets sent through Hikvision's network (AWS I think, or whatever it is, and they probably get billed for the traffic) it times out at 5 minutes.

With VPN, fixed IP/DDNS, open ports, and so on, there is no 5 minutes limitations, you can be watching feeds forever..

 

[Kenneth Anderson]

That 300 sec limitation you are talking about; I think you are referring to what happens when you are live viewing using P2P/Hik-connect, with no open ports. Since the traffic gets sent through Hikvision's network (AWS I think, or whatever it is, and they probably get billed for the traffic) it times out at 5 minutes.

With VPN, fixed IP/DDNS, open ports, and so on, there is no 300 seconds limitations, you can be watching feeds forever..

The 300 in the socat command was arbitrarily chosen by me. I see now that it lends itself to getting confused with the evil 5 minute Hikvision rtsp stream time limit. My bad for the confusion.

 

[Securame]

The 300 in the socat command was arbitrarily chosen by me. I see now that it lends itself to getting confused with the evil 5 minute Hikvision rtsp stream time limit. My bad for the confusion.

That's what I was saying on my previous post; there is no "evil 5 minute Hikvision rtsp stream time limit". At least having used hundreds of Hikvision IPCs and NVRs I have never seen it, I have only heard of that when using P2P.

 

[Kenneth Anderson]

The way you see this is:

• DON'T allow your cameras to contact momma,
• request an rtsp connection DIRECTLY between it and an external IP address.

When the camera realizes it is being asked to stream to an external address but can't communicate with COMMUNIST MOMMA COMPANY, it enforces the EVIL 5 minute time limit.

OH. I thought P2P was some kind of product. Now I see it simply means peer-to-peer, like I describe above. My bad. I would call that "P2P mode"

 

[Securame]

When the camera realizes it is being asked to stream to an external address but can't communicate with COMMUNIST MOMMA COMPANY, it enforces the EVIL 5 minute time limit.

I am not sure I follow you. But there is no 5 minute time limit when streaming to an external IP address. I can stream perfectly from remote Hikvision devices, be it on the web interface, or with VLC over the RTSP port.

Never had a problem with IP and open ports; only seen that 5 minute time out you are referring to when streaming over P2P (no configuring needed at all, no known IP, no open ports, etc).

 

[Kenneth Anderson]

I am not sure I follow you. But there is no 5 minute time limit when streaming to an external IP address. I can stream perfectly from remote Hikvision devices, be it on the web interface, or with VLC over the RTSP port.

Never had a problem with IP and open ports; only seen that 5 minute time out you are referring to when streaming over P2P (no configuring needed at all, no known IP, no open ports, etc).

I'm learning from you. Let's compare our setups. Mine is a headless (CLI) Linux re-purposed server with one of the interfaces connected to the Internet - a ISP-owned cable modem that puts an external IP address on the server. The other interface is intranet centered around a simple re-purposed switch (not capable of VPN, to my knowledge). A re-purposed PoE switch besides this connects all my re-purposed cams to the simple switch. One camera was bought new (not re-purposed) while I await a lens glass to fix another being dropped.

Installed on the CLI server is free Linux, free iptables for firewalling and forwarding and a bunch of self-written bash scripting acting as NVR. Each camera's high res stream gets recorded 24x7 by ffmpeg daemons, one per cam. The cams also write event files to their home directories, all monitored by a single inotifywait daemon which analyzes the ftp'd files for their quality to justify sending out email notices. Email notices go to one of three recipients lists depending.... The cams support additional logins for users who want to see their streams. Users USED TO log in to the cams via a single DNAT translation & forwarding rule in iptables raw table, but that type of connection would always be time limited to 5 mins. Now that I use socat, I removed the iptables DNAT rules and the cams think they are intranet-connected.

I assume you use fewer re-purposed components in your system or otherwise buy some of them, like NVR software? Maybe even an NVR box? If so, we would obviously have different experiences.

 

[watchful_ip]

That sounds pretty resource intensive given the cameras have motion and intrusion detection, and can easily be interfaced for alerts over protocols like ONVIF. But of course whatever you think works best for you.

I suspect the connection limitation is not caused by the Hikvision cameras in this case. The non local subnet detection and corresponding forced connection drop out by the cameras themselves I think is a red herring. As many have said, streaming from the cameras for hours or days to a public IP is common place.

FYI I myself use Linux as a router between public WAN and private LAN using iptables, NAT etc.

You might want to check the below command on your linux router

sysctl -a 2>/dev/null | grep -e "net.* 300$"