Help securing IP cameras

I have OpenVPN installed on the Raspberry Pi, to be able to connect when I'm away from home.
After using the current setup I noticed a problem.
I have port forward in my main router (to forward traffic from the internet into the Raspberry Pi).
When I connect to the VPN and try to view the cameras, there is a major delay, before (using vlans) I got at least 1 frame per second, now I get 1 frame each 5 seconds.
Does it make sense?
VPN is connected to: 192.168.100.134 (but it uses another interface, 10.8.0.1)
In my IP camera app, I connect to: 192.168.100.5:554
Which is forwarded to: 192.168.101.108:554

rpi@ipr:~ $ ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.134  netmask 255.255.255.0  broadcast 192.168.100.255
        ether xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 10062146  bytes 9797851884 (9.1 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 8753935  bytes 8499455661 (7.9 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.134  netmask 255.255.255.0  broadcast 192.168.100.255
        ether xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 77  bytes 13260 (12.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.101.134  netmask 255.255.255.0  broadcast 192.168.101.255
        ether xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 6366121  bytes 8869419356 (8.2 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2429713  bytes 174371915 (166.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 33627  bytes 47150718 (44.9 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 33627  bytes 47150718 (44.9 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 12593  bytes 837806 (818.1 KiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 25065  bytes 33655353 (32.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Yes... OpenVPN is quite inefficient. Try using Wireguard.

I will try that, but openVPN used to work well for me for a while.

I'd be happy to try to answer why you are experiencing lower performance now, but I'd need to understand the configuration you had previously in order to compare.

One thing you could try would be to connect directly to 192.168.101.108 from your Pi -- that assumes that your Pi has an address on that subnet (per your drawing, it would, but you obviously need to have set the Pi to work with that tagged network).

The configuration I had:

  1. Before having vlans, the NVR was on the same vlan as the Raspberry Pi - good, at least 1 FPS (but this is not a secure setup, I cannot have the NVR on my main network).
  2. Using two vlans and using socat that runs on the Raspberry Pi to allow me to forward traffic from the Pi to the NVR (this is inefficient, but easy for me to configure). Command used:
p=554
sudo socat "TCP-LISTEN:$p,fork" "TCP4:192.168.101.108:$p" &>/dev/null &

This gave good performance, at least 1 FPS (used the Raspberry Pi, to forward from Vlan 1 to Vlan.

  3. Using 2 vlans with a forwarding rule from vlan 1 to vlan 4 (uses the TP-Link 1043 to forward from vlan 1 to vlan 4).
    Getting 0.2 FPS, sometimes a bit better.

Since your Pi has an address on the '101' subnet, you should be able to connect to the NVR without any other tricks... just simply point the remote browser/app to the NVR's native address (you may need to make sure that the right routes are setup within the context of OpenVPN, but it should 'just work' once configured).

Seems this is more of an OpenVPN problem than an OpenWrt one, so I don't have high hopes here.
Tried to connect using the 101 address, it didn't connect at all (while on VPN).
Tried to setup routes in openVPN, it didn't work (probably configured it wrong).
Added this to the openVPN client config:

route 192.168.101.0 255.255.255.0 192.168.101.1

I will try later to do a fresh install of OpenVPN, or maybe WireGuard; it may work, since when I installed OpenVPN I only had 1 vlan.

This route won't do anything because the gateway is part of the target network. The problem is that your remote end doesn't know how to reach that network in general. If it knew how to reach 192.168.101.1, it would also know how to get to other hosts on that network.

In theory, if your OpenVPN server knows the route to that network, all you need to do is tell the client side that there is a route to that network via the OpenVPN tunnel. In my case, I've done this as a push from the server...

	list push 'route 192.168.101.0 255.255.255.0'
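As an added illustration of the routing point made above (not code from the thread or from OpenVPN), the script below statically checks the two things that decide whether a VPN client can reach a host on the server's second VLAN: whether anything sends the target into the tunnel on the client side, and whether the server actually sits on the target's subnet. The sample configs and interface addresses are constructed from the snippets quoted in this thread.

```python
"""Static reachability check for a road-warrior OpenVPN client and a LAN host."""
import ipaddress

# Constructed sample input, trimmed from the configs quoted in the thread.
SERVER_CONF = """
dev tun
topology subnet
server 10.8.0.0 255.255.255.0
push "dhcp-option DNS 1.1.1.1"
push "redirect-gateway def1"   # all client traffic enters the tunnel
client-to-client
"""
CLIENT_CONF = """
client
dev tun
remote my-host-name.no-ip.biz 62520
route 192.168.101.0 255.255.255.0 192.168.101.1
"""
# Addresses the server holds on its LAN interfaces (eth0 and eth0.4 in the thread).
SERVER_LAN_IFACES = ["192.168.100.134/24", "192.168.101.134/24"]


def parse_directives(conf):
    """Yield (keyword, args) per config line, dropping comments and quotes."""
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].replace('"', "").replace("'", "").split()
        if line:
            yield line[0], line[1:]


def diagnose(server_conf, client_conf, target_ip, server_lan_ifaces):
    """Report which side (client routing or server forwarding) can still block the target."""
    target = ipaddress.ip_address(target_ip)
    server = list(parse_directives(server_conf))
    client = list(parse_directives(client_conf))
    pushed = [a for k, a in server if k == "push" and a]
    redirect = any(a[0] == "redirect-gateway" for a in pushed)
    pushed_nets = [ipaddress.ip_network(f"{a[1]}/{a[2]}", strict=False)
                   for a in pushed if a[0] == "route" and len(a) >= 3]
    client_routes = [(ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False), a[2] if len(a) > 2 else None)
                     for k, a in client if k == "route" and len(a) >= 2]
    # A client route whose gateway sits inside the destination network does nothing:
    # the client cannot reach that gateway without already having a route to the network.
    noop = [f"{n} via {gw}" for n, gw in client_routes if gw and ipaddress.ip_address(gw) in n]
    usable = [n for n, gw in client_routes if not (gw and ipaddress.ip_address(gw) in n)]
    tun = next(ipaddress.ip_network(f"{a[0]}/{a[1]}", strict=False) for k, a in server if k == "server")
    covers = redirect or any(target in n for n in pushed_nets + usable)
    on_subnet = any(target in ipaddress.ip_interface(i).network for i in server_lan_ifaces)
    checks = []
    if not covers:
        checks.append(f"nothing sends {target_ip} into the tunnel: push a route for its subnet from the server")
    elif on_subnet:  # client side is fine; what is left is forwarding on the server
        checks.append(f"check net.ipv4.ip_forward=1 on the server and a return route from {target_ip} to {tun} (or NAT)")
    return {"tunnel_net": str(tun), "client_route_noop": noop, "tunnel_covers_target": covers,
            "server_on_target_subnet": on_subnet, "next_checks": checks}
```

For the thread's configuration the client already sends everything into the tunnel because of redirect-gateway, so the remaining suspects are on the Pi: IP forwarding and a return path from the NVR's VLAN to 10.8.0.0/24.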

Tried adding

push 'route 192.168.101.0 255.255.255.0'

To:

/etc/openvpn/server.conf

Still cannot reach vlan 4 from the VPN (unless using the forwarding rules, which are slow on VPN).

Is OpenVPN running on the Pi? If so, let's see the server and client configs.

Yes, OpenVPN is running on the Pi.
ifconfig of the openVPN server:

$ ifconfig 
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.134  netmask 255.255.255.0  broadcast 192.168.100.255
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 11383813  bytes 11228728306 (10.4 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 9725280  bytes 9106050938 (8.4 GiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.100.134  netmask 255.255.255.0  broadcast 192.168.100.255
        ether xx:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 77  bytes 13260 (12.9 KiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0.4: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 192.168.101.134  netmask 255.255.255.0  broadcast 192.168.101.255
        ether x:xx:xx:xx:xx:xx  txqueuelen 1000  (Ethernet)
        RX packets 7017855  bytes 9689568380 (9.0 GiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 2772267  bytes 198973673 (189.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 46764  bytes 73616489 (70.2 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 46764  bytes 73616489 (70.2 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

tun0: flags=4305<UP,POINTOPOINT,RUNNING,NOARP,MULTICAST>  mtu 1500
        inet 10.8.0.1  netmask 255.255.255.0  destination 10.8.0.1
        unspec 00-00-00-00-00-00-00-00-00-00-00-00-00-00-00-00  txqueuelen 100  (UNSPEC)
        RX packets 141230  bytes 8436671 (8.0 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 279082  bytes 376217067 (358.7 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

OpenVPN server config:

$ cat /etc/openvpn/server.conf
dev tun
proto udp
port 1194
ca /etc/openvpn/easy-rsa/pki/ca.crt
cert /etc/openvpn/easy-rsa/pki/issued/pi_6fbc7844-cb90-4e3c-8fa1-6bc03c2c59d5.crt
key /etc/openvpn/easy-rsa/pki/private/pi_6fbc7844-cb90-4e3c-8fa1-6bc03c2c59d5.key
dh none
ecdh-curve prime256v1
topology subnet
server 10.8.0.0 255.255.255.0
# Set your primary domain name server address for clients
push "dhcp-option DNS 1.1.1.1"
push "dhcp-option DNS 1.0.0.1"
# Prevent DNS leaks on Windows
push "block-outside-dns"
# Override the Client default gateway by using 0.0.0.0/1 and
# 128.0.0.0/1 rather than 0.0.0.0/0. This has the benefit of
# overriding but not wiping out the original default gateway.
push "redirect-gateway def1"
client-to-client
client-config-dir /etc/openvpn/ccd
#keepalive 15 120
remote-cert-tls client
tls-version-min 1.2
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-CBC
auth SHA256
user openvpn
group openvpn
persist-key
persist-tun
crl-verify /etc/openvpn/crl.pem
status /var/log/openvpn-status.log 20
status-version 3
syslog
verb 3
#DuplicateCNs allow access control on a less-granular, per user basis.
#Remove # if you will manage access by user instead of device. 
#duplicate-cn
# Generated for use by PiVPN.io

openVPN client config:

$ cat PC.ovpn
client
dev tun
proto udp
remote my-host-name.no-ip.biz 62520
resolv-retry infinite
nobind
remote-cert-tls server
tls-version-min 1.2
verify-x509-name pi_6fbc7844-cb90-4e3c-8fa1-6bc03c2c59d5 name
cipher AES-256-CBC
auth SHA256
auth-nocache
verb 3
# cert & keys omitted from this line until EOF

I'm not seeing anything terribly interesting there (except for the lack of the push directive)... but there is one curiosity -- it looks like eth0 and eth0.1 both have the same address. I wouldn't think that would work properly. You might want to look into that.

Is this Pi running OpenWrt, too? Or is it something else (like Raspberry Pi OS)?

About eth0 and eth0.1. You are right, I will fix that, probably my vlan configuration on the Pi needs some adjustments.
I removed the push directive from the openVPN server config (since it didn't make a difference).
The Pi is running Raspberry Pi OS (Raspbian 10).

This topic was automatically closed 10 days after the last reply. New replies are no longer allowed.