Secure remote access to a camera DVR with VPN and VLANs on an OpenWRT router

My condo building has a digital video recorder (DVR) hooked up to some cameras around the building sitting in a closet. To access it when something happens, the building facility manager has to go into the closet and review the recordings, which is a pain. It’d be better to allow certain individuals (building staff, security committee, HOA board, property manager) remote access so they can review things on demand from offsite. The board inducted me into the security committee (I’m the only one on it) to solve this problem. The solution I ended up using could be useful for other purposes too, I supposed.

There’s a nearby lobby with a wifi router in it, and someone ran a cable to this router from the closet at some point, though it was disconnected when I investigated. Great! I figured I could just replace the router with one capable of running OpenWRT and then setup a VPN to allow remote access and then put the security cameras on an isolated VLAN so the normal lobby users (i.e. every resident in the building) don’t have easy access to the DVR. Sure the DVR has accounts too but it can’t do HTTPS without having all users install root certificates and I don’t want people sniffing the quasi-public wifi for DVR passwords.

OpenWRT flash and setup

I got a Linksys WRT 1900AC router for this job, knowing that I’d want some good CPU for sending live video over the VPN. This one seemed pretty good and was supported by LEDE/OpenWRT (they’re re-merging) with open-source radios and everything. I got one and flashed it with no big troubles. I set up the wifi and added my ssh key so I could ssh in for advanced configuration.

VPN server setup

I’ve set OpenVPN up on lots of routers and am getting good at it. With LEDE/OpenVPN you basically just follow these instructions.  I also like to harden things a bit by limiting the ciphers to secure ones and using a pre-shared secret. Once your server is up, generate keys for each remote user.

VLAN setup

Setting up the VLAN was fairly easy once I figured it all out. First you go into the Switch configuration and add a new VLAN ID. The word “tagged” is defined in IEEE 802.1Q and just means “will communicate with other VLANs” so we set the eth0 one on the LAN and VLAN both to tagged so they can route to one another. In this example I have turned LAN port 1 into a totally new isolated VLAN. Exciting.

VLAN switch setupThen you go to Interfaces and make a new one for the VLAN, setting its physical setting to link to the new VLAN device created in the previous step: eth0.3.

Interfaces setup in LEDE for VLAN
The interfaces window in LEDE

Edit the interface and give it a static address on the new subnet you want to create (e.g. 10.1.0.1). Then turn on the DHCP server if you want it to dish out ip addresses to things plugged into it (they will become 10.1.0.2, etc.).

Now you just have to set up the firewall. Go to firewall and create a new zone for your VLAN. I called mine “cameras” and only allowed it to communicate with the VPN and the WAN. I could have just had it do VPN in my case, and your application may have different needs. Again I did this just so the LAN users chilling in the lobby couldn’t try to hack the DVR.

Firewall zone for VLAN in lede/openwrt
Firewall zone for VLAN in lede/openwrt

Client setup

With a linux client, it’s easy to connect using openvpn package and the network manager openvpn extension. Since my HOA board will probably mostly use Windows, I had to scrounge around to find a Windows PC to test on. It was fairly easy to install the openvpn client.  I just pasted the config file and keys into the config directory on that machine and then right-clicked openvpn in the tray and the connection showed up. I had to start openvpn client as admin by right-clicking it a few times before it actually worked.

Then to access the DVR, the manufacturer had a chrome extension that works in linux and windows so that was kind of nice.

Last steps

Back up your router config at this point in case someone resets your router.

Leave a Reply

Your email address will not be published. Required fields are marked *