That damned Foscam iOS App… (OpenVPN tun problem)
-
Hi,
I have a pfsense box with three interfaces:
WAN (VDSL2)
LAN 172.16.35.0/24
CAM 172.16.36.0/24the CAM network is dedicated to my surveillance system, a mix of Dahua IP cameras and Foscam IP cameras.
I don't like to use "port forward" (a.k.a. reverse NAT) to access my IP cameras from The Net, so I use an OpenVPN server (config follows) for this purpose; moreover, I don't like that IP cameras could go online and do something I can't control, so I deliberately restricted the CAM Net to local access only (see attached screenshots of firewall rules).
The OpenVPN server is configured as:
Remote Access SSL/TLS, UDP, tun, IPv4 Tunnel Network 10.0.9.0/24, IPv4 Local network(s) 172.16.36.0/24, Dynamic IP (flagged), Address Pool Topology subnet, Custom options route 10.0.8.0 255.255.255.0Now the fun part: if I'm connected from the Net via OpenVPN (iOS client, iPhone iOS 10.2) I can browse all the CAM network without any issue; I can access the IP cameras using LiveCams Pro (a very good iOS app), I can access my FTP server hosted by a machine with FreeNAS and so on. All seems to work perfectly.
But, but… I can't get Foscam iOS app to work from another network, neither from the Internet, nor from the LAN: it seems that this app can works only in the same net as its Foscam cameras: so, if I configure a wireless AP with an IP address in the 172.16.36.0/24 space, the App works perfectly; if I use the App from the wireless AP on the LAN (172.16.35.0/24) it can't connect; same strory if I use the Foscam App through the OpenVPN tunnel.
In the OpenVPN tab firewall rules, deactivating those two Block rules doesn't change any behavior.
Any help is very appreciated :)
 -
My guess is that the Foscam iOS app has not been designed to address anything outside its own subnet/ or that it's gateway setting might be wrong (if it has such a thing)
Is there a free/paid version option? Might be an option that only comes with the paid version ect..
Just some quick thoughts.
-
This is the only version; no paid alternative (from the original manufacturer) is available. The Foscam app is gorgeous at reading the microSD card memory, an area where other programs fail.
If I only could "setup" the OpenVPN tunnel to exit with a 172.16.36.0/24 address… I tried assigning an OPT interface to the OPenVPN server, then doing some NAT, without success (obviously my lack of knowledge...)
-
so your camera's don't have a gateway? Then just source nat your vpn connection to be the pfsense IP in that network.
On your outbound nat just create a nat using that interface.
-
so your camera's don't have a gateway? Then just source nat your vpn connection to be the pfsense IP in that network.
On your outbound nat just create a nat using that interface.
I didn't understand your answer; I assigned an OPT interface to the OpenVPN server, renamed it "CAMVPN", and didn't touch any other interface's parameters (so, I didn't assign any IP address and so on). I'm stuck here (yes, I did some NAT without any success).
How do I accomplish what you're suggesting? Thank you!
-
Again your stating that you have to be on the same network as your camera's for them to work.. So you mean on the Camera's they do not have a gateway off their local network? ie they don't point to pfsense as their gateway??
if your problem is your camera's do not have a gateway, then that can be solved by either giving them one or source natting your vpn connection..
-
I don't know how to do that: I need step-by-step instructions ::)
-
Sorry if I'm not on the same pgae with what you're trying to do here. Here's what I think you're trying to get:
You have some Foscams that have horrible security on one subnet which you want to block from everything but that subnet.
You want to be able to VPN into your network from your phone and view those cameras.I'm doing something very similiar.
I have a Foscam with horrible security on my LAN, I wrote two rules on LAN to block the Foscam's IP from everything but the LAN, also turned off or didn't conifgure everything on the Foscam itself that tries to access the internet.
BLOCK ANY IPV4 SOURCE:FOSCAM_IP ANY ANY ANY ANY
BLOCK ANY IPV4 ANY ANY DESTINATION:FOSCAM_IP ANY ANYI run an OpenVPN server on my pfsense box, on my phone when I'm away from the network I connect to my VPN, open up the Foscam app and it works. I wrote one rule on OpenVN server's interface to pass traffic from my OVPN Server subnet to my Foscam's IP.
PASS ANY IPV4 SOURCE:OVPN_SERVER ANY DESTINATION:FOSCAM_IP ANY ANYWould this work for what you're trying to achieve?
