VPN and multiple cameras at multiple sites

jwadsley

Getting the hang of it
Joined
Dec 18, 2020
Messages
191
Reaction score
45
Location
California
Need some help wrapping my head around this.

If I have three sites, and multiple cameras at each site, right now I've got ports forwarded in my router which I know isn't the safest thing (10+ years of IT knowledge here)

My family uses these cameras to "see what is out there" at our vacation home. I would like to drop my forwarding in favor of a VPN but have some concerns.

1. I assume I would need three individual VPN servers at each of the homes to make this work
2. I would need VPN client software for every device (computer, phone, tablet) that wants to view the cameras at each of the three locations.
3. I would need to VPN in every time I wanted to view the cameras at the other two locations, and then turn off VPN when not wanting to view
4. My parents are in their 70's and 80's and I just can't see them figuring out how to use VPN to access the cameras. Right now the web interface is easy as they just click on the link and it takes them to the camera of their choice, at the home of their choice

Thoughts / suggestions / corrections in my thinking?
 

user8963

Known around here
Joined
Nov 26, 2018
Messages
1,465
Reaction score
2,315
Location
Christmas Island
you need only one vpn server and have to add any device as user.. if the users can communicate with each other, it should be no problem to make it possible.

but...

you need good internet connection (upload) and hardware which can handle multiple vpn connections.. you also need to configure that only the needed internal traffic goes through the vpn, nothing more.


also you can just set it up that the vpn connection is connected anytime. on android you can pause the vpn connection if your screen is blank and auto restart on wake up to avoid battery fast draining. on windows you can also just let it connected. if only the internal traffic is transferred, there is no need for disconnect. it will eat a bit from cpu when running, but it's acceptable.
 

jwadsley

Why would you not need 3 VPN servers, one at each location? How can a device at home A know you want to connect to it when you are at Home B using the VPN server at home C?
 

SouthernYankee

IPCT Contributor
Joined
Feb 15, 2018
Messages
5,170
Reaction score
5,320
Location
Houston Tx
Get three routers that support OpenVPN, like an ASUS router (there are others). The routers are set up as VPN servers. You use the OpenVPN client software on all the phones, laptops and PCs.

I have short cuts on the phone to open the appropriate VPN and have short cuts to open the appropriate BI computer. You can write scripts to do this in one short cut for each site. I use BI so I connect to one device at each site to view the current cameras there.

Note I am 72 and wife is 75. Not a problem. My wife uses the cameras to show people what the dogs are doing or what art project she is currently working on.


Another way to do this (I have not done it this way) is to have the three sites set up as one network, and use the permanent VPN between the three sites.
 

user8963

> Another way to do this (I have not done it this way) is to have the three sites set up as one network, and use the permanent VPN between the three sites.

You just need ONE VPN Server and connect any device (laptop,mobile and also NVR/BI) as CLIENT to the server. It's possible that any device can communicate with each other in the private network. There is also an openvpn function that is called "client-to-client" which helps to reduce cpu usage (and/or bandwidth) of the vpn server. you just have to understand the vpn server as a router... then you will understand. i don't see the point of running 3 servers lol. if you want that some users only see 1 client (i.e. one particular nvr) then you can just drop all traffic to the other clients for this user in the firewall. no problem...

if you dont have good internet connection (50-100mbit upload) it might be a problem for the vpn server to handle the traffic... you can also rent a VPS and put the vpn server on ...

also asus routers (and others) get fast to their limit because they have only slow cpus and mostly no supported aes-ni cpu.

it might be a bit difficult if you set up it the first time because of all the firewall configuration for safety...


read:
OpenVPN client-to-client for basic understanding

and

 

looney2ns

IPCT Contributor
Joined
Sep 25, 2016
Messages
15,606
Reaction score
22,833
Location
Evansville, In. USA
> You just need ONE VPN Server and connect any device (laptop,mobile and also NVR/BI) as CLIENT to the server. It's possible that any device can communicate with each other in the private network. There is also an openvpn function that is called "client-to-client" which helps to reduce cpu usage (and/or bandwidth) of the vpn server. you just have to understand the vpn server as a router... then you will understand. i don't see the point of running 3 servers lol. if you want that some users only see 1 client (i.e. one particular nvr) then you can just drop all traffic to the other clients for this user in the firewall. no problem...
>
> if you dont have good internet connection (50-100mbit upload) it might be a problem for the vpn server to handle the traffic... you can also rent a VPS and put the vpn server on ...
>
> also asus routers (and others) get fast to their limit because they have only slow cpus and mostly no supported aes-ni cpu.
>
> it might be a bit difficult if you set up it the first time because of all the firewall configuration for safety...
>
> read:
> OpenVPN client-to-client for basic understanding
>
> and

On a smart phone, you can set up the app Tasker to start the VPN when needed.
Even without, you can set up shortcuts in OpenVPN client, to use to open the VPN, then start your viewing app.
That's how my wife and I do it. Takes two seconds to establish, when needed.

That depends on what locations need to connect to the other locations. My Asus AC1900 handles multiple VPN connections just fine.
It also depends on what method they are using to connect, phone, tablet, computer etc.
If they are only connecting from home then each location can have a router, with openvpn installed. Then create a full time VPN connection between each site.
My OpenVPN worked just fine when I only had 2up and 10 down.
You just have to be mindful of how much resolution is good enough.
VPN Primer for Noobs | IP Cam Talk
Randy : OpenVPN on a Asus router
How to Secure Your Network (Don't Get Hacked!) | IP Cam Talk
 
Joined
May 1, 2019
Messages
2,215
Reaction score
3,504
Location
Reno, NV
I have never dabbled with it myself... nor do I know of any security concerns, good or bad. But Ubiquiti does this with their routers, no? It's a cloud setup but so far I have not heard evil things about it such as hacking or being unstable. How do their routers talk to each other? Unknown. Is it a security risk? Unknown.
I would always recommend VPN as the final easiest answer. But did want to toss out other possibilities.
 
Joined
Aug 3, 2015
Messages
3,820
Reaction score
12,273
Location
Charlotte
FYI, FWIW, I just set up PiVPN on an older Pi3B for a small business client (this past weekend). PiVPN firmware for the Pi and OpenVPN GUI for Windows have improved INCREDIBLY since a year or two ago. Total piece of cake to set up, unlike fighting with Asus's firmware implementations. I have RT-AC86U and other Asus routers and they've all been problematic where VPN was concerned. :(
 

user8963

You can use asus routers, for sure... some models have better cpus, so they can handle more speed. the "budget" models can handle about 20-30mbit max on openvpn in total (!).

i would suggest to use asus routers only as client and use a cheap AMD GX-415GA "thin client" as pfsense-vpn-server (needs at least 2 network interfaces). you only need a "client-bridge" device, if you are using an NVR (or similar). if you are using a windows server (Blueiris) you can just use OPENVPN client for windows on the blueiris machine !

so you have 1 server and connect any asus router as client to the server ... i dont see any problem.
you just have to enable one vpn connection to the server on any mobile,laptop etc. and you can reach all locations at the same time with one vpn connection.

 

jwadsley

> FYI, FWIW, I just set up PiVPN on an older Pi3B for a small business client (this past weekend). PiVPN firmware for the Pi and OpenVPN GUI for Windows have improved INCREDIBLY since a year or two ago. Total piece of cake to set up, unlike fighting with Asus's firmware implementations. I have RT-AC86U and other Asus routers and they've all been problematic where VPN was concerned. :(

I think this would be the way I would go. If I only need one VPN client like everyone is telling me, then this seems easiest, I can just keep it at my home.

I would be interested in hearing more about how this was setup and what your use case was, etc...
 

user8963

@jwadsley

please make sure that you understand what a CLIENT and a SERVER is for.

MANY here just have one location (aka home) to which they connect. That's why there are many tutorials for this situation.

you have 3 locations and want only one vpn connection of the access device (aka mobile phone). It's a different situation, there are no tutorials. you have to think yourself
 

biggen

Known around here
Joined
May 6, 2018
Messages
2,563
Reaction score
2,837
There are lots of ways to skin a cat. I'd probably use site-to-site VPNs that are configured through the routers. That way, the routers maintain the connections between all sites and don't rely on the end user to do anything but be connected on one of the LANs either wired or wirelessly. If you then want to connect from offsite, then you would have to use another VPN (Wireguard, OpenVPN). That one server could be hosted anywhere in any of the sites. It could be as simple as a RPi, a physical computer, or even a VM. Depending on how configurable the VPN software is that is built into the routers you are using, perhaps even one of them could be used as the "call in" VPN router to handle that.
 
Joined
Aug 3, 2015
Messages
3,820
Reaction score
12,273
Location
Charlotte
> I think this would be the way I would go. If I only need one VPN client like everyone is telling me, then this seems easiest, I can just keep it at my home.
>
> I would be interested in hearing more about how this was setup and what your use case was, etc...

The client is a small business association with members distributed all throughout the state. Their board of directors also lives all throughout the state. VPN allows me (as their IT consultant) to dial into the office instead of driving two hours to the office. It also allows their board of directors to drop and review member files from their file server.

PiVPN was as easy as downloading the RaspberryPi OS (Raspbian) and writing it to an SD card for the Pi. Setting up the Pi on their network, I used PuTTY to login, 'sudo su -' to become the root user, and the curl command from PIVPN: Simplest way to setup a VPN to download, install, and configure the PiVPN software. Then it was using the 'pivpn add' command to create filename.ovpn files for each of their members who need to VPN into the office.

Because the office has a dynamically-assigned IP address, and it's bound to change at some point, I created a DuckDNS DNS node name for their office. It's a nonsense string of several upper and lower case characters, not prone to being guessed or associated with their association. Using this nodename during the 'pivpn add' commands embeds that DNS node name inside the .ovpn files.
 

jwadsley

> The client is a small business association with members distributed all throughout the state. Their board of directors also lives all throughout the state. VPN allows me (as their IT consultant) to dial into the office instead of driving two hours to the office. It also allows their board of directors to drop and review member files from their file server.
>
> PiVPN was as easy as downloading the RaspberryPi OS (Raspbian) and writing it to an SD card for the Pi. Setting up the Pi on their network, I used PuTTY to login, 'sudo su -' to become the root user, and the curl command from PIVPN: Simplest way to setup a VPN to download, install, and configure the PiVPN software. Then it was using the 'pivpn add' command to create filename.ovpn files for each of their members who need to VPN into the office.
>
> Because the office has a dynamically-assigned IP address, and it's bound to change at some point, I created a DuckDNS DNS node name for their office. It's a nonsense string of several upper and lower case characters, not prone to being guessed or associated with their association. Using this nodename during the 'pivpn add' commands embeds that DNS node name inside the .ovpn files.

This seems to track with what I'm reading on other sites. Thank you.

Is this just for one office, or how do board members in other states connect to Office B?

In my case, I don't see how I wouldn't need a VPN server at each of my homes, as the web cameras are tied into three completely separate networks...
 

jwadsley

> @jwadsley
>
> please make sure that you understand what a CLIENT and a SERVER is for.
>
> MANY here just have one location (aka home) to which they connect. That's why there are many tutorials for this situation.
>
> you have 3 locations and want only one vpn connection of the access device (aka mobile phone). It's a different situation, there are no tutorials. you have to think yourself

Your responses haven't been very clear or very helpful. I've explained several times now what my use case scenario is...this is why I'm thinking a VPN might not work the best for me for three different sites.....
 

user8963

It's hard to tell you, because i am speaking with a wall ... last time i will reply here, it's too time consuming

I am talking about this:

vpn1.jpg

everyone else is talking about this:

vpn2.png



if anything wrong, correct me. nobody is perfect.

again: this is for private home cheap use. if you connect a whole network to a vpn server(aka using one client as gateway) and make some fancy static routes, there can be cases where you get in trouble because the vpn server/other gateways dont have all information in the routing table. no prob if only ONE device (NVR) is a client. there are many enterprise products for these scenarios which costs $$$$$$$$$$$$$$$$$$$$$.
 

jwadsley

> It's hard to tell you, because i am speaking with a wall ... last time i will reply here, it's too time consuming
>
> I am talking about this:
>
> View attachment 95143
>
> everyone else is talking about this:
>
> View attachment 95142
>
> if anything wrong, correct me. nobody is perfect.
>
> again: this is for private home cheap use. if you connect a whole network to a vpn server(aka using one client as gateway) and make some fancy static routes, there can be cases where you get in trouble because the vpn server/other gateways dont have all information in the routing table. no prob if only ONE device (NVR) is a client. there are many enterprise products for these scenarios which costs $$$$$$$$$$$$$$$$$$$$$.

You don't have to be a jerk about it...a lot of people on this forum are nice. some seem high strung. Sorry my questions are so time consuming, maybe you should let someone else take a shot at it.

Your top diagram is along the lines of what I want, however I will not be using an NVR, I will be using individual cameras at each of the three locations...
 

The Automation Guy

Known around here
Joined
Feb 7, 2019
Messages
1,408
Reaction score
2,796
Location
USA
I agree with Biggen and user8963 about the use of "site to site" VPN tunnels.

There are two steps that you need to do to make this as easy as possible for your users. First, establish "site to site" VPN tunnels from your house (VPN server running on a router/firewall) to the other locations you have cameras at (VPN client running on a router/firewall at each site). This will allow you from your house to "see" any device connected at any of the sites (home or remote sites). These tunnels will be operational 24/7. Once they are set up, there is nothing that needs to be logged into or changed or maintained. As long as you have internet at the sites, the sites will be connected. If you lose internet at either end, the connection will automatically come back online whenever the internet service is restored. I've done this between my parents' house and my house and it works great. (We use it to be able to back up important data "offsite" by sending the backups to the other location through the tunnel. The "offsite" storage locations simply appear as networked drives available on both networks.)

Second, you need to set up another VPN server at your home that will be used for people to connect to while away from the house to view devices on the network. Keep in mind that devices at the remote sites will appear as regular devices on the home network because of the site to site tunnels, so you will be able to view everything at the remote site as if it was a device on the home network. This is how you can get away with using just one VPN setup for people to be able to log into your home network and view devices at all the remote sites too.

The only potential downside to this setup is that it requires internet to be working at all the locations. If the internet is working at the remote sites, but not at your home, you will lose the ability to view the remote sites. You might want to create "backup" VPN connections (i.e. have the remote site run a VPN server on the router in addition to the VPN client) that you can use to connect directly to each remote site while away from home in case this happens. You don't need to let everyone have access to these backup connections (just to cut down on the confusion factor), but you'll know they are there and be able to access them in a situation where the home internet goes down.

Hopefully that makes sense.
 
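
The layout described in the post above (home as the OpenVPN server, remote-site routers as permanent clients, roaming devices dialling into home), as an added example that is not part of the original thread: a Python script that refuses overlapping LANs and emits the OpenVPN routing directives for the server and for each site router. The site names, certificate common names and subnets are constructed assumptions.

```python
import ipaddress

# Constructed plan (assumption): home runs the OpenVPN server; each remote
# router connects as a client whose certificate common name is the dict key.
TUNNEL = "10.8.0.0/24"
HOME_LAN = "192.168.10.0/24"
REMOTE_SITES = {"cabin-router": "192.168.20.0/24",
                "parents-router": "192.168.30.0/24"}


def check_plan(tunnel, home_lan, remote_sites):
    """Return overlap conflicts; routed site-to-site needs unique subnets."""
    nets = {"tunnel": tunnel, "home": home_lan, **remote_sites}
    parsed = {name: ipaddress.ip_network(cidr) for name, cidr in nets.items()}
    names = sorted(parsed)
    return [f"{a} ({parsed[a]}) overlaps {b} ({parsed[b]})"
            for i, a in enumerate(names) for b in names[i + 1:]
            if parsed[a].overlaps(parsed[b])]


def dotted(cidr):
    """'192.168.20.0/24' -> '192.168.20.0 255.255.255.0' (OpenVPN syntax)."""
    net = ipaddress.ip_network(cidr)
    return f"{net.network_address} {net.netmask}"


def render(tunnel, home_lan, remote_sites):
    """Return (server.conf routing lines, {common_name: ccd file body})."""
    conflicts = check_plan(tunnel, home_lan, remote_sites)
    if conflicts:
        raise ValueError("; ".join(conflicts))
    server = [
        f"server {dotted(tunnel)}",
        "topology subnet",
        "client-config-dir ccd",
        # Split tunnel: only camera LANs are pushed, no redirect-gateway.
        # client-to-client is left out so traffic between clients is
        # forwarded by the server's kernel, where its firewall can filter it.
        f'push "route {dotted(home_lan)}"',
    ]
    ccd = {}
    for common_name, lan in sorted(remote_sites.items()):
        server.append(f"route {dotted(lan)}")           # server kernel -> tunnel
        server.append(f'push "route {dotted(lan)}"')    # advertise to clients
        ccd[common_name] = f"iroute {dotted(lan)}\n"     # client that owns LAN
    return "\n".join(server) + "\n", ccd


if __name__ == "__main__":
    conf, ccd = render(TUNNEL, HOME_LAN, REMOTE_SITES)
    print(conf)
    for name, body in ccd.items():
        print(f"# ccd/{name}\n{body}")
    # Typical failure: every site still on the same factory-default subnet.
    print(check_plan(TUNNEL, "192.168.1.0/24", {"cabin-router": "192.168.1.0/24"}))
```

The generated lines assume IP forwarding is enabled on the server and that each site router is the default gateway for its cameras, so replies find their way back into the tunnel.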
Joined
Apr 26, 2016
Messages
1,090
Reaction score
852
Location
Colorado
I have multiple sites, and a persistent site-to-site VPN combined with on-demand VPN (for use while traveling on random wifi hotspots to boost security).

Before we go that route:
  • do you need to monitor the multiple sites all the time or only occasionally (i.e. "check on them" like before and after a major storm)?
  • do you have adequate remote site upload speed to handle streaming camera video (I only get about 2FPS on 3 cameras over 3Mb upload), figure out the upload speed for each remote site. (download doesn't matter for this use case, the cameras video streams will be going "up" via this internet connection).
  • do you have adequate download speed to handle receiving the streams from all sites without drastically degrading your local performance for Netflix etc. (i.e. if 3 remote sites are streaming 10 Mb each, can you absorb the constant consumption of 30 Mb on your download pipe at the "local" or "central" location)?
  • can you put equipment at each site (I recommend each remote site is an OpenVPN server, and your central site "connects" to them as a client). I use an ASUS router, and it's been up for two years even through multiple storms and power outages it has recovered. I haven't tried PiVPN so unsure how reliable it would be, which is paramount concern for me as the site is 1000 miles from my "local" location.
  • do you have some system at the local site that can act as OpenVPN client and make the persistent connection.
For upload speed you might have to do a speed test from the site, as some providers have gotten clever about hiding this detail from subscribers (like Comcast offers "1200 Speed Internet", which only tells you the max download speed, and probably has something pathetic like 30-50Mb upload).

If you had "25/5 cable internet", you have an asymmetrical 25 Mbit download and 5Mbit upload (5Mb would be the important number). Almost 100% of the time the smaller number is the upload bandwidth. If you happen to have a symmetrical 10Mb, 100Mb, or 1000Mb connection then you have the same speed in both directions (theoretically). I have had both asymmetrical fiber (10/3 & 50/30) and symmetrical fiber (1000/1000).
 