VPN Questions

bbdude
Posts: 22
Joined: Mon Nov 16, 2020 8:49 pm

VPN Questions

Post by bbdude »

I have been using BI5 and running the BlueIris App and also UI3 on my android phone (Google Pixel 2). Currently I have this setup using port forwarding. I am about to change over to using a VPN.

I will download and install OpenVPN on the dedicated BlueIris PC and also on my Google Pixel 2 cell phone. I will remove the port forwarding for port 81.

I have a few questions:

1. My router is a Netgear Nighthawk X10 AD7200 / R9000 and it supports VPN. The default service is UDP but it can also be set for TCP. Which service should I use?

2. I saw in another post that I should still be able to send push notifications to my cell phone without the port forwarding. Is this correct (hopefully)? How does this work? Does the VPN have to be constantly open between the BlueIris PC and my cell phone for this to work?

3. I also saw in another post that I don't have to use a DDNS service (like No-IP) as long as I have a current BlueIris license. I think I remember entering my license info into the BlueIris App when I installed it. Does this also work for UI3 web server?
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: VPN Questions

Post by Matts1984 »

I'm not using VPN myself but I think I can get you pretty close on these questions:

1. Either should be encrypting it and the "security" of the connection would be the same, depending on subsequent settings (phase1/phase2, hash strength, etc). UDP *may* give a slight speed enhancement (probably transparent to you in long run) but TCP might give a higher chance of working if on foreign wifi networks. If you have the ability to make your tunnel operate on tcp/443 (an SSL tunnel) you have the highest success chances. Traditional IPSEC tunnels use udp/500 and udp/4500 and you could certainly have connectivity issues on some networks.

2. I believe push notifications should be transparent to this. The server sends the notification to Google (does use a specific port - tcp/something in the 5000s)

3. You may need a DDNS service for the tunnel to be up or stay established but once you have a tunnel, you should be talking to the server from your device without needing a server external IP address (so no, you won't need it for the server.... but you might need for your VPN device)

That said, take a couple minutes looking at ZeroTier. I have never used it but someone else on here mentioned it once so I looked into it and I think - if I wasn't doing port forwarding with SSL decryption and a WAF, I would consider that. It looks simpler and faster to set up, potentially more reliable too.
Blue Iris 5.9.9.x | Server 2025 VM | Xeon E5-2660 v3 @ 2.60GHz - 32 Cores | 48GB RAM | 8TB RAID | Sophos UTM WAF | Mostly various SV3C Cameras
bbdude
Posts: 22
Joined: Mon Nov 16, 2020 8:49 pm

Re: VPN Questions

Post by bbdude »

ZeroTier looks interesting -- maybe something I'll try out later.

It would be good if anyone else has a more complete explanation of whether or not I need a DDNS for using the VPN. I expect that my WAN IP address will change at some point, although it has not happened in the last several weeks since I started using BI5.

I still have a number of other gaps in my knowledge of networking. One thing I don't fully understand is which ports are always open? I think I am understanding that port 80 is always open for HTTP and port 443 is always open for HTTPS. How is this not a security risk when I see so many warnings on this forum about not using port forwarding? Also, how can I check to see what ports are open in my router? I know how to get to the Port Forwarding menu in my router and it only shows port 81 being forwarded (for BI, soon to be removed). Are there other ports forwarded that I am not seeing in this menu? Is there another menu I should check?
Matts1984
Posts: 496
Joined: Fri Apr 10, 2020 1:12 pm
Location: Maryland, USA

Re: VPN Questions

Post by Matts1984 »

bbdude wrote:
> It would be good if anyone else has a more complete explanation of whether or not I need a DDNS for using the VPN. I expect that my WAN IP address will change at some point, although it has not happened in the last several weeks since I started using BI5.
Needing DDNS or not is dependent on your ISP plan/package. I assume it's a standard residential consumer type package which would most likely be using DHCP at the modem (not a static IP address) so DDNS will be needed. Generally the lease is quite long but even then would only change if the router is power cycled or the connection is interrupted in some way. It's not uncommon for it to not change for months - but it will change. You would need to use DDNS to get traffic to your router/modem with or without a VPN. ZeroTier or similar appears to be an exception to this as there is a cloud intermediary that connects the dots for you.
bbdude wrote:
> I still have a number of other gaps in my knowledge of networking. One thing I don't fully understand is which ports are always open? I think I am understanding that port 80 is always open for HTTP and port 443 is always open for HTTPS. How is this not a security risk when I see so many warnings on this forum about not using port forwarding? Also, how can I check to see what ports are open in my router? I know how to get to the Port Forwarding menu in my router and it only shows port 81 being forwarded (for BI, soon to be removed). Are there other ports forwarded that I am not seeing in this menu? Is there another menu I should check?
So when you say what ports are open, are you referring to which ports your router is forwarding or what ports your server (and namely BlueIris) is listening on? By default, a router should port forward nothing. There is probably some exception to this but any inbound connections from the Internet hitting your router IP address should be denied or rejected (those are different terms but for the sake of discussion - not permitted). More on that later. BI is configurable as to what port(s) it listens to as an application and this can be tested/verified:
[Screenshot 2021-01-05_12-49-52.png: Blue Iris web server settings]
[Screenshot 2021-01-05_12-51-07.png: resmon.exe, Network tab, Listening Ports]
The first image shows my BI configuration to use 443 as the web server port. It's important to note that being 443 does NOT mean it's automagically encrypted and using HTTPS. The config clearly shows it's using HTTP on whatever port you specify. I chose 443 for my own setup but you could just as easily use any available port from 1-65535. The second image is a nice GUI version of 'netstat' that shows BlueIris.exe is indeed listening on 443 - and that's it. FYI - the tool is resmon.exe, then Network tab > Listening Ports. If you don't trust your router, you can do an external scan with a site like http://www.ipv6scanner.com/cgi-bin/main.py (it will do IPv4 addresses just fine). The scanner doesn't check EVERY port but it does check the most common. Without a port forwarding configuration in your router though, the linking of the external to the internal isn't there so it doesn't work. You'd need to map [external router IP]:PORT -> [BI Server IP]:BI Web Port.

If you go the VPN route, and if that VPN terminates at your router, connections should go to your internal server address and port - no forwarding, nothing else. A solution like ZeroTier is a client on your mobile device, a client on your BI server, and the connection is direct without any configuration on your router.
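As an added example (not code from this thread or from Blue Iris), here is a small Python script that does two of the checks described in the post above: it parses `netstat -ano` output from the BI machine to list which process is listening on which TCP port, and it probes a host:port to report whether the listener actually speaks TLS, because a web server on 443 is not automatically HTTPS. The netstat text and the PID-to-image map are constructed samples, and the function names (`parse_listening`, `ports_for_process`, `probe_port`) are this example's own, not anything from Blue Iris or Windows.

```python
"""Listening-port audit and TLS-vs-plaintext probe for a Blue Iris host.

Added example, not Blue Iris code. Run it on any machine; pass real
`netstat -ano` output and a real PID map to audit your own server.
"""
import re
import socket
import ssl

# Constructed sample of `netstat -ano` on a Windows host. PIDs, addresses
# and the mix of services are made up for the example.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4120
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    192.168.1.20:443       192.168.1.50:51234     ESTABLISHED     4120
  TCP    [::]:135               [::]:0                 LISTENING       912
  UDP    0.0.0.0:5353           *:*                                    3344
"""

# Constructed PID -> image name map, as you would get from `tasklist /FO CSV`.
SAMPLE_PROCESSES = {
    912: "svchost.exe",
    4120: "BlueIris.exe",
    4: "System",
    3344: "mDNSResponder.exe",
}

# One TCP line in LISTENING state: local address, port, PID.
_LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")


def parse_listening(netstat_text, processes):
    """Return {(local_addr, port): image_name} for every TCP LISTENING line.

    ESTABLISHED lines and UDP lines are ignored on purpose: the question is
    what accepts inbound connections, not what is currently talking.
    """
    listening = {}
    for line in netstat_text.splitlines():
        m = _LISTEN_RE.match(line)
        if not m:
            continue
        addr, port, pid = m.group(1), int(m.group(2)), int(m.group(3))
        listening[(addr, port)] = processes.get(pid, f"pid:{pid}")
    return listening


def ports_for_process(listening, image_name):
    """Sorted list of ports a given image (e.g. BlueIris.exe) listens on."""
    return sorted({port for (_, port), name in listening.items()
                   if name.lower() == image_name.lower()})


def probe_port(host, port, timeout=3.0):
    """Classify host:port as 'closed', 'tls' or 'plaintext'.

    A TLS handshake is attempted without certificate validation, since the
    only question here is whether the peer speaks TLS at all. A plain HTTP
    listener answers the ClientHello with garbage, which surfaces as an
    SSLError (wrong version number) or a reset/EOF, and is reported as
    'plaintext'.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "closed"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return "tls"
    except ssl.SSLError:
        return "plaintext"
    except OSError:
        # Reset or EOF before/after ClientHello: something answered, but not TLS.
        return "plaintext"


if __name__ == "__main__":
    found = parse_listening(SAMPLE_NETSTAT, SAMPLE_PROCESSES)
    for (addr, port), name in sorted(found.items(), key=lambda kv: kv[0][1]):
        print(f"{addr}:{port}\t{name}")
    print("BlueIris.exe ports:", ports_for_process(found, "BlueIris.exe"))
    # Against a real host this tells you whether your "443" is HTTPS or just HTTP on 443.
    print("192.168.1.20:443 speaks:", probe_port("192.168.1.20", 443, timeout=1.0))
```

On a real server, capture `netstat -ano` and `tasklist /FO CSV` from an elevated prompt and feed them in; if `ports_for_process` returns anything beyond the one web server port you configured, something else is exposed. The probe is what the scanner site in the post cannot tell you: that a port answers says nothing about whether the traffic on it is encrypted.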
bbdude
Posts: 22
Joined: Mon Nov 16, 2020 8:49 pm

Re: VPN Questions

Post by bbdude »

Ok, thanks Matts, lots of good information there. I tried to set up VPN and was unable to get it to connect using my Android cell phone. I will start another thread to ask about that specific problem.