Access to remote camera (RTSP/Onvif over OpenVPN)
-
Hi guys!
I have a configured OpenVPN server and permission rules.
There is a remote router Cudy that connects as an OpenVPN client to pfSense.
Rules:
Ping from pfSense successfully passes to the OpenVPN client.
In Client Specific Overrides in Advanced section I have added:
ifconfig-push 10.50.30.11 255.255.255.0
to assign a static IP to my client.
Port forwarding has been done on the Cudy router: RTSP 554 and ONVIF 2020 (yeah 2020, not 8899).
However NVR or VLC player can't connect to the camera via its OpenVPN IP address.
I would be extremely grateful for help in setting up! Thank you!
-
@happynewguy said in Access to remote camera (RTSP/Onvif over OpenVPN):
In Client Specific Overrides in Advanced section I have added:
ifconfig-push 10.50.30.11 255.255.255.0
to assign a static IP to my client.
The "Tunnel network" box is meant for this setting.
However NVR or VLC player can't connect to the camera via its OpenVPN IP address.
Do the cameras even have a gateway setting and is it configured correctly?
Not all such devices have this and hence are not meant to be accessed from outside.
-
@viragomann great question about the gateway, but I would think the NVR should have one.
@happynewguy What side are the cameras even on? Why are you doing port forwards? Why are you setting gateways in your OpenVPN rules?
There really should be nothing special to do here, other than hit your NVR IP - that I assume is sitting behind pfSense, or your camera's IP..
How about a napkin drawing showing what is where and on what networks...
edit:
So your cameras are behind pfSense and your NVR is on this remote network behind the Cudy router (client of pfSense VPN service).. Again, why should you need to port forward anything?
-
I apologize for not attaching the network map immediately.
I also attach the OpenVPN server config
https://imgur.com/a/lHaoZuL
I would also like to point out that I am specifically directing all traffic through the tunnel.
Apparently the problem is in the static route, but I don't know how to specify it. I still have no access from the private network 10.77.50.0 to the router 192.168.10.1.
Thank you all in advance!
-
@happynewguy If you want some NVR to see your camera down the VPN on a 192.168.10.10 address.. And you're natting at that Cudy router.. You would have to hit whatever its 10.50.30.x address is. So you would need a port forward on Cudy.
And for the camera to be able to talk back, then the cudy router would need to know hey traffic going to 10.77.50.x needs to go down the tunnel.
Not sure why you have gateways setup in pfsense openvpn rules? And to be honest there is no reason to nat traffic coming into the cudy router down the tunnel.. If you were not natting there then your nvr would just try talking to 192.168.10.10, pfsense would say oh send that down this vpn tunnel, that 192.168.10 network is on the other end of this tunnel.
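The routing argument in the reply above, as an added example that is not part of the original post: a longest-prefix-match model of both routers' tables, showing which missing route breaks each direction. The table contents, interface labels and the NVR address 10.77.50.20 are constructed assumptions; the camera and tunnel addresses are the ones given in the thread.

```python
import ipaddress

def lookup(routes, dst):
    """Longest-prefix match: return the egress label chosen for dst."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, egress in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, egress)
    return best[1] if best else None

# Constructed routing tables (assumption: a model, not the real device configs).
PFSENSE = [("10.77.50.0/24", "lan"), ("10.50.30.0/24", "tunnel"), ("0.0.0.0/0", "wan")]
CUDY = [("192.168.10.0/24", "lan"), ("10.50.30.0/24", "tunnel"), ("0.0.0.0/0", "wan")]
# The same tables with the route each side needs for the other side's LAN.
PFSENSE_FIXED = PFSENSE + [("192.168.10.0/24", "tunnel")]
CUDY_FIXED = CUDY + [("10.77.50.0/24", "tunnel")]

NVR = "10.77.50.20"             # constructed host on the pfSense LAN
CAMERA = "192.168.10.10"        # camera address mentioned in the thread
CUDY_TUNNEL_IP = "10.50.30.11"  # tunnel IP pushed to the Cudy client

def trace(dst, pfsense, cudy):
    """Return (forward_ok, return_ok) for a connection from NVR to dst.

    forward_ok: pfSense sends the NVR's packet into the tunnel.
    return_ok:  the Cudy router sends the reply for the NVR back into the
                tunnel rather than out of its WAN default route.
    """
    forward_ok = lookup(pfsense, dst) == "tunnel"
    return_ok = lookup(cudy, NVR) == "tunnel"
    return forward_ok, return_ok

if __name__ == "__main__":
    cases = [
        ("port forward, no return route", CUDY_TUNNEL_IP, PFSENSE, CUDY),
        ("port forward, return route", CUDY_TUNNEL_IP, PFSENSE, CUDY_FIXED),
        ("routed, no routes added", CAMERA, PFSENSE, CUDY),
        ("routed, both routes added", CAMERA, PFSENSE_FIXED, CUDY_FIXED),
    ]
    for label, dst, pf, cu in cases:
        fwd, ret = trace(dst, pf, cu)
        print(f"{label:32} forward={fwd} return={ret}")
```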
-
@johnpoz
I have changed the OpenVPN server configuration. Now I route all traffic for the client through the tunnel.
The client connects successfully. It has access to the private network 10.77.50.0/24.
I also made a port forward to the necessary ports. But I still can't access the remote camera on the 192.168.10.0/24 network from the 10.77.50.0/24 network.
Could the problem be that I don't have a separate interface for OpenVPN?
And that's why I can't create the necessary rule in routing?
I'm stuck in this problem. I don't understand what I'm doing wrong. Could you please route me to the right way? :)
-
@happynewguy said in Access to remote camera (RTSP/Onvif over OpenVPN):
The client connects successfully. It has access to the private network 10.77.50.0/24.
And can you ping whatever the client's tunnel IP is.. from your 10.77.50 network..
Your nvr has to go find the camera..
-
ping from webgui pfSense to vpn client - no ping.
ping from webgui pfSense to own vpn server - ok
ping from network 10.77.50.0/24 to any vpn clients - no ping
-
@happynewguy not the VPN client IPs - the tunnel address of the client... Do you allow ping on the Cudy router?
If you can't even talk to the Cudy IP - you're never going to be able to use its port forwards.
-
Yes, I tried that too.
I tried to ping the client's tunnel IP - unsuccessfully.