Network Advice Wireless Camera System

[Brenneke]

Currently I run a VPN client for all devices connected to router.
I would now like to set up an OpenVPN server to allow me to connect to the USB storage on my security camera hub.
My hope is to be able have have both running at same time.

 

[L&LD]

Both should be able to run concurrently.

 

[Brenneke]

Nice, thank you!

 

[Brenneke]

After first doing a long-overdue router factory reset and some network changes, I finally got around to installing this camera system - the Arlo smart hub must be ethernet connected to router - would feel better about this if I could somehow get it onto a guest network.
1) Should I be worried about this at all?
2) Is there any way to to move it to a guest network?

Thank you.

 

[Samir]

The guest network won't change its ability to 'phone home', just limit what access it could possibly have to your network. And that would also limit your access to it from your local network.

Answers:
1. Not really since the only winning move with these consumer cloud based systems is to not use them due to their inherit unsafe design.
2. You can, but then you would lose local network access to it.

 

[ColinTaylor]

2) Is there any way to to move it to a guest network?

If the cameras are only connected to the Arlo smart hub and the smart hub is connected by Ethernet to the router, then no, you can't move it a guest network. Guest networks only exist for devices connecting to the router's WiFi.

 

[Brenneke]

Looking for advice on getting access (from outside LAN) to local USB storage for the security camera hub connected to my router - not sure if I am understanding things correctly or if I am on the right track:

Camera hub is ethernet connected to Asus RT-AC68U.
Asus is connected to LAN 1 of ISP Actiontec modem in bridge mode, manual IP for Asus.
Asus router is running VPN client connected to Static IP server of VPN provider.

I am intending to use VPN port forwarding to forward the port(s) for my camera hub.
https://windscribe.com/support/article/22/setting-up-port-forwarding
For this to function I read that I would need to use iptables rules to route traffic from the TUN adapter to the LAN device (camera hub) listening.
Does this sound correct and is it advisable to do it this way?

Thank you.

 

[ColinTaylor]

I am intending to use VPN port forwarding to forward the port(s) for my camera hub.

Why? Assuming the VPN client is going to be enabled 24/7 on the router there is no difference security-wise between connecting via the VPN client or connecting directly to the router. Arguably, using a commercial VPN service makes you a more attractive target as well as providing a much slower link into your home network.

 

[Brenneke]

So best to run OpenVPN server on router and connect that way, is that what you mean by "connecting directly to the router"?

 

[ColinTaylor]

So best to run OpenVPN server on router and connect that way, is that what you mean by "connecting directly to the router"?

Yes that's what I mean. Unless there's something else that I'm unaware of that would prevent that.

Connecting via a VPN client exit node would be insecure because a) the connection from the PC to the node is not encrypted, and b) anyone on the internet could port scan the node and connect to the camera hub (depending on the hub's own security).

 

[Brenneke]

Yes that's what I mean. Unless there's something else that I'm unaware of that would prevent that.

OK, have OpenVPN server up and running.

Steps: (no cell service at home)

1. Android phone connected to main WiFi network, can access router GUI and camera hub local storage with Arlo app....good
2. Switched Android to my guest WiFi network, checked to confirm no access to router GUI....correct
3. Connected Android to OpenVPN server, confirmed internet access, (server set to Both) confirmed ability to connect to router GUI but cannot connect to camera hub local storage with Arlo app...hmm
4. Assume that I need to forward port in router to match port forward page in Arlo app
5. Turn on port forwarding in Asus, Apply, now disconnected from OpenVPN server on Android and cannot reconnect until port forwarding in router turned off and OpenVPN server in router cycled off and on (Apply between each step)

What could be the cause for not being able to access local storage in Arlo app when connected to OpenVPN server?
Why does turning port forwarding on in router prevent connection to OpenVPN server? (had same problem a few weeks back when attempting same steps above)

 

[ColinTaylor]

Do not forward the ports. This was discussed at length earlier in this thread (and even pointed out by yourself in post #7).

Test from outside your network. Connecting to the VPN server from inside your network is not a valid test as it can create routing or firewall conflicts.

When testing the connection via the VPN server turn off the router's VPN client. That will indicate whether or not you need to make a policy rule for the camera hub.

We don't know anything about how the app identifies or connects to the camera hub.

 

[Brenneke]

Do not forward the ports. This was discussed at length earlier in this thread (and even pointed out by yourself in post #7).

Yes, but am always cautious taking advice from people like myself!

Test from outside your network. Connecting to the VPN server from inside your network is not a valid test as it can create routing or firewall conflicts.

I tested from outside my network today as you advised, can reach my router GUI but still not the camera hub storage.

We don't know anything about how the app identifies or connects to the camera hub.

I have no expectation of support for my camera hub, simply asking knowledgeable network people for direction as to what I might research and consider next when:

a) I can reach my LAN and router GUI from outside my network
b) I cannot reach my camera hub using same device and app that work from inside my network

 

[ColinTaylor]

I have no expectation of support for my camera hub, simply asking knowledgeable network people for direction as to what I might research and consider next when:

a) I can reach my LAN and router GUI from outside my network
b) I cannot reach my camera hub using same device and app that work from inside my network

I wasn't suggesting that you were asking for camera hub support. I was pointing out that without knowing "how" the app locates the hub it's very difficult for us to begin troubleshooting the problem.

