Switching from VPN to Port Forwarding.

nuraman00

Getting the hang of it
Joined
Aug 6, 2017
Messages
348
Reaction score
14
I had a VPN set up for my cameras since 2018. However, OpenVPN has recently complained that the HMAC Authentication wasn't secure enough. I tried changing it from SHA1 to SHA256, but got the same error after exporting the new .ovpn file.

Next, I tried configuring port forwarding.

I did it for ports 80 and 37777.

However when I go to my gdmss app and switch to mobile data on my phone, it won't connect.


Any suggestions?

How can I remotely view my cameras again, either via a correct VPN configuration, or port forwarding?

My router is an Asus RT-AC86U.
 

bigredfish

Known around here
Joined
Sep 5, 2016
Messages
17,504
Reaction score
48,722
Location
Floriduh
Not that you should be using port forwarding, but... you know when using port forwarding outside of your home network (mobile data, no wifi) you will need to use the external WAN IP address of your home to reach the NVR, NOT 192.168.50.X which you can't reach from outside your Wifi...
 

bp2008

Staff member
Joined
Mar 10, 2014
Messages
12,678
Reaction score
14,030
Location
USA
I'd suggest using wireguard instead of OpenVPN then. Asus routers support it basically the same, though you may need to update the router's firmware.

Since you are using a hardware NVR appliance, port forwarding to it is very risky.
 

nuraman00

> I'd suggest using wireguard instead of OpenVPN then. Asus routers support it basically the same, though you may need to update the router's firmware.
>
> Since you are using a hardware NVR appliance, port forwarding to it is very risky.

I can't update my router's firmware. If I tell it to check for updates, it says it can't connect to the Asus server.

If I manually download the firmware and try uploading it from the manual firm upgrade screen, it says the update is unsuccessful.


Do I need to change any VPN settings on my router from what I already have? Or can I install Wireguard and upload the .ovpn file?

These are the settings I have:


I was also able to remotely connect in gdmss using P2P setup. I turned off port forwarding after that worked.
 

bp2008

I really don't know what settings change it would take to get rid of the warning you have now.

Funny that the firmware update won't work. Maybe you got a firmware file for a different hardware revision.

This thread may have a solution to make openvpn work again: Asus OpenVPN Insecure Hash.

I'd also probably want to use 2048 bit encryption and change the encryption cipher to something with "256" in the name but then you'd need to generate new certificates and basically set up from scratch and I doubt it would help your current issue. Just something I'd change if it was me.
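
An added example, not part of the original posts and not Asus or OpenVPN code: a small audit of an exported `.ovpn` profile for the two settings discussed in this thread, the HMAC digest (`auth`) and the data cipher (`cipher`). The sample profile, its hostname and the weak-algorithm lists are assumptions constructed for the example.

```python
import re

# Policy sets are this example's own choice, not taken from the thread.
WEAK_AUTH = {"MD5", "SHA1", "RSA-SHA1"}
WEAK_CIPHERS = {"BF-CBC", "DES-CBC", "DES-EDE3-CBC", "CAST5-CBC", "RC2-CBC"}

def parse_profile(text):
    """Map directive -> list of argument lists; bodies of inline <ca>/<key> blocks are skipped."""
    directives, inline = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if inline:                      # inside an inline block: wait for its closing tag
            if line == f"</{inline}>":
                inline = None
            continue
        tag = re.fullmatch(r"<([\w-]+)>", line)
        if tag:                         # an inline block counts as the directive being present
            inline = tag.group(1)
            directives.setdefault(inline, []).append(["[inline]"])
            continue
        if not line or line[0] in "#;":
            continue
        name, *args = line.split()
        directives.setdefault(name, []).append(args)
    return directives

def audit_profile(text):
    """Return a list of findings about the profile's HMAC digest and cipher settings."""
    d, findings = parse_profile(text), []
    auth_args = d.get("auth", [[]])[-1]
    auth = auth_args[0].upper() if auth_args else None
    if auth is None:
        findings.append("auth not set: OpenVPN defaults to SHA1")
    elif auth in WEAK_AUTH:
        findings.append(f"auth {auth}: weak HMAC digest")
    for key in ("cipher", "data-ciphers", "ncp-ciphers"):
        for args in d.get(key, []):
            for c in ":".join(args).upper().split(":"):
                if c in WEAK_CIPHERS:
                    findings.append(f"{key} {c}: weak 64-bit block cipher")
    if not any(k in d for k in ("tls-auth", "tls-crypt", "tls-crypt-v2")):
        findings.append("no tls-auth/tls-crypt: control channel lacks an HMAC key")
    return findings

# Constructed sample profile (hostname and certificate body are made up).
SAMPLE = """client
dev tun
remote vpn.example.net 1194
cipher BF-CBC
auth SHA1
<ca>
(constructed placeholder, not a real certificate)
</ca>
"""
```

Run `audit_profile(open("client.ovpn").read())` on the file the router exports; an empty list means none of these checks fired, not that the profile is otherwise sound.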
 

nuraman00

> I really don't know what settings change it would take to get rid of the warning you have now.
>
> Funny that the firmware update won't work. Maybe you got a firmware file for a different hardware revision.
>
> This thread may have a solution to make openvpn work again: Asus OpenVPN Insecure Hash.
>
> I'd also probably want to use 2048 bit encryption and change the encryption cipher to something with "256" in the name but then you'd need to generate new certificates and basically set up from scratch and I doubt it would help your current issue. Just something I'd change if it was me.

How do I generate a new certificate? I don't remember how I did it in 2018.

I also saw this on how to update new firmware. I might try it if it looks like it's not going to need a factory reset of the router.


But I'm not sure updating the firmware will help, if the problem is that I need to generate a new certificate.

Also, does it look like my router currently supports Wireguard? Could I use the settings I showed you?
 

bp2008

It is unclear to me if updating firmware will help. Asus's website says:

> WireGuard® is only supported on the firmware version later than 3.0.0.4.388.xxxxx

That is higher than anything available for RT-AC86U so you can't use wireguard on it even if you update.

Whether an update would help with the OpenVPN situation or not, I have no idea. Maybe that would give you a new HMAC Authentication option, maybe it wouldn't. You can probably just turn off the warning as mentioned in that thread I linked, and undo your port forwarding and P2P access, and call it a day.
 

nuraman00

> It is unclear to me if updating firmware will help. Asus's website says:
>
> That is higher than anything available for RT-AC86U so you can't use wireguard on it even if you update.
>
> Whether an update would help with the OpenVPN situation or not, I have no idea. Maybe that would give you a new HMAC Authentication option, maybe it wouldn't. You can probably just turn off the warning as mentioned in that thread I linked, and undo your port forwarding and P2P access, and call it a day.

Upon checking again, you are correct about the latest firmware version for the RT-AC86U.

I re-checked which firmware I had downloaded yesterday. It was the RT-AX86 Series_3.0.0.4_388_24231.

Just now, I went here:


This firmware has RT-AC86U_3.0.0.4_386_51915 as the latest. I must have downloaded the firmware for the wrong model, yesterday.

I tried this one now.

I was able to update the firmware.

As soon as I did, and I logged back into the admin console for the router, it said my certificate was renewed.

This firmware even has a button to renew the certificate! (But it already did it when I logged back into the router, after the firmware upgrade).

Ok, I was able to import this profile into OpenVPN and connect on my tablet. I will try on my phone later today, need to leave soon.

I turned off port forwarding.

Question: What is more preferable, OpenVPN using "legacy" security (which is medium level), or P2P?

What about using OpenVPN using the lowest security, or P2P (in case I had to make a choice between these two?)
 

bp2008

> Question: What is more preferable, OpenVPN using "legacy" security (which is medium level), or P2P?
>
> What about using OpenVPN using the lowest security, or P2P (in case I had to make a choice between these two?)

Good question. Nothing is perfect, but I'd still trust OpenVPN with weak configuration far more than I'd trust the P2P option.

With the P2P route, you are letting your NVR connect to someone else's servers and you can't know what kind of risks that opens you up to. There could be vulnerabilities in the P2P service that a hacker can exploit with little effort to access your system (along with those of many other people). Or the manufacturer could access your system through backdoors they put into it.
 