Remote Connection with VPN on Host

ifunlisted
edited September 2018 in SecuritySpy
I'm running SS on a Mac mini, and it's fantastic. However, I recently added a VPN (ExpressVPN), and now I'm having an issue viewing my cameras remotely. Everything still works fine on my home network whether I advertise Bonjour or not, so I don't think that's the issue. I have also had no problem with remote viewing in the past. I have the web server enabled and I'm using the viewcam.me DDNS.

I have a feeling it has something to do with my IP changing (for outgoing communication) due to the VPN. Is there a standard method for using SS with VPNs, or is this something that needs to be addressed on their end?

Thanks:)

Comments

  • With a VPN, your Mac is no longer connected directly to the Internet; it's connected via the VPN, and your public (WAN) IP address will be provided by the VPN company and may be shared by multiple VPN users. Furthermore, you will be behind the VPN company's NAT (Network Address Translation), with no access to configure this NAT, so there is no route from incoming connections from the Internet back to any device on your network.

    So for remote access to SecuritySpy, I think you will have to turn off VPN for this Mac mini.
  • Thanks man... I was able to reconfigure the VPN using their split tunneling feature. Now I can selectively choose which apps are routed through the VPN and which ones run normally.
  • Perfect - great to know this is possible!
  • I encountered exactly the same problem, but ExpressVPN was blocking access to SecuritySpy from the WAN even when I specified that only Safari and Mail be tunnelled.

    So now I'm trying ProtonVPN. Security-wise, it appears to be close to or on par with ExpressVPN, and it doesn't block connection to SecuritySpy.
  • So, a week later, I have to report that ProtonVPN *also* blocks incoming connections to SS.
  • Why don't you guys install an L2TP VPN on the gateway for remote access?
  • kaps, it's something I've been thinking about. But...

    I'm now actually able to connect to SS from outside our LAN with ProtonVPN turned on.

    I think the difficulty in connecting to our LAN is due to how SS (and another DynDNS app) gets our WAN IP number. When the VPN is on, the software is getting the IP of the other end of the VPN tunnel rather than our modem's. If I specify the IP of the modem rather than our DynDNS domain, SS gets through.

    Not sure exactly what's happening. I'll keep testing.

  • Gregory
    edited November 2021

    I just checked again. It would appear that the DynDNS software is updating the DNS to the VPN's IP rather than the modem's WAN IP.

    If I manually specify the WAN IP of the modem, the SS app can access my cameras from the WAN.

    The modem is set to reboot every 3 days, so the modem's IP will change.

    Is there any way to program (Terminal shell commands) a call to the modem to get the actual WAN IP?

    One challenge is that when the VPN is on, even Safari cannot connect to the modem! LOL

  • To update the IP for our viewcam.me DDNS service, SecuritySpy makes an outgoing connection to one of our servers on the Internet. The server then looks at the origin IP address of the connection, and sets this as the IP of the viewcam.me DDNS name. So it's the VPN's public IP that is apparently being seen for this connection, indicating that the connection is going via the VPN.

    You mention an exclusion in the VPN for SecuritySpy - can you set this for outgoing connections as well as incoming connections?

    There is no good way to obtain the public IP address of your local Internet connection using some kind of script or Terminal command - this is precisely what DDNS is for! One option could be to ask your ISP to give you a static (rather than dynamic) IP address, this would solve the problem of it changing every time the router is rebooted. There is usually a small fee for this, but it shouldn't be too expensive.

  • What if you run a DynDNS client on the modem/router and use that to connect back from the SS app? That should reflect your WAN IP, assuming that Proton is run on the SS machine.

  • This is a good idea @kaps.

  • Gregory
    edited November 2021

    My modem doesn't provide a DynDNS option, and ProtonVPN doesn't allow exclusions, but I may have found a work-around.

    Use this Terminal command (the network service name, here Ethernet, is a required argument):

    sudo networksetup -setadditionalroutes Ethernet 35.166.142.92 255.255.255.0 192.168.1.1  51.195.234.92 255.255.255.0 192.168.1.1


    The first tuple points to freeMyIP, and the second tuple points to viewcam.me. I looked up the IPs using Network Utility. I have an AppleScript applet that updates freeMyIP every 5 minutes.

    I'm on Catalina.

  • The IP for viewcam.me was wrong; I had to change it to the IP for ddns.bensoftware.com.

  • Thanks for reporting back, this is an ingenious solution!

  • Gregory
    edited November 2021

    The exact command for freeMyIP and then ddns.bensoftware.com is (one single line):

    sudo networksetup -setadditionalroutes  Ethernet  51.195.234.92 255.255.255.0 192.168.1.1  51.68.217.46 255.255.255.0 192.168.1.1

    Multiple 'additional routes' have to be specified in the same command; they can't be appended to the existing routes one command at a time.

    Apparently these additional routes persist across reboots, but I haven't tested that yet.

    My command includes a 3rd tuple which allows me to access our cellular modem when the VPN is active. There is a router between the cellular modem and my computer.

    You can find the name of the network service by using this command:

    networksetup -listallnetworkservices

  • Just a note to confirm that this works! I've had no problems accessing SS from outside as long as ProtonVPN's "Kill Switch" is off.

  • Gregory
    edited January 2022

    Sometimes the IP numbers of the DynDNS servers change and the additional routes don't get to the servers, so I've changed my background AppleScript applet to automatically get the IP numbers and update the additional routes.


    use AppleScript version "2.4" -- Yosemite (10.10) or later
    use scripting additions
    use myGREP : script "GREP via NSString" -- third-party script library; must be installed in ~/Library/Script Libraries
    
    global viewcam_me, freemyip_com
    
    -- Save as a stay-open applet so the idle handler keeps firing.
    on run
      idle() -- parentheses needed: a bare "idle" refers to the handler without calling it
    end run
    
    on idle
      try
       updateAdditionalRoutes()
       updateDynDNS()
      on error m number n
       if m contains "connection timed out" then
         -- The DNS server could not be reached. Sometimes happens if the network is down or the VPN is blocking traffic.
         log "ERROR: nslookup timed out!"
       end if
      end try
      
      return 15 * minutes -- seconds until the next idle call
    end idle
    
    
    to updateAdditionalRoutes()
      lookupIPs()
      setAdditionalRoutes()
    end updateAdditionalRoutes
    
    to lookupIPs()
      set freemyip_com to lookupIP("freemyip.com")
      set viewcam_me to lookupIP("ddns.bensoftware.com")
    end lookupIPs
    
    to lookupIP(theDomain)
      -- query Quad9 (9.9.9.9) directly rather than the system resolver
      set theReply to do shell script "nslookup " & theDomain & " 9.9.9.9"
      -- the "$" anchor selects the address at the end of the reply (the answer), not the 9.9.9.9 server lines above it
      tell myGREP to return findString(theReply, "[0-9.]+$")
      
      (*
      --- sample reply ---
      Server:   9.9.9.9\r
      Address: 9.9.9.9#53\r\r
      Non-authoritative answer:\r
      Name: freemyip.com\r
      Address: 35.166.142.92\r
      *)
    end lookupIP
    
    to setAdditionalRoutes()
      -- first tuple: route to the cellular modem via the router; the next two pin the DDNS servers to the LAN gateway.
      -- networksetup replaces the whole additional-routes list on every call, so all tuples go in one command.
      set shellCommand to "sudo networksetup -setadditionalroutes Ethernet 10.88.0.1 255.255.255.0 10.0.1.1 "
      set gatewayStr to " 255.255.255.0 10.0.1.1 "
      set shellCommand to shellCommand & freemyip_com & gatewayStr & viewcam_me & gatewayStr
      -- placeholder admin credentials; they are stored in clear text inside the applet, so restrict who can read the applet file
      do shell script shellCommand user name "dolphins fly" password "bread and fish" with administrator privileges
    end setAdditionalRoutes
    
    to updateDynDNS()
      -- update yyyyy.freemyip.com. The URL must be quoted: unquoted, the shell treats each "&" as a background operator
      -- and only the part before the first "&" reaches curl.
      do shell script "curl -sS " & quoted form of "https://freemyip.com/update?token=xxxxx&domain=yyyyy.freemyip.com&verbose=yes"
    end updateDynDNS
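The route work-around from this thread (the one-line networksetup command and the AppleScript that refreshes it), written up as an added shell example; this is not code from the thread's posters or from Ben Software. It assumes macOS, a network service named "Ethernet", a LAN gateway of 192.168.1.1 and the two DDNS update hosts used in the thread, all overridable through environment variables. It goes beyond the posts in three ways: each resolved address gets a 255.255.255.255 host mask, so only the DDNS servers leave the tunnel instead of their whole /24; the route list is left untouched when nothing resolves, so a DNS failure cannot wipe the existing routes; and a check subcommand reads `route -n get` to confirm each server is reached on the LAN interface rather than a utun tunnel interface. The `route -n get` sample text is constructed for the offline checks.

```shell
#!/bin/bash
# Added example (not from the SecuritySpy forum thread or Ben Software): pin the
# DDNS update hosts to the LAN gateway so they bypass the VPN, then verify which
# interface the kernel really uses for them. Assumed: macOS, service "Ethernet",
# LAN gateway 192.168.1.1. Override any of these via the environment.

SERVICE="${SERVICE:-Ethernet}"
LAN_GW="${LAN_GW:-192.168.1.1}"
HOSTS="${HOSTS:-freemyip.com ddns.bensoftware.com}"

# Accept only a dotted quad with octets 0-255, so a CNAME target or an error
# string from the resolver can never reach the networksetup argument list.
is_ipv4() {
  local ip="$1" o
  case "$ip" in ''|*[!0-9.]*) return 1 ;; esac
  local IFS=.
  set -- $ip
  [ "$#" -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in ''|????*) return 1 ;; esac   # empty octet or more than 3 digits
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# A records for a hostname, one per line (dig ships with macOS).
resolve_a() {
  dig +short A "$1" | while read -r rec; do is_ipv4 "$rec" && echo "$rec"; done
}

# Build the tuple list for networksetup: "<ip> 255.255.255.255 <gateway>" per
# address. The thread's command uses 255.255.255.0, which routes the whole /24
# around the VPN; a host mask limits the bypass to exactly the DDNS servers.
build_route_args() {   # usage: build_route_args <gateway> <ip>...
  local gw="$1" ip out=""
  shift
  for ip in "$@"; do
    is_ipv4 "$ip" || { echo "skipping non-IPv4 value: $ip" >&2; continue; }
    out="$out $ip 255.255.255.255 $gw"
  done
  printf '%s' "${out# }"
}

# networksetup replaces the whole additional-routes list on every call, so all
# tuples go in one command. If nothing resolved (kill switch on, DNS down),
# leave the existing routes alone rather than wiping them.
apply_routes() {
  local ips args
  ips=$(for h in $HOSTS; do resolve_a "$h"; done)
  args=$(build_route_args "$LAN_GW" $ips)
  [ -n "$args" ] || { echo "no addresses resolved; routes left untouched" >&2; return 1; }
  sudo networksetup -setadditionalroutes "$SERVICE" $args
  networksetup -getadditionalroutes "$SERVICE"
}

# Pull the interface name out of `route -n get <ip>` output read from stdin.
route_iface() {
  awk '$1 == "interface:" { print $2; exit }'
}

# macOS VPN clients terminate tunnels on utun/ipsec/ppp interfaces; anything
# else means the packet leaves on the LAN.
classify_iface() {
  case "$1" in
    '')                 echo none ;;
    utun*|ipsec*|ppp*)  echo vpn ;;
    *)                  echo lan ;;
  esac
}

# Constructed sample of `route -n get` output for a correctly pinned host.
SAMPLE_ROUTE_GET='   route to: 51.195.234.92
destination: 51.195.234.92
       mask: 255.255.255.255
    gateway: 192.168.1.1
  interface: en0
      flags: <UP,GATEWAY,HOST,DONE,STATIC>'

# For every resolved DDNS server, report whether traffic to it bypasses the VPN.
check_routes() {
  local h ip iface kind rc=0
  for h in $HOSTS; do
    for ip in $(resolve_a "$h"); do
      iface=$(route -n get "$ip" 2>/dev/null | route_iface)
      kind=$(classify_iface "$iface")
      printf '%-24s %-16s %-6s %s\n' "$h" "$ip" "${iface:-none}" "$kind"
      [ "$kind" = lan ] || rc=1
    done
  done
  return $rc
}

case "${1:-}" in
  apply) apply_routes ;;
  check) check_routes ;;
  *)     echo "usage: $0 apply|check" >&2 ;;
esac
```

Run `apply` after the VPN is up (it will prompt for the sudo password), then `check`; a `vpn` in the last column means the DDNS update still leaves through the tunnel and the name will be set to the VPN exit address, a `none` means the address has no route at all. The check covers routing only: the thread reports the work-around holds only with ProtonVPN's Kill Switch off, and a kill-switch firewall can drop packets the routing table would happily send to the LAN. A quick end-to-end confirmation is to compare `dig +short <yourname>.viewcam.me` with the address an external what-is-my-IP service reports while the VPN is disconnected.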