Setting up a VPN

Ok network gurus… I beseech thee for I am a humble network noob

Just went through the hassle of designing a nice mount l
and buying 3x webcams (because the first 2 got lost and run around) to mount to my 3D printer to monitor and control remotely… not an unusual thing

A raspberry pi controls the show, and I log into it using a local IP

Only to find out that the remote connection tool puts a paywall in front of remote camera access

Motherfucker

My understanding of how local IPs work with outside internet is fuzzy at best

I understand you can buy a static IP from an isp, but that’s probably more expensive than the original paywall

I’ve heard you can do port forwarding, but that it can be insecure?

I don’t really understand this if I’m being honest

The raspberry pi instance requires a login to be able to do anything… I could set a fairly secure login and password for it…. Is there any way to set the port forwarding to ONLY 1 local IP? Thus making it secure?

Pretty much I’d like to be able to do whatever extra work ahead of time to set up a shortcut on my phone… click shortcut… connect to local ip… login… 3D printer UI

Thoughts? Suggestion? Ridicule?

Yes you can port forward just one IP on the local network. My suggestion however is to look and see if your router will let you set up a VPN. That way you can connect to your home network at any time and not have to worry as much about accidentally exposing anything else on the network.

2 Likes

I think it does

I use a paid vpn, but that feels like a different situation

You’re looking for something called a road warrior vpn. It’s similar to a site to site but one end can “roam”

ok yes… tp link AX1800 router supports
vpn client
vpn server
open vpn

so do I need to do a different vpn or can I use the vpn I already pay for? or are they totally different…

I understand how the paid vpn works… mostly … just not in this use case

@ThePolishedTurd if I do port forwarding and set it up… using a non standard port as I’ve seen suggested… and only specify the ip address of my rasp pi… does that still expose the rest of my network?

further network confusion…
if I don’t pay for a static IP, does my IP address regularly change? or is that just if I move or transfer or change services?

I’m leaning towards port forwarding as I can understand “more” of it lol

Probably, depends on how you configure things.

You can use a ddns service to solve this.

Can you explain like I’m… well… me?

If I set up port forwarding, and specify one specific internal ip… how is other stuff exposed?

Depends on the firewall and routing configuration of whatever runs the VPN server.

Port forwarding exposes specific ports of one box to the internet. But if you run a VPN server in your home network, you can configure it to allow you to access said network.

I’d be able to explain things a little better if I knew what you’re trying to do. Are you running a VPN server on your router? Do you have a Raspberry PI?

Couple posts up,
Raspberry pi - octoprint running on local network ip - want to access outside of local directly to avoid webcam paywall from plugin

Let’s focus on just port forwarding first, because everyone keeps adding variations and I don’t know up vs down for half of them

The pi IP address, requires a user and password to access any further… so if someone randomly accesses that IP I’m not worried or at least I don’t think I should be

I don’t want to expose the rest of my network however and I don’t understand why specific allowing access to only the raspberry pi IP address exposes everything else

Worst case if it’s too complicated I’ll just run Remote Desktop and control the web UI on my computer, but that seems a stupid and clunky solution

I have PIA vpn, but I don’t think I can tie it in in this instance… and I don’t want to have multiple vpns and hassle of switching around

It’s better to run a local VPN server on one of the higher ports. I don’t quite trust OctoPrint to be secure but I guess that you could have it available to the internet like you said but be advised that you might end up on shodan.

Ok can you pause and explain what a local vpn is?

I’m getting fairly frazzled

I understand the vpn I currently use, in a nut shell they are my actual connection to the “internet” and they encrypt my traffic between me and them so people like my ISP can’t snoop

How does a local vpn work and or play in to this?

I’m imagining that if my phone is set up to use internet vpn 1… I won’t be able to simultaneously use other vpn 2 to connect to my pi

Should not be this fucking complicated to just log into my own device

I do the same thing with my 3d Printer.

I set up OpenVPN on my TP-Link router
Use the OpenVPN app on my phone to connect to the server on my router.
This makes it like I am connected to my home network even when I’m away so I can log into devices using the internal IP address.

My home internet service generally does not change the external IP, on the odd chance they do I can get the new address.

Over-simplified, but I get the difficulty of understanding of VPN to hide my rear or appear in another country, vs being able to connect to my home network from wherever.

1 Like

Do you run into any issues running a “for the internet” vpn on the same phone?

I have not tried that. I don’t generally run one

Maybe it’s a dumb question but have you double checked that you can actually talk to your cameras in the way that you are thinking you can? Do your cameras support the RTSP protocol? Or are you using some kind of proprietary streaming with the client on your phone to the cameras? If it’s proprietary then it might not work how you think it will. I use EUFY cameras and they’re a little funky. I can enable RTSP protocol on them and that works, but not with the native client. There are just some odd things to go over before planning your network implementation.

1 Like

Please excuse the wall of text, I can get carried away when talking about network stuff, it’s kinda my thing. :sweat_smile:

TL;DR

Option 1: DDNS + OpenVPN; more secure, easy to manage
Option 2: Port Forwarding; less secure, harder to lock down
Other:
Reverse Proxy + CloudFlare WAF; much more advanced, not free, but more flexible
Remote access software (TeamViewer, LogMeIn); free, dead-simple to setup, secure, no port forwarding needed

Option 1

Like @ThePolishedTurd suggested, set up a client-server VPN. I too have a TP-Link router. It couldn’t be simpler to set up and if set up properly, very secure.

First, to avoid the issue of having a dynamic IP address, you can set up DDNS on a TP-Link router as well. Log into your router on a web browser and go to Advanced → Network → Dynamic DNS. You can use NO-IP or DynDNS if you already have an account, but I find that the TP-Link service works just fine. You’ll have to create a TP-Link account or log in if you already have one. Click (+) Register to register a new DDNS address of your choice. Then click on bind and your router will update the DNS record whenever your IP address changes.

Now to set up the OpenVPN server. Go to Advanced → VPN Server → OpenVPN. Check the enable box to turn on the service. You can leave the service port as the default, or if you want to add a little more obscurity, you can select a different port. Enter a subnet and mask that clients that connect to the VPN will be placed in. For example, if you use the default 192.168.1.0/24 subnet for your home network, you could use 192.168.100.0/24 for VPN clients. It could be anything else that you like as well, this is just an example. Make sure Client Access is set to “Internet and Home Network”, otherwise you won’t be able to connect from outside your home network. Click on “GENERATE” to generate a certificate for the VPN. This is what your client will use to authenticate itself to your VPN server. Finally, click on “EXPORT” to download the config file. This will give you an .ovpn file that you import on your client to make connecting easier.

Now we need to edit the config file to use your DDNS instead of your IP address. Open the .ovpn file in a text editor and replace the IP address in the line remote x.x.x.x 1194 with your DDNS address e.g. remote foo.tplinkdns.com 1194. Save the file.

Now you just need to import this config file into the client of your choice, I know android has a client. There are desktop clients as well. I think you can figure that part out. :wink:

Option 2

You can use PAT/port forwarding to allow connections from your public IP address/DDNS to a client on your local network. This is indeed less secure than the VPN route, because by default, anyone on the internet will be able to use the PAT rule. I would strongly recommend using firewall rules to lock this down to known IP addresses, however if you’re using a mobile connection to connect, this can be very difficult, as you’ll never know what IP address you’ll have.

Other

If the cameras have a web interface, and you own a domain, you could set up a WAF on Cloudflare for free and then host a reverse web proxy on your local network. This is what I do, but it’s more advanced and I won’t get into it here.

Also, maybe just look into another remote access software like TeamViewer or LogMeIn? There are lots of great free options out there, that are as simple as installing a program on a host machine, no port forwarding necessary.

Thank you for coming to my TED Talk.

8 Likes
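The .ovpn edit in Option 1 (swap the router's public IP in the `remote` line for the DDNS name, keeping the port) is easy to get wrong by hand if the router was set to a non-default port. The following is an added example written for this thread, not code from any poster or from TP-Link; it assumes the exported profile contains a `remote <host> <port>` line as the post describes, uses a constructed abbreviated profile with a documentation IP address, and takes `foo.tplinkdns.com` from the post's own placeholder.

```python
"""Rewrite the 'remote' line of an exported OpenVPN client profile to a DDNS name."""
import re
from pathlib import Path

# Constructed, abbreviated sample of an exported profile. 203.0.113.7 is a
# documentation address standing in for the router's public IP; the certificate
# body is a placeholder, not real key material.
SAMPLE_OVPN = """client
dev tun
proto udp
remote 203.0.113.7 1194
resolv-retry infinite
nobind
persist-key
persist-tun
<ca>
-----BEGIN CERTIFICATE-----
MIIB...constructed placeholder...
-----END CERTIFICATE-----
</ca>
"""

# 'remote <host> [port [proto]]'; group 1 keeps the keyword and spacing,
# group 2 is the host to replace, group 3 is everything after it (port/proto).
REMOTE_RE = re.compile(r"^(\s*remote\s+)(\S+)(\s.*)?$")


def remote_endpoints(profile_text: str) -> list[tuple[str, str]]:
    """Return (host, rest-of-line) for every 'remote' directive in the profile."""
    found = []
    for line in profile_text.splitlines():
        m = REMOTE_RE.match(line)
        if m:
            found.append((m.group(2), (m.group(3) or "").strip()))
    return found


def rewrite_remote(profile_text: str, ddns_name: str) -> str:
    """Replace the host in every 'remote' line with ddns_name.

    The port and optional protocol after the host are preserved, so a
    non-default service port chosen on the router survives the edit.
    Raises ValueError if the text has no 'remote' line at all, which usually
    means the wrong file was opened.
    """
    out = []
    replaced = 0
    for line in profile_text.splitlines(keepends=True):
        body = line.rstrip("\r\n")
        ending = line[len(body):]          # keep the original line ending
        m = REMOTE_RE.match(body)
        if m:
            body = f"{m.group(1)}{ddns_name}{m.group(3) or ''}"
            replaced += 1
        out.append(body + ending)
    if replaced == 0:
        raise ValueError("no 'remote' line found; is this an OpenVPN client profile?")
    return "".join(out)


def rewrite_profile_file(path: str, ddns_name: str) -> int:
    """Rewrite the profile at `path` in place; returns the number of lines changed."""
    p = Path(path)
    original = p.read_text()
    updated = rewrite_remote(original, ddns_name)
    p.write_text(updated)
    return len(remote_endpoints(updated))


if __name__ == "__main__":
    print(rewrite_remote(SAMPLE_OVPN, "foo.tplinkdns.com"))
```

The client connects by name after this, so the router's DDNS binding is what keeps the profile valid when the ISP changes the public address; nothing else in the profile (certificate, port, protocol) needs to change.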

This is an excellent write up. I also recommend option 1 as that’s how I have my own home network set up for remote management

need a bit more help here… google is failing me

Are you having trouble with the subnets? Can you be more specific on where you’re getting stuck?

I’m staring at the subnet and netmask box…
unsure what to enter… pretty lost

my local network consists of 192.168.0.xxx
my octoprint is 192.168.0.132 (this is larger than 24?)

beyond that I don’t know what I’m doing

1 Like
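The subnet and netmask fields that stalled the thread here, and the "larger than 24?" question, are about prefix length rather than host numbers: `/24` means the first 24 bits of the address identify the network, so `192.168.0.xxx` is the network `192.168.0.0/24` with netmask `255.255.255.0`, and `.132` is simply a host inside it. The block below is an added example using Python's standard `ipaddress` module, not code from any poster or from TP-Link; it takes the home LAN and the OctoPrint address from the thread and the `192.168.100.0/24` client pool from the earlier write-up, and checks that the pool chosen for VPN clients does not overlap the home LAN (the property the earlier post's example relies on).

```python
"""Work out subnet/netmask values for the OpenVPN client pool and check for overlap."""
import ipaddress

# From the thread: the home network is 192.168.0.xxx and OctoPrint sits at .132.
HOME_LAN = ipaddress.ip_network("192.168.0.0/24")
OCTOPRINT = ipaddress.ip_address("192.168.0.132")


def network_of_host(host: str, prefixlen: int) -> ipaddress.IPv4Network:
    """Turn a host address plus prefix length into the network it belongs to.

    strict=False lets ipaddress drop the host bits, so '192.168.0.132'/24
    becomes 192.168.0.0/24 instead of raising ValueError.
    """
    return ipaddress.ip_network(f"{host}/{prefixlen}", strict=False)


def describe(network: ipaddress.IPv4Network) -> dict:
    """Return the values a router form asks for, in both notations."""
    return {
        "subnet": str(network.network_address),   # e.g. 192.168.100.0
        "netmask": str(network.netmask),          # e.g. 255.255.255.0
        "prefixlen": network.prefixlen,           # the '24' in /24
        "usable_hosts": network.num_addresses - 2,  # minus network and broadcast
    }


def choose_vpn_pool(home_lan: ipaddress.IPv4Network, candidates: list[str]) -> ipaddress.IPv4Network:
    """Return the first candidate pool that does not overlap the home LAN.

    Clients need addresses that are distinct from the home LAN so the router
    can route between the two; an overlapping pool is the classic mistake.
    """
    for cand in candidates:
        pool = ipaddress.ip_network(cand, strict=False)
        if not pool.overlaps(home_lan):
            return pool
    raise ValueError("every candidate pool overlaps the home LAN")


if __name__ == "__main__":
    print("home LAN:", describe(HOME_LAN))
    print("OctoPrint inside LAN?", OCTOPRINT in HOME_LAN)
    pool = choose_vpn_pool(HOME_LAN, ["192.168.0.0/24", "192.168.100.0/24"])
    print("VPN client pool:", describe(pool))
```

With the thread's values this prints netmask `255.255.255.0` for the LAN, confirms `.132` is inside it, rejects `192.168.0.0/24` as a client pool because it is the LAN itself, and settles on `192.168.100.0/24`, which is what goes into the router's subnet and netmask boxes.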