-
Sorry if I'm not on the same pgae with what you're trying to do here. Here's what I think you're trying to get:
You have some Foscams that have horrible security on one subnet which you want to block from everything but that subnet.
You want to be able to VPN into your network from your phone and view those cameras.I'm doing something very similiar.
I have a Foscam with horrible security on my LAN, I wrote two rules on LAN to block the Foscam's IP from everything but the LAN, also turned off or didn't conifgure everything on the Foscam itself that tries to access the internet.
BLOCK ANY IPV4 SOURCE:FOSCAM_IP ANY ANY ANY ANY
BLOCK ANY IPV4 ANY ANY DESTINATION:FOSCAM_IP ANY ANYI run an OpenVPN server on my pfsense box, on my phone when I'm away from the network I connect to my VPN, open up the Foscam app and it works. I wrote one rule on OpenVN server's interface to pass traffic from my OVPN Server subnet to my Foscam's IP.
PASS ANY IPV4 SOURCE:OVPN_SERVER ANY DESTINATION:FOSCAM_IP ANY ANYWould this work for what you're trying to achieve?
Yes, but my Foscam cameras are on a different and physically separated interface; the reason is: Foscam (and Dahua) "disable p2p" function on the GUI doesn't disable it at all, so I put them on a different network (different from my "trusted" LAN).
I can access this other LAN (called "CAM" in my screenshots) with other mobile iOS Apps via OPenVPN (like the very good LiveCams Pro), but not with the Foscam App, which behaves quite odd: when I input the parameters for an IP camera, the App works well. After closing and reopening it, Foscam App stops working.
So, when the App doesn't stop working (when re-opened)? The answer is: only if the iOS device and the camera are on the same network. I can't debug this!
-
"ther mobile iOS Apps via OPenVPN (like the very good LiveCams Pro), but not with the Foscam App, which behaves quite odd: when I input the parameters for an IP camera, the App works well. After closing and reopening it, Foscam App stops working."
Well this has nothing to do with device not having a gateway or not letting you access it via some non local network.. This sounds like some issue with your app and how it finds/connects to devices. Your saying it works if you put in the IP..
-
I put the IP and it works for the first time; then, if I exit the App, the next time I launch the app it doesn't work anymore.
The App doesn't work either when the iPhone is WiFi-connected with the AP on the LAN interface; if I move the iPhone to another AP connected on the CAM interface, the App works perfectly!
-
This is clearly a app issue..
Fix - don't use shitty app ;)
-
I can add another square to the puzzle: I have 2 Foscam cameras on a remote site, behind a Linksys WRT64GL router with Shibby-Tomato Firmware: the App works flawlessly reaching the two cameras behind the OpenVPN connection from my iPhone to the Tomato router!
-
And is your openvpn connect to this wrt54GL (no such thing as 64GL) is it tun or tap.. If the app uses some sort of broadcast to find the camera vs using the IP you put in the last time.. Then that would explain how it works on your other connection.
Doesn't mean its not a shitty app.. An app that has to be on the same L2 network to talk to an IP camera that clearly is meant to work while your away from your house is a shitty freaking app..
You say it works when you put in the IP.. So there you go pfsense isn't blocking anything, etc.. That you close the app and reopen and now it doesn't work = shitty app!! How exactly does the app try and find the camera? Mdns? Broadcast for name? Some broadcast for some port? It shouldn't have to find anything if you put in an IP of the camera.. It should just send a syn to that IP on whatever port it uses to talk on..