Is the app configured with the IP address of the hub? Does it use a DNS or DDNS name? Does it use broadcast packets? TCP, UDP? Without having some sort of clue as a starting point it could take a very long time to understand the cause of the problem.

An alternative approach might be to use a script like the one here. (See also this post)

EDIT: I've tried to find some information about this Arlo system. AFAICT the "direct storage" feature was only added at the end of last year and only for a couple of devices. Arlo recommends using a VPN rather than port forwarding but doesn't give any setup information. There is mention that you need to be "on the same network" to access the hub. If we take that statement literally that would mean that you have to a) use a script like the one I linked to above, or b) change your VPN server to use TAP instead of TUN. If you want to try using TAP you will need to export the config file again from the router and load it onto your phone.

 

[Brenneke]

I will give TAP a go thank you!
I am not sure if attached Wireshark screenshots provide any useful information, please have a look. (192.168.2.181 is Android phone with Arlo app)

 

[ColinTaylor]

I am not sure if attached Wireshark screenshots provide any useful information, please have a look. (192.168.2.181 is Android phone with Arlo app)

What is 192.168.3.1 ? I thought your local network was 192.168.2.x.

 

[Brenneke]

Yes, good question!

ISP modem is at 192.168.1.254 (bridge mode for LAN 1)
Asus is at 192.168.2.1 (connected to ISP LAN 1)
Arlo camera hub is on LAN 4 of Asus

VPN Client 1:
Main network & 5.0 guest network, confirmed devices on Asus LAN ports do get 192.168.2.xx
YazFi configured to give 5.0 guest 192.168.4.0

VPN Client 3:
2.4 guest network only
YazFi configured to give 2.4 guest 192.168.3.0

All networks are getting the correct VPN servers but: (?)
Asus client list is showing all devices getting a 192.168.2.xx address, even those that are connected to 2.4 guest and 5.0 networks

Perhaps a Policy Rules issue....advice?
Thank you.

 

[ColinTaylor]

Using multiple subnets for guest networks as well as multiple VPN clients just adds a whole load of potential areas of confusion in the debugging process.

Your Wireshark dumps are showing some MDNS activity so perhaps that is how the app detects the hub. That would make sense. AFAIK OpenVPN will not pass multicast traffic when using a TUN interface so you'll need to use TAP instead. That would mean that the VPN client would get an address of 192.168.2.x. You may need to add this address as an exception in the policy rules, but before assuming that do your testing with all of the router's VPN clients turned off.

 

[Brenneke]

I set up OpenVPN servers on Asus, both TAP, one TCP, the other UDP.
I successfully connected with each from outside my network on a friend's wifi, still no access to hub with either TCP or UDP servers.

Please disregard all that was said about my network, policy routing etc. I did confirm that all is correct devices connecting to correct subnets. I am not sure what and why we saw the 192.168.3.1 address in Wireshark.

I installed Nmap on my phone - here is what I am seeing for scanned ports on Arlo hub IP - does this info help at all?

I am going to play more with Nmap when connected to OpenVPN (TAP & TUN) servers when outside of my network.

Are there any useful Nmap testing (or any other testing/tools) tips you can suggest that may help in determining what is preventing access to Arlo USB storage from outside the network when using the same phone/app that works inside the network?

Unfortunately Arlo support is of no help, they know nothing about this statement written in their app:
"To securely access your recordings from outside the home network, we recommend configuring a VPN on your home router and mobile device."
When speaking with Arlo support (multiple calls) they know nothing about this primary recommendation and stress that their secondary recommendation of port-forwarding (below) must be set up and tried first before ticket can be escalated.
"Alternatively, port forwarding settings can be modified on your router to allow access to the SmartHub outside the home network."

I have also not found info anywhere online showing that anyone has made with work and how.

Thank you.

 

[ClockerXP]

I set up OpenVPN servers on Asus, both TAP, one TCP, the other UDP.
I successfully connected with each from outside my network on a friend's wifi, still no access to hub with either TCP or UDP servers.

Please disregard all that was said about my network, policy routing etc. I did confirm that all is correct devices connecting to correct subnets. I am not sure what and why we saw the 192.168.3.1 address in Wireshark.

I installed Nmap on my phone - here is what I am seeing for scanned ports on Arlo hub IP - does this info help at all?
View attachment 21980

I am going to play more with Nmap when connected to OpenVPN (TAP & TUN) servers when outside of my network.

Are there any useful Nmap testing (or any other testing/tools) tips you can suggest that may help in determining what is preventing access to Arlo USB storage from outside the network when using the same phone/app that works inside the network?

Unfortunately Arlo support is of no help, they know nothing about this statement written in their app:
"To securely access your recordings from outside the home network, we recommend configuring a VPN on your home router and mobile device."
When speaking with Arlo support (multiple calls) they know nothing about this primary recommendation and stress that their secondary recommendation of port-forwarding (below) must be set up and tried first before ticket can be escalated.
"Alternatively, port forwarding settings can be modified on your router to allow access to the SmartHub outside the home network."

I have also not found info anywhere online showing that anyone has made with work and how.

Thank you.

Were you ever able to remotely connect to your Arlo local storage via VPN?