Simple And Cheap VPN Setups Against Hacking

Today I had some home networking chores to do, my old router's wifi had broken so I had to reconfigure a new one (well, another old one actually).

While working on that I thought that since I had some tiny gear around, I'd try to whip up a bare-bones, but effective example of a super cheap (and super simple) VPN that could be used for administration and connecting to DVRs etc.

This is an absolutely minimal PoC just to discuss these things, but still (if correctly configured) much more secure than exposing the devices directly with port forwards.

I wanted it to be as compact and tidy as possible, so I used a Raspberry Pi Zero W, which costs about $10, has built-in wireless and just needs a phone charger to operate. It can also handle this task just fine. Any other RPi or an old PC works just as well, so money isn't really an issue here. Here's a picture of it all in operation (excl. router):

So, you just take any computer you trust and set it up. In the case of the RPi I had to:

  • Install Raspbian: just copy image to SD card and configure the system (network, language etc.)
  • Install PiVPN: run installer and mostly just press enter, add clients and get config files (*.ovpn)
  • Configure port forward: someport -> pivpn:1194 (also tweaked the VPN config to only route some nets)
  • Import config files to clients (Android required just a bit of tweaking with regard to key format)

Done!

After that, the configured clients could access a camera subnet where I had an old Axis (that only supports 8-char passwords...), securely over the VPN. I tested it with Ubuntu and Android over 4G.

That's it, basically. Initially there are of course some settings to set, but even if it takes an hour in a simple case, the nice thing is that the SD card is simple to back up and copy for redundancy after the most important configuration is in place.

The biggest hurdle I see here is a lack of consistent manufacturer support for this stuff so that in a typical scenario you could just expect to press at most one button to mean "do it, give me the key", with no extra cost. At home a simple DIY thing like this might be just fine though if you can get along with Linux or want to learn.

I noticed that in the Dahua wiki there are also some instructions on how to set up VPNs with DD-WRT routers, which is kind of nice.

Edit: Quick start guides should maybe be something like this:

Mock-up
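The post's step "tweaked the VPN config to only route some nets" is the part most worth checking before the port forward goes live: a PiVPN-generated server.conf can either push a single camera subnet (split tunnel) or push `redirect-gateway` (full tunnel), and it should carry `tls-crypt`/`tls-auth` and an explicit cipher. The script below is an added example, not code from the post or from PiVPN/OpenVPN; it parses an OpenVPN server config, lists the subnets pushed to clients and the listening port (the one you forward to), and flags settings a defender would want to review. The sample config text is constructed for the example; the subnet, key path and port in it are assumptions. The directive names (`push`, `route`, `redirect-gateway`, `tls-crypt`, `tls-auth`, `cipher`, `port`) are real OpenVPN directives.

```python
"""Added example (not from the original post): audit an OpenVPN server.conf for
the split-tunnel and hardening settings discussed above."""
import re

# Constructed sample modelled on a PiVPN-style server.conf; all values are assumptions.
SAMPLE_SERVER_CONF = """\
dev tun
proto udp
port 1194
server 10.8.0.0 255.255.255.0
# only route the camera subnet over the tunnel (split tunnel)
push "route 192.168.2.0 255.255.255.0"
tls-crypt /etc/openvpn/easy-rsa/pki/ta.key
cipher AES-256-GCM
auth SHA256
"""


def parse_openvpn_conf(text):
    """Return a list of (directive, args) pairs, skipping comments and blank lines."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split(None, 1)
        directive = parts[0]
        args = parts[1].strip() if len(parts) > 1 else ""
        entries.append((directive, args))
    return entries


def pushed_routes(entries):
    """Subnets the server pushes to clients, as 'network netmask' strings."""
    routes = []
    for directive, args in entries:
        if directive != "push":
            continue
        inner = args.strip().strip('"')
        m = re.match(r"route\s+(\S+)\s+(\S+)", inner)
        if m:
            routes.append(f"{m.group(1)} {m.group(2)}")
    return routes


def listen_port(entries):
    """Port the server listens on; this is the target of the router's port forward."""
    for directive, args in entries:
        if directive == "port":
            return int(args)
    return 1194  # OpenVPN's default when no 'port' directive is present


def audit(entries):
    """Findings a defender would want to review before exposing the port."""
    directives = {d for d, _ in entries}
    findings = []
    full_tunnel = any(d == "push" and "redirect-gateway" in a for d, a in entries)
    if full_tunnel:
        findings.append("full tunnel: all client traffic is routed via the Pi")
    elif not pushed_routes(entries):
        findings.append("no routes pushed: clients cannot reach any LAN subnet")
    if "tls-crypt" not in directives and "tls-auth" not in directives:
        findings.append("no tls-crypt/tls-auth: handshake not protected by a pre-shared key")
    if "cipher" not in directives:
        findings.append("no explicit cipher set")
    return findings


if __name__ == "__main__":
    entries = parse_openvpn_conf(SAMPLE_SERVER_CONF)
    print("listens on port", listen_port(entries))
    print("pushed routes:", pushed_routes(entries))
    print("findings:", audit(entries) or "none")
```

Run it against the real `/etc/openvpn/server.conf` by reading that file into `parse_openvpn_conf` instead of the sample; an empty findings list plus exactly the camera subnet in the pushed routes matches the setup the post describes.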