-
Now I notice that there are some differences in the two OpenVPN logs:
This is the log from the OpenVPN session with the WRT54GL and my iPhone (the "Add Routes" at the end of the log reports two Nets added:
«Add Routes:
172.16.6.0/24
10.8.0.1/32»2017-01-19 17:13:49 –--- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2017-01-19 17:13:49 Frame=512/2048/512 mssfix-ctrl=1250
2017-01-19 17:13:49 UNUSED OPTIONS
4 [resolv-retry] [infinite]
5 [persist-key]
6 [persist-tun]
13 [verb] [3]
15 [tls-client]
16 [lport] [0]
17 [verify-x509-name] [***_] [name]2017-01-19 17:13:49 EVENT: RESOLVE
2017-01-19 17:13:49 Contacting :1194 via UDP
2017-01-19 17:13:49 EVENT: WAIT
2017-01-19 17:13:49 SetTunnelSocket returned 1
2017-01-19 17:13:49 Connecting to [.ddns.net]:1194 (**********) via UDPv4
2017-01-19 17:13:49 EVENT: CONNECTING
2017-01-19 17:13:49 Tunnel Options:V4,dev-type tun,link-mtu 1558,tun-mtu 1500,proto UDPv4,comp-lzo,keydir 1,cipher AES-128-CBC,auth SHA1,keysize 128,tls-auth,key-method 2,tls-client
2017-01-19 17:13:49 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
IV_VER=3.0.11
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=2
IV_LZO=12017-01-19 17:13:50 NET WiFi:NotReachable/WR t–----
2017-01-19 17:13:50 NET Internet:ReachableViaWWAN/WR t------
2017-01-19 17:13:52 VERIFY OK: depth=1
cert. version : 3
serial number : **********
issuer name : C=, ST=, L=, O=OpenVPN, OU=changeme, CN=, ??=, emailAddress=
subject name : C=, ST=, L=, O=OpenVPN, OU=changeme, CN=, ??=**********, **********
issued on : **********
expires on : **********1
signed using : RSA with SHA1
RSA key size : 2048 bits
basic constraints : CA=true2017-01-19 17:13:52 VERIFY OK: depth=0
cert. version : 3
serial number : 02
issuer name : C=IT, ST=, L=, O=OpenVPN, OU=changeme, CN=, ??=,**********
subject name : C=IT, ST=, L=, O=OpenVPN, OU=changeme, CN=, ??=, **********
issued on : **********
expires on : **********
signed using : RSA with MD5
RSA key size : 2048 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication2017-01-19 17:13:54 SSL Handshake: TLSv1.0/TLS-DHE-RSA-WITH-3DES-EDE-CBC-SHA
2017-01-19 17:13:54 Session is ACTIVE
2017-01-19 17:13:54 EVENT: GET_CONFIG
2017-01-19 17:13:54 Sending PUSH_REQUEST to server...
2017-01-19 17:13:54 OPTIONS:
0 [route] [172.16.6.0] [255.255.255.0]
1 [route] [10.8.0.1]
2 [topology] [net30]
3 [ping] [15]
4 [ping-restart] [60]
5 [ifconfig] [10.8.0.6] [10.8.0.5]2017-01-19 17:13:54 PROTOCOL OPTIONS:
cipher: AES-128-CBC
digest: SHA1
compress: LZO
peer ID: -1
2017-01-19 17:13:54 EVENT: ASSIGN_IP
2017-01-19 17:13:54 TunPersist: saving tun context:
Session Name: **********.ddns.net
Layer: OSI_LAYER_3
Remote Address: ***********
Tunnel Addresses:
10.8.0.6/30 -> 10.8.0.5 [net30]
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
172.16.6.0/24
10.8.0.1/32
Exclude Routes:
DNS Servers:
Search Domains:2017-01-19 17:13:54 Connected via tun
2017-01-19 17:13:54 EVENT: CONNECTED @:1194 () via /UDPv4 on tun/10.8.0.6/
2017-01-19 17:13:54 LZO-ASYM init swap=0 asym=0
2017-01-19 17:13:54 SetStatus Connected–
This is the log of a session with pfSense and my iPhone (the "connection" that doesn't work; it added
«Add Routes:
172.16.36.0/24»):2017-01-19 17:11:00 –--- OpenVPN Start -----
OpenVPN core 3.0.11 ios arm64 64-bit built on Apr 15 2016 14:13:50
2017-01-19 17:11:00 Frame=512/2048/512 mssfix-ctrl=1250
2017-01-19 17:11:00 UNUSED OPTIONS
1 [persist-tun]
2 [persist-key]
5 [tls-client]
7 [resolv-retry] [infinite]
9 [lport] [0]
10 [verify-x509-name] [**********] [name]2017-01-19 17:11:00 EVENT: RESOLVE
2017-01-19 17:11:00 Contacting :1194 via UDP
2017-01-19 17:11:00 EVENT: WAIT
2017-01-19 17:11:00 SetTunnelSocket returned 1
2017-01-19 17:11:00 Connecting to [.ddns.net]:1194 (**********) via UDPv4
2017-01-19 17:11:00 EVENT: CONNECTING
2017-01-19 17:11:00 Tunnel Options:V4,dev-type tun,link-mtu 1569,tun-mtu 1500,proto UDPv4,keydir 1,cipher AES-128-CBC,auth SHA256,keysize 128,tls-auth,key-method 2,tls-client
2017-01-19 17:11:00 Peer Info:
IV_GUI_VER=net.openvpn.connect.ios 1.0.7-199
IV_VER=3.0.11
IV_PLAT=ios
IV_NCP=2
IV_TCPNL=1
IV_PROTO=22017-01-19 17:11:00 VERIFY OK: depth=1
cert. version : 3
serial number : 00
issuer name : C=IT, ST=, L=, O=MyHomeNet, emailAddress=, CN=internal-ca
subject name : C=IT, ST=, L=, O=MyHomeNet, emailAddress=, CN=internal-ca
issued on : **********
expires on : **********
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=true
key usage : Key Cert Sign, CRL Sign2017-01-19 17:11:00 VERIFY OK: depth=0
cert. version : 3
serial number : 01
issuer name : C=IT, ST=, L=, O=, emailAddress=, CN=internal-ca
subject name : C=IT, ST=, L=, O=, emailAddress=, CN=********************
issued on : **********
expires on : **********
signed using : RSA with SHA-256
RSA key size : 2048 bits
basic constraints : CA=false
cert. type : SSL Server
key usage : Digital Signature, Key Encipherment
ext key usage : TLS Web Server Authentication, ? ? ?2017-01-19 17:11:00 SSL Handshake: TLSv1.2/TLS-DHE-RSA-WITH-AES-256-GCM-SHA384
2017-01-19 17:11:00 Session is ACTIVE
2017-01-19 17:11:00 EVENT: GET_CONFIG
2017-01-19 17:11:00 Sending PUSH_REQUEST to server…
2017-01-19 17:11:00 OPTIONS:
0 [route] [172.16.36.0] [255.255.255.0]
1 [route-gateway] [10.0.9.1]
2 [topology] [subnet]
3 [ping] [10]
4 [ping-restart] [60]
5 [ifconfig] [10.0.9.2] [255.255.255.0]2017-01-19 17:11:00 PROTOCOL OPTIONS:
cipher: AES-128-CBC
digest: SHA256
compress: NONE
peer ID: -1
2017-01-19 17:11:00 EVENT: ASSIGN_IP
2017-01-19 17:11:00 TunPersist: saving tun context:
Session Name: **********.ddns.net
Layer: OSI_LAYER_3
Remote Address: **********
Tunnel Addresses:
10.0.9.2/24 -> 10.0.9.1
Reroute Gateway: IPv4=0 IPv6=0 flags=[ IPv4 ]
Block IPv6: no
Add Routes:
172.16.36.0/24
Exclude Routes:
DNS Servers:
Search Domains:2017-01-19 17:11:00 Connected via tun
2017-01-19 17:11:00 EVENT: CONNECTED @.ddns.net:1194 () via /UDPv4 on tun/10.0.9.2/
2017-01-19 17:11:01 SetStatus Connected
2017-01-19 17:11:01 NET WiFi:NotReachable/WR t–----
2017-01-19 17:11:01 NET Internet:ReachableViaWWAN/WR t------
2017-01-19 17:11:46 TUN reset routes
2017-01-19 17:11:46 EVENT: DISCONNECTED
2017-01-19 17:11:46 Raw stats on disconnect:
BYTES_IN : 4863
BYTES_OUT : 4970
PACKETS_IN : 15
PACKETS_OUT : 25
TUN_BYTES_IN : 1000
TUN_PACKETS_IN : 10
2017-01-19 17:11:46 Performance stats on disconnect:
CPU usage (microseconds): 191855
Tunnel compression ratio (downlink): inf
Network bytes per CPU second: 51252
Tunnel bytes per CPU second: 5212
2017-01-19 17:11:46 ----- OpenVPN Stop ----- -
Yes, but my Foscam cameras are on a different and physically separated interface; the reason is: Foscam (and Dahua) "disable p2p" function on the GUI doesn't disable it at all, so I put them on a different network (different from my "trusted" LAN).
I'm no It guy at all, but I kind of thought that one of the reasons we use pfSense is because it is versatile enough to work around shitty implementations like Foscam.
By that I mean, why does it matter if the GUI for the webcams doesn't work? pfSense automatically blocks anything you don't write a rule to pass, and you can assign static IP's to your cameras and write rules specific to your webcams. So even if you specifically configured your cameras to make all of your feeds available to the world, if pfSense doesn't let that traffic out, it isn't going anywhere. You can even log all of the traffic on your webcams if you wanted to. Basically, is it really necessary to isolate the webcams on their own subnet? It seems like an extra, unnecessary step that is complicating things.